Industry View

Looking for Information Security Control in a Global Business Climate

Mike Jerbic details efforts by The Open Group Security Forum to help further develop secure information architecture standards

By Mike Jerbic, The Open Group Security Forum

June 17, 2008 — In 1891, Professor Friedrich Wieser wrote in his Theory of Value, "The idea of the importance of property only originates in scarcity." Applying this principle to computer and information security resonates as well, because computing resources are abundant, so much so that treating them as property is unimportant. I would challenge any IT manager to name even a quarter of their existing computer resource inventory, even with the help of so-called reporting tools. Information, on the other hand, along with access to it, its integrity and its use, is considered high-value business property with proprietary value. After all, information service providers can charge high premiums for their services precisely because they create and maintain "asymmetric" differences in who can access, create and obtain information. For some enterprises competing in the information age, keeping information scarce is their only business advantage, the one thing worth preserving.

The key security problem CSOs face today is securing property rights in their organizations' information — while still supporting business in a global, shared services-oriented economy. CSOs are faced with a new objective: information-centric security beyond the enterprise.

Using the global information infrastructure increasingly requires that the private and public sectors, and consumers, each assume a spectrum of new risks. At the same time, many of the managers responsible for these risks do not fully understand them, and the power of individual IT system users (through negligent or malicious misuse of systems by employees, contractors and others) to do great harm with abundant commodity technology is rapidly growing. In response to this concern, industry and public interest groups, policy makers, regulators and others are developing new standards and regulations that place controls on the security management of information systems and the information they hold.

The Open Group Security Forum and the American Bar Association's Cyberspace Law Committee of the Business Law section recently collaborated on a white paper called "Information Security Strategy: A Framework for Information-Centric Security Governance." The purpose of this collaboration was to present an approach to achieving this new objective within an acceptable risk management envelope and to initiate projects within The Open Group that will help all of us govern information asset security more effectively. The paper presents a framework to manage information-centric security both within and between enterprises sharing information, focusing on the key elements of any governance structure:

The Stakeholders: Who are the key players and what are their functions and roles? The paper identifies six critical stakeholders: Business Management; Legal; Audit; Controls and Compliance; Business Process; and Information Technology. Each of these key players has its own dedicated roles and responsibilities. Business management has a business to run. The legal team has the responsibility (among others) to develop opinions on whether the organization is compliant with legal or regulatory requirements. Too often technical people or auditors end up making these assessments, but in the United States at least, any determination of compliance with a legal standard is part of the practice of law. The Controls and Compliance organization establishes internal policy and enforces compliance with internal (not legal) standards. Auditors measure the extent to which the organization performs to the policy requirements. Business process people define and implement how the business will work functionally, and the IT organization architects, designs, implements and maintains the information technology components of those processes.
