ITS 305 - Security Policies and Auditing
Chapter 1, Introduction to the Management of Information
This lesson introduces the student to concepts that are
important to different types of managers in an organization. Objectives
important to this lesson:
- Differentiate between IT management, IT Security
management, and Enterprise management
- Understand the three primary characteristics of IT security
- Be able to discuss some common operational areas of security
- Be familiar with the McCumber Cube
- Understand common security related terms
- Consider how management styles affect security policies
- Consider the six Ps of information security
This chapter begins with a parable, which continues throughout
the text, about a new IT Security manager who is having difficulties.
Her story and her problems are not clear until we consider some of the
concepts that the chapter introduces.
The first point of the chapter is that information
security is everyone's job. This sounds like the attitude of
someone trying to avoid blame and responsibility, but it is not. The
point is that everyone uses information, to some degree, and everyone
is a potential security risk because of it. This is why the text tells
us that the best approach is for the organization to make security
decisions in committees that are formed by three parts of the
organization:
- IT managers and professionals
- IT security managers and professionals
- Business managers and professionals
The first two groups look like the same people, but they are not:
- IT staff are responsible for meeting the IT
needs of the business. It might be better to call these people
the IT Operations staff, although that phrase may
have a different specific definition in some organizations.
- IT Security staff are responsible for protecting
- Business staff are responsible for the core
interests of the business.
A problem with this concept is that IT security is often the
domain of one part of an organization, and other parts may not have any
connection to their decision making process. The authors tell us that
this is not a viable situation.
The text continues with a series of attempts to define
security. Someone should have told the authors that a definition should
not contain the word you are defining. Let's see what they have worth
- there are several specialized areas of security: physical,
operations, communications, and network
- information security has three classic
characteristics/elements: confidentiality, integrity, and availability
(commonly referred to as CIA)
The classic CIA concept defines security from the point of view of the
IT Security staff. The text explains that an expansion of this concept
is called by several names, one being the McCumber Cube, another
being the CNSS Security model. It provides three different
perspectives on security, which should be considered together
to make better security decisions:
- IT Security perspective: Confidentiality, Integrity, Availability
How do we protect the information, make sure it is not tampered with,
and provide access to those who need it?
- IT Operations perspective: Storage, Processing, Transmission
How do we perform the basic IT functions of storing, processing, and
transmitting information?
- Business perspective: Policy, Education, Technology
How do we make the rules for employees about protecting information,
educate our staff in protecting it, and use the technology we have to
do our business?
It feels a bit off that the first two bullets above seem to relate to
the primary activities of the respective entities, but the third does
not. All three perspectives relate to IT security, from the point of
view of that entity. Each is different from the others, and each should
be considered a necessary aspect of the security process.
It may be clearer now that in the parable about our IT
Security manager, her organization has not adopted this set of ideas.
The text continues with definitions of
several terms it has already used and some new ones:
- Confidentiality - information should only
be accessible to users who have been granted access to it for valid
reasons. Only authorized users can access data if it is protected
properly, and if authorized users do not violate security policy.
- Integrity - data may not be changed
except by authorized users or processes. This means that data must be
protected from alteration, deletion, or other changes to its intended
- Availability - authorized users can access
data when they need to do so. The text points out that some readers
misunderstand this concept. Availability means only that proper access
methods are provided to authorized users, not to everyone.
- Privacy - information provided by a
customer, for example, is only used in ways that our organization has disclosed
to that customer. This does not mean that our organization makes no use
of the information, but that it complies with the rules that it has
made and disclosed to the information owner.
The next terms have to do with proving who you are and
accessing assigned resources.
- Identification - This is the equivalent of
entering a user ID. By itself, it is not
sufficient on any system that is at all secure.
- Authentication - This is what a user is
doing when they enter a password. The password is run
through a process (typically a salted hash) and the result is compared
with the information on file for the user account named; the stored
value should never be the password itself. Instead of a password, the
authentication information could be biometric or a personal
identification number (PIN).
- Authorization - This is the step after
authentication, in which the rights that have been
assigned to the user account become available for
use. The text says that this occurs after authentication, but be aware
that the actual assignment of rights had to be done before the user
- Accountability - This is a state or
characteristic of a system that exists if the system tracks
what actions on the system were carried out by which logged-in user,
typically in an audit log that the users themselves cannot alter.
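The four steps above, identification, authentication, authorization, and accountability, worked through in Python as an added example. This is not code from the textbook or from these notes; the account names, passwords, and rights are constructed for the illustration, and PBKDF2 with a per-account salt stands in for the "process" the text says the password is run through. Note that the rights are attached to the account when it is created, before any login, which is the point the text makes about authorization.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed in-memory account store and audit log (assumptions for the
# example, not a real system). Each account holds a random salt, the
# PBKDF2 hash of its password, and the rights assigned to it in advance.
ACCOUNTS = {}
AUDIT_LOG = []

PBKDF2_ITERATIONS = 100_000


def _hash_password(password, salt):
    """Derive the stored verifier from the password; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _record(user_id, action, outcome):
    """Accountability: every security-relevant action is tied to the user ID that performed it."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "action": action,
        "outcome": outcome,
    })


def create_account(user_id, password, rights):
    """Rights are assigned here, before the user ever logs in."""
    salt = os.urandom(16)
    ACCOUNTS[user_id] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "rights": frozenset(rights),
    }


def login(user_id, password):
    """Identification (the user ID) followed by authentication (the password check).

    Returns a session dict on success, None on failure.
    """
    account = ACCOUNTS.get(user_id)
    if account is None:
        # Unknown ID: run the hash anyway so response time does not reveal
        # which user IDs exist, then log the failure against the claimed ID.
        _hash_password(password, b"\x00" * 16)
        _record(user_id, "login", "failure: unknown user")
        return None
    candidate = _hash_password(password, account["salt"])
    # Constant-time comparison so a wrong password cannot be narrowed down byte by byte.
    if not hmac.compare_digest(candidate, account["hash"]):
        _record(user_id, "login", "failure: bad password")
        return None
    _record(user_id, "login", "success")
    # Authorization step: the rights assigned earlier become available to this session.
    return {"user": user_id, "rights": account["rights"]}


def authorize(session, right):
    """Check whether an authenticated session may perform an action; log either way."""
    allowed = right in session["rights"]
    _record(session["user"], right, "allowed" if allowed else "denied")
    return allowed


def demo():
    """Walk through the four steps and return the audit trail."""
    create_account("alice", "correct horse battery staple", {"read_reports"})
    session = login("alice", "correct horse battery staple")
    authorize(session, "read_reports")    # assigned in advance: allowed
    authorize(session, "delete_reports")  # never assigned: denied
    login("alice", "wrong password")      # authentication fails
    login("mallory", "anything")          # identification fails
    return list(AUDIT_LOG)


if __name__ == "__main__":
    for entry in demo():
        print(entry["time"], entry["user"], entry["action"], entry["outcome"])
```

Running it prints one audit line per event, so a reviewer can see who logged in, what was allowed or denied, and which login attempts failed, which is exactly the record that accountability requires.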
The text moves on to discuss high level concepts about management.
The material on management in
this chapter may serve as some background reading when you are making
your mind up about several course assignments. The text presents three
classic management theories:
- autocratic - do it
because I say so
- democratic - let's
all decide what to do
- laissez-faire - let the people
do what they want
Ask several managers which of the theories above they tend to
endorse, and you will get different answers depending not only on the
person you ask, but on the circumstances in which they find themselves.
It is easy to adopt a "manage less" approach when things are going
well, but hard to justify it in the middle of a crisis that your staff
may have created. No one with any experience will endorse one theory
over the others in all circumstances.
The text discusses some aspects of planning that will be useful in
assignments as well. Organizations often make plans that address
actions in a particular span of time.
- strategic planning - long term plans, formed at high
levels, for the company as a whole
- tactical planning - shorter term plans, formed at an
intermediate level, to apply to applicable parts of a company
- operational planning - day to day plans, formed at low
levels, to apply to problems that are meant to be resolved in the short
term
Another list of wisdom is called the Six Ps of Information Security.
- Planning - planning
specifically for information security
- Policy - setting
information security rules for the organization
- Programs - not software, but operational areas within the information security division; this could represent teams that do different jobs or specific functions of particular staff
- Protection - risk
assessment and management
- People - people
will make or break your security measures
- Project Management - every project should be
managed properly to see that it is implemented successfully
The authors spend the rest of the chapter discussing project
management, which is outside the scope of this class.