A E I
Transcription
A E I
ASSESSMENT OF ENTERPRISE INFORMATION SECURITY HOW TO MAKE IT CREDIBLE AND EFFICIENT Erik Johansson October 2005 Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy Industrial Information and Control Systems KTH, Royal Institute of Technology Stockholm, Sweden Ex.R. 05-06 TRITA-ICS-0502 ISSN 1104-3504 ISRN KTH/ICS/R--05/02--SE Cover illustration © 2005 Mathias Ekstedt and Erik Johansson Stockholm 2005, Universitetsservice US AB Abstract Information is an important business asset in today’s enterprises. Hence enterprise information security is an important system quality that must be carefully managed. Although enterprise information security is acknowledged as one of the most central areas for enterprise IT management, the topic still lacks adequate support for decision making on topmanagement level. This composite thesis consists of four articles which presents the Enterprise Information Security Assessment Method (EISAM), a comprehensive method for assessing the current state of the enterprise information security. The method is useful in helping guide topmanagement’s decision-making because of the following reasons: 1) it is easy to understand, 2) it is prescriptive, 3) it is credible, and 4) it is efficient. The assessment result is easy to understand because it presents a quantitative estimate. The result can be presented as an aggregated single value, abstracting the details of the assessment. The result is easy to grasp and enables comparisons both within the organization and in terms of industry in general. The method is prescriptive since it delivers concrete and traceable measurements. This helps guide top-level management in their decisions regarding enterprise-wide information security by highlighting the areas where improvements efforts are essential. It is credible for two reasons. Firstly, the method presents an explicit and transparent definition of enterprise information security. Secondly, the method in itself includes an indication of assessment uncertainty, expressed in terms of confidence levels. The method is efficient because it focuses on important enterprise information security aspects, and because it takes into account how difficult it is to find security related evidence. Being resource sparse it enables assessments to take place regularly, which gives valuable knowledge for long-term decision-making. The usefulness of the presented method, along with its development, has been verified through empirical studies at a leading electric power company in Europe and through statistical surveys carried out among information security experts in Sweden. The success from this research should encourage further researcher in using these analysis techniques to guide decisions on other enterprise architecture attributes. Key words: Enterprise Information Security, Enterprise Architecture, Security Assessment, Information Technology Management, Architecture Theory Diagram, Electric Power Industry, Chief Information Officer (CIO), Chief Information Security Officer (CISO). I ASSESSMENT OF ENTERPRISE INFORMATION SECURITY Preface The research and experiences reported herein spans a decade. It is the result of years of research at the department of Industrial Information and Control Systems (ICS) at the Royal Institute of Technology (KTH) in Stockholm, Sweden. For me personally, it all started off long ago when I did research in the field of dependability assessments for safety-critical systems. I noticed similar difficulties when assessing overall qualities in both safety and security paradigms. During the years, following my Licentiate thesis, I continued to lecture at KTH, and momentarily did some consultancies. I then observed an absence of methods for quantitative assessments of enterprise-wide system qualities, and I was therefore enchanted when an opportunity aroused to develop a quantitative assessment method for enterprise information security, from the collaboration between ICS and Vattenfall AB. Acknowledgements First of all, I would like to express my sincere gratitude to Professor Torsten Cegrell, for his encouragement, patience, and support during the overall course of my work. However, without Dr. Pontus Johnson, the completion of this endeavor would not have been possible. Pontus has provided me with invaluable support and fruitful collaboration. In addition, I have greatly enjoyed the creative discussions and teamwork with Dr. Mathias Ekstedt. I would also like to thank Dr. Johan Schubert for inspiring discussions during my earlier years of research. I am also indebted to all the people at the department for creating an atmosphere that has made all these years both rewarding and fun. In particular, I would like to thank Judith Westerlund, for always spreading a warm and happy atmosphere! Among the others at the department I would particularly like to thank the members of the Enterprise Architecture Research Programme (EARP) for excellent collaboration as well as for amusing and interesting discussions. My deep gratitude goes also to the sponsor of this research Vattenfall AB, particularly the global CIO Group. I would especially like to mention Georg Karlén, without whom this work would not have been feasible. Many thanks also to a number of individuals from the Swedish power industry and from the Information Processing Society in Sweden, which have contributed to results in the thesis by their cooperation and sharing of experience. Finally, I would like to thank all my friends, my supporting parents, and my beloved wife Carina and our lovely sons Jakob and Viktor, for their endless encouragement and support. Stockholm, October 2005 Erik Johansson III Table of Contents ABSTRACT ................................................................................................. I PREFACE ................................................................................................. III ACKNOWLEDGEMENTS .......................................................................... III INTRODUCTION AND SUMMARY ................................................................7 BACKGROUND .............................................................................................................. 