Integrated Information Management Systems

Transcription

1 Integrated Information Management Systems Ludk Novák ANECT a.s. Brno, Czech Republic Abstract The article tries to find consensus in these tree different types of the systems the quality system, the IT service system and the information security system, which are frequently used for information. An aim is not to choose the best method, but to compose a complex framework based on advantages and synergies. The author describes his experience with integrations of the tree types of the systems into one consistent information framework. The integration is based on similarities of the systems especially on the PDCA Model, which is a key shared principle. The second principle is an effort to incorporate information risks into each type of systems. There is not possible to manage risk properly without close connection to realising information and communication technology benefits these days. Keywords: Information, Software quality, IT service, Information security, CobiT, ITIL, BS7799, PDCA model. 1 Introduction Wide using of information and communication technology (ICT) has a very serious consequence organizations are more and more dependent on quality, reliability and security of their information and communication systems including all related processes and activities. Provision of more effective and efficient services with appropriate reliability and security is an essential responsibility of people who are involved information. Information aims are also shifting. Increasing importance of ICT for organizations everyday life means it is not more acceptable just administrates and maintains ICT infrastructure. An information primer role is to manage and improve IT services, which are able to deliver defined and measurable added values for business units. So information gains an essential position in general business and strategy. There are several best practice methodologies or standards in the information and security world. CobiT (Control objectives for information and related technology), ISO 9000, ITIL (Information Technology Infrastructure Library), BS and/or ISO/IEC are the most general frameworks. New requirements on information have appeared recently (like Basel II, Sarbanes-Oxley Act, critical information infrastructure protection etc.) and emphases needs for information systems based on international standards and open methodologies. BASEL II the new capital accord establishes new requirements on operational risk control in banking. ICT is a key element of the operational risk and banks should adopt process driven approach to risk, information and operation. The Sarbanes-Oxley Act establishes new mandates for financial reporting based on internal control environment. Company s managers are fully responsible for the internal controls and should make statement about the internal control. Most financial reporting processes are driven by ICT, so strong information is also a key element. And information managers and other ICT professionals are held accountable for the quality and integrity of information produced by ICT. Security and Protection of Information

2 2 Starting points The regulation examples mentioned above present current situation in information. The new requirements do not distinguish among information, information risk, information security, ICT operations etc. There is just one control framework for information and the basic question is if any information is presented trustfully? 2.1 Information added value According to the current needs information has to find and defines an appropriate information added value (or ICT added value) much more extensively. There are tree general types of the added value connected with ICT: Increase automation an organization is able to align its business and information and enlarges its production and performance by using ICT the organization is effective (It does good thinks). Decrease costs an organization is able to use resources responsible and reduces costs and other expenses by using ICT the organization is efficient (It does thinks well). Manage risks an organization is able to adjust security measures and minimises security incidents, related risks and possible damages the organization is secure. Increase automation Decrease costs ICT added value Manage risks Figure 1: ICT added value The existing information needs and requirements stress all tree types of the information added value. There is an important issue to find a balance among all tree types, because it is not possible to realize ICT benefits without proper risk. On the other hand information risks should be in close connection to the ICT benefits and reflect them. This is a complex outlook on information sometimes called IT governance. 2.2 IT Governance and CobiT Methodology IT Governance is a structure of relationships and processes to direct and control the organization in order to achieve the organization s goals by adding value while balancing risk versus return over ICT and its processes. [1] CobiT (Control Objectives for Information and related Technology) [1] as an IT Governance model is a complex information framework and its basic idea says Information should reach effective balance between realising benefits by increase automation or decrease costs and managing risks. To accomplish this, information needs to identify most important activities to be performed, measure progress towards achieving goals and determine how well the ICT processes are performing. 84 Security and Protection of Information 2005

