Professional Documents
Culture Documents
ABSTRACT managerial level model, and how curriculum fulfills the different
information security needs of strategic (why), tactical (how), and
Information security can be viewed as being different, at operational (what) management levels. This view of corporate
different levels of management. Strategic management involves security structure in terms of this model will better address
creating security policies, dealing with people issues, and business security issues.
evaluating threats and risks. Tactical management involves how the
security systems are developed and implemented to meet policy Background
requirements. Operational management involves maintaining
and monitoring the enforcement of information security policies. Information security is orientated towards information
This paper presents and explains information security from a technology (Nosworthy, J., 2000). However, information security
managerial level perspective and how curriculum supports the is more of a people problem than a technological problem (Rainer
model of the different information security needs of strategic et al, 2007). Many of the common job titles and descriptions
(why), tactical (how), and operational (what) management. associated with information security do not incorporate people-
Keywords: security, management, strategic, tactical, oriented objectives or experiences. For example, business
operational, curriculum. managers are generally concerned with the managerial aspects of
information security, and information security professionals are
INTRODUCTION more concerned with the technical aspects of information security
(Rainer et al, 2007). Most information security groups retain
Overview central control over policy and standards development, but leave
implementation to the operation groups (Rangaswami, 2005).
Organizations are urging top executives to make information Rather than build a technological fortress, companies must
security a priority. Therefore, quality and trustworthiness of assess their information assets from a business standpoint
information are becoming key business issues (Ezingeard et and manage the threats to each asset in a way that reflects its
al, 2005). To better accomplish information security in an importance (Lohmeyer et al, 2002); a tactical and strategic
organization, a management level infrastructure approach is approach. However, companies are still struggling to integrate
needed. Just as information and data characteristics are different security into a strategic approach (Rangaswami, 2005). This
at the different levels of management, information security has issue is not reaching top managers (Ezingeard et al, 2004). Gen-
different characteristics at the different levels of management. erally, a senior managers attention is with operational incidents
These levels of management are strategic, tactical, and (Ezingeard et al, 2004), rather than strategic assets and threat
operational. At the operations level, transaction data is produced and assessments.
serves as input to create information. Maintaining and monitoring It is unclear how information security integrates management
of integrity, confidentiality, and availability of the transaction data with technology at the different management levels. Distinguishing
are primary objectives which are supported by organizational differences between tactical and strategic approaches will enable
procedures and guidelines. At the tactical level, information is organizations to respond to short-term business drivers without
interpreted and utilized in decision making. Implementations interrupting strategic projects (Purser, 2004). Companies must
of preventative, detective, and responsive controls are a primary look at operational and strategic factors; know the value of their
objective which is supported by organizational standards. Further information; and take an integrated approach to information
analysis/aggregation of the information creates knowledge to help security (Lohmeyer et al, 2002). This paper address such issues in
make strategic level decisions. terms of a security management model.
Information security can also be viewed as being different
at the different levels of management. Such a view makes it MANAGEMENT SECURITY LEVELS DEFINED
easier to resolve needs. These needs are to pay attention to the
security issues in information technology and to cope with the Strategic Management Why do security problems exist?
different information security problems (Surendran et. al., 2002).
Organizations and academia currently lack sufficient awareness of Strategic management answers the question why do security
the different information security needs at different management enterprise problems exist? This question of security leads to
levels. developing security policies that deal with people issues, and
evaluates internal/external risks.
Purpose Policies: Information security policy provides a framework
to ensure that systems are developed and operated in a secure
This paper presents and explains information security from a manner. Such policies must consider internal and external