Similar literature
20 similar documents found (search took 15 ms)
2.
This article presents ISO's most successful information security standard ISO/IEC 27001 together with the other standards in the family of information security standards — the so-called ISO/IEC 2700x family of information security management system (ISMS) standards and guidelines. We shall take a brief look at the history and progress of these standards, where they originated from and how they became the common language of organizations around the world for engaging in business securely. We shall take a tour through the different types of standard that are included in the ISMS family and how they relate and fit together, and we will finally conclude with a short presentation of ISMS third-party certification. The material used in this article has been derived directly from the many articles and books by Prof. Humphreys on the ISO/IEC 2700x ISMS family, and they are implemented and applied in practice in the business, commerce and government sectors.

3.
Information security management standards: Problems and solutions (cited by 1: 0 self-citations, 1 by others)
International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.

4.
Managing information security, as opposed to IT security, is an area that is now finally coming of age. For many years the focus has been mainly on IT security, with the implementation of such security left to the IT department and technical experts. Early in the 90s things started to change with the first draft of an information security management standard, BS 7799, focusing on security related to people, processes and information as well as IT. Since then there have been many developments taking us to where we are today, with these early security management standards being transformed into international standards published by ISO/IEC. These standards are being used by hundreds of thousands of organisations worldwide. Based on the author's previously copyrighted writings, this article explores what these standards have to offer organisations, what benefits are to be gained and how such standards have helped with compliance. In particular it focuses on the insider threat as an example of one of the growing problems that organisations need to deal with, and how these international standards are useful in helping to solve the insider threat problem.

5.
To protect information systems from increasing levels of cyber threats, organizations are compelled to institute security programs. Because information security policies are a necessary foundation of organizational security programs, there exists a need for scholarly contributions in this important area. Using a methodology involving qualitative techniques, we develop an information security policy process model based on responses from a sample of certified information security professionals. As the primary contribution of this research study, the proposed model illustrates a general yet comprehensive policy process in a distinctive form not found in existing professional standards or academic publications. This study's model goes beyond the models illustrated in the literature by depicting a larger organizational context that includes key external and internal influences that can materially impact organizational processes. The model that evolved from the data in this research reflects the recommended practices of our sample of certified professionals, thus providing a practical representation of an information security policy process for modern organizations. Before offering our concluding comments, we compare the results of the study with the literature in both theory and practice and also discuss limitations of the study. To the benefit of the practitioner and research communities alike, the model in this study offers a step forward, as well as an opportunity for making further advancements in the increasingly critical area of information security policy.

6.
The rapid development of modern society has greatly increased the importance of information network security. In daily network activities, attention must therefore be paid to the security of the entire network's information, and special measures must be used to maintain that security and prevent valid information from being stolen. Effective measures for network information security are therefore needed.

7.
This paper undertakes a systematic review of the Information Systems Security literature. The literature review consists of three parts: First, we perform topic modeling of major Information Systems journals to understand the field's debates. Second, we conduct a Delphi Study composed of the Chief Information Security Officers of major corporations in the US to identify security issues that they view as important. Third, we compare Topic Modeling and the Delphi Study results and discuss key debates, gaps, and contradictions within the academic literature. Further, extant Information Systems Security literature is reviewed to discuss where the academic community has placed the research emphasis and what is now required in the discipline. Based on our analysis, we propose a future agenda for Information Systems security research.

9.
What's the traditional response to the bringer of bad news? Shoot the messenger. With information security problems cropping up left and right like mushrooms on the forest floor, it's no wonder that a number of information security managers have recently been asked to find employment elsewhere. These firings are often window-dressing, not a serious attempt to solve the problem.

10.
This paper applies systematic evaluation methods to the field of information security management measurement. Based on the ISO/IEC 27004 standard, Information Security Management Measurement, it proposes an integrated model combining the analytic hierarchy process with multi-level fuzzy comprehensive evaluation for measuring information security management systems. A case application shows that the method can transform experts' subjective qualitative judgements into quantitative evaluation results of fairly good objectivity. Given that ISO/IEC 27004 does not yet provide highly operational measurement methods, the approach serves as an effective comprehensive evaluation method.

11.
Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Drawing on social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief-noncompliance relationship than the principled climate.

12.
With the widespread adoption of network information technology in people's daily lives, the security of network information has received increasing public attention. To protect network security, computer experts have developed a series of technologies for protecting network systems, such as firewalls, intrusion detection systems and security auditing, which have been widely deployed in networks with relatively good results. However, because network viruses are constantly being updated, systems that could originally resist virus intrusions become unable, over time, to defend against newly emerging ones. This paper introduces the current state of network security management systems at home and abroad, analyses the necessity of network security management systems, and then proposes approaches to realising them.

