Samuel Sambasivam
Computer Science Department
Azusa Pacific University
Azusa, CA 91702, USA
ssambasivam@apu.edu
Abstract

During the last ten years, the role of formal information security standards has gained importance. In several ways, they can be helpful in achieving security of business information systems. One of them is the provision of comprehensive collections of evaluation criteria and security measures. Such can be the basis of a holistic security strategy in that they can act as basis for security policies and auditing schemes. Large enterprises appear to have determined security strategies and written security policies as a matter of course and in most cases it can be anticipated that formal standards have been their origin. As for firms from the medium size sector, this is less often the case. This paper deals with the acceptance of formal standards among medium enterprises. We analyze their suitability with respect to company size and discuss typical challenges to their implementation.

Keywords: Information Security, Medium Enterprises, Formal Standards, ISO 27001, Suitability
lack of interest or acceptance as well as a minor suitability.

Nevertheless, when dealing with the security of business information systems, the special conditions within the medium enterprise sector should not be missed out. In many European countries, medium enterprises are of special importance to the domestic economy. In Germany for example more than 90% of companies subject to value added tax (VAT) belong to this sector and realize around half of all annual turnovers (ISME 2004).

Barlette and Fomin studied the suitability of formal information security standards for small and medium enterprises based on the existing literature. Since there are very few publications directly addressing this topic, Barlette and Fomin explore the domain of quality assurance standards instead and draw conclusions by analogy. In contrast to their approach we try to answer the adequacy question based on practical experience using the case study methodology.

Barlette and Fomin come to the conclusion that small and medium enterprises are not capable of adopting formal IS standards at the present time. In our investigation, we go into deeper detail and investigate which kind of standard requirements present themselves as unattainable. This way we pave the foundation for decision making on whether a standard adoption is still beneficial - at least partwise or in a mitigated form.

2. BACKGROUND

2.1 Characteristics of Medium-Sized Companies

When talking about medium enterprises it is vital to find a working definition of how to classify them. Typically, there are two main figures through which medium enterprises are characterized: the number of employees being the first and the annual turnover being the second one. The European Union defines a medium enterprise as a company having 50 to 249 employees and having an annual turnover of between 9 and 50 million Euros. Other institutions like the German Institute for Small and Medium Enterprise Research use a slightly differing definition however. Aspects like the private ownership and the company’s legal status, in which the entrepreneur often has individual responsibility for the success and failure of the venture, play a role (ISME 2004). We applied a definition similar to that of the Institute for Small and Medium Enterprise Research, counting all enterprises to the medium size sector which have more than 40 employees and realize a revenue of more than 2 million Euros per year.

2.2 Considered Standards

Several standards and frameworks are available in the field of information security management. Subject to our comparison have been the ISO 27000 family, the Standard of Good Practice (SoGP) by the Information Security Forum and the IT Baseline Protection Manual by the German Federal Office for IT Security. The Control Objectives for Information and Related Technology (COBIT) as well as the IT Infrastructure Library (ITIL) are often mentioned in connection with IT security. Though the outcome of their implementation supports a company in establishing secure information systems, their main content deals with different matters, hence they have not been counted as IS standards.

The ISO 27000 standard family clearly plays an outstanding role in this realm. It originates from the standards BS7799 and ISO17799 respectively, which are found in older literature likewise, so they sometimes lead to confusion in conceptuality. The standard itself consists of a selection of so called “control objectives” and “controls”, each of which belongs to one of 13 sections representing a certain area of interest.

Figure 1: 11 Security domains of ISO 27001. Source: Ambi (n.d.)

ISO 27001 takes a “process approach” to security. That is, instead of describing security technology it defines operational procedures. These procedures are expected to be filled out with technical measures, but the standard itself is not very determined as to which these measures shall be.
decisive for whether the external validity of a survey is maintained. Case studies again rely on analytical generalization and therefore don’t constitute a sample which must be picked according to statistical rules (Yin 2003). The generalized findings should however be tested, e.g. by replicating them across cases and testing whether they hold true or not. The online survey has in some instances been used to do so. Using a multi method approach, coherences discovered during the study were tested against the survey results to test if the statistical data support the analytically gained findings.

