The purpose of this article is to explore the possible integrate use of Control Objectives for
Information Technology (COBIT), Balanced Scorecard (BSC) frameworks for strategic information security management and Systems Security Engineer-Capability Maturity Model (SSE-CMM). The objective is to explore the strengths, weaknesses, implementation techniques, and potential benefits of such an integrated framework. This integration is achieved by “bridging” the gaps or mitigating the weaknesses that are recognized within one framework, using the methodology prescribed by the second framework. Thus, integration of COBIT and BSC can provide a more comprehensive mechanism for strategic information security management – one that is fully aligned with business, IT and information security strategies. The use of SSECMM as a tool for performance measurement and evaluation can ensure the adoption of a continuous improvement approach for successful sustainability of this comprehensive framework. There are some instances of similar studies conducted previously:
- metrics based security assessment (Goldman & Christie, 2004) using ISO 27001 and SSE-CMM
- mapping of processes for effective integration of COBIT and SEI-CMM (IT Governance Institute, 2007
- mapping of COBIT with ITIL and ISO 27002 (IT Governance Institute, 2008) for effective management and alignment of IT with business
The factor that differentiates this research study from the previous ones is that none of the previous studies integrated BSC, COBIT and SSE-CMM, to formulate a comprehensive framework for strategic Information Security Management (ISM) that is aligned with business, IT and information security strategies. Therefore, a valid opportunity to conduct this research study exists.
Threats to security of business information, information-based assets, intellectual property, and privacy of personal information are increasing. According to Privacy Rights Clearinghouse (2009), a consumer privacy protection foundation, more than 250 million records containing sensitive personal information were involved in security breaches in the U.S. since January 2005. In order to proactively deal with these growing threats and to protect the security and privacy of information-based assets, organizations are increasingly adopting information security management systems (ISMS).
Although organizations use several established international standards and frameworks like ISO27001, ISO 27799, ISO27002, NIST, FIPS, ANSI, etc. for information security management, the primary driving factor for such implementations are regulatory compliance requirements (Turner, Oltsik & McKnight, 2008). In order to be compliant with requirements of applicable industry regulations like Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), Gramm Leach Bliley Act (GLBA), Children’s Online Privacy Protection Act (COPPA), Family Educational Rights and Privacy Act (FERPA), etc., organizations adopt ISMS and frameworks. The IT organization also adopts best practices and supporting tools like IT Infrastructure Library (ITIL), Control Objectives for Information Technology (COBIT),
Capability maturity Model Integration (CMMI), Six Sigma, etc. for IT service, support, quality management and information security management.
The strategic integration of these frameworks and tools is not easy for the organization as successful implementation is dependent upon a range of factors, from organizational culture to training of employees (Elci, Ors & Preneel, 2008). Organizations can gain additional value and benefits by using a combination of standards and best practices (for strategic ISM). This is supported by studies showing the combination of ISO, ITIL and COBIT (Turner, Oltsik & McKnight, 2008). There are also other examples of combination of standards such as ISO and SSE-CMM that have been used for metrics based security assessment (Goldman & Christie, 2004) and other studies that show the mapping of processes for effective integration of COBIT and SEI-CMM (IT Governance Institute, 2007a). A research report released by the IT Governance Institute (2008) in collaboration with the Office for Government Commerce (OGC) maps COBIT with ITIL and ISO 27002, stating that using this combination of standards and best practices can lead to effective management and alignment of IT with business.
This study proposes the integrated use of Control Objectives for Information Technology (COBIT) and Balanced Scorecard (BSC) frameworks for strategic information security management. The goal is to investigate the strengths, weaknesses, implementation techniques, and potential benefits of such an integrated framework. Such an integrated framework bridges the gaps or mitigates the weaknesses that are recognized within one framework, using the methodology prescribed by the second framework. Thus, the integration of COBIT and BSC can provide a more comprehensive mechanism for strategic ISM – one that is fully aligned with business, IT and information security strategies. It is also important to measure and evaluate the performance of the integrated “strategic information security management framework” using a standards based model, like the Systems Security Engineering Capability Maturity Model (SSECMM).
What is the problem?
