An Investigation of Critical Success Factors and Procedures for Implementing Effective Information Systems Security Programs
Date of Award
Doctor of Philosophy (PhD)
Graduate School of Computer and Information Sciences
John A. Scigliano
Information security is no longer just about security. Today, security is about resource and information management, and it turns out that good security is a byproduct of a well-run organization. The corporate enterprise network is constantly changing. Thus, whatever plans we make today for enterprise management and security must be able to accommodate an unknown topological future. On top of that, the typical large-scale enterprise network is geographically far-flung, physically heterogeneous, and logically as complex as a London street map. In short, technical chaos. Dr. Eugene Schultz, information security program manager at the consultancy SRI International, Inc. in Menlo Park, California, says, "You have to get a high-level policy in place first." The author established enterprise network security goals at the highest level of the organization: the president or the board of directors. A mere vice president of information technology will not do. Unless the real leadership sets the vision and is willing to allocate resources to adequately secure and manage the information infrastructure, not much will get done.
Once policy goals have been set, whatever policy and goals are chosen must be unambiguously clear, and everyone in your organization must be made aware of them. Complete participation of all interested parties is necessary for the information security program to be successful. Next, the author established what comprises the enterprise network. Carl Allen, president of Infocore, Inc., a Highland, Utah-based consultancy, says, "Someone has to know what you've got - your network schematics, points of access, vulnerability - and who's in charge."
An information asset evaluation was also performed to answer two questions: which information resources are important enough to be protected, and where are they located? Stephen Cobb, director of special projects at the National Computer Security Association (NCSA), noted that "the evaluation process helps determine the relative value of data to a company. It raises awareness and makes people think." Top-to-bottom employee education and security management cooperation were needed throughout this process. The author needed the cooperation of the security staff throughout the entire enterprise, as well as the support, understanding, and compliance of end users. An ongoing education process for the entire staff was tailored to meet the needs of each group or department. This is needed, "otherwise security will be bypassed, turned off or ignored. And that's worse than having no security at all," says Charles Katz, Citibank's Chief Information Security Officer. There are several approaches one can take to implement an information security plan, and they all rest on the foundation of a security architecture. We must keep in mind that there is no perfect solution; no one vendor will meet all needs exactly, everywhere throughout an organization, but many may come close. An information security program that can react automatically to problem situations is critical. Some of the better reaction mechanisms may choose to run a predefined process. Unless the reaction to the intrusion actually accomplishes something, such as halting the attack or identifying the offender, it is pretty useless. There is no magic pill that will solve your enterprise security problems and no single vendor to meet all your needs; the information security professional must integrate from different sources until the payoff of enhanced enterprise management and asset protection makes the effort worthwhile.
The bottom line is that security is a risk/threat management problem, and no two organizations will ever reach the same conclusions.
Rey LeClerc. 1998. An Investigation of Critical Success Factors and Procedures for Implementing Effective Information Systems Security Programs. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, Graduate School of Computer and Information Sciences. (660)