Reliability is the fourth quality criterion of a case study and it is said to be achieved when the investigation process adheres to well documented standards assuring that a later investigator would come to the same conclusions about a case if he followed them. For this purpose Yin (2003, p.37) suggests the usage of a study protocol which, beneath an overview over the project, contains all procedures carried out as well as the study questions. Since the case study is based on an audit which itself is a well documented process, this requirement is naturally fulfilled.

3.2 Online Survey

The online survey was used to gain empirical data beyond the single case at hand. For this purpose, key business figures and some security relevant details were polled. (See appendix for more details on the survey instrument.)

3.2.1 Target Population

The target population of the survey was the entirety of medium sized enterprises, preferably with a number of employees between 40 and 100.

To cover all industries alike, we drew a random sample of this population by inviting participants via email and phone. The information base for the invitations has been taken from different sources like yellow pages, the chamber of commerce and trade directories obtained from industrial estates. All respondents participated voluntarily and no inclusion or exclusion criteria were defined.

3.2.2 Structure and Content of the Survey

The survey was divided into three sections (A, B, C). Section A polled general information which allows for a classification according to the number of employees, working domain, annual turnover etc. and could be used for sample stratification. Section B polled framework conditions of the company. As opposed to section A, it did however focus more on the inner structure and workings than on external figures such as the turnover. Section C reflected the current state of the company’s IT security or related matters. Especially it asked whether certain technologies or techniques are used.

4. RESULTS

4.1 Case Study Results

From the 133 controls contained in ISO 27001, we found 35 of them to be attainable with the available means, staff and skills. 68 controls were even found to be already compliant as a result of documented working procedures evolved without prior knowledge of the standard and derived from the company’s intuitive understanding of security. 30 controls have been marked as unattainable when attempting to implement them. Reasoning brought up four main rationales:

(A) A too weak market position. Large enterprises closing large deals with their business partners can justify demands such as including IT security terms into acquisition or cooperation contracts. The studied company does not invest enough turnover to make such demands (applicable to controls 8.1.2, 10.2.1, 12.1.1).

(B) Technical difficulties. Some controls require technical equipment which is not available. Off the shelf vendor software does not always satisfy requirements (10.6.1, 11.4.1, 11.4.4) but no better substitute can be found in the same price range. Also, procedures like testing a disaster recovery case cannot be fully carried out because fallback hardware is only available to a limited degree, i.e. IT systems are not 100% redundant, and testing anyway would interrupt the operation of the daily business (14.1.5). With the IT environment being a grown structure, inhomogeneity is common among the products used. Despite the small size of the network, vulnerability management is an exhausting task in the absence of affordable technical solutions. This results in the need to manage vulnerabilities manually. The same is true for regular reviews of user access rights (12.2.4) and source code management (12.4.3). Both tasks could be automated if better affordable solutions were available. Since they are not, it overworks available manpower.
(C) Skill/Staff shortage. With most employees being trained in the business’s main fields of activity, specialist knowledge in computer forensics and law is rather not available (6.1.5, 10.8.1, 13.2.3, 15.1.1, 15.1.4).

Among other techniques, ISO 27000 utilizes segregation of duties as an organizational measure to achieve transparency and therewith security. Segregation however requires individuals between which duties can be segregated. Given the small number of IT employees a segregation is often not achievable (10.1.3, 10.10.4, 15.3.1).

Some demanded security management tasks are in the nature of their work attainable; the time needed to carry them out lies however by far beyond what is available to IT staff. Additional employees would be needed to keep track with them. Examples are a complete asset management, functionally testing each software update or patch as well as input/output validation for vendor products (10.3.2, 12.2.1, 12.2.2, 12.2.4, 12.5.4, 12.6.1).