3 The COBIT concept is that control in ICT is approached by looking at information that is needed to support the business objectives or requirements, and by looking at information as being the result of the combined application of ICT resources that need to be managed by ICT processes. To satisfy business objectives, information needs to conform to certain criteria. The following tree basic elements form the CobiT framework: Information criteria present business goals and needs and their implications to information (effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability). ICT resources are available means which can be used by information (data, applications, technology, facilities, and people). ICT processes are all activities and tasks related to information form four broad domains (planning and organization, acquisition and implementation, delivery and support, and monitoring). In summary, in order to provide the information that the organisation needs to achieve its objectives, IT governance must be exercised by the organisation to ensure that ICT resources are managed by a set of naturally grouped ICT processes. CobiT as a useful tools calls attention to: Organization contribution ensuring effective IT governance and information, User orientation measuring up to business expectations, Operational excellence performing the ICT function with increasing credibility and impact, Future orientation building the foundation for future delivery and continuous learning and growth. CobiT methodology is ideal for establishing a complex and comprehensive control environment for information. But there is a significant shortage. The ICT processes are not defined so deeply in CobiT. It was not authors aim to describe all details, but it is better to use another guidance to implement information from the practical point of view. 2.3 Integrated information system requirements There are thee types of the ICT added value and successful information should integrate all aspects quality, reliability and security. This information system should be composed from the following: Good relationship with business and users of information and communication systems enhancing effectiveness is essential to a quality system; Effectiveness of all ICT operations based on proper IT service delivery and support reducing expenses is a main goal of an IT service system; Control and limitation of information security risks and possible damages is a key benefit of an information security system. Quality IT service CobiT Information security Figure 2: Integrated information system Security and Protection of Information

4 Are these tree different information systems compatible each other or not? And can effective and efficient integration stand on advantages and synergies of the systems? You can hear similar questions quite often these days. 3 Information system basic components The quality has quality systems based on ISO 9000 (or ISO in IT). The reliability establishes an IT service system follows recommendations of BS 15000, which generalizes ITIL and the security stands for information security system, which applies controls from BS or ISO Each system and its contribution to the integrated information system are discussed in the next text. 3.1 Quality system Quality is the totality of characteristics of a product or service that bear on the ability to satisfy stated and implied needs. [ISO 8402] A Quality Management System (QMS) is a well-known system emphasises an importance of customers and their requirements for any business. ISO 9001:2000 [2] is a familiar example of a collection of quality best practices. The principles are valid for information too, so business unit and user requirements are seriously important issues. Excellent information should systematically discover user ideas and transform them properly to the real life. QMS s added value is to increase automation and partly to decrease costs. An suitable level of internal process formalism (like process definition, resources, document, record ) is another advantage of QMS. The guidance ISO/IEC 90003:2004 [3] covers all aspects of software quality, from acquisition to supply, including development, operation and maintenance of computer software, and providing guidance on how to implement highly successful ISO 9001:2000 process driven approach in a software environment. The structure of the standard demonstrates the comprehensiveness of the five perspectives (see the figure 3). Management responsibility Quality system ISO/IEC Resource Product realization Measurement, analysis and improvements Figure 3: Basic structure of quality system for software engineering A lot of organizations are running QMS, so information can use QMS s tools and rules as guidance for document, resource, record etc. There is also useful to add a concept of information into QMS framework not to establish any parallel structures. QMS s culture in the organization is a useful asset too, so it can be promoted to include information and/or information security issues. 3.2 IT service system IT service is a described set of facilities, IT and non-it, supported by the IT service provider that fulfils one or more needs of the customer and that is perceived by the customer as a coherent whole. [15] IT Service Management (ITSM) is relatively a new approach to information, which is concentrated on ICT operation processes. ISTM is primary known as the process and service-focused approach to information. ITSM addresses the provision and support of IT services tailored to the needs of the organization. ITSM offers a common framework for ICT activities, as part of the provision of services, based on ICT infrastructure. These activities are divided into processes (see figure 4), which when used together provide an 86 Security and Protection of Information 2005

5 effective ITSM framework for service delivery and service support. ITSM brinks decrease costs and partly increase automation for the organization. Service delivery processes Capacity Service continuity and availability Release process Release Service level Service reporting Control processes Change Configuration Resolution processes Incident Problem Information security Budgeting and accounting for IT services Realationship Processes Business relationship Supplier Figure 4: IT service processes ITSM concept is defined by two standards: the first BS :2002 [5] describes system specification and a code of practice is presented by the second BS :2003 [6]. There is a huge public interest consequently both standards are adopting as new international standards ISO/IEC IT Service Management in short way. ITSM concentrates on high reliability a transparency of ICT operations. A primary aim is to define operation processes including relationship and measurements, monitor and supervise process realizations and enhance operation effectiveness based on results and trends. ITSM is an ideal way, how to control, monitor and improve internal ICT operations. ITSM is not just about the standards. The philosophy comes from IT Infrastructure Library (ITIL) which is a complex set guidance, how to design, build and run ITSM. The documents describing service delivery and service support are a core the whole ITIL library. 3.3 Information security system Information security is preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved. [8] An Information Security Management System (ISMS) concentrates on definition of processes connected with information risk analysis and treatment and the ICT added value is to manage risks. The standard BS :2002 [11] defines ISMS requirements and specifies how to design, enforce, control and improve information security. There is a draft of a new international standard ISO/IEC [12] based on BS :2002 and a final version is expected at the end of A key element of any ISMS is an information risk and treatment process which concentrates on choosing proper security objectives and controls. Security and Protection of Information