13.
Economic aspects of information security: An emerging field of research (cited by 1: 1 self-citation, 0 by others)
This paper chronicles the development of economics of information security as an academic area of research. It also describes the contributions of the papers in the special section of this issue devoted to the topic.

Lawrence A. Gordon is the Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at the Robert H. Smith School of Business, University of Maryland and is also an Affiliate Professor in the University of Maryland Institute for Advanced Computer Studies. Martin P. Loeb is a Professor of Accounting and Information Assurance and a Deloitte and Touche Faculty Fellow at the Robert H. Smith School of Business, University of Maryland. He is also an Affiliate Professor in the University of Maryland Institute for Advanced Computer Studies.

14.
The concept of the Information Systems Research Center (ISRC) is not new, yet its purpose, structure and activities are not universally agreed upon. This paper compares ten centers in the U.S.A. as to their objectives, organizational structure, curriculum, current research areas, and activities. The ISRCs are then examined in an attempt to assess benefits and problems.

15.
With the development of the Internet, the deficiencies of the traditional TCP/IP-based Internet architecture in security, management and other areas have gradually been exposed; although some remedial measures have been taken, they remain inadequate. The academic community widely feels that the security and management architecture of the next-generation Internet needs to be redesigned in light of the deficiencies of the current Internet architecture and future application requirements. To this end, this paper analyses several major problems of the current Internet in security and management, summarises, together with related research, the consensus and disagreements in the academic community on several fundamental issues, and looks ahead to further research directions.

16.
As technological tasks in CIM environments become more complicated, the level of intelligence required to automate and integrate these tasks also evolves with increasing complexity. This paper classifies CIM tasks and their required intelligence into facility, data and decision levels, and discusses the automation and integration of those knowledge-intensive CIM tasks at their decision level. Since decision-level tasks are often more abstract than those at the facility and data levels, a systematic approach is necessary to build research programs for the automation of these tasks. This paper will use the decision-level task of concurrent engineering as an example to explain the five-step approach that we have adapted to form our research programs in this evolving area of CIM research. These five steps are: (1) perform analysis of the task and its needed decision-level supports, (2) conceptualize these analysis results into a concise framework, (3) propose a software paradigm for the conceptual framework, (4) identify functional requirements from this paradigm to guide software implementations, and (5) correlate implementation results to identify a fundamental technology. More specifically, the analysis of concurrent engineering tasks in CIM can be found in Section 2. Section 3 explains the conceptualization process which views decision making activities as mappings and loops between a control and performance space. In Section 4, concurrent engineering is modeled as a team problem-solving process participated in by multiple cooperating knowledge sources (MCKS) with overlapping expertise to perform those loops. Several functional requirements are identified from this MCKS model of concurrent engineering and example research activities to address these challenges are described in Section 5. 
The correlations in Section 6 indicate that the knowledge processing technology, evolved from applied artificial intelligence research, is a fundamental technology for building intelligent systems to support various knowledge-intensive CIM tasks at their decision level.

18.
In this study, we propose and examine the concept of information security ignorance, which is an individual's chosen state of remaining underinformed about information security. Ignorance may be a rational choice for individuals when feeling overwhelmed by the available information. The findings of this study, based on the analysis of 319 survey responses, suggest that media and interpersonal communication influence information security ignorance. However, personal traits, including locus of control, intellectual curiosity, and computer anxiety, play a stronger role in shaping ignorance. Security ignorance was found to be positively related to the perception that the Internet is a safe place.

19.
Computer, 2001, 34(7):16-18
Increasingly, companies and individuals are using wireless technology for important communications they want to keep private, such as mobile e-commerce transactions, email, and corporate data transmissions. At the same time, as wireless platforms mature, grow in popularity, and store valuable information, hackers are stepping up their attacks on these new targets. This is a particular problem because wireless devices, including smart cellular phones and personal digital assistants (PDAs) with Internet access, were not originally designed with security as a top priority. Now, however, wireless security is becoming an important area of product research and development. As in the wired world, wireless security boils down to protecting information and preventing unauthorized system access. However, it is challenging to implement security in small-footprint devices with low processing power and small memory capacities and that use unreliable, low bandwidth wireless networks. Vendors and others have developed several security approaches for the various wireless technologies, although each of these early efforts has some shortcomings. Security researchers are thus busy developing new technologies and fixing holes in existing ones. The paper discusses wireless security technology and its shortcomings.

20.
Awareness of the need for true information security is steadily evolving in finance, industry and government, although action does not match rhetoric. There is a growing need for sophisticated security measures as evidenced by the increasing incidence of penetrations, at all levels of sophistication, of automated systems. These security measures can be developed and installed based on a procedure of risk analysis, security audit and design of countermeasure.