7 RESEARCH PURPOSE ..................................................................................................... 8 RELATED WORKS .......................................................................................................... 9 CONTRIBUTIONS ......................................................................................................... 13 RESEARCH DESIGN ...................................................................................................... 15 CONCLUSIONS ............................................................................................................ 18 REFERENCES ............................................................................................................... 21 PAPER A - AN ARCHITECTURE THEORY DIAGRAM DEFINITION ..........31 PAPER B - THE IMPORTANCE OF PRIORITIZATION ................................53 PAPER C - ESTIMATING THE CREDIBILITY OF THE RESULTS ................79 PAPER D - THE IMPORTANCE OF INFORMATION SEARCH COST .........101 V ASSESSMENT OF ENTERPRISE INFORMATION SECURITY VI Introduction and Summary INTRODUCTION AND SUMMARY This introduction and summary starts with a description of the background for the work. It continues with describing the rationale of this research and highlighting some related works. Next follows a summary of the major contributions of the four included papers and a section about the research design. Finally this introduction and summary closes with an outline of the main conclusions of the present composite thesis. BACKGROUND This composite thesis presents results based upon a research project performed in collaboration between the department of Industrial and Information Control Systems (ICS) at the Royal Institute of Technology (KTH) and the company Vattenfall AB 1 . The research project has focused on the development of a method for the assessment of Enterprise Information Security (herein denoted as EIS). The project is part of ICS comprehensive research program, the Enterprise Architecture Research Programme (EARP), that exploits the discipline of Enterprise Architecture (EA) as an approach for managing the company’s total information system portfolio. The primary stakeholder for the EA at a company is the persons who are responsible for the management and evolution of the enterprise system - i.e. the overall system of IT related entities. The overall goal of the EARP research program is to provide top-level management with architecture-based tools and methods for planning and decision-making of enterprise-wide information system, cf. (Johnson 2002). In today’s large companies enterprise system is highly complex. Technically, large enterprise possess several hundreds of extensively interconnected and heterogeneous IT systems performing tasks that vary from Enterprise Resource Planning (ERP) to real-time control and monitoring of the processes, such as Distributed Control System (DCS) and Supervisory Control and Data Acquisition System (SCADA). Organizationally, the enterprise system embraces business processes and business units using, as well as maintaining and acquiring, the IT systems. 1 Vattenfall AB is one of today’s largest electric power companies operating in Europe (Vattenfall 2005). 7 ASSESSMENT OF ENTERPRISE INFORMATION SECURITY Information and systems are to a large extent becoming integrated in industry operations. Networking technologies offer tools for making communication and sharing of information more efficient and faster than before. However, the networking and interconnection of systems can significantly increase the enterprise exposure to information security risks (Weiss 2001). In the operations of electric power industry a secure communication of information is essential. A sufficient level of information security is a necessary pre-requisite for the continuance and credibility of operations. The significance of information security has been continuously increasing in the management of organizations and in ensuring their operating ability as well as in maintaining disturbancefree and efficient operations. Thus, enterprise information security has become an increasingly important system quality. Even though enterprise information security is one of the most central areas for enterprise IT management, the area still lacks sufficient support for decision-making on a top-management level. The stakeholder amongst others for the present research is the CIO 2 (or the CISO 3 ) of large enterprises whose needs drive and guide the assessment of enterprise information security (Gottschalk et al. 2000, Kirkland 2002). The global CIO group at Vattenfall recognized the need for an adequate method to estimate the level of information security for the enterprise. Consequently this research project was initiated by Vattenfall. Hence when it comes to the empirical context of this thesis, the forthcoming description is one focused towards the requirements of the electric power industries. Furthermore it is within this particular domain that the present research has been mainly empirically conducted. However, it is the belief of the author that the need for, and requirements on, an adequate assessment method regarding enterprise information security is similar in most industrial domains. RESEARCH PURPOSE The purpose of this research project has been derived from Vattenfalls (along with other large power and energy companies) need of an adequate method for the assessment of enterprise information security. Vattenfalls requirements of a good assessment method on enterprise