(D) Doubtful cost-benefit relation. Some measures like the physical barriers and entry controls (9.1.1, 9.1.2) have a doubtful cost-benefit relation. The same is true for the helpdesk service management (9.2.4) and an even more detailed incident response plan (13.2.1).

Due to its fields of activities, some controls do not apply to the audited company. Controls 10.9.1 through 10.9.3 for example deal with security in electronic commerce systems. Since no such system is in place, they could be skipped.

4.2 Survey Results

The survey had a total amount of some 30 valid and plausible responses which fall under the working definition of medium enterprises. As for the companies’ working domain, the IT industry makes up the largest group of industries, however it doesn’t constitute the majority of answers. Reaching from construction engineering over media to controlling, the sample covers several industries.

The response rate of the survey was around 5 percent. While it is obviously desirable to have higher rates, the relatively low rate does not necessarily prevent results from being generalizable to a bigger population. Non-response can have different causes and it is important to highlight that a low response rate taken by itself does not imply a low quality of the sample. Whether a result is generalizable despite a low response rate depends on its reasons. More precisely: a high response rate is neither essential nor sufficient. Schnell et al. (2005) point out that the generalizability of sample results depends on whether the participation behavior is linked to the matter of study. Further they state that if there is no link present one can assume that responses are “missed at random” so that there is not necessarily a skew at hand.

4.2.1 Answers

Practically all responding companies stated that their company IT was business critical to them (96%) but only a small part of them (17%) had a written IT security policy in place.

Key business figures and security policies. Furthermore, the annual turnover can be found to have no measurable influence on whether the company makes use of formal standards or not.

Nearly a third of the interrogated companies stated that they had experienced security related incidents in the past. This was usually more than once and in two instances the company even filed a complaint. There is no recognizable correlation between company size and the frequency of occurrence of security incidents. Except in one case, all companies that had experienced security incidents didn’t have a written security policy and vice versa.

Impact of general business regulation on security management. Several of the responding companies said their business underlay a governmental regulation such as those for engineering disciplines, quality standards for food production or manufacturing of pharmaceuticals. We anticipated that regulated professions could make more frequent use of formal standards as they could display proper handling of potential security risks to regulatory authorities. We found however no connection between the regulation of businesses and the application of formal security standards – that is, companies operating in regulated businesses do not have written security policies more often. The same is true for the adoption of and certification according to other standards such as ISO 9000 for process quality management. In fact even most (otherwise) certified companies did not have a written security policy, and those which had a security policy in place did not have any (other) certification.

Cooperation and mutual agreements. Some formal security standards such as ISO 27000 require organizations to have mutual security agreements and require cooperating parties to maintain the same level of security standards. All companies which had a written IT security policy did also have cooperation contracts with other parties. The reverse is however not true. Several companies did not have a security policy despite the fact that they were in a contractual (cooperation) relationship with other organizations. The research assumption that cooperation contracts could therefore lead to companies encouraging others in elaborating a policy cannot be affirmed based on the data at hand. It might however still be the case. Eventually this can just not be shown because so few medium enterprises do use IS standards. When two companies not adhering to standards set up a cooperation relationship, there is no encouraging motivation existent. Pointedly analyzing standard compliant companies could reveal more on this.

Security policies and workload. Another aspect of interest is the burden of workload imposed by implementing a formal standard. Intuitively it should be expected that as the amount of manpower grows, so does the capability to implement a standard and hence the company is more likely to use one.

We polled the amount of IT manpower available to the organization and determined the proportion of the total amount of employees to the amount of IT personnel. Proportions did however display a big variance, so it was not possible to conclude that with a growing amount of employees, IT staff or a better proportion in both of them it would be more likely for the company to have a security policy.

