Information security Management (1): Three levels of organization

In fact, an organization that we can think of is composed of a number of columns of information processing activities, as the organization expands and grows, information processing and control becomes more and more difficult, so we need to manage and monitor information security. According to the Faculty of Computer Science at Duke University and the University of Sydney, all organizations can be viewed and managed from a three-level system, so we can manage and control information security issues from these three levels of systems. These three levels are:fromal, informal, Technical, because in fact translated into Chinese these three words is quite disgusting, this article or in English to express different information levels, the corresponding meaning is: formal level, informal level, and technical level. It represents the management and operation level of formal system-organization, the cultural level of informal system-organization, and the technical level of Technical system-organization. The goal of information security management is to use a series of controls to maintain the integrity of these three levels of the organization (Integrity). In this paper, the scope and principles of the system are described in detail, which is the basis of the management system.

Key concepts:

1. The organization is composed of three levels of systems, Fromal system,informal system,technical system;
2. The organization uses the various controls to manage and control these three level system;
3. The purpose of all controls is to maintain the integrity of the Organization, which is to maintain the consistency of the three-tier system.

1 Three levels of the organization

This part mainly introduces the definition of three level system and the content of responsibility. Information security in fact refers to the organization of these three levels of system consistency, that is, the organizational structure of the formal system, informal system of organizational culture, and technical system technology applications, should be for the purpose of the organization exists, And should help the organization achieve its stated goals.

1.1 Formal System

Formal system defines the entire organization, in fact formal system is what we say in the management of the Organization, focus on the processing of information in the Organization's operations, such as flow direction, including the organization structure, rules and regulations, organizational strategy and other things. In the formal system, we often develop a number of organizational operations rules that help organizations achieve unity in the process of running.

But for a man-made organization, only a series of rules and regulations is far from enough, especially in the field of information security. We can help manage operations (formal system) more efficiently and efficiently with a range of technical means (i.e., technical control of the technical system), while We also need to manage our Organization's culture to help us prevent the organization's confidential information from being disclosed intentionally or unintentionally by its internal personnel.

In general, we want to control the technical control and organizational culture for the purpose of making formal system operational success.

• Defines all major ' official ' information handling of the organisation
• Rule based and tends to bring about uniformity
• Misinterpretation of the formal system can be detrimental
• Computerisation of major information flow to bring about efficiencies and effectiveness are possible-but not enough

1.2 Informal System

Informal system actually refers to the sub-culture of the organization, is the expansion of the formal system. The difficulty is to unify the people's viewpoint, the goal and the goal, the means is to establish the appropriate enterprise culture, establishes the appropriate symbolic system (this refers to in the personnel exchange, we should define some symbols and the words, then everybody, sees this symbol and this word, can have to the state of affairs more unified and the clear understanding, This piece of domestic companies do not really good, most of us do not realize the importance of semantics, which will be discussed in detail later. For example: In the film "50 Gray", the "safety words" set by the male and female protagonists are such things that when they say "safe words", they know that they should stop or perform other reactions. ）

• Represents organisation ' s sub-culture where meanings is established, intentions is understood, beliefs is formed, commi Tments and responsibilities are made, altered and discharged
• A natural means to augment the formal systems
• Groups with overlapping memberships is possible as size of organisation grows
• Challenges of differences in opinions, goals, and objectives

1.3 Technical System

The Technical system refers to the technical aspects of the Organization's operations, that is, the information system we use within the company, which is designed to make our operations and management more efficient and effective, as well as the areas of technical attention. But if you want to become an expert in the field of information security, it is not enough to actually know this level of technology, we must know that the purpose of technology is to support management, so want to become an expert in information security, on the basis of mastery of technology, but also in-depth understanding of the internal logic of organizational operations, this part, See if there is a chance to expand in the field of management to say a bit.

The technical system level deserves to be the automation part of the formal system, playing the role of supporting the formal system within the organization. So, in fact, without the technical control of the formal system, it makes no sense.

• Automated parts of the formal system
• Presupposes the existence of a formal system
• Could be problematic if no formal system exists
• Plays supportive role to the formal system

Different control modes for 23-level systems

We believe that management is a control, corresponding to different levels of organizational systems, because their properties and scope are not the same, we have to use different control methods to manage. But our aim is to maintain the consistency of these three systems.

