Assessment of Enterprise Information Security - An Architecture Theory Diagram Definition
Authors
Abstract
In order to manage and improve something, it is normally necessary to be able to assess its current state. A problem with assessment, however, is that in order to assess, it is normally necessary to be able to define the assessment topic. These general statements also hold within the area of Enterprise Information Security. Although much has been written on the topic, there is little consensus on what Enterprise Information Security really is, and this lack of consensus lessens the credibility of existing assessment approaches. This paper presents a well-defined, transparent, and quantified method for the assessment of Enterprise Information Security. The method is based on the consolidation of the most prominent sources on the topic and results in a single quantitative estimate of the level of Enterprise Information Security in a company. The usefulness of the presented method has been verified by a case study at a large European electric utility. The present paper is part of an ongoing research project on a credible and cost-effective method for Enterprise Information Security assessment.

1. Background to research

This paper presents results from an ongoing research project that focuses on the development of a method for the assessment of Enterprise Information Security. The project is part of a comprehensive research program, the Enterprise Architecture Research Programme (EARP) at the Royal Institute of Technology (KTH) in Stockholm, Sweden. EARP exploits the discipline of Enterprise Architecture as an approach for managing the company's total information system portfolio. The company's primary stakeholder for the Enterprise Architecture is the Chief Information Officer (CIO), who is responsible for the management and evolution of the enterprise information system.

The overall goal of the research program is to provide the CIO function with architecture-based tools and methods for planning and decision making concerning enterprise-wide information systems [7]. Information and the supporting processes of the enterprise-wide information systems are important business assets. It follows that information security (i.e. the preservation of confidentiality, integrity and availability) has become an increasingly important system quality that has to be carefully managed. Security of information may be essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image. Although Enterprise Information Security is today one of the most central areas of enterprise IT management, the topic still lacks good support for decision making at top-management level (i.e. the CIO level) [10]. Good decisions require good information. Consequently, a credible and usable method for assessing the current state of Enterprise Information Security would be desirable.

1.1 Purpose and Scope

The purpose of the overall research project is to develop a method for the assessment of Enterprise Information Security (herein denoted as the EIS method). First, the EIS method presents an indicative single value on a scale, i.e. an EIS score. Second, it presents sound estimates of the credibility of the assessment score. Third, the EIS procedure is designed to be as cost-effective as possible. However, in order to assess, it is fundamental to be able to clearly define the assessment topic. Although much has been written on the topic, there is little consensus on what Enterprise Information Security really is. This lessens the credibility of existing assessment approaches, and brings us to the purpose of this paper.
Similar sources
Providing an Enterprise Architecture Framework Model for Laboratory Information Management Systems by Service Oriented Approach
Background and Aim: Laboratories are one of the most important scientific and research centers. Laboratory information management systems provide a platform for recording the information and collaborating between researchers. The main purpose of this study was suggesting an organizational architecture model of laboratory information management systems. Materials and Methods: This study was a ...
Enterprise Architecture: A Service Interoperability Analysis Framework
Enterprise architecture is a model-based approach to IT management used for promotion of good IT decision making. Thus, an enterprise architecture framework needs to support various forms of analysis. Creation of enterprise architecture models is costly and without intrinsic value, therefore it is desirable to create models that effectively support the sought after analysis. This paper presents...
Quantitative evaluation of software security: an approach based on UML/SecAM and evidence theory
Quantitative and model-based prediction of security at the architecture design stage facilitates early detection of design faults, hence reducing modification costs in subsequent stages of the software life cycle. However, an important question arises with respect to the accuracy of input parameters. In practice, security parameters can rarely be estimated accurately due to the lack of sufficient kn...
A Hybrid Approach of Evidence Theory and Rough Sets for ISS Risk Assessment
In an electronic business environment, it is critical for an enterprise to assess information systems security (ISS) risks. In this paper we propose an evidence theory and rough sets based approach to objectively represent the uncertainty inherent in ISS risk assessment. Uncertainty in security risk management stems from the incompleteness and vagueness of the conditioning attributes that characte...
Enterprise Security Architecture
The emergence of internetworked systems enables corporations and government agencies to share information in an unprecedented fashion. The sharing of information expands the traditional enterprise boundary to even include dynamically established virtual enterprises. The internetworking of systems introduces significant security challenges and requirements for a new enterprise security assessmen...