Information security is a primary concern in every organization and comprises confidentiality, integrity and availability. Protecting information, one of an organization's most important assets, is imperative.
Information security policies are therefore necessary as the instrument through which an organization's concepts, rules and strategy are disseminated, implemented and supported.
The development of information security policies over the years has relied primarily on the standards proposed in ISO 27002 from the International Organization for Standardization.¹ However, in 2010, a consortium formed by ISACA, the Information Security Forum (ISF) and the International Information Systems Security Certification Consortium (ISC)² proposed 12 nonproprietary, independent principles,² grouped into three sets: business support, business protect and responsible behavior (promoting responsible information security behavior). These principles were intended to guide information security policy development so that it adds value to the organization, not only in a tactical, standards-driven way, but also by treating the strategic needs of the business as a central consideration of the security policy.³
Based on the principles proposed by the consortium, the ISACA Student Group of the Brasilia (Brazil) Chapter performed a research study of the four largest telecommunications companies in Brazil, between March and April 2014, to analyze how well their information security policies comply with those principles in a competitive niche market that is subject to a considerable number of laws and regulations and that generates, sorts, maintains and protects a high volume of data.
Telecommunications companies were chosen for the study because of the characteristics of their market niche. Telecommunications is a business segment with extensive competition in Brazil: the sector is composed of eight companies, each with a diversified portfolio of products that compete strongly in various market segments. It is a niche governed by numerous regulations and specific legislation that change constantly, while the organizations handle a considerable volume of data. Four of these companies agreed to participate in this study.
To comply with privacy requirements, the companies are not named here; they are referred to as Company A, Company B, Company C and Company D.
Methodology
This study is primarily qualitative, with a secondary quantitative assessment. A structured, cascading approach was applied: raw data were collected, then contextualized, and conclusions were finally drawn by inference from tables and charts, as shown in figure 1.
The first step was gathering the research data. In this step, the security policies of the service providers or phone companies were collected. Of the eight companies in the sector, policies were obtained from four.
Next, the content of each policy was analyzed for references to the 12 principles. Each principle was examined individually, looking in the policy text for the context described in figure 2.
The next step was to build a matrix of the 12 principles against the four companies, marking which of the principles in figure 2 each policy met. This converted contextual data into numerical data that could be tabulated.
Once each policy's compliance with the principles had been quantified, a maturity scale was applied, assigning each company a maturity level according to its number of compliant items, as shown in figure 3.
Beyond the maturity scale, the tabulated data supported the next step: charts of the number, distribution and concentration of principles with which each company complies. Presenting the data in this form made it possible, once again, to draw contextual inferences from the numbers.
Results and Analysis
As described in the methodology, the first step of the results analysis was to consolidate the principle compliance data in a table (figure 4) so that the results could be tabulated.
Applying the maturity scale from figure 3 yields each company's maturity level, as shown in figure 5.
The maturity levels show that, contrary to initial expectations, the companies' results were not homogeneous. Each company presented a distinct level of maturity, which, together with the structure of the policies analyzed, suggests that information security is not seen as adding value to the business but only as a requirement to be fulfilled for ISO 27002 certification.
This point is reinforced by the distribution of the principles with which the companies comply, shown in figure 6.
Only one of the evaluated companies focuses the development of its security policy on the business support set; that is, only one company sees its security policy as an enabler that adds value to the business.
Figure 6 also shows that the items in the business protect and responsible behavior sets are distributed more evenly among the firms, reinforcing the view that the companies use the information security policy as a tactical and operational instrument rather than a strategic one.
Conclusion
Although the telecommunications sector in Brazil demands a competitive, dynamic corporate vision of the business, the maturity levels and areas of focus found were not what was expected when the evaluations began. It was expected that corporate governance in these companies would use information security policies as an enabler, adding value to the company and increasing competitiveness in the segment. Instead, this research found heterogeneous maturity levels and little focus on the business support set.
Only one of the companies surveyed is concerned with aligning information security with the business through the business support set, while all of the companies studied focus primarily on the business protect and responsible behavior sets. This suggests that the information security policy is still seen as a tactical and operational document that exists only to ensure compliance with ISO 27002 recommendations, rather than as a potential enabler of governance in the company.
Evaluating each set individually reinforces this tactical emphasis: principles based on value delivery and continuous improvement are not a priority, whereas principles based on access control and risk management are common to all companies.
This analysis also suggests that the adoption of good information security governance practices by telecommunications companies in Brazil still has much room to improve, and could help differentiate organizations in a highly competitive market segment.
Ultimately, this model can be applied generically to other segments in the private or public sector.
Endnotes
1 International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 27002: 2005, Information technology—Security techniques—Code of practice for information security controls, 2005, www.iso27001security.com/html/27002.html
2 ISACA, COBIT 5 for Information Security, USA, 2012
3 Souza Neto, J.; Gestão e Governança de Segurança da Informação no Ambiente de TI, course material, CEGSIC 2012-2014, MBA in Security Information Management, Universidade de Brasilia, 2012, p. 12-13
Kleuber Tormim, COBIT Foundation, Green IT, ISO 20000, ISO 27000, ITIL-Expert, has more than 12 years of experience in IT as an ITSM consultant at Stefanini.
Vitor Tormin Nishi, COBIT Foundation, ITIL-F, ISO 27002, has more than eight years of experience working as a systems analyst in the telecom and banking segments, in the fields of software testing and test environment support.
Mauricio Rocha Lyra, Ph.D., COBIT Foundation, CTFL, ISO 20000, ITIL, MCSO, OCUP, PMP, RUP, is a leading Professor at Centro Universitario de Brasília and has more than 25 years of experience in the computer science field. He is the author of the book Segurança e Auditoria em Sistemas de Informação (Informational Systems Security and Auditing).