6 A code of practice for information security and other ISMS best practice are described in ISO/IEC 17799:2000 [7]. A new version is ready to be published by summer Information security categories on the following figure present the basic extend of ISO/IEC 17799:2005 [8]. ISO/IEC 17799:2005 Security policy Asset Access control Organizing information security Human resources security Physical and environmental security Communications and operations Information systems acquisition, development and maintenance Business continuity Information security incident Compliance Figure 5: Information security categories A draft of ISO/IEC Information security metrics and measurements [13] is currently in progress. An aim is to add tools, how to define measures and indicators into ISMS and sometimes it is called the 3 rd part of BS Shared principles of systems 4.1 PDCA Model All presented systems have a vital shared principle called PDCA Model (Plan Do Check Act). The model defines a basic cycle for each system. The cycle starts with planning of activities and defining expected results. Implementation and running as the second part is followed by monitoring all defined activities to have appropriate information on success of implementation, its strengths and weaknesses. This outputs and realised experiences should be used to continual improvement of the system. Plan Customers Requirements Satisfaction Do Check Act Requirements Satisfaction Suppliers Figure 6: PDCA Model concept 88 Security and Protection of Information 2005

7 PDCA Model external connections are important too. Customers (or users) are one side of externalities and suppliers are the other. The PDCA model requires a clear expression of customer requirements and proper monitoring their satisfaction. On the other hand the organization should define requirements to its suppliers and watch, how the suppliers fulfil the needs. PDCA Model is a key principle which makes possible to integrate tree systems concentrated on different topics. The other shared principles related to PDCA Model includes responsibility and commitment, resource, documentation and record control, awareness and training, reviews, continual improvement etc. 4.2 Standpoints to improve ISMS The conference main topic is information security and protection so we look at benefits of the information integration for ISMS. At first it is important to mentioned positive influence of QMS on ISMS. QMS is a well-known application of PDCA Model, so any good experience could be used for advocating ISMS. Using existing tools and following establish culture should be other preference for ISMS. Last but not least thing is share existing QMS structure in contradiction to create wholly new framework for ISMS. Relation between ITMS and ISMS contains more synergies. ITSM comprehends IT services as a fundament of information. Consequently it is advisable to apply this approach into ISMS. It means that IT services should be a starting point for risk analyses and risk treatment processes. This approach allows taking information security requirements as a part of IT service and including security into IT service reporting as a result. Change is other large room for collaboration ITSM and ISMS. ITSM offers deeper inspection and more detail description of change and related processes. ISMS can use this quite easy including configuration and release. Incident has a bit difficult situation, because ITSM recommendations should be join up with information security incident requirements defined by ISO/IEC TR 18044:2004 [9]. At the end it is necessary to warm, that availability and continuity have similar rules and residual problems are related to business comprehensions. 5 Conclusions It is not possible to discuss all information aspects and their information security consequences. The aim is to call attention to needs of joining different views. The integrated information system makes possible to take advantage of all existing similarities. It is clear that each discussed system stress its perspective, but there no barriers to improve each other. There are no limitations from this lookout. References [1] COBIT 3 rd Edition, Information Systems Audit and Control Foundation, ISACF [2] EN ISO 9001:2000 Quality systems Requirements. [3] ISO/IEC 90003:2004 Software engineering Guidelines for the application of ISO 9001:2000 to computer software. [4] Suryn, W., Hailey, V. A., and Coster, A.: Huge potential user base for ISO/IEC 90003, In ISO Focus, Volume 2, No.2, pp , February [5] BS :2002 IT Service Management Part 1: Specification for service. [6] BS :2003 IT Service Management Part 2: Code of practice for service. [7] ISO/IEC 17799:2000 Information Technology Security Techniques Code of practice for information security. [8] ISO/IEC FDIS 17799:2005 Information Technology Security Techniques Code of practice for information security. [9] ISO/IEC 18044:2004 Information Technology Security Techniques Information security incident. Security and Protection of Information

8 [10] Humphreys, T.: Being prepared to tackle threats to your business, In ISO Focus, Volume 2, No.2, pp , February [11] BS :2002 Information security systems Specification with guidance for use. [12] ISO/IEC FCD 24743:2004 Information Technology Security Techniques Information security systems requirements specification. [13] ISO/IEC 1 st WD 24742:2005 Information Technology Security Techniques Information security metrics and measurements. [14] [15] 90 Security and Protection of Information 2005