Organizations are increasingly using ISM frameworks in order to mitigate risks and reduce threats to business assets (mainly information assets). A purely technical approach to implementation of information security controls proves insufficient in addressing the strategic objectives of the organization. As displayed in Figure 1 below, according to the results of a Global Information Security Survey (Ernst & Young, 2008), the primary drivers for investment and implementation of such ISM frameworks are mainly regulatory compliance requirements, loss of revenue, loss of stakeholder confidence, loss to brand and reputation, etc. According to a survey by Computer Weekly (2008), the deployment of such controls is generally counter-productive as 68 percent of surveyed staff admitted to bypassing their employer’s information security controls in order to do their jobs. This indicates that the investment made by the organization (for technology alone) will either provide low or inadequate returns, resulting in revenue losses and even higher operational expenditures. It also establishes the fact that there is a gap between the information security controls and the overall business and IT strategy of the organization. Hence, a more comprehensive approach to ISM is being recommended by several IT security and governance organizations.
Figure 1. Primary drivers for ISM deployment (Ernst & Young, 2008).
Since the implementation of ISM frameworks is more reactive than proactive, the focus is mostly on implementation of technical controls to prevent security and privacy breaches. As a result, the strategic significance of the ISM framework is either never realized fully or the true potential to transform the business, by using the ISM framework strategically, is ignored. This leads to the existence of ISM processes and procedures that are not aligned with the business objectives of the organization. This fact is highlighted in Figure 2 below, which shows that only 18% of the organizations surveyed had information security strategy as an integrated part of their overall business strategy. The results of this survey show that alignment between business, IT and information security strategies is still not being taken into consideration while deploying ISM processes. A well-aligned approach will not only help mitigate risks and apply technical controls, but also potentially provide benefits to the business. Interestingly, a small number of organizations have started realizing the value of investing in well-aligned business, IT and information security strategies, thereby boosting investment in governance, risk and compliance management as well. According to AMR Research (2008), governance, risk management, and compliance (GRC) spending exceeded $32B for 2008, up 7.4% from 2007, as companies shift toward identifying, assessing, and managing risk across numerous business and IT areas.
Figure 2. Perception of information security strategy (Ernst & Young, 2008).
The above discussion implies that any new ISM framework that is developed, must address not only information security processes and controls, but also the alignment of such processes and controls with an organization’s overall business and IT strategies. Moreover, it is imperative to take into consideration the aspects of governance, risk and compliance to build a truly comprehensive framework. Therefore, the goal of this research study is to develop an integrated framework that addresses the need for information security requirements as well as alignment between business, IT and information security strategies.
Significance of the Problem
Strategic information security management is gaining increasing importance within organizations, becoming almost imperative as security threats continue to escalate (Sipior & Ward, 2008). According to a new study by McAfee (2009), data theft and breaches from cybercrime may have cost businesses as much as $1 trillion globally in lost intellectual property and expenditures for repairing the damage in 2008. According to a survey by Deloitte Financial and Advisory Services (2009), 91% of public corporations expect fraud to increase or remain the same in 2009. The number of information security incidents reported by federal agencies jumped from 5,146 in fiscal 2006 to 12,986 in 2007, with a 70 percent increase in unauthorized access to federal networks alone, according to a report from the U.S. Office of Management (Aitoro, 2008). Figure 3 below points to an obvious lack of effective information security measures – both technical and management-focused, because regulatory compliance is often the primary driver for deployment of ISM programs within an organization (Pironti, 2006). It is critical for organizations to implement effective solutions for information security management that are based on strategic objectives. The focus of information security is generally more towards deploying technical tools and systems instead of using a comprehensive framework that includes people, processes, technology, procedures and policy (Siegel, Sagalow, & Serritella, 2003). The use of tools and systems alone, can lead to gaps in an organization’s business, IT and information security units. These gaps can also be further exploited due to lack of organizational IT governance mechanisms, resulting in a non-aligned approach to information security
management. Although establishing an information security management system (ISMS) can address most issues, there are still certain other gaps that need to be addressed in areas like governance, alignment and management (Business Software Alliance, 2003).
Figure 3. Significance of regulatory compliance in ISM (Pironti, 2006)
According to a survey conducted by Society for Information Management (2008), a lack of alignment of business, IT, and information security translates into lower revenues for companies. As shown in Figure 4 below, the fact stated above is further validated by an IT Governance Global Status Report (IT Governance Institute, 2008) indicating that between 2005 and 2008 the number of organizations reporting a disconnect between IT strategy and business strategy increased by almost 30%.