As for the overall amount of time needed to implement a policy, responses indicated a workload between one and twelve months depending on the company size.

Availability of key qualifications. Some key qualifications are requirements for the successful implementation of a security standard. A data protection policy for example is a prerequisite, but for its elaboration the essential skills must be present within the organization. Concerning this, the survey asked for the existence of a legal department, employees trained in data protection law and computer forensics. As expected, all companies which have a security policy also have a data protection policy in place. Companies do however have a data protection policy three times as often as they have a security policy. A legal department again is an uncommon thing among respondents and nearly all companies that have one anyway are the ones having a security policy. All employees trained in computer forensics work in a company having a security policy. Legal skills as well as those in computer forensics fall together with the existence of a security policy. It is remarkable that external help appears typically not to be sought.

Appraisal of business decisions. Some questions in survey section C were designed to spot check the current state of IT security within the organization. It has been anticipated that only few respondents have made use of an IS standard. To verify if the waiver of IS standards can be rationalized from a technical and from a business perspective, some questions tried out if the company’s current IT environment is based upon a profound basis taking information security into account.

The survey asked how IT system maintenance responsibilities are arranged, whom security related incidents are reported to and how properly IT facilities having different security levels are separated from each other. Finally it asked if the business value of certain services and therefore the financial damage in case of outages is known to the company’s management.

All these aspects of IT security are handled in the considered IS standards but would at the same time be explicable by common sense. Their accomplishment would argumentatively assist the company’s negligence of IS standards. Failing them however hints to a potential misconception of what is necessary to maintain the company’s IT environment’s security.

Practically all respondents did answer they had clearly lined out responsibilities for IT tasks. At the same time nearly half of them stated that non-IT staff were involved in maintaining IT systems, which according to expectations is more likely to lead to mishandling.

Nearly one fourth mixes private information processing facilities with corporate ones, which is an ideal prerequisite for information leakage in either direction.

Approximately half of the companies have not determined whom security incidents are reported to. Instead they follow a per incident strategy and decide in the event of a disaster, which does neither support a prompt incident response nor does it guarantee that IT staff can obtain eventually required authorization of far reaching measures that might be necessary for system recovery.

Most companies are not able to estimate the business value of their IT services and the losses that occur in case of downtime. In consequence, the business decisions about if and how to protect these assets have been made without knowledge of their actual value to the company.

4.3 Generalization of results and comparison with case study results

As pointed out above, four main rationales for why the audited company cannot straightforwardly implement ISO 27001 have been observed during the case study. Assuming that “structural conditions” in medium enterprises in general are similar to those at the studied company, we conclude that these will probably apply to a larger picture. This assumption is supported by the survey results.

Some elements of uncertainty remain. In 3.1.2 we mentioned that the attainability of standard controls has been determined on the basis of the company’s own assessment. Though most assessments were based on rather invariant facts like the availability of certain management software on the retail market, or the availability of manpower, this assessment could be more or less distinct in other cases. However, while single standard controls could be assessed with another outcome in different cases, it appears unlikely that the proportion of attainable and unattainable controls would be completely different.

The too weak market position (rationale A) is due to the company’s overall amount of turnover and the part of it that is invested into IT. Since the term medium enterprise is for one thing defined based on the company’s turnover, it can be anticipated that this situation will not be significantly different in other companies.

The technical difficulties stated in rationale B are due to a lack of available technical off the shelf solutions in a price range that is affordable measured by the company’s IT budget. So the potential generalizability of this point goes back to rationale A. The same applies to rationale D (doubtful cost-benefit relation).

In terms of the skill and staff shortage (rationale C), it is visible that the structure drawn by the survey is quite similar to the one observed at the audited company. In this aspect the survey militates in favor of the generalizability of the case study.

