A multi-dimensional model for information security management

Eloff, Maria Margaretha

06 December 2011

D.Phil. / Any organisation is dependent on its information technology resources. The challenges posed by new developments such as the World Wide Web and e-business, require new approaches to address the management and protection of IT resources. Various documents exist containing recommendations for the best practice to follow for information security management. BS7799 is such a code of practice for information security management. The most important problem to be addressed in this thesis is the need for new approaches and perspectives on information security (IS) management in an organisation to take cognisance of changing requirements in the realm of information technology. In this thesis various models and tools are developed that can assist management in understanding, adapting and using internationally accepted codes of practice for information security management to the best benefit of their organisations. The thesis consists of three parts. Chapter 1 and Chapter 2 constitute Part 1: Introduction and Background. In Chapter 1 the problem statement, objectives and deliverables are given. Further the chapter contains definitions of important terminology used in the thesis as well as an overview of the research. Chapter 2 defines various terms associated with information security management in an attempt to eliminate existing confusion. The terms are mapped onto a hierarchical framework in order to illustrate the relationship between the different terms. In Part 2: IS Management Perspectives and Models, consisting of chapters 3, 4, 5 and 6, new approaches to information security management is discussed. In Chapter 3 different perspectives on using a code of practice, such as BS7799 for IS management, is presented. The different perspectives are based on the unique characteristics of the organisation such as its size and functional purpose. These different perspectives also enable organisations to focus on the controls for specific resources or security services such as integrity or confidentiality. In Chapter 4 these different perspectives ofbusiness type/size, the security services and the resources are integrated into a multi-dimensional model and mapped onto BS7799. Using the multi-dimensional model will enable management to answer questions such as: "Which BS7799 controls must a small retail organisation interested in preserving the confidentiality of their networks implement?" In Chapter 5 the SecComp model is proposed to assist in determining how well an organisation has implemented the BS7799 controls recommended for their needs. In Chapter 6 the underlying implemented IT infrastructure, i.e. the software, hardware and network products are also incorporated into determining if the information assets of organisations are sufficiently protected. This chapter combines technology aspects with management aspects to provide a consolidated approach towards the evaluation of IS. The thesis culminates in Part 3: Conclusion, which comprises one chapter only. In this last chapter, Chapter 7, the research undertaken thus far is summarised and the pros and cons of the proposed modelling approach is weighed up. The thesis is concluded with a reflection on possible areas for further research.

Information resources management

Data protection

Computer security

Database management security measures