Toward a Target Function of an Information Security Management System

Abstract

The limits of traditional (static) policies are well-known in many areas of computer science and information security, and are extensively discussed in the literature. Although some flexibility has been achieved with the introduction of dynamic policies, these efforts have only addressed a fraction of the requirements necessary to secure today's enterprises. Currently, no feedback mechanisms are in place to evaluate the effectiveness or economic impacts of static or dynamic policy implementation. Here, we address the requirement for feedback and present a policy for the next generation. This is a policy that includes a dynamic feedback response to the effectiveness of changes. The structure of this new type of policy, called a ``management system'', is borrowed from discrete event system (DES) theory and functions as a control loop. A management system consists of four elements (control system, sensor, controller, and actuator) that are involved in a control law. Two types of management system can be defined. A simple management system (1$^\textrm{st}$ order management system) responds to and regulates only perturbations. An advanced management system (2$^\textrm{nd}$ order management system) has an overarching target function that influences the controller. This target function is usually economically oriented. Finally, we compare our new type of policy with two management systems that follows the Plan-Do-Check-Act (PDCA cycle) model. We investigate the two PDCA cycle standards ISO/IEC 27001 (Information Security Management System, ISMS) and BS 25999 (Business Continuity Management System, BCMS). We also show that the new type of policy can be applied to management systems based on a PDCA cycle.