5. CONCLUSIONS

Most literature on the topic of formal information security standards approaches this topic from the regulatory compliance side, hence putting an emphasis on business aspects. The effectiveness and technical aspects of formal standards are discussed in a series of papers such as those by Siponen (2006), Hoehne & Eloff (2002) and Rahmel (2007). Data about the customariness of standard driven security strategies as well as statistics on which of them are used predominantly can be found in popular annual survey reports like those by Ernst & Young and Deloitte Touche. Anyhow, until now literature typically illuminates the subject without specific regards to medium enterprises. As an empirical investigation, we delivered an insight into the information security culture of medium sized enterprises and therewith contributed to closing this gap.

It has been determined how common it is for medium enterprises to make use of formal information security standards and put formal security policies into place. Using a case study as research methodology it has been assessed which parts of today’s most common formal standards are unattainable and would therefore justify negligence or mitigation of parts of their content. By auditing a medium sized enterprise’s current state of IT security and its implementation capabilities of ISO 27001 as an example standard, it could be demonstrated that the object of study could implement 77% of the overall requirement. While this means that not all requirements can be met right away, it also demonstrates that the great majority can. In line with (BSI100-2), the amount of compliant and attainable controls represents the pareto-part of all possible security measures.

The fact that 51% of standard controls were not implemented at the audited company but were attainable right away, re-
Institute for SME Research Bonn: SMEs in Germany - Facts and Figures (2004). http://www.ifm-bonn.org/ergebnis/sme-2004.pdf

ISACA: COBIT 4.1 Executive Summary (2007). http://www.isaca.org/AMTemplate.cfm?Section=Downloads&Template=/ContentManagement/ContentDisplay.cfm&ContentID=34172

ISMS User Group: Certificate Register (2008). http://www.iso27001certificates.com

ISO: The ISO Survey of ISO 9000 and ISO 14000 Certificates (2000). http://www.iso.org/iso/survey10thcycle.pdf

Martins, A. & Eloff, J.H.P.: Measuring Information Security (2001). Proceedings of Workshop on Information Security – System Rating and Ranking, Virginia.

National State Auditors Association & U.S. General Accounting Office: Management Planning Guide for Information Systems Security Auditing (2001). http://www.gao.gov/special.pubs/mgmtpln.pdf

Rahmel, J.: Einfuehrung in die Informationssicherheit [German] (2007). http://www.wi2.uni-trier.de/de/cms/teaching/Sommersemester2007/VorlesungInformationssicherheit/InfoSec-1-Informationssicherheit-070603.pdf

Rea, Luis M. & Parker, Richard A.: Designing and Conducting Survey Research (2005). Third Edition – Wiley, ISBN 0-7879-7546-X.

Schnell et al.: Methoden der empirischen Sozialforschung [Empirical social research methodology] (2005). Oldenbourg, ISBN 3-486-57684-4.

Siponen, Mikko: Information Security Standards Focus on the Existence of Process, not its Content (2006). Communications of the ACM. http://doi.acm.org/10.1145/1145287.1145316

Szakats, Daniel: IT Maturity and Sourcing Strategies (2004). http://www.ifi.unizh.ch/egov/Diplomarbeit_Szakats.pdf

Tellis, Winston: Introduction to Case Study (1997). The Qualitative Report, Volume 3, Number 2 [Online]. http://www.nova.edu/ssss/QR/QR3-2/tellis1.html

Thelen, Mary J.: Integrating process improvement, ISO 9000 and TQM in SITA Research and Development (1997). The TQM Magazine, Volume 9, Issue 4, pp. 265–269. ISSN 0954-478X, DOI 10.1108/09544789710181880, Publisher: MCB UP Ltd.

University of Melbourne: IT & ITIL based Glossary of Terms (2008). http://servicedesk.unimelb.edu.au/knowledgebase/itservices/a-z/p.html

Yin, Robert K.: Case Study Research – Design and Methods (2003). Applied Social Research Methods Series, Volume 5, Third Edition – Sage Publications, ISBN 0-7619-2552-X.
8. APPENDICES