Information Security Measurement Roles and Responsibilities

Conference paper

In: Emerging Trends in Computing, Informatics, Systems Sciences, and Engineering

Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 151)

Abstract

An adequate information security management system (ISMS) that minimizes business risks and maximizes return on investment and business opportunities is increasingly recognized as a key differentiator. It sustainably maintains legal compliance, commercial image and competitive edge. Because information security (IS) requirements (from the market, customers, technology, law or regulations) change ever faster, the effectiveness and performance of the ISMS must be continually evaluated and improved: data must be recorded and analyzed, and where necessary appropriate corrective or preventive actions must be taken. These measurement and improvement tasks require assigned roles and responsibilities. First we define the different roles and their tasks for IS measurement and improvement. Starting from the approved organizational structure, we assign the responsibilities for these roles to top and executive management. We then elaborate and document all relevant business processes together with their supporting IT services, and continue through all technical layers, describing the relevant items with their dependencies and relationships. Responsibilities for the defined roles are assigned to all processes, services and items systematically, consistently and traceably. This innovative, systemic and strategically aligned approach has been implemented successfully by several medium-sized organizations for several years. In our experience it increased IS awareness, alignment of IT with business goals, service orientation, process and systems thinking, and the understanding of the requirements of other organizational units.



Corresponding author

Correspondence to Margareth Stoll .


Copyright information

© 2013 Springer Science+Business Media New York

About this paper

Cite this paper

Stoll, M., Breu, R. (2013). Information Security Measurement Roles and Responsibilities. In: Sobh, T., Elleithy, K. (eds) Emerging Trends in Computing, Informatics, Systems Sciences, and Engineering. Lecture Notes in Electrical Engineering, vol 151. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-3558-7_2

  • DOI: https://doi.org/10.1007/978-1-4614-3558-7_2

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-3557-0

  • Online ISBN: 978-1-4614-3558-7

  • eBook Packages: Engineering (R0)
