Chapter 1 Research Issues
1.1 Motivation and the Scope of the Research
Digitalized information has become the new currency of business; it crosses every kind of boundary, whether national, organizational, or geographical. A corporation needs information to carry out its daily operations and business. Without appropriate information, managers cannot make decisions correctly and employees cannot carry out transactions or other affairs. Hence, information is a critical asset for corporations, but the increasing use of information brings higher risk. It should be properly stored, transmitted, and protected, and used only by authorized people or organizations.
As the information security study of DTI/PWC (2008) states:
“Information is the new currency of business – a critical corporate asset whose value rises and falls at different times, and in different ways, depending on when, how, where and by whom it is placed into circulation as a medium of exchange. Therein lie the risks. And the opportunities.” (DTI/PWC, 2008)
Describing information as a new currency carries two meanings: information has value in itself, and, like currency, it flows between corporations. A corporation therefore faces many information security risks. Once an information security incident occurs, it not only causes financial loss, e.g. the cost of maintaining or recovering servers or data, but also damages intangible assets, such as business secrets, confidential data, the corporation's reputation, or the trust of its partners and clients. For any kind of organization, security incidents can lead to severe problems, and organizations should strive to avert them.
Another reason for a corporation to build an information security system is compliance with laws and regulations. Regulatory bodies compel corporations to take action to improve their information security. Whitman and Mattord (2008) summarized the most relevant laws and regulations, and we have rearranged that summary into table 1-1. Among these laws and regulations, the most important for information security management are the Sarbanes-Oxley Act and Basel II.
Table 1-1: Key U.S. Laws Related to Information Security

| Act | Subject | Description |
|---|---|---|
| Communications Act of 1934 (amended 1996 and 2001) | Telecommunication | Regulates interstate and foreign telecommunications |
| Computer Fraud and Abuse Act (amended 1994, 1996, and 2001) | Threats to computers | Defines and formalizes laws to counter threats from computer-related acts and offenses |
| | | Requires all federal computer systems that contain classified information to have surety plans in place, and requires periodic security training for all individuals who operate, design, or manage such systems |
| Economic Espionage Act of 1996 | Trade secrets | Designed to prevent abuse of information gained by an individual working in one company and employed by another |
| Federal Privacy Act of 1974 | Privacy | Governs federal agency use of personal information |
| Gramm-Leach-Bliley Act of 1999 (GLB) or Financial Services Modernization Act | Banking | Focuses on facilitating affiliation among banks, insurance, and securities firms; it has significant impact on the privacy of personal information used by these industries |
| Health Insurance Portability and Accountability Act (HIPAA) | Health care privacy | Regulates collection, storage, and transmission of sensitive personal health care information |
| Sarbanes-Oxley Act of 2002 | Financial reporting | Affects how public organizations and accounting firms deal with corporate governance, financial disclosure, and the practice of public accounting |
| Security and Freedom | | Clarifies use of encryption for people in the USA and permits all persons in the U.S. to buy or sell any encryption product, and states that the government cannot require the use of any kind of key escrow system for encryption products |
| USA PATRIOT Improvement and Reauthorization Act of 2006 | Terrorism | Made permanent 14 of the 16 expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity |
| Basel II Accord | Banking | Creates an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face |

Source: rearranged from (Whitman & Mattord, 2008) pp. 93-94.
Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOX), a regulation signed into US law in response to the Enron, WorldCom, Tyco, and other scandals, is a critical piece of legislation that affects the executive management of publicly traded organizations and accounting firms. The main purpose of the regulation is to prevent financial fraud and deception. It contains eleven titles that describe specific mandates and requirements for financial reporting, and each title consists of several sections. One of the most important parts of SOX is Section 404, which requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. The adequacy of those controls depends substantially on mainstream issues for information security professionals (Schultz, 2004).
Financial information is stored on hardware, processed by computing systems, and transferred over computer networks. All of this hardware, these systems, and these networks require adequate authentication and access controls. As Schultz states, “information security has accumulated a large body of knowledge and technology that addresses all of these issues” (Schultz, 2004). SOX requires organizations to comply with it and thereby obliges them to improve their controls and management through information security.
Basel II Accord
The Basel II Accord creates regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face. Basel II additionally requires capital provision for operational risk, which the Basel Committee defined as “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events”. Three approaches are available for calculating the amount of capital required to cover this risk: the Basic Indicator Approach, the Standardized Approach, and the Advanced Measurement Approach.
