Study Reports on Managing IT Security In Organization

Description
Information security (sometimes shortened to InfoSec) is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take.

STUDY REPORTS ON MANAGING IT SECURITY IN ORGANIZATIONS

Information technology security, or computing system security, is one of the most important issues that businesses all over the world strive to deal with. However, the world has changed, and in essential ways. The desktop computer and workstation have appeared and proliferated widely. The net effect of all this has been to expose the computer-based information system, i.e. its hardware, its software, its software processes, its databases and its communications, to an environment over which no one, not the end user, not the network administrator or system owner, not even government, has control.

Purpose: Since IT security has a very broad spectrum and encompasses many issues, we focus our research by taking a critical look at how business organizations manage IT security, with specific emphasis on administrative and physical controls.

Methods: When the authors of this paper approached the topic to be studied, it soon became evident that the most relevant and interesting task was not merely to investigate how business and non-business organizations manage their IT security, but to understand what lies behind their choices. The purpose of this paper demands a deeper insight into how organizations address the issue of computer security; the authors wanted to gain a deeper understanding of how security issues have been, or are being, tackled by the organizations. Thus, the qualitative method was most suitable for this study.

Conclusion: Based on the chosen approach, the result of this study has shown that both business and non-business organizations located in Jönköping recognize the importance of IT security, and are willing to protect their systems from threats such as unauthorized access, theft, fire and power outages, to ensure the smooth running of their systems at all times.

Table of Contents

1 Introduction ........ 1
1.1 Background of the Study ........ 1
1.2 Problem of the Study ........ 2
1.3 Purpose of the Study ........ 2
1.4 Research Questions ........ 2
1.5 Research Audience ........ 2
1.6 Disposition ........ 2

2 Theoretical Framework ........ 3
2.1 Security Planning and Plan ........ 3
2.1.1 Contents of a Security Plan ........ 4
2.1.1.1 Policy ........ 4
2.1.1.2 Current Security Status ........ 5
2.1.1.3 Requirements ........ 5
2.1.1.4 Recommended Controls ........ 5
2.1.1.5 Responsibility for Implementation ........ 5
2.1.1.6 Timetable ........ 6
2.1.1.7 Continuing Attention ........ 6
2.1.2 Business Continuity Plans ........ 7
2.1.3 Incident Response Plans ........ 7
2.1.4 Advance Planning ........ 8
2.1.5 Response Team ........ 8
2.2 Risk Analysis ........ 8
2.2.1 The Nature of Risk ........ 9
2.2.2 Steps of a Risk Analysis ........ 9
2.2.3 Reasons For and Against Risk Analysis ........ 10
2.3 Organizational Security Policies ........ 11
2.3.1 Characteristics of a Good Security Policy ........ 11
2.4 Physical Security ........ 12
2.4.1 Natural Disasters ........ 12
2.4.1.1 Flood ........ 12
2.4.1.2 Fire ........ 12
2.4.1.3 Other Natural Disasters ........ 12
2.4.2 Power Loss ........ 13
2.4.3 Human Vandals ........ 13
2.4.4 Contingency Planning ........ 13
2.4.4.1 Backup ........ 13
2.4.4.2 Offsite Backup ........ 13
2.4.4.3 Networked Storage ........ 14
2.4.4.4 Cold Site ........ 14
2.4.4.5 Hot Site ........ 14

3 METHODOLOGY ........ 14
3.1 Choice of method ........ 14
3.2 Method of analysis ........ 15
3.3 Data collection ........ 16
3.4 Choice of respondents ........ 16
3.5 Trustworthiness: Validity and Reliability ........ 17

4 EMPIRICAL FINDINGS ........ 18
4.1 Saab Training Systems ........ 18
4.1.1 Security plan ........ 18
4.1.2 Risk analysis ........ 19
4.1.3 Security policy ........ 19
4.1.4 Disasters and physical threats ........ 19
4.2 Jönköping University ........ 19
4.2.1 Security plan ........ 19
4.2.2 Risk analysis ........ 19
4.2.3 Security Policy ........ 20
4.2.4 Disasters and Physical threats ........ 20
4.3 Kitron Development AB ........ 20
4.3.1 Security Plan ........ 20
4.3.2 Risk Analysis ........ 20
4.3.3 Security Policy ........ 21
4.3.4 Disasters and Physical threats ........ 21
4.4 Elite Stora Hotellet, Jönköping ........ 21
4.4.1 Security Plan ........ 21
4.4.2 Risk Analysis ........ 21
4.4.3 Security Policy ........ 22
4.4.4 Disasters and Physical threats ........ 22
4.5 Scandic Hotel ........ 22
4.5.1 Security Plan ........ 22
4.5.2 Risk Analysis ........ 22
4.5.3 Security policy ........ 22
4.5.4 Disasters and Physical Threats ........ 22

5 ANALYSIS ........ 23
5.1 Security Plan ........ 24
5.2 Risk Analysis ........ 24
5.3 Security Policy ........ 25
5.4 Disasters and Physical Threats ........ 25

6 CONCLUSION ........ 26
6.1 General Conclusion ........ 26
6.2 Final Discussion ........ 27
6.3 Recommendations for further studies ........ 27

Appendix ........ 30

1 Introduction

This chapter includes the background of the study, problem of the study, purpose of the study and disposition of the study.

1.1 Background of the Study

Information technology security, or computing system security, is one of the most important issues that businesses all over the world strive to deal with. The IT security issue, as it was understood in the 1960s and even later, was how to create in a computer system a group of access controls that would implement or emulate the processes of the prior paper world, plus the associated issues of protecting such software against unauthorized change, subversion and illicit use, and of embedding the entire system in a secure physical environment with appropriate management oversight and operational doctrine and procedures. The poorly understood aspect of security was primarily the software issue, with, however, a collateral hardware aspect: namely, the risk that hardware might malfunction or be penetrated and subvert the proper behavior of software. For the related aspects of communications, personnel, and physical security, there was a plethora of rules, regulations, doctrine and experience to cover them. It was largely a matter of merging all of it with the hardware/software aspects to yield an overall secure system and operating environment.

However, the world has now changed, and in essential ways. The desktop computer and workstation have appeared and proliferated widely. The Internet is flourishing and the reality of a World Wide Web is in place. Networking has exploded and communication among computer systems is the rule, not the exception. Many commercial transactions are now web-based; many commercial communities have moved into a web posture. The "user" of any computer system can literally be anyone in the world. Networking among computer systems is ubiquitous; information system outreach is the goal. The net effect of all this has been to expose the computer-based information system, i.e. its hardware, its software, its software processes, its databases and its communications, to an environment over which no one, not the end user, not the network administrator or system owner, not even government, has control. What must be done is to provide appropriate technical, procedural, operational and environmental safeguards against threats as they might appear or be imagined, embedded in a societally acceptable legal framework.

And appear threats did, from individuals and organizations, national and international. The motivations to penetrate systems for evil purpose or to create malicious software (generally with an offensive or damaging consequence) vary from personal intellectual satisfaction to espionage, to financial reward, to revenge, to civil disobedience, and to other reasons. Information system security has moved from a largely self-contained, bounded environment interacting with a generally known and disciplined user community to one of worldwide scope with a body of users that may not be known and are not necessarily trusted. Importantly, security controls have to deal with circumstances over which there is largely no control and no expectation of avoiding their impact. IT security, as it has evolved, shares a similarity with liability insurance: both face a threat environment that is known in a very general way and can generate attacks over a broad spectrum of possibilities, but the exact details, or even the time or certainty of an attack, are unknown until an event has occurred (Pfleeger and Pfleeger, 2003).

1.2 Problem of the Study

Most business organizations consider issues relating to computing system security or IT security to be very sensitive. There are many threats to security in computing systems. The costs of these threats, should they materialize, could be very high; hence the need to protect computing systems and also to have measures in place that reduce the effects of security threats after they occur.

1.3 Purpose of the Study

We want to focus our research by taking a critical look at how business organizations manage IT security with specific emphasis on administrative and physical controls.

1.4 Research Questions

How have business and non-business organizations:

• Planned or not planned their computing system security
• Analyzed risks, if any
• What security policy they have, and
• What physical controls there are.

1.5 Research Audience

It is our hope that business organizations and non-business institutions will find our project useful as a guide to securing their computing systems physically and administratively, which is just one aspect of the entire IT security structure.

1.6 Disposition

The following disposition will outline the thesis structure and content.

Chapter 1: This chapter includes the background of the study, problem of the study, purpose of the study and disposition of the study.

Chapter 2: This chapter outlines the theoretical framework of IT security with reference to a number of authors in the field of IT security. We look at the basis of our project from four related areas: security planning, risk analysis, security policy and physical controls (Pfleeger and Pfleeger, 2003).

Chapter 3: This chapter presents the methodology used to examine how organizations and institutions in Jönköpings Län manage their IT security administratively and physically. The purpose is to create an understanding of the chosen methods in order to ensure the quality of the information-collection procedure as well as the credibility of the study. Furthermore, the chapter considers the process of interpreting the information.

Chapter 4: This chapter presents the empirical findings from the study. The information retrieved from the interviews is presented by developing case descriptions along some key variables.

Chapter 5: In this chapter, we present an analysis of our findings collected through interviews and questionnaires in relation to the theoretical framework.

Chapter 6: This chapter summarizes the entire report based on the empirical findings and analysis. It also contains the final discussion as well as recommendations for further studies.

2 Theoretical Framework

In this chapter we present the theoretical framework of information technology security with reference to a number of authors in the field of IT security. We look at the basis of our project from four related areas: security planning, risk analysis, security policy and physical controls (Pfleeger and Pfleeger, 2003).

2.1 Security Planning and Plan

Years ago, when most computing was done on mainframe computers, data processing centers were responsible for protection. Responsibility for security rested neither with the programmers nor the users but instead with the computing centers themselves. These centers developed expertise in security, and they implemented many protection activities in the background, without users having to be conscious of protection needs and practices (Pfleeger et al., 2003).

Since the early 1980s, the introduction of personal computers and the general ubiquity of computing have changed the way many of us work and interact with computers. In particular, a significant amount of the responsibility for security has shifted to the user and away from the computing center. But many users are unaware of this responsibility, so they do not deal with the risks posed or do not implement simple measures to prevent or mitigate problems. Unfortunately, there are many common examples of this neglect. Things we would protect if they were on paper are ignored when they are stored electronically. For example, a person who carefully locks up paper copies of company confidential records overnight may leave a personal computer running on a manager's desk. In this situation, a curious person walking past can retrieve confidential memoranda and data. For this and other reasons, every organization using computers to create and store valuable assets should perform thorough and effective security planning.

A security plan is a document that describes how an organization will address its security needs. The plan is subject to periodic review and revision as the organization's security needs change. A good security plan is an official record of current security practices, plus a blueprint for orderly change to improve those practices. The impact of the security plan is very important: a carefully written plan, supported by management, notifies employees that security is important to management and therefore to everyone. Thus, the security plan has to have the appropriate content and produce the desired effects (Pfleeger et al., 2003).

2.1.1 Contents of a Security Plan

According to Pfleeger et al. (2003), every security plan must address seven issues:

• Policy, indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals.
• Current state, describing the status of security at the time of the plan.
• Requirements, recommending ways to meet the security goals.
• Recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements.
• Accountability, describing who is responsible for each security activity.
• Timetable, identifying when different security functions are to be done.
• Continuing attention, specifying a structure for periodically updating the security plan.

2.1.1.1 Policy

A security plan must state the organization's policy on security. A security policy is a high-level statement of purpose and intent. The policy statement should specify the following:

• The organization's goals on security. For example, should the system protect data from leakage to outsiders, protect against the loss of data due to physical disaster, protect the data's integrity, or protect against loss of business when computing resources fail? What is the higher priority: serving customers or securing data?
• Where the responsibility for security lies. For example, should the responsibility rest with a small computer security group, with each employee, or with relevant managers?
• The organization's commitment to security. For example, who provides security support for staff, and where does security fit into the organization's structure?

2.1.1.2 Current Security Status

To be able to plan for security, an organization must understand the vulnerabilities to which it may be exposed. The organization can determine the vulnerabilities by performing a risk analysis: a careful investigation of the system, its environment, and the things that might go wrong. The risk analysis forms the basis for describing the current status of security. The status can be expressed as a listing of organizational assets, the security threats to the assets, and the controls in place to protect the assets.
2.1.1.3 Requirements

The heart of the security plan is its set of security requirements: functional or performance demands placed on a system to ensure a desired level of security. The requirements are usually derived from organizational needs. Sometimes these needs include the need to conform to specific security requirements imposed from outside, such as by a government agency or a commercial standard. Pfleeger et al. point out that organizations must distinguish the requirements from constraints and controls. A constraint is an aspect of the security policy that constrains, circumscribes, or directs the implementation of the requirements. A control, on the other hand, is an action, device, procedure, or technique that removes or reduces a vulnerability.
2.1.1.4 Recommended Controls

The security requirements lay out the system's needs in terms of what should be protected (Ware, 1984). The security plan must also recommend what controls should be incorporated into the system to meet those requirements.
2.1.1.5 Responsibility for Implementation

A section of the security plan should identify which people are responsible for implementing the security requirements. This documentation assists those who coordinate their individual responsibilities with those of other developers. At the same time, the plan makes explicit who is accountable should some requirement not be met or some vulnerability not be addressed. That is, the plan notes who is responsible for implementing controls when a new vulnerability is discovered or a new kind of asset is introduced. According to Pfleeger (2000), many roles are played by the people building, using, and maintaining the system. Each role can take some responsibility for one or more aspects of security. For example, let us consider the groups listed below.

• Personal computer users may be responsible for the security of their own machines. Alternatively, the security plan may designate one person or group to be coordinator of personal computer security.
• Project leaders may be responsible for the security of data and computations.
• Managers may be responsible for seeing that the people they supervise implement security measures.
• Database administrators may be responsible for the access to and integrity of data in their database.
• Information officers may be responsible for overseeing the creation and use of data; these officers may also be responsible for retention and proper disposal of data.
• Personnel staff members may be responsible for security involving employees, for example, screening potential employees for trustworthiness and arranging security training programs.

2.1.1.6 Timetable

A comprehensive security plan cannot be executed instantly. The security plan includes a timetable that shows how and when the elements of the plan will be performed. These dates also give milestones so that management can track the progress of implementation. If the implementation is to be a phased development (that is, the system will be implemented partially at first, and then functionality or performance will be added in later stages), the plan should also describe how the security requirements will be implemented over time. Even when overall development is not phased, it may be desirable to implement the security aspects of the system over time. For example, if the controls are expensive or complicated, they may be acquired and implemented gradually. Similarly, procedural controls may require staff training to ensure that everyone understands and accepts the reason for the control. The plan should specify the order in which the controls are to be implemented so that the most serious exposures are covered as soon as possible. A timetable also gives milestones by which to judge the progress of the security program.

Furthermore, the plan must be extensible. Conditions will change: new equipment will be acquired, new degrees and modes of connectivity will be requested, and new threats will be identified. The plan must include a procedure for change and growth, so that the security aspects of changes are considered as part of preparing for the change, rather than adding security after the change has been made. The plan should also contain a schedule for periodic review. Even though there may have been no obvious, major growth, most organizations experience modest change on a daily basis. At some point the cumulative impact of the change is enough to require the plan to be modified.
2.1.1.7 Continuing Attention

Good intentions are not enough when it comes to security. Institutions and corporate bodies must not only take care in defining requirements and controls, but they must also find ways for evaluating a system's security to be sure that the system is as secure as they intend it to be. Thus, the security plan must call for reviewing the security situation periodically. As users, data, and equipment change, new exposures may develop. In addition, the current means of control may become obsolete or ineffective (such as when faster processor times enable attackers to break an encryption algorithm). The inventory of objects and the list of controls should periodically be scrutinized and updated, and risk analysis performed anew. The security plan should set times for these periodic reviews, based either on calendar time (such as, review the plan every nine months) or on the nature of system changes (such as, review the plan after every major system release).


2.1.2 Business Continuity Plans

Small companies working on a low profit margin can literally be put out of business by a computer incident. Large, financially sound businesses can weather a modest incident that interrupts their use of computers for a while, although it is painful to them since they do not want to spend money unnecessarily. The analysis is sometimes as simple as: no computers means no customers, which means no sales, which means no profit (Pfleeger et al., 2003). Government agencies, educational institutions, and nonprofit organizations also have limited budgets, which they want to use to further their needs. They may not have a direct profit motive, but being able to meet the needs of their customers (the public, students, and constituents) partially determines how well they will fare in the future. All kinds of organizations must plan for ways to cope with emergency situations.

A business continuity plan documents how a business will continue to function during a computer security incident. An ordinary security plan covers computer security during normal times and deals with protecting against a wide range of vulnerabilities from the usual sources. A business continuity plan deals with situations having two characteristics:

• Catastrophic situations, in which all or a major part of a computing capability is suddenly unavailable.
• Long duration, in which the outage is expected to last for so long that business will suffer.

There are many situations in which a business continuity plan would be helpful. Here are some examples that typify what one might find in reading articles and newspapers:

• A fire destroys a company's entire network.
• A seemingly permanent failure of a critical software component renders the computing system unusable.
• A business must deal with the abrupt failure of its supplier of electricity, telecommunications, network access, or other critical service.
• A flood prevents the essential network support staff from getting to the operations center.

As one can see, these examples are likely to recur, and each disables a vital function. The key to coping with such disasters is advance planning and preparation, identifying activities that will keep a business viable when the computing technology is disabled. According to Pfleeger et al., the steps in business continuity planning are these:

• Assess the business impact of a crisis.
• Develop a strategy to control impact.
• Develop and implement a plan for the strategy.

2.1.3 Incident Response Plans

An incident response plan tells the staff how to deal with a security incident. In contrast to the business continuity plan, the goal of incident response is handling the current security incident, without regard for the business issues. The security incident may at the same time be a business catastrophe, as addressed by the business continuity plan. But as a specific security event, it might be less than catastrophic (that is, it may not interrupt business severely) but could be a serious breach of security, such as a hacker attack or a case of internal fraud. An incident could be a single event, a series of events, or an ongoing problem. An incident response plan should:

• Define what constitutes an incident
• Identify who is responsible for taking charge of the situation
• Describe the plan of action.

These procedures should be spelt out in advance because "creating these items during a crisis will lead to costly mistakes" (Tipton and Krause, 2001).

2.1.4 Advance Planning

As with all planning functions, advance planning works best because people can think logically, unhurried, and without pressure. What constitutes an incident may be vague. One cannot know the details of an incident in advance. Typical characteristics include harm or risk of harm to computer systems, data, or processing; initial uncertainty as to the extent of damage; and similar uncertainty as to the source or method of the incident. For example, you can see that the file is missing or the home page has been defaced, but you do not know how or by whom or what other damage there may be.

In organizations that have not done advance planning, chaos may develop at this point. "One of the most important things you can do to protect your organization from disaster is to plan for that disaster" (Russell and Gangemi, 1991). Someone calls the network manager. Someone sends email to the help desk. People start to investigate on their own, without coordinating with the relevant staff in other departments, agencies, or businesses. And there is a lot of conversation, rumor, and misinformation: more heat than light.

2.1.5 Response Team

The response team is the set of people charged with responding to the incident. The response team may include:

• Director: person in charge of the incident, who decides what actions to take and when to terminate the response. The director is typically a management employee.
• Lead technician: person who directs and coordinates the response. The lead technician decides where to focus attention, analyzes situation data, documents the incident and how it was handled, and calls for other technical people to assist with the analysis.
• Advisor(s): legal, human resources, or public relations staff members as appropriate.

In a small incident a single person can handle more than one of these roles. Nevertheless, it is important that there be a single person in charge, a single person who directs the response work, a single point of contact for employees and users, and a single point of contact for the "public."

2.2 Risk Analysis

Good, effective security planning includes a careful risk analysis. A risk is a potential problem that the system or its users may experience. A risk may be distinguished from other project events by looking for three things, as suggested by Rook (1993):

• A loss associated with an event. The event must generate a negative effect: compromised security, lost time, diminished quality, lost money, lost control, lost understanding, and so on. This loss is called the risk impact.
• The likelihood that the event will occur. There is a probability of occurrence associated with each risk, measured from 0 (impossible) to 1 (certain). When the risk probability is 1, we say we have a problem.
• The degree to which we can change the outcome. We must determine what, if anything, we can do to avoid the impact or at least reduce its effects. Risk control involves a set of actions to reduce or eliminate the risk.

In general, there are three strategies for risk reduction:

1. avoiding the risk, by changing requirements for security or other system characteristics
2. transferring the risk, by allocating the risk to other systems, people, organizations, or assets; or by buying insurance to cover any financial loss should the risk become a reality
3. assuming the risk, by accepting it, controlling it with available resources, and preparing to deal with the loss if it occurs

Risk analysis is the process of examining a system and its operational context to determine possible exposures and the potential harm they can cause. Thus, the first step in a risk analysis is to identify and list all exposures in the computing system of interest. Then, for each exposure, possible controls and costs are identified. The last step is a cost and benefit analysis: Does it cost less to implement a control or to accept the expected costs of the loss? (Rook, 1993).

2.2.1 The Nature of Risk

In our everyday lives, we take risks. In crossing the road or playing the lottery, we take the chance that our actions may result in some negative result, such as being injured or losing money. Consciously or unconsciously, we weigh the benefits of taking the action against the possible losses that might result. Just because there is a risk to a certain act, one does not necessarily avoid it; one may look both ways before crossing the street, but we do cross it. In building and using computer systems, we must take a more organized and careful approach to assessing the risks. Many of the systems we build and use can have a dramatic impact on life and health if they fail. For this reason, risk analysis is an essential part of security planning. We cannot guarantee that systems will be risk free; that is why security plans must address actions needed should an unexpected risk become a problem. And some risks are simply part of doing business; for example, we must plan for disaster recovery, even though we take many steps to avoid disasters in the first place.

2.2.2 Steps of a Risk Analysis

Risk analysis for security is adapted from more general management practices, placing special emphasis on the kinds of problems likely to arise from security issues. By following well-defined steps, we can analyze the security risks in a computing system. The basic steps of risk analysis as suggested by Canavan, J.E. (2001), are listed below:

1. Identifying and prioritizing assets.
2. Determining vulnerabilities.
3. Identifying threats and their probabilities.
4. Identifying countermeasures.
5. Developing a cost-benefit analysis.
6. Developing security policies and procedures.
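The steps above can be carried through as a small worked register. The following script is an added example and is not part of the study or of the cited authors' work: it models each exposure with the three attributes from Rook (1993) (impact, a probability in [0, 1], and a set of candidate controls), ranks exposures by expected loss, and for each one applies the cost-benefit question from the text, choosing a control only when the loss it avoids exceeds its annual cost and otherwise assuming the risk. Every asset name, probability and cost in it is constructed for illustration.

```python
"""Worked risk analysis register (added example, not from the study).

Each exposure has an impact (loss if the event occurs), an annual probability
in [0, 1] and candidate controls. Expected loss = probability x impact. A
control is recommended when the expected loss it avoids exceeds its cost;
otherwise the risk is assumed. Probability 1 is reported as a "problem", as
the text defines it. All figures below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Control:
    name: str
    annual_cost: float            # cost of running the control for one year
    residual_probability: float   # likelihood of the event once the control is in place


@dataclass
class Exposure:
    asset: str
    threat: str
    probability: float            # 0 (impossible) .. 1 (certain), per year
    impact: float                 # loss if the event occurs, in currency units
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.asset}/{self.threat}: probability must be in [0, 1]")

    @property
    def expected_loss(self) -> float:
        """Risk exposure: probability times impact (annualised expected loss)."""
        return self.probability * self.impact


def control_benefit(exposure: Exposure, control: Control) -> float:
    """Annual loss avoided by the control (expected loss before minus after)."""
    residual = control.residual_probability * exposure.impact
    return exposure.expected_loss - residual


def recommend(exposure: Exposure) -> Dict[str, object]:
    """Decide the risk-control strategy for one exposure.

    'problem' - probability is 1, so this is no longer a risk but a live problem
    'control' - the named control's avoided loss exceeds its annual cost
    'assume'  - no candidate control pays for itself; accept and prepare for the loss
    """
    if exposure.probability == 1.0:
        return {"strategy": "problem", "control": None, "net_benefit": 0.0}
    best: Optional[Control] = None
    best_net = 0.0
    for control in exposure.controls:
        net = control_benefit(exposure, control) - control.annual_cost
        if net > best_net:
            best, best_net = control, net
    if best is None:
        return {"strategy": "assume", "control": None, "net_benefit": 0.0}
    return {"strategy": "control", "control": best.name, "net_benefit": round(best_net, 2)}


def prioritise(exposures: List[Exposure]) -> List[Exposure]:
    """Step 1 of the analysis: order exposures by expected loss, largest first."""
    return sorted(exposures, key=lambda e: e.expected_loss, reverse=True)


def sample_register() -> List[Exposure]:
    """Constructed sample data (hypothetical figures, not from any organisation)."""
    return [
        Exposure("server room", "fire", 0.02, 500_000,
                 [Control("gas fire suppression", 6_000, 0.002)]),
        Exposure("file server", "theft", 0.05, 40_000,
                 [Control("reinforced door and lock", 3_000, 0.01)]),
        Exposure("mail server", "power outage", 0.30, 8_000,
                 [Control("UPS", 1_500, 0.02)]),
    ]


def analyse(exposures: List[Exposure]) -> List[Dict[str, object]]:
    """Produce the prioritised register with a decision per exposure."""
    rows = []
    for e in prioritise(exposures):
        rows.append({"asset": e.asset, "threat": e.threat,
                     "expected_loss": round(e.expected_loss, 2), **recommend(e)})
    return rows


if __name__ == "__main__":
    for row in analyse(sample_register()):
        print(row)
```

Note that the output is only as good as the probability estimates, which the text's "lack of accuracy" argument warns about; what the ranking reliably conveys is relative size, for example that the fire exposure dwarfs the others, not that the expected loss is exactly the printed figure.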

2.2.3 Reasons For and Against Risk Analysis

Risk analysis is a well-known planning tool, used often by auditors, accountants, and managers. In many situations, such as obtaining approval for new drugs, new power plants, and new medical devices, a risk analysis is required by law in many countries. There are many good reasons to perform a risk analysis in preparation for creating a security plan.

• Improve awareness. Discussing issues of security can raise the general level of interest and concern among developers and users. Especially when the user population has little expertise in computing, the risk analysis can educate users about the role security plays in protecting functions and data that are essential to user operations and products.
• Relate security mission to management objectives. Security is often perceived as a financial drain for no gain. Management does not always see that security helps balance harm and control costs.
• Identify assets, vulnerabilities, and controls. Some organizations are unaware of their computing assets, their value to the organization, and the vulnerabilities associated with those assets. A systematic analysis produces a comprehensive list of assets, valuations, and risks.
• Improve basis for decisions. A security manager can present an argument such as "I think we need a firewall here" or "I think we should use token-based authentication instead of passwords." Risk analysis augments the manager's judgment as a basis for the decision.
• Justify expenditures for security. Some security mechanisms appear to be very expensive and without obvious benefit. A risk analysis can help identify instances where it is worth the expense to implement a major security mechanism. Justification is often derived from examining the much larger risks of not spending for security.

However, despite the advantages of risk analysis, there are several arguments against using it to support decision making.

• False sense of precision and confidence. The heart of risk analysis is the use of empirical data to generate estimates of risk impact, risk probability, and risk exposure. The danger is that these numbers will give us a false sense of precision, thereby giving rise to an undeserved confidence in the numbers. However, in many cases the numbers themselves are much less important than their relative sizes. Whether an expected loss is $100,000 or $150,000 is relatively unimportant. It is much more significant that the expected loss is far above the $10,000 or $20,000 budget allocated for implementing a particular control.
• Hard to perform. Enumerating assets, vulnerabilities, and controls requires creative thinking. Assessing loss frequencies and impact can be difficult and subjective. A large risk analysis will have many things to consider. Risk analysis can be restricted to certain assets or vulnerabilities.
• Immutability. It is typical on many software projects to view processes like risk analysis as an irritating fact of life, a step to be taken in a hurry so that the developers can get on with the more interesting jobs related to designing, building, and testing the system. For this reason, risk analyses, like contingency plans and five-year plans, have a tendency to be filed and promptly forgotten. But if an organization takes security seriously, it will view the risk analysis as a living document, updating it at least annually or in conjunction with major system upgrades.
• Lack of accuracy. Risk analysis is not always accurate, for many reasons. First, we may not be able to calculate the risk probability with any accuracy, especially when we have no past history of similar situations. Second, even if we know the likelihood, we cannot always estimate the risk impact very well. And third, we may not be able to anticipate all the possible risks.

2.3 Organizational Security Policies

A key element of any organization's security planning is an effective security policy. A security policy must answer three questions: who can access which resources in what manner? A security policy is the set of decisions that, collectively, determines an organization's posture towards security (Cheswick & Bellovin, 1994). A policy document is written in broad enough terms that it does not change frequently. The information security policy is the foundation upon which all protection efforts are built. It should be a visible representation of priorities of the entire organization, definitively stating underlying assumptions that drive security activities. The policy should articulate senior management's decisions regarding security as well as asserting management's commitment to security (Pfleeger et al., 2003). Security policy applies to all use of any form of automated data processing of information, all staff of the company, its agents and contractors and is sanctioned by the board (Roberts, D.W., 1990). The key objective of the security policy is to protect the organizational resources, while giving due consideration to the impact on user productivity. The security policy should be uniformly enforced across the enterprise (Ahuja, V., 1996).

2.3.1 Characteristics of a Good Security Policy

According to Pfleeger et al. (2003), certain characteristics make a security policy a good one:

• Coverage. A security policy must be comprehensive: It must either apply to or explicitly exclude all possible situations. Furthermore, a security policy may not be updated as each new situation arises, so it must be general enough to apply naturally to new cases that occur as the system is used in unusual or unexpected ways.
• Durability. A security policy must grow and adapt well. In large measure, it will survive the system's growth and expansion without change. If written in a flexible way, the existing policy will be applicable to new situations. However, there are times when the policy must change, so the policy must be changeable when it needs to be. An important key to durability is keeping the policy free from ties to specific data or protection mechanisms that almost certainly will change.
• Realism. The policy must be realistic. That is, it must be possible to implement the stated security requirements with existing technology. Moreover, the implementation must be beneficial in terms of time, cost, and convenience; the policy should not recommend a control that works but prevents the system or its users from performing their activities and functions.
• Usefulness. An incomplete security policy will not be implemented properly, if at all. The policy must be written in language that can be read, understood, and followed by anyone who must implement it or is affected by it. For this reason, the policy should be succinct, clear, and direct.

2.4 Physical Security

Physical security is the term used to describe protection needed outside the computer system. Physical resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states: transmission, storage, and processing (Whitman & Mattord, 2004). Typical physical security controls include guards, locks, and fences to deter direct attacks. In addition, there are other kinds of protection against less direct disasters, such as floods and power outages; these, too, are part of physical security.

2.4.1 Natural Disasters

Computers are subject to the same disasters that can occur to homes, stores, and automobiles. They can be flooded, burned, melted, hit by falling objects, and destroyed by earthquakes, storms, and tornadoes. Additionally, computers are sensitive to their operating environment, so excessive heat or inadequate power is also a threat. It is impossible to prevent natural disasters, but through careful planning it is possible to reduce the damage they inflict (Adam, J., 1992).

2.4.1.1 Flood

Water from a natural flood comes from ground level, rising gradually, and bringing with it mud and debris. Often, there is time for an orderly shutdown of the computing system; at worst, the organization loses some of the processing in progress. At other times, such as when a dam breaks, a water pipe bursts, or the roof collapses in a storm, a sudden flood can overwhelm the system and its users before anything can be saved. Water can come from above, below, or the side. The machinery may be destroyed or damaged by mud and water, but most computing systems are insured and replaceable by the manufacturer.
2.4.1.2 Fire

Fire is more serious than water; often there is not as much time to react, and human lives are more likely to be in immediate danger. Fire can cause havoc indirectly, if attempts are made to douse it with foam, sprinklers or hoses (Hawker, A., 2000).
2.4.1.3 Other Natural Disasters

Computers are subject to storms, earthquakes, volcanoes, and similar events. Although not natural disasters, building collapse, explosion, and damage from falling objects can be considered in the same category. These kinds of catastrophes are difficult to predict or estimate.

2.4.2 Power Loss

Computers need electricity and they require a constant, pure supply of it. With a direct power loss, all computation ceases immediately. Because of possible damage to media by sudden loss of power, many disk drives monitor the power level and quickly retract the recording head if power fails. For certain time-critical applications, loss of service from the system is intolerable; in these cases, an alternative complete power supply must be instantly available.

2.4.3 Human Vandals

Since computers and their media are sensitive to a variety of disruptions, a vandal can destroy hardware, software, and data. Human attackers may be disgruntled employees, bored operators, saboteurs, or people seeking excitement. If physical access is easy to obtain, crude attacks using axes or bricks can be very effective. Physical attacks by unskilled vandals are often easy to prevent; a guard can stop someone approaching a computer installation with a threatening or dangerous object. When physical access is difficult, more subtle attacks can be tried, resulting in quite serious damage. People with only some sophisticated knowledge of a system can short-circuit a computer with a car key or disable a disk drive with a paper clip. These items are not likely to attract attention until the attack is completed. Attacks or threats can sometimes be classified as being deliberate (e.g. hacker penetration) or accidental (e.g. message sent in error to the wrong address) (Ford, W., 1994).

2.4.4 Contingency Planning

The key to successful recovery is adequate preparation. Seldom does a crisis destroy irreplaceable equipment; most computing systems, from personal computers to mainframes, are standard, off-the-shelf systems that can be easily replaced. Data and locally developed programs are more vulnerable because they cannot be quickly substituted from another source. The following are some of the measures organizations can prepare in advance so that they can recover after a crisis occurs:

2.4.4.1 Backup

A backup is a copy of all or a part of a file to assist in reestablishing a lost file. In professional computing systems, periodic backups are usually performed automatically, often at night when system usage is low. Everything on the system is copied, including system files, user files, scratch files, and directories, so that the system can be regenerated after a crisis. This type of backup is called a complete backup. Complete backups are done at regular intervals, usually weekly or daily, depending on the criticality of the information or service provided by the system.
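A complete backup is only worth what can actually be restored from it, so the check a practitioner wants is a trial restore compared against a record of what was backed up. The script below is an added example, not code from the study or from any cited author: it copies every file under a directory into one archive (the "complete backup" of the text), writes a SHA-256 manifest to keep beside the offsite copy, restores into a separate directory and reports any file that is missing or whose contents differ. The directory tree, file names and contents are constructed in a temporary directory so the script runs offline; the archive path and the name of the manifest file are assumptions of this example.

```python
"""Complete backup with an integrity manifest and a restore check.

Added example, not from the study. Every file under `source` goes into one
tar.gz archive; a manifest of per-file SHA-256 digests is written beside it so
the offsite copy can be checked before it is relied on. The sample tree is
constructed in a temporary directory, so this runs offline.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def complete_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under `source`; return {relative path: sha256}."""
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(str(path), arcname=rel)
    # Manifest file name is an assumption of this example; store it with the offsite copy.
    Path(str(archive) + ".manifest.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into `target`.

    Where the interpreter offers tarfile's 'data' filter (3.12+ and the patched
    security releases of 3.8-3.11) it is used so that a tampered archive with
    absolute paths or '..' members cannot write outside `target`.
    """
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(str(target), filter="data")
        else:
            tar.extractall(str(target))


def check_against_manifest(manifest: Dict[str, str], restored: Path) -> List[str]:
    """Return relative paths that are missing or whose contents changed."""
    problems = []
    for rel, expected in sorted(manifest.items()):
        path = restored / rel
        if not path.is_file() or sha256_file(path) != expected:
            problems.append(rel)
    return problems


def run_demo() -> Dict[str, object]:
    """Back up a constructed tree, verify a restore, then detect a damaged file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "system"
        # Constructed sample content: system file, user data, and a user file.
        for rel, text in {
            "etc/app.conf": "listen=443\n",
            "data/customers.csv": "id,name\n1,Example AB\n",
            "users/report.txt": "quarterly figures\n",
        }.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(text)

        archive = root / "offsite" / "complete-backup.tar.gz"
        archive.parent.mkdir()
        manifest = complete_backup(source, archive)

        restored = root / "restore-test"
        restore(archive, restored)
        clean = check_against_manifest(manifest, restored)

        # Simulate media damage on the restored copy and confirm it is caught.
        (restored / "data/customers.csv").write_text("id,name\n1,Exampl\n")
        damaged = check_against_manifest(manifest, restored)

        return {"files_backed_up": len(manifest),
                "problems_after_restore": clean,
                "problems_after_damage": damaged}


if __name__ == "__main__":
    print(run_demo())
```

Run the trial restore against the offsite copy, not the local one: the point of the manifest is to detect a copy that was damaged in transport or storage before a real crisis makes it the only copy left.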
2.4.4.2 Offsite Backup

A backup copy is useless if it is destroyed in a crisis, too. Many major computing installations rent warehouse space some distance from the computing system, far enough away that a crisis is not likely to affect the offsite location at the same time. As a backup is completed, it is transported to the backup site. Keeping a backup version separate from the actual system reduces the risk of its loss. Similarly, the paper trail is also stored somewhere other than at the main computing facility.
2.4.4.3 Networked Storage

With today's extensive use of networking, using the network to implement backups is a good idea. Storage providers sell space in which you can store data; think of these services as big network-attached disk drives. Networked storage is perfect for backups of critical data because you can choose a storage provider whose physical storage is not close to your processing. In this way, physical harm to your system will not affect your backup. You do not need to manage tapes or other media and physically transport them offsite.
2.4.4.4 Cold Site

Depending on the nature of the computation, it may be important to be able to recover from a crisis and resume computation quickly. A bank, for example, might be able to tolerate a four-hour loss of computing facilities during a fire, but it could not tolerate a ten-month period to rebuild a destroyed facility, acquire new equipment, and resume operation. Most computer manufacturers have several spare machines of most models that can be delivered to any location within 24 hours in the event of a real crisis. Sometimes the machine will come straight from assembly; other times the system will have been in use at a local office. Machinery is seldom the hard part of the problem. Rather, the hard part is deciding where to put the equipment in order to begin a temporary operation. A cold site is a facility with power and cooling system available, in which a computing system can be installed to begin immediate operation. Some companies maintain their own cold sites, and other cold sites can be leased from disaster recovery companies. These sites usually come with cabling, fire prevention equipment, separate office space, telephone access, and other features. Typically, a computing center can have equipment installed and resume operation from a cold site within a week of a disaster.
2.4.4.5 Hot Site

If the application is more critical or if the equipment needs are more specialized, a hot site may be more appropriate. A hot site is a computer facility with an installed and ready-torun computing system. The system has peripherals, telecommunications lines, power supply, and even personnel ready to operate on a short notice. Some companies maintain their own; other companies subscribe to a service that has available one or more locations with installed and running computers. To activate a hot site, it is necessary only to load software and data from offsite backup copies.

3 METHODOLOGY

This chapter presents the methodology used to examine how organizations and institutions in Jönköpings Län manage their IT security administratively and physically. The purpose is to create an understanding of the chosen methods in order to ensure the quality of the information-collection procedure as well as the credibility of the study. Furthermore, the chapter will consider the process of interpreting the information.

3.1 Choice of method

Holme and Solvang (1997) suggest that before we know what to investigate we cannot know how to do it. This statement marks clearly that when choosing a method we are controlled by the nature of the topic we want to study. For the choice of method, it is crucial how we initially create an understanding of the relationships we want to study; what we perceive to be a problem, what part of the reality we choose to study and how we, based on this, formulate our purpose. Further, it is very important to choose the method that best suits the purpose of the study. If a researcher decides on a method before having a clear purpose, he or she will not have complete freedom in the choice of research questions. When faced with a research problem, we have several different ways to deal with it. These are often divided into the categories of qualitative and quantitative methods. Qualitative methods have a low degree of formalization; this method's primary purpose is an understanding one and is not concerned with testing whether the information is generalizable, but the central issue is to get a deeper understanding of the problem being studied (Holme & Solvang, 1997). Qualitative research is a strategy for going beneath the surface; it yields a holistic overview of consumer behaviour and provides insights into emotions and motivations (Mariampolski, 2001). One of the greatest strengths of qualitative research is that it gives a more fundamental understanding of the topic (Carson, Gilmore, Perry & Gronhaug, 2001), while a great weakness is that, because of the flexibility associated with it, it can be difficult to compare the results between different units (Holme & Solvang, 1997). Quantitative methods, on the other hand, are more formalized and structured. They are characterized by a great extent of control from the researcher (Holme & Solvang, 1997). According to Mariampolski (2001), quantitative research is necessary when the objectives demand strict enumeration or when probabilistic projections are demanded.
A big strength of quantitative research lies in the information produced, in a way that makes it generalizable; a big weakness, however, is that we do not have any guarantee that the information collected is relevant for the purpose of the study (Holme & Solvang, 1997). The basic difference between qualitative and quantitative research is that with quantitative research the information is turned into figures, from which it is possible to perform statistical analyses, while in qualitative methods it is the researcher's perception or interpretation of the information that is important (Holme & Solvang, 1997). According to Carson et al. (2001), qualitative research methods are suitable for addressing questions of how and why things occur, while quantitative methods are more appropriate for answering questions of what and how many. When the authors of this paper approached the topic to be studied it soon became evident that the most relevant and interesting task was not merely to investigate how business and non-business organizations manage their IT security physically, but in fact to try to understand what lies behind it. The purpose of this paper demands a deeper insight into how organizations address the issue of computer security; the authors wanted to gain a deeper understanding of how security issues have been addressed or are being tackled by the organizations. Thus, the qualitative method was most suitable for this study.

3.2 Method of analysis

Unlike statistical analysis, there is no fixed way of analyzing the data in a qualitative approach. As Yin (1994, p. 105) points out, 'much depends on an investigator's own style of rigorous thinking, along with the sufficient presentation of evidence and careful consideration of alternative interpretations.' Two general strategies were used for analysis. Yin (1994) suggested that developing a case description is a useful way of analysis when the original purpose of the case study is descriptive. Since this paper is by nature a descriptive one, we used a descriptive framework for organizing the case studies. According to Yin (1994), relying on theoretical propositions is another way to organize the case study and to define alternative explanations to be examined. This paper began by discussing relevant theories about information technology security in general; then we used a descriptive approach to organize our empirical findings. We also used the theoretical propositions to supplement the descriptive frameworks.

3.3 Data collection

Since a qualitative method was applied, the process of collecting data for studying how organizations protect their computing systems administratively and physically took the form of looking at both primary and archival data (however, very little useful archival data was available). We intended to gather primary data by conducting face-to-face interviews and administering questionnaires to persons in charge of IT matters in our chosen organizations. The main thrust of the primary data was to cover as much information as possible about the organizations concerned as regards management of computing system security in Jönköpings Län. Our primary data was retrieved through standardized interviews and questionnaires to heads of IT departments in our selected organizations. In the view of Maxwell (1998), the interviews could be conducted in a standardized or semi-standardized form with prepared questions as a guideline to the discussion. Because of the descriptive nature of the information that was to be gathered, a guide of questions was given to five (5) organizations located in Jönköping. The interview guide (see appendix) was constructed to guide both parties through the interview and help keep the focus. The questionnaire was entirely based on the theoretical framework presented and the aim was to examine how organizations located in Jönköping manage their computing system security. The questions in this study included a mixture of open and closed ended questions with emphasis on the open questions to avoid limitation of the discussion. We followed Yin's (1994) advice that an investigator should ask respondents for the facts of a matter as well as his/her own opinions about the matter. In many situations, we asked them to propose their own insights into certain occurrences and used such propositions as the basis for further inquiry.

3.4 Choice of respondents

In this paper, we have used a holistic unit of analysis. According to Yin (1994, p. 49), 'this approach is advantageous when no logical subunits can be identified and when the relevant theory underlying the case study is itself of a holistic nature.' For the purpose of this paper we wanted to build a descriptive framework about the way organizations (both business and non-business) in Jönköping are managing their computing system security. We initially wanted to make a comparative study of how organizations in Jönköping, Sweden and organizations in Reading, UK, manage their computing system security; however, we could not find companies in the UK, since most of the companies that we contacted thought IT security issues were too critical and therefore they were not ready to share anything on IT security with us. We therefore had to concentrate only on organizations based in Jönköping. We selected organizations from both business and non-business fields. We faced a very difficult time trying to select our respondents since most organizations perceive computing system security to be a sensitive area and also because as international students we could not speak or understand Swedish, which is the language used in Sweden. However, we do not claim that this paper gives a complete account of how business and non-business institutions protect their computing system security. We have only provided a general description of what some of the organizations are doing to protect their systems against theft, unauthorized access, power loss and fire. We consider the issue of information technology security to be a very broad one and therefore a complete study could have been conducted into it, but we could not do so because of time constraints and general lack of knowledge about the technicalities of computing system security.

3.5 Trustworthiness: Validity and Reliability

Is qualitative research trustworthy? How could a researcher be sure that his/her results reflect the respondent's reality? And how subjective was it? According to Carson et al. (2001), trustworthiness in qualitative research is discussed using the dimensions of credibility, dependability and confirmability; these terms are addressed through sound and rigorous methodological considerations, and they all stem from the following three points: firstly, careful use, interpretation, examination and assessment of appropriate literature through referencing conceptual frameworks, prior theory or empirical results. Secondly, careful justification of the qualitative research methodologies used in a study and specifically their appropriateness, merits and values. Thirdly, careful structuring of data analysis to ensure full and descriptive evaluation and assessment, particularly in relation to data of key significance. This analysis will be linked back to the methodological framework and prior theory from the literature. This aims to make the data analysis and subsequent conclusions transparent to the reader. The authors of this paper believe that these requirements have been met in this study, as has been described throughout this chapter; in developing the frame of reference, the authors have carefully studied relevant theory. According to Trost (1997), the idea of reliability and validity of a study originates from quantitative methodology. These terms should be interpreted differently regarding qualitative studies. Reliability means that a result from a study should be consistent over time if similar research is conducted. The assumption is based on a static relationship between the variables, which is eliminated when conducting a qualitative study. Humans are not static, rather active participants of a dynamic process. As surroundings change constantly, new experience is gained, which implies that answers to the same question will change between research occasions.

Qualitative studies should instead focus on trustworthiness. Trustworthiness is highly relevant when conducting qualitative interviews. Researchers must be able to show and prove to readers that the conducted study is trustworthy. This means that the way the information is gathered must be in line with the purpose statement (Trost, 1997). To fulfill our purpose we needed to find the underlying thoughts on how organizations manage their computing system security administratively and physically. By conducting telephone interviews we gained the necessary data to generate trustworthy results. By presenting the information gained during interviews in an empirical chapter, the trustworthiness was improved, as our subjective values were not reflected in this paper. It allows the reader to create an individual perception of the thesis' trustworthiness. Validity traditionally means that the study is measuring what it is supposed to measure. Qualitative studies strive to find out how the interviewee perceives an occurrence (Trost, 1997). Generally, the validity is strengthened when the interview is, to the furthest possible extent, built on the interviewee's premises. The interviewee is given the opportunity to express information in the most adequate manner (Befring, 1994). We therefore built our interviews on open-ended questions and probing, giving the interviewees freedom to express their opinions and share their knowledge. Maxwell and Loomis (2003) further describe three forms of validity applicable to qualitative research: descriptive validity, interpretive validity and theoretical validity. Descriptive validity is concerned with the validity of how events and settings are described. It refers to the degree to which researchers can determine if gathered data is correct. Interpretive validity involves the validity of statements about how the participants' meanings and perspectives are described (Maxwell & Loomis, 2003). Researchers must therefore gather information that reflects the interviewees' opinions and thoughts rather than their own (Johnson & Turner, 2003). To ensure descriptive and interpretive validity we conducted questionnaire and telephone interviews where both participated. We also checked for consistency in answers from the interviews and questionnaires. Theoretical validity refers to the degree to which the theoretical framework supports the empirical findings (Maxwell & Loomis, 2003). As the theoretical framework has formed a basis for the interview guide, used when conducting interviews, the theoretical validity is enhanced.

4 EMPIRICAL FINDINGS

This chapter presents the empirical findings from the study. The information retrieved from the interviews and questionnaires is presented as case descriptions organized along some key variables. Having followed the relevant themes discussed in the theoretical framework, and having taken a critical look at our questionnaire guide, it became obvious and convenient that the interpretation of our empirical findings should be structured by the following four variables: security plan, risk analysis, security policy, and disasters and physical threats.

4.1 Saab Training Systems

Saab Training Systems develops, manufactures and markets professional, high-quality training systems. They specialize in laser simulator systems, mobile data communication systems, combat training systems (CTC) and target equipment for military training. Their headquarters is located in Huskvarna, Sweden. They also have offices in Stockholm and Helsingborg. Subsidiary companies are located in the USA, the UK, Germany, the Netherlands and Canada. Almost 95% of the company's turnover comes from exports to nearly twenty countries, including the US, Germany and the UK. Saab Training Systems employs nearly 400 people, the majority of whom have at least one university degree; many have two or more degrees. The company has consistently made substantial financial investments in research and development. R&D investments amount to more than 10% of sales and are internally funded. As well as investing in high-technology engineering, Saab Training Systems also spends substantial amounts of money on studying the ways in which people think, react and reflect. This work provides them with highly developed knowledge and skills that enable them to develop the most advanced training systems in the world. (http://www.saab.se/training/node1082.asp)

4.1.1 Security plan

According to the IT manager of Saab Training Systems, the company has a comprehensive security plan in place with the following features: the plan describes who is responsible for each security activity, and identifies when different security functions are to be performed.

4.1.2 Risk analysis

Whenever there have been potential risks or problems with their computing systems, they have addressed them by immediately mobilizing a response team to contain the situation and rectify the problems.

4.1.3 Security policy

In addition to the security plan, Saab Training Systems also has an organizational security policy, which states who can access which resources and in what manner.

4.1.4 Disasters and physical threats

Saab Training Systems sees unauthorized access and theft of the systems as the most likely risks they could face. The company protects against these two potential threats by having logging restrictions and passwords, and by locking the systems with table locks and installing security cameras to monitor them, respectively.

4.2 Jönköping University

Jönköping University is a foundation university that conducts research, undergraduate studies, graduate studies, doctoral studies and contract education through four schools, namely Jönköping International Business School (JIBS), the School of Education and Communication (HLK), the School of Engineering (ING) and the School of Health Sciences (HHJ). Jönköping University is a young and expanding university with approximately 9 000 students. The four schools offer a wide range of study programs and courses in Swedish and English. The university recruits students from all over Sweden and has a highly developed organization for international contacts, with over 300 partner universities abroad (http://www.hj.se/).

4.2.1 Security plan

Jönköping University currently does not have an IT security plan in place. The reason is that the IT environment has grown and there has been a lack of resources for sound security planning. However, according to the head of the IT department, the steps towards a comprehensive and well-implemented security plan are far advanced.

4.2.2 Risk analysis

We gathered from the interview with the head of the IT department that the University's computing systems have lately become a target of hacker activity. To ensure that teaching and learning are not disrupted by such activities, all the computing systems have been secured by installing anti-spam and anti-virus programs and security patches, and incoming mail and requests are scanned. The University's activities, that is, teaching and learning, depend mostly on the computing systems; hence everything possible is done to ensure the safety of the systems and the smooth operation of academic work. Problems of risk are also addressed by rescue teams made up of people with the right competence and capabilities.

4.2.3 Security policy

Even though the University does not have a security plan in place at the moment, it has a security policy. All students of the University and other users of the computing systems are required to sign a document indicating which programs they can access and what they do not have the right to access.

4.2.4 Disasters and physical threats

Unauthorized access to the system and theft are also the most likely physical threats to the computing systems. Against unauthorized access, the University has implemented logging restrictions, technical security and scanning; to guard the systems against theft, they have installed table locks and wires to lock the computers to the tables. The University plans to install security cameras as an extra measure to guard the computers and the systems against theft from the next academic year.

4.3 Kitron Development AB

Kitron is one of Scandinavia's leading companies in the development and manufacturing of electronics for the medical, defense/marine, data/telecom and process industries. The company has manufacturing locations in Norway, Sweden and Lithuania. At year-end 2003, the Group had a workforce of 1 580. Kitron's area of expertise is the development and manufacture of electronic products. Kitron Development offers a broad range of services related to the development and industrialization of electronic products. A team of 144 Masters of Science undertakes all types of assignments, ranging from simple development work to complete product packages, from concept to a prototype ready for series production in one of Kitron's manufacturing plants. Each task force has a representative from Kitron Development, which promotes good interdisciplinary cooperation within the Group. Kitron Development has branches in Oslo, Kongsberg, Jönköping, Gothenburg and Karlskoga. (http://www.kitron.com/content/view/investor_relations/421/)

4.3.1 Security plan

Kitron has a security plan in place which clearly states a policy indicating the goals of security and the willingness to achieve those goals. The security plan is seen as the blueprint for all security issues in the company.

4.3.2 Risk analysis

Although Kitron believes there are several risks confronting their system, the IT head did not pinpoint any of these risks to us. However, the company has installed antivirus software and firewalls to check mail and incoming traffic. They have in place a procedure to follow when resolving a crisis.

4.3.3 Security policy

Kitron has a security policy in addition to the security plan, in which the company has defined who accesses which resources and in what manner. The company sees the policy as important since it helps to ensure that only authorized people have the right to access the system and its programs.

4.3.4 Disasters and physical threats

Fire and power loss are the two threats that Kitron believes are most likely to interrupt the operation of their computing systems. To protect their computing system against the outbreak of fire, they keep backup tapes of their entire database, stored in a different location, so that the company does not lose everything in the event of a fire. The company also has UPS systems as backup power supply to keep the systems in operation during power outages or power fluctuations.

4.4 Elite Stora Hotellet, Jönköping

The Elite Stora Hotellet belongs to one of the many hotel chains in Sweden. The Elite hotel chain consists of 17 quality hotels all around Sweden, from Malmö in the south to Luleå in the north. Each of the hotels has a unique history; the majority are housed in carefully restored buildings, and the aim is to unite classical style with modern trends in order to achieve harmony. Elite Stora Hotellet is located in one of Jönköping's most beautiful buildings. The hotel is situated on the west side of Lake Vättern. Trottoaren is the hotel's own bistro-style restaurant, and its personal decor, amusing menus and reasonable prices have made it a meeting place for both local residents and visiting guests. The Bishop's Arms pub, with its furnishings from England, creates an atmosphere of tradition and coziness. The hotel has 135 elegant rooms that are decorated in Gustavian style and equipped with all modern facilities. Most of the rooms in the hotel are smoke-free. The hotel organizes banquets, weddings and celebrations. It was built in the middle of the 19th century, and the hotel's rooms were renovated in 1995. (http://www.elite.se/eng/hotell/jonkoping/stora/historik.htm)

4.4.1 Security plan

Elite Stora Hotellet in Jönköping has a security plan that contains a policy indicating the goals of security and the willingness to achieve them. The company also sees the security plan as a comprehensive guide to protecting their computing system.

4.4.2 Risk analysis

According to the head of IT security, the company has not encountered any risks as far as their computing system is concerned, but he believes that should any risk occur they have people with the requisite skills to deal with the problem. They also have procedures to follow in emergency cases, but he could not explain the procedure to us as he considers it a corporate strategy they do not want to share.

4.4.3 Security policy

The company has a security policy in place which also defines who is authorized to access the computing system, and how and what they should do when using the system; but, just as with the procedure to follow in case of risks, we were not given any example.

4.4.4 Disasters and physical threats

Elite Stora Hotellet also believes power loss is the biggest threat to their computing system, as it could bring their operations to a halt. In spite of this threat, the hotel does not have any UPS in place for power outages.

4.5 Scandic Hotel

Scandic Hotels is the oldest hotel chain in the Nordic countries. The whole chain started in 1963 as a motel on Sweden's main roads and has now developed into a chain of 148 hotels across the world, 68 of them in Sweden. It all started with a motel, the Esso Motor Hotel, located in Laxå in central Sweden, which opened on 14 July 1963. The chain expanded abroad, to Denmark and Norway, as early as the beginning of the 1970s, and within only a couple of years Esso Motor Hotel was the biggest chain in Scandinavia. (http://www.hotelonline.com/News/PR2003_3rd/Jul03_ScandicChain.html) In the mid-1980s Esso sold its hotel chain and the chain was renamed Scandic Hotels. The Scandic hotel in Jönköping was established in 1972; the hotel has 220 rooms and currently has a total of 150 staff, 48 permanent and 102 part-time workers (P. Hyalmarsson, personal communication, 2005-06-09).

4.5.1 Security plan

We gathered from the IT manager of Scandic Hotel, Peter Hyalmarsson, that they also possess a security plan, the content of which includes a policy indicating the goals of security and the willingness to achieve them.

4.5.2 Risk analysis

Their systems have not experienced any potential problems or risks, but they have anti-virus software to protect their systems against some potential risks. We found out that the company has also put in place a blueprint that directs the IT department in emergency cases.

4.5.3 Security policy

Scandic Hotel has a comprehensive security policy, which states, among other things, which persons can access which resources and in what manner.

4.5.4 Disasters and physical threats

The IT manager thinks fire and theft are the most likely of all the threats to occur, and they have taken the following steps to guard and protect their systems against these threats: for fire, they have backup tapes of their database located at a different location, so that in the event of a fire they won't lose valuable data; for theft, they have security locks and authorization codes for their computer rooms.

5 ANALYSIS

In this chapter, we present an analysis of our findings collected through interviews and questionnaires in relation to the theoretical framework.

5.1 Security Plan

As we learnt from the theoretical framework, the impact of the security plan is very important: a carefully written plan, supported by management, notifies employees that security is important to management and therefore to everyone. In view of this assertion, we were expecting to find a comprehensive security plan in the organizations we studied. According to Pfleeger and Pfleeger, security plans should address seven basic issues:

• Policy, indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals
• Current state, describing the status of security at the time of the plan
• Requirements, recommending ways to meet the security goals
• Recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements
• Accountability, describing who is responsible for each security activity
• Timetable, identifying when different security functions are to be done
• Continuing attention, specifying a structure for periodically updating the security plan

It became evident in empirical findings that none of the organizations we studied have addressed all of these issues. Some of them have addressed one or two of these issues while one of them does not have a security plan in place at all even though it recognizes the importance of such a document.

5.2 Risk Analysis

Risk analysis for security is adapted from more general management practices, placing special emphasis on the kinds of problems likely to arise from security issues. By following well-defined steps, we can analyze the security risks in a computing system. The basic steps of risk analysis are listed below:

• Identify assets
• Determine vulnerabilities
• Estimate likelihood of exploitation
• Compute expected annual loss
• Survey applicable controls and their costs
• Project annual savings of control

However, we found out from the study that the organizations have their own ways of analyzing risks, even though we could not get any information on how they analyze risks. The three strategies for reducing the effects of risk, as suggested by Pfleeger, are:

• avoiding the risk, by changing requirements for security or other system characteristics
• transferring the risk, by allocating the risk to other systems, people, organizations, or assets; or by buying insurance to cover any financial loss should the risk become a reality
• assuming the risk, by accepting it, controlling it with available resources, and preparing to deal with the loss if it occurs

We realized from the empirical findings that our respondents most often adopt the last strategy, assuming the risk: accepting it, controlling it with available resources and preparing to deal with the loss if it occurs. Most of the organizations we studied have identified some potential risks that their computing systems could face, and they have all put in place measures to curb the occurrence of such risks; if the risks do occur, they have mechanisms in place to reduce the effects and make the system work again immediately after the problem. Our study also revealed that none of the organizations was prepared to share certain detailed information on some issues with us, though almost all the organizations have their own ways of analyzing risks. For instance, the IT manager of Elite Stora Hotellet conceded that the company has a procedure to follow in cases of emergency; however, he was unwilling to reveal the procedure since he considers it a key corporate strategy kept within the company.
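To make the six risk-analysis steps and the three treatment strategies above concrete, here is an added worked example (not part of the original study or of any respondent's own analysis): it computes expected annual loss and projected annual savings for a single file server and picks the treatment whose net savings are largest, falling back to assuming the risk when no control pays for itself. All asset values, event rates, control names and costs are constructed assumptions for the illustration.

```python
"""Worked quantitative risk analysis following the six steps of Pfleeger's method.

All figures (asset values, event rates, control costs) are constructed for this
example and do not come from any of the organizations in the study.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    """Step 1: an asset and its replacement value (constructed figures in SEK)."""
    name: str
    value: float


@dataclass(frozen=True)
class Risk:
    """Steps 2-4: a vulnerability, how often it is exploited, what one event costs."""
    asset: Asset
    vulnerability: str      # the weakness or event, e.g. fire, theft, power loss
    exposure_factor: float  # fraction of the asset value lost in one event
    annual_rate: float      # step 3: estimated number of events per year

    def single_loss(self) -> float:
        return self.asset.value * self.exposure_factor

    def expected_annual_loss(self) -> float:
        """Step 4: expected annual loss = loss per event x events per year."""
        return self.single_loss() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """Step 5: a candidate control, its yearly cost and its effect on the risk."""
    name: str
    strategy: str                # "avoid", "transfer" or "assume" (Pfleeger's three)
    annual_cost: float
    rate_reduction: float = 0.0  # fraction by which events per year fall
    loss_reduction: float = 0.0  # fraction by which the loss per event falls


def residual_annual_loss(risk: Risk, control: Control) -> float:
    """Expected annual loss that remains once the control is in place."""
    rate = risk.annual_rate * (1.0 - control.rate_reduction)
    loss = risk.single_loss() * (1.0 - control.loss_reduction)
    return rate * loss


def annual_savings(risk: Risk, control: Control) -> float:
    """Step 6: loss avoided by the control minus what the control costs per year."""
    return (risk.expected_annual_loss()
            - residual_annual_loss(risk, control)
            - control.annual_cost)


def choose_treatment(risk: Risk,
                     candidates: List[Control]) -> Tuple[str, Optional[str], float]:
    """Pick the control with the largest net savings; if none pays for itself,
    the remaining option is to assume the risk and prepare for the loss."""
    best = max(candidates, key=lambda c: annual_savings(risk, c), default=None)
    if best is None or annual_savings(risk, best) <= 0.0:
        return ("assume", None, 0.0)
    return (best.strategy, best.name, annual_savings(risk, best))


def analyse(risks: List[Risk], controls: Dict[str, List[Control]]
            ) -> Dict[str, Tuple[str, Optional[str], float]]:
    """Run steps 4-6 for every risk; controls are keyed by the vulnerability they address."""
    return {r.vulnerability: choose_treatment(r, controls.get(r.vulnerability, []))
            for r in risks}


# Constructed sample: one server and the threats the study's respondents named most.
SERVER = Asset("file server with customer database", 500_000.0)
SAMPLE_RISKS = [
    Risk(SERVER, "fire", exposure_factor=1.0, annual_rate=0.02),
    Risk(SERVER, "power loss", exposure_factor=0.01, annual_rate=6.0),
    Risk(SERVER, "theft", exposure_factor=0.2, annual_rate=0.1),
    Risk(SERVER, "storm", exposure_factor=0.05, annual_rate=0.01),
]
SAMPLE_CONTROLS = {
    "fire": [
        Control("offsite backup tapes", "assume", annual_cost=4_000.0, loss_reduction=0.8),
        Control("fire insurance", "transfer", annual_cost=7_000.0, loss_reduction=0.9),
    ],
    "power loss": [Control("UPS", "assume", annual_cost=5_000.0, rate_reduction=0.95)],
    "theft": [
        Control("table locks and cameras", "assume", annual_cost=15_000.0, rate_reduction=0.5),
        Control("move server to a locked room", "avoid", annual_cost=3_000.0, rate_reduction=0.9),
    ],
    "storm": [Control("lightning protection", "assume", annual_cost=2_000.0, rate_reduction=0.9)],
}

if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        strategy, control, saving = analyse([risk], SAMPLE_CONTROLS)[risk.vulnerability]
        print(f"{risk.vulnerability:10s} EAL={risk.expected_annual_loss():8.0f} -> {strategy:8s} "
              f"{control or 'accept; no control pays off':32s} net saving {saving:8.0f}")
```

With these figures the storm case ends up assumed with no control, which is the situation the analysis above describes for most respondents: the risk is accepted and a response prepared rather than prevented.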

5.3 Security Policy

All the organizations have a security policy that clearly defines the people who have the authority to access the computing systems in the various institutions. For instance, Jönköping University makes all students and other users of its computing system sign a document which specifies which programs they may access and which they may not. We also learned from the study that even though not all the organizations have a security plan in place, they all acknowledged the importance of a security policy. One of our respondents believes that having a security policy in place helps to ensure that only authorized users have access to the computing system and its programs.

5.4 Disasters and Physical Threats

Most of the organizations consider unauthorized access, theft, fire and power outage as the most likely risks their systems could face. While some have put in place mechanisms to forestall these risks, others have measures to deal with them in the event of occurrence. For instance, most of the organizations have secured their computers and systems against theft by installing table locks, wire locks and security cameras. Some of the organizations control access by the use of passwords and logging restrictions. UPS systems have also been installed in some of the organizations to protect their computing systems against power outages and fluctuations. However, we found it a bit strange that one of the organizations perceives power outage as a potential risk yet has no UPS or any other system installed to control the risk. They only restart the systems after a power outage.

6 CONCLUSION

This chapter summarizes the entire report based on the empirical findings and analysis. It also contains the final discussion as well as recommendations for further studies.

6.1 General Conclusion

This paper set out to investigate how organizations in Jönköpings Län manage their computing system security. The study was conducted to find out how business and non-business organizations (1) have planned, or not planned, their computing system security: what advance preparation they have made to ensure that the implementation meets their security needs for today and tomorrow; (2) have analyzed the risk: how they weigh the benefits of controls against their costs, and how they have justified any controls; (3) what security policy they have: who can access which resources and in what manner; and last, (4) what physical controls there are: which aspects of the computing environment have an impact on security. The study concentrated on business and non-business organizations and institutions based in Jönköpings Län.


Five organizations, all based in Jönköping, Sweden, were selected and investigated: Jönköping University, Saab Training Systems, Kitron Development AB, Elite Stora Hotellet and Scandic Hotel AB. The method used for the investigation was mainly qualitative, as we used questionnaires and telephone interviews to gather the empirical findings. The findings from the investigation were analyzed along four variables: security planning, risk analysis, security policy, and disasters and physical threats. We gathered from our empirical findings that none of the organizations we studied has addressed all of the issues enumerated by Pfleeger and Pfleeger as the contents of a good security plan, which are: policy, indicating the goals to achieve; current security status; requirements, recommending ways to meet the security goals; recommended controls, mapping controls to the vulnerabilities identified; accountability, describing who is responsible for each security activity; timetable, identifying when different security functions are to be done; and continuing attention, specifying a structure for periodically updating the security plan. Some of them have addressed one or two of these issues, while one of them does not have a security plan in place at all even though it recognizes the importance of such a document. We found out from the study that the organizations have their own ways of analyzing risks. They have personnel with the requisite skills to deal with problems when they occur, as well as procedures to follow in emergency cases. Most of the organizations have identified some potential risks that their computing systems could face, and they have all put in place measures to curb the occurrence of such risks; if the risks do occur, they have mechanisms in place to reduce the effects and make the system work again immediately after the problem.

Besides the security plan, all the organizations have a security policy which specifies the authorized people who may access the computing systems and which resources they may access. The organizations view the policy as a very important document, as it clearly identifies who accesses what and in what manner; hence it ensures that only authorized people access the system.

6.2 Final Discussion

The final discussion reflects the authors' own deliberations about the overall attainment of the research objective. The authors are convinced that the objective of this paper has been achieved. We believe that the fulfillment of the objective is due to our descriptive approach, with which we endeavored to select the sample in this paper objectively. Based on the chosen approach, the result of this study has shown that both business and non-business organizations located in Jönköping recognize the importance of IT security, and are willing to protect their systems from threats such as unauthorized access, theft, fire, power outage and other threats to ensure the smooth running of their systems at all times.

6.3 Recommendations for further studies

The authors recommend the following fields to be studied more thoroughly in the future:

• Computing system security beyond just physical and administrative controls.
• A comparative study of how organizations in different countries manage their computing system security.

Reference:

Adam, J. (1992). Threats and Countermeasures. IEEE Spectrum, v29 n8.
Ahuja, V. (1996). Network and Internet Security. AP Professional.
Befring, E. (1994). Forskningsmetodik och statistik. Lund: Studentlitteratur.
Canavan, J. E. (2001). Fundamentals of Network Security. Artech House, Inc.
Carson, D., Audrey, G., Perry, C., & Gronhaug, K. (2001). Qualitative Marketing Research. London: Sage Publications.
Cheswick, W. R., & Bellovin, S. M. (1994). Firewalls and Internet Security. Addison-Wesley Publishing Company.
Ebookers (2005). Amazing Deals: Book Elite Stora Hotellet Jonkoping. Retrieved June 10, 2005, from http://www.ebookers.com/cheap_hotels/sweden/elite_stora_hotellet_jonkoping.html
Elite Stora Hotellet, Jönköping (2005). History. Retrieved June 10, 2005, from http://www.elite.se/eng/hotell/jonkoping/stora/historik.htm
Ford, W. (1994). Computer Communications Security: Principles, Standard Protocols and Techniques. Prentice Hall PTR.
Hawker, A. (2000). Security and Control in Information Systems. Routledge.
Holme, M., & Solvang, K. (1997). Forskningsmetodik: om kvalitativa och kvantitativa metoder. Lund: Studentlitteratur.
Hotel Online (2005). Scandic: Hotels with History. Retrieved June 10, 2005, from http://www.hotelonline.com/News/PR2003_3rd/Jul03_ScandicChain.html
Hotel Web (2004). Best Western Elite Stora Hotellet. Retrieved June 10, 2005, from http://www.hotelweb.com/hotels/Sweden-Jnkping/Best-Western-Elite-StoraHotellet.htm
Johnson, B., & Turner, L. A. (2003). Data Collection Strategies in Mixed Methods Research. Thousand Oaks: Sage Publications, Inc.
Jönköping University (2005). Welcome to Jönköping University. Retrieved June 10, 2005, from http://www.hj.se/doc/229
Kitron (2003). This is Kitron. Retrieved June 10, 2005, from http://www.kitron.com/content/view/investor_relations/421/
Kitron Development (2003). Let's Keep It Simple. Retrieved June 10, 2005, from http://www.kitron.com/content/download/263/811/file/Kitron.pdf
Mariampolski, H. (2001). Qualitative Marketing Research. London: Sage Publications.
Maxwell, J. (1998). Qualitative Research Design: An Alternative Approach. Thousand Oaks: Sage Publications.
Maxwell, J. A., & Loomis, D. M. (2003). Mixed Methods Design: An Alternative Approach. In A. Tashakkori & C. Teddlie (Eds.), Handbook of Mixed Methods in Social & Behavioural Research (pp. 241-271). Thousand Oaks: Sage Publications, Inc.
Pfleeger, S. (2000). Risky Business: What We Have Yet to Learn About Software Risk Management. Journal of Systems and Software, v53 n3.
Pfleeger, C. P., & Pfleeger, S. L. (2003). Security in Computing, 3rd ed. Prentice Hall Professional Technical Reference.
Roberts, D. W. (1990). Computer Security: Policy, Planning and Practice. Blenheim Online Publications.
Rook, P. (1993). Risk Management for Software Development. ESCOM Tutorial.
Russell, D., & Gangemi Sr., G. T. (1991). Computer Security Basics. O'Reilly and Associates, Inc.
Saab Training Systems (2004). Our Company. Retrieved June 10, 2005, from http://www.saab.se/training/node1082.asp
Tipton, H. F., & Krause, M. (2001). Information Security Management, 4th ed., Vol. 2. Auerbach Publications.
Trost, J. (1997). Kvalitativa intervjuer. Lund: Studentlitteratur.
Ware, W. (1984). Information System Security and Privacy. Communications of the ACM, v27 n4.
Whitman, M. E., & Mattord, H. J. (2004). Management of Information Security. Thomson Course Technology.
Yin, R. K. (1994). Case Study Approach: Design and Methods. Thousand Oaks, CA: Sage.

Appendix:

QUESTIONNAIRE AND INTERVIEW GUIDE

1. Name of Company: ..........................

2. Position Held: ..........................

3. Does your organization use information technology in its operations? Tick one box.
   Yes ....   No ....

4. Does your organization have a security plan?
   Yes ....   No ....

5. If yes, tick which of these contents of a security plan you have:
   .... policy indicating goals of security and willingness to achieve them
   .... current security status at the time of the plan
   .... requirements, recommending ways to meet the security goals
   .... recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements
   .... accountability, describing who is responsible for each security activity
   .... timetable, identifying when different security functions are to be done
   .... continuing attention, specifying a structure for periodically updating the security plan

5. (B) If no, why?

5. (C) What purpose does the security plan serve for the organization?

6. Has your system and/or its users experienced any potential problems/risks? Tick one box.
   Yes ....   No ....

7. If yes, how has the problem or risk been addressed?

8. Besides the security plan, does your organization have a security policy (who can access which resources and in what manner)?
   Yes ....   No ....

9. Can you enumerate the procedure to follow when there is a crisis?

11. What are some of the natural disasters that are likely to affect the security of the computer systems? Tick whichever is applicable:
   .... Fire
   .... Storms
   .... Earthquakes
   .... Power loss
   .... Unauthorized access
   .... Theft
   .... Other (state them): ..........................

12. What measures do you have in place to protect the system against these physical threats?

13. Would you share any other comments on information security with us?