2.1 Formal control

So formal control mainly includes support type of technical control, organizational structure control, strategic direction of control, but also for employees to frame their responsibilities and rights. The most important part of this is the design of the personnel responsibility (responsibilities) and the authority (authorities) , which is one of the most important research parts in modern management. A good management structure, should be the right and power balance, can not appear some people's rights too big responsibility is too small (such as many state-owned enterprise leadership, can determine the entire company's resource allocation and direction, but do not need to pay too much responsibility for the results of the company's operations, which led to the result is the slogan loud, disappointing results), Or a person with too much responsibility but too little power (this part of the situation will be less.) ）

Complement: In formal system is the company operation, in my personal view, the most important is the Enterprise Strategy (strategy) customization, because this is the mission and core value of the enterprise, is the goal of the enterprise, is the high value of the enterprise. Under the strategy, we allocate specific implementation plans (plan) According to strategic needs, allocate resources according to plan, including personnel, assign responsibilities (responsibilities) and rights (authorities) in the distribution of human resources. Finally, the plan is implemented more efficiently through technical means (technical system) to achieve strategic objectives.

• Support technological controls
• Approach at organisational level
• Implementing structured is management
• Giving Strategic Direction
• Representation from a wide range of functional areas
• Hiring and termination standards
• Fair practices and moral leadership
• Protect Management from claims of negligent duty
• Compliance with the requirements of data protection legislation

2.2 Informal control

At the informal control level, the most efficient thing about security management is the enhancement of security awareness, because I've seen a lot of corporate employees, almost no sense of information security, In particular, some of his personal will not have much influence, do not need to be personally responsible for the security of information, sometimes casually say, this is a very dangerous behavior for the enterprise. For example, a secretary who records in a high-level meeting, when chatting with members of other companies, accidentally disclosed the company's latest strategic direction and strategic distribution, which will lead to the risk of being a competitor to know, so as to customize the program can be specific restraint. Could have been a good strategic plan, but now it is a burden.

The core of informal control is the development of the security awareness, which is achieved by continuing education and training programs, preferably by building a suitable security culture, because the cultural system can be self-reinforcing.

• Security awareness is a cost effective control
• Increased awareness should be supplemented with a ongoing education and training program
• Training and awareness is extremely important in developing ' trusted ' core of the firm
• An environment of developing a common belief system

2.3 Technical Control

The technical level of control is primarily validation (authentication) and access control. Then includes the firewall and other control means.

• Authentication and access Control
• Firewalls and de-militarised Zones
• Network segmentation: The big networking is a small net area.
• End-Point security: In the user Terminal control, such as the need to download the app and software to connect, in the terminal software to do some security design.
• Malicious content control

The implementation of information security technology should take into account the balance of cost and income, after all, for most companies, information security as a supporting part of the company's operations, the implementation of it should not affect the company's original revenue.
Implementation of technological solutions is dependent upon cost justifying the controls. Effectiveness of Technical controls:technical Controls alone is often not enough. Consider constituting well thought baseline organisational controls

3 overall framework of the organizational structure

The overall framework of the organizational structure should be based on the formal system as the core, technical system as an automated means of efficient operation management of the formal system, and then informal system management as formal System management and support in the enterprise culture.

3.1 Structure and standard of information system security standards and frameworks

Many of the standards and frameworks are described in more detail in later blogs.

3.2 Content of information security design institutionalising information security

To design a good efficient information security management structure, we first need a good organizational structure, then the policy and procedural framework, and the access Control and the organization of the hierarchical structure together to maintain good consistency of communication, at the same time to develop professional ethics standards and trust mechanism.

• Organisational structure
• Policy and procedural framework
• Linking access rights to the hierarchical level
• For efficiency and effectiveness purposes
• The reality is more complex than formal or the technical aspects of the system
• Maintaining consistency in communication
• Ensuring proper interpretation of information
• Ethics and Trust

4 Information security experts ' recommendations and requirements information security specialist

To become an expert in information security, it is not enough to know the knowledge at the technical level, in the more systematic information security management, the core is the way of management, technology is the tool to achieve efficiency and effectiveness.

• Work towards getting the right certification (CISSP, CISM, SABSA, Gias ...)
• Increase your skills in risk management, disaster recovery, standards and compliance
• If so inclined...build a home lab.
• Get involved in a project working with strategic partners
• Consider an internship on IS
• Take a second look at government jobs
• Adopt A multidisciplinary approach

5 knots (TU) language (CAO)

In fact, I really do not have any interest in information security management ... You even want me to write a blog to learn younger sister after the reference ... Is...
But this whole system really is a very perfect, very front-line system. The main applications are in IT consultant.

Reference documents:

1. Principles of information Security systems–texts and Cases–gurpreet dhillon-chapter 1: Information Sys Tem security:nature and Scope

Information Security Management (1): Three facets of an organization