Basel II elaborates a “Loss Event Type Classification (operational risk)” (Basel, 2004), whose level 1 categories are (1) internal fraud, (2) external fraud, (3) employment practices and workplace safety, (4) clients, products and business practices, (5) damage to physical assets, (6) business disruption and system failures, and (7) execution, delivery and process management. Under each level 1 category there are level 2 categories and activities (level 3), such as unauthorized activity, theft and fraud, and others. These categories are closely related to information security and risk management, and banks can therefore draw on knowledge from those two areas.
A corporation has to confront these laws and issues and improve its information security in order to protect its assets, maintain its reputation, and comply with laws and regulations (E&Y, 2008). As a consequence, corporations have to introduce information security related controls, policies, and standards into their organizations. The steadily increasing share of the IT budget devoted to information security (Richardson, 2008) shows that information security is becoming more important and receiving more attention.
In the past few decades, almost all approaches to information security have been “technical solutions”. In recent years, however, people have come to recognize the importance and effectiveness of managerial solutions, i.e. information security policy, information risk assessment, and security awareness training for employees. Combining technical and managerial solutions can make a corporation more secure. For example, with information security standards and policies in place, technicians can select technology products suitable for the organization, and employees have a clearer view of their responsibilities and accountabilities.
The question is, with so many technical and managerial information security issues, how does an organization know what to do, how to improve its information security, or how to let others know it is doing well? One answer is certification, which confirms that the organization complies with a specific standard that guarantees a minimum level of quality. An information security management standard such as ISO 27001 involves many aspects of security, including policy, environments, personnel, and technologies. The standard provides a framework that helps organizations know how to improve their information security. Once an organization has established a management system that meets the ISO 27001 requirements and applies for certification, an external registrar visits the firm to audit and analyze the system and its security features. If the system meets the standard, the registrar issues an official certificate stating that the ISMS meets the ISO 27001 requirements. An organization must meet every requirement of the standard to be certified. This means that if we trust the credible authorities (e.g. ISO and BSI) that grant the certification, we can trust that a certified organization is doing information security well.
ISO/IEC 27001:2005
In 2005, the International Organization for Standardization (ISO) published ISO/IEC 27001:2005 (Information technology - Security techniques - Information security management systems – Requirements), a revised and updated version of British Standard BS 7799 Part 2. ISO 27001 provides a model and promotes a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS), which covers many aspects of information security, such as security policy, asset management, human resource security, physical and environmental security, communications and operations management, access control, etc. The process approach highlights the importance of (1) understanding an organization’s information security requirements and the need to establish policy and objectives for information security; (2) implementing and operating controls to manage an organization's information security risks in the context of the organization’s overall business risks; (3) monitoring and reviewing the performance and effectiveness of the ISMS; and (4) continual improvement based on objective measurement (Fenz, et al., 2007; ISO, 2005a). It is built on the Plan-Do-Check-Act (PDCA) process model (see figure 1-1).
Figure 1-1: PDCA Model Applied to ISMS Processes
Source: ISO 27001 standard (ISO, 2005a)
From the above, we can understand why information security issues are crucial and how certification can help organizations improve their information security management and reduce the impact of information security incidents. Globally, 6443 certificates were registered in the “International Register of ISMS Certificates1” as of May 2010 (Version 199). In Taiwan, the number of certificates shown on the website is 373 (Version 199, May 2010), and the growth over the past several years is shown in figure 1-2. In recent years, the number of certificates in Taiwan has been increasing sharply.
In 2009 in particular, more than one hundred organizations obtained certification in response to the “Government Agencies Information Security Level of Responsibilities Classification Program2”, since 2009 was the deadline for the class A agencies3 to get certified. Such a phenomenon drew our attention: why did so many organizations decide to adopt ISO 27001? Are there any unusual reasons behind the organizations that lead to such states?
1 Website: http://www.iso27001certificates.com/
2 Original Chinese name of the program: 政府機關資訊安全責任等級分級作業施行計畫
3 The class A agencies are the most important kernels of government operations, and therefore have the highest priority. For detailed information, please see the official documents
Figure 1-2: Number of Certificates in Taiwan
Source: International Register of ISMS Certificates
In past years, some organizations adopted and implemented an information security management system while others did not. What are the differences between them? What really drives an organization to adopt an information security management system? Most research focuses on the effectiveness of implementation, whereas little research has discussed the reasons why an organization decided to adopt one.
This gap should be addressed, so this research aims to find out the reasons why an organization decides to adopt an ISMS, more specifically ISO 27001.