Another important reason for the low success rate of ISM programs across various organizations is the lack of corporate governance and ownership of information security issues. Information security management must be considered as part of the business and it is imperative to assign responsibility for managing information security to board level, as business information is a valuable and critical corporate asset. In order to mitigate risks caused by inadequate corporate governance with respect to information security management, a holistic and comprehensive framework for information security management must be developed such that it not only addresses technical aspects of security but also takes into account business alignment, IT governance, and measurement and evaluation (Von Solms, 2001).
Figure 4. IT Governance global status report of 2008 (IT Governance Institute, 2008)
The purpose of this research study is to formulate an ISM framework that is aligned with business, IT and information security strategies. The main components of such an organizational ISM framework consist of:
1. Information Security Process Management and Control System
COBIT is an international open standard that defines requirements for the control and security of sensitive data and provides a reference framework (ISACA, 2008). COBIT consists of process domains and detailed process controls that can be applied to the ISM functions within an organization. According to Von Solms (2005), COBIT positions itself as ‘the tool for information technology governance’ and it is therefore not exclusive to information security. It also embeds Information Security governance within a wider Information Technology governance framework, which is good because it provides an integrated platform (architecture/structure) for wider Information Technology governance. Thus, COBIT can be used to satisfy the requirement of a management and control system for ISM. According to PriceWaterhouseCoopers (2006), between 2003 and 2006, the awareness of COBIT has tripled amongst the general IT population, while awareness in the general population of the existence of COBIT has increased by 50 percent.
2. Business/IT/Information Security Alignment mechanism
The existence of a management and control framework for ISM does not necessarily guarantee that the ISM practices are aligned with business and IT strategy. Hence, a mechanism that aligns business, IT and information security strategies is extremely crucial for the successful implementation of a comprehensive ISM framework. An ISM framework that provides robust security and controls but does not fit the organizational objectives would fail to achieve its full purpose and be detrimental to business functions.
In order to avoid such a situation, it is important to use an alignment mechanism. Thebalanced scorecard (BSC) is a strategic planning and management system that is used extensively in business and industry, government, and nonprofit organizations worldwide to align business activities to the vision and strategy of the organization, improve internal and external communications, and monitor organization performance against strategic goals (Balanced Scorecard Institute [BSCI], 2009). The usefulness of the BSC has made it arguably the most successful and widely accepted mechanism that organizations adopt in order to achieve strategic alignment. The total usage of BSC has doubled between 1993 and 2006 with about 57% of global companies working with the BSC in one or more functions (Rigby, 2009). The use of a cascading BSC approach can lead to the effective communication of the key drivers of success to every business unit and employee within an organization, while also providing an opportunity for contribution to the overall success of an organization (Niven, 2006). Therefore, it is imperative to use a BSC approach in conjunction with COBIT, in order to align information security processes and controls with the broader business strategy and ensure the development of a strategic ISM framework.
3. Measurement and Performance Evaluation mechanism
The implementation of a strategic framework for ISM would be incomplete if its success cannot be quantitatively measured. In order to achieve this, a standardized performance management and evaluation mechanism is required. COBIT provides a stand-alone maturity model for each of its domains, but it cannot be used as a comprehensive measurement tool (Simonsson, Johnson, & Wijkström, 2007). The SSE-CMM model describes the essential characteristics of an organization’s security engineering process that must exist to ensure good security engineering (SSE-CMM.org, 2009). SSE-CMM is internationally recognized and a widely accepted model for measurement and evaluation of the maturity of security processes and controls across the organization. The deployment of an SSE-CMM approach can help the organization develop a continuous improvement approach to ISM and achieve higher levels of competence and capability as related to ISM processes and procedures.
Figure 5. Solutions/Frameworks used for ISM (IT Governance Institute, 2008).
The proposed integration of COBIT, Balanced Scorecard and SSE-CMM, can potentially lead to the development of strategically aligned ISM framework. In order to fulfill the requirements for such a comprehensive framework, organizations are increasingly using an integrated approach of more than one tool or mechanism. This is evident in Figure 5 above, from the IT Governance Global Status Report (IT Governance Institute, 2008), which shows that a large number of organizations use an internally developed framework to address their ISM requirements, which usually consists of more than one internationally recognized tool or mechanism.