The Implementation of Deming's System Model to Improve Security Management: A Case Study

Article excerpt

Threats to information security are increasing with the development of information technology and a greater dependence on the Internet. We report on a case study of a telecommunications marketing company which has successfully changed from being a traditional trading company to a company that relies almost entirely on e-commerce. The PDCA model developed by Deming was used to design a security management system for this company. The system was designed to estimate the likelihood of security breaches, to draw up appropriate policies and operational rules to deal with them, and to assure the availability, integrity and confidentiality of the company's data. The system helped the company obtain information security certification from the local accreditation agency, SGS Taiwan. Lessons are drawn from the case study for the design and implementation of effective security systems.

Introduction

With the coming of e-commerce and major developments in the Internet, many enterprises, including private companies, government departments and agencies, have successively computerized their operations, which involves the storage of data in computers and the communication of data over the Internet. Therefore, how to achieve operational security and maintain secure information systems has become an urgent issue for many enterprises. In this study we develop an information security management system that conforms to the standard set by ISO/IEC 17799 (http://www.iso.ch/). As this standard makes clear, information security is not just a technical problem; it is also just as much, if not more, a management problem. By means of an overall planning scheme, targeting the particular requirements of the company in question, using risk management tools, and analyzing and evaluating the security weaknesses and strengths of the company, we hope to develop a comprehensive and effective system that will reduce the security risks to the company and over time lead to significantly fewer breaches or lapses of security.

Literature Review

PDCA Model

Deming introduced PDCA to Japanese enterprises in 1950, according to which quality improvements take place through four major steps: Plan-Do-Check-Act. Since then Japan has become a world leader in quality management. In 1993, Deming changed "Check" to "Study" in the model, in order to emphasize that 'investigation' and 'analysis' are the basis of Action, thus making it the PDSA model [1]. Another quality 'guru', Juran, argued that the quality circles that had become a popular way of developing and implementing quality improvements in Japan could be improved if they became what he called Quality Progressive Spirals, in terms of which the PDCA series of steps could function differently in different enterprises or companies [4]. Many research studies have examined the functioning of PDCA [e.g., 5, 8, 13, 18, 19], but most have been about quality management and rarely related to information security management. The present study adopts the case study approach to examine the usefulness of the PDCA model as a method for improving the management of information security.

ISO/IEC 17799

The purpose of the ISO/IEC 17799 Code is to establish a set of standard criteria for an Information Security Management System; it is not intended to provide 'absolute protection' but rather to ensure that the enterprise takes full responsibility for its own information security evaluation and control. The headings under which security issues are examined in the code are: (1) Scope, (2) Terms and Definitions, (3) Security Policy, (4) Organizational Security, (5) Asset Classification and Control, (6) Personnel Security, (7) Physical and Environmental Security, (8) Communications and Operations Management, (9) Access Control, (10) System Development and Maintenance, (11) Business Continuity Management, and (12) Compliance. …