(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No.4, 2010
Challenges in Managing Information Security Froman Organization’s Perspective
Patrick Kanyolo NgumbiSchool of Science and EngineeringAtlantic International UniversityHawaii, USApkngumbi@yahoo.com
This study used purposefully selected employees to fillself-administered unstructured questionnaires to provide informationon aspects concerning information security at organizational level.The responses were subjected to non-probability analysis from whichunderstanding of challenges encountered and subsequent impact wereobtained. Six evaluation questions were used to gain insight intoinformation security components. The study documented fourcategories of challenges encountered, possible outcomes of challenges and consequential impact. These results are beneficial tobusiness end-users, information security managers, top and seniormanagement in organizations.
Information security management, organizationallevel, business information systems, challenges, outcome,impact
Information is very valuable business asset and it requiresbeing suitably protected . Protecting this informationrequires implementing appropriate information securitymeasures. Measures are necessary tools to avoid occurrence of incidences from attacks.Information security is preservation of : confidentialityto ensure information can be accessed by those authorized;integrity to safeguard information accuracy and completeness;and, availability to ensure authorized users have access toinformation and associated assets.The goal of information security is to provide effectivelevel of protection. To realize this level, an informationsecurity management is necessary. This context of “management” assumes the definition from Glossary of Commercial Real Estate Terms , that, “management is a jobof planning, organizing, and controlling business enterprise”.Through planning, organizing and controlling, effectiveinformation security is achievable.Information security management is concerned withmaking information protection more effective. Further,protecting business information effectively demandsunderstanding of challenges pertaining to managinginformation security. Studies reviewed following aspects of information security: (1) Lack of proactive actions oninformation security management , which means thatorganizations are ill-prepared for eventualities; (2) New andevolving technologies, research, tools and standards pose newchallenges to organizations , which means it is a source of difficulties in securing business transactions, infrastructureand information; and, (3) Four challenges identified asstructural, process, boundary and human, have challengesconcerning human resources least emphasized despite havingconsequences in threats from inside organizations .To advance understanding in the area of businessinformation protection, this study examines challenges ininformation security management through organizations’employees. The study uses the research question: “What aretoday’s organizational challenges constraining effectivemanagement of information security”.The understanding of challenges is beneficial toinformation security managers and decision makers inorganizations. The study scope entails reviewing relevantliterature on one hand and carrying out non-probability analysisof responses on the other hand, to obtain answer to the researchquestion. Uses of results of this study include securitymanagers determining threats and vulnerabilities in order tomaintain effective risk management and enabling interlink forstrategic, tactical and operational security levels.
Information Security ManagementInternational Organization for Standardization (ISO)17799  provides three basic information security goals,namely, confidentiality, integrity and availability. To achievethe goals an organization needs to implement management andtechnical security measures. From management securitymeasures, the organization can attain physical and operationalsecurity as well as legal and ethical obligations. On the otherhand, from technical security measures an organization canattain following: access controls, system integrity,cryptography for security, audit and monitoring, and,configuration and security assurance.Today’s information security focus is to secure businessinformation systems . Further, today’s businessenvironment is complex and sometimes it involves real-timetransactions, which can be prone to myriad of security attacks.This scenario necessitates a management approach which isinformation security management. Information securitymanagement is defined in Vermeulen and Von Solms  as“… the structured process for implementation and ongoingmanagement of information security in an organization”. It is aprocess that is structured – meaning, it is a prearranged set of procedures for information security to implement. It is also anongoing management – meaning that, it is a continuousactivity of planning, controlling, coordinating or organizinginformation security.