information security are stated to be; A) easy to understand, B) prescriptive, C) credible, and D) efficient. These four aspects are further discussed below. A) Results should be easy to understand. High-level assessment traditionally produces a document reporting the potential findings. These types of results are difficult to communicate in the organization and benchmarks of different units are 2 3 8 Chief Information Officer Chief Information Security Officer INTRODUCTION AND SUMMARY impractical. The assessment method should rather present a numerical result. Furthermore, the global CIO group at Vattenfall argue that the assessment result would be easier to grasp (and thereby to communicate) if it is presented as a single aggregated value, abstracting the assessment details. In addition, a numerical result would be straightforward to use as a benchmark by enabling comparisons within an organizational unit, between subsidiaries, and in terms of other power electric companies, when directing new improvements. B) Results should be prescriptive. In order to guide the top-level management in decisions about improvement efforts on information security, the results from the method should be concrete and traceable. The method should point out areas of weaknesses and strengths thereby giving directions for improvements. C) The assessment should be credible in two aspects. Firstly, the baseline for the assessment has to be trustworthy, i.e. the theory has to be widely accepted. Credible comparisons of organizational units can be established if the theory of the assessment method is not biased towards any particular source. Secondly, this type of assessment will always have less-than-perfect credibility; but it must be clear to know how uncertain the result is. D) It should be efficient. A detailed assessment of information security at the enterprise top-level can become very expensive, due to the massive amount of information and the resources needed to collect the appropriate evidences. Usually, the resources available for the assessment are limited. The method has to be efficient in terms of resource usage. An efficient assessment method is a prerequisite to enable frequent assessments to take place. Inexpensive assessment (even though it may only be indicative) offers valuable knowledge when performed regularly. RELATED WORKS This work has been inspired by, and is in many senses a continuation of, the previous dissertations of Johnson (2002), and Ekstedt (2004). It spans a wide area of disciplines and consequently this section will only present a brief review of related work. It begins by describing the area of Enterprise Architecture (EA) and continues by highlighting the concept of Information Security followed by a subsection on the notion Enterprise Information Security (EIS). Lastly it relates to previous research on Decision-making and Assessment methods. Enterprise Architecture. Managing a large company’s total information system portfolio is difficult. Since large enterprises of today consist of hundreds of different systems which are being integrated, there is an increasing need for abstracting these software-based systems in order to grasp and manage their evolution. Already 1989, Mary Shaw stated that 9 ASSESSMENT OF ENTERPRISE INFORMATION SECURITY “Larger Scale Systems Require Higher-Level Abstraction” (Shaw 1989). However, that was a call for software architecture, and now it needs to be repeated for the enterprise level of system architecture. The author agrees with Mathias Ekstedt who pointed out that the Enterprise Architecture (EA) to a large extent has been deduced as a response to an ever increasing need for abstracting software systems (Ekstedt 2004). The area of EA has been widely described, discussed and defined in literature and on websites (Zachman 1987, Spewak, Sowa and Zachman 1992, The Clinger-Cohen Act 1996, Boar 1999, Armour et al. 1999a, Armour et al. 1999b, CIO Council 1999, Boster et al. 2000, Armour and Kaisler 2001, Armour et al. 2002, The Open Group 2003, DoDAF 2003, Jonkers et al. 2003, Perks et al. 2003, CIMOSA 2004, EAC 2004, FEAPMO 2004, GEAO 2004, IFEAD 2004, Ronin 2004, ZIFA 2004). Many authors have pointed out the close coupling between software architecture and quality attributes (Boehm et al. 1978, Oskarsson 1982, Barbacci et al. 1995, Shaw et al.1996, Allen 1997, Barbacci et al. 1997, Fenton and Pfleeger 1997, Bass et al. 1998, Kazman 1998, Medvidovic 1999, Emmerich 2000, Garlan 2000, Kazman et al. 2001, Andersson 2002, Johnson 2002, Clements et al. 2002, Ekstedt et al. 2004). Hence, the quality attribute of information security is naturally a part of the EA discipline. This argument is also strengthen by literature that state that the quality and appropriateness of a system cannot be assessed only within the system itself, its overall context must also be taken into consideration (Parnas 1972, Checkland 1981, Davies 1993, Brooks 1995, Kruchten 2000, Linthicum 2000, Maier et al. 2000, Suh 2003 and Solms et al. 2004). In the case of the continuously increasing number of integrated software systems inside companies, this context is comprised of both the business organization and the IT departments (Stevens et al. 1998, Johnson 2002, Ekstedt 2004, Stuart et al. 2004, Johnson and Ekstedt 2005). Information Security. Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability of the information processed in an organization (National Research Council 1991, Barbacci 1995, US Government 2002). Information security as a concept is wide. Pragmatically, enterprise information security is defined 4 by many different types of sources (OECD 1992 and 2002, NIST 1995, Swanson et al. 1996, OMB 1996, Swanson 1998, Gollman 1999, ISO 2000, Liu 2001, Stoneburner 2001, Swanson 2001, Alberts et al. 2001a and 2003, Barman 2002, Peltier 2002, Stoneburner 2002, SEI 2003, Gartner 2003, BSI 2003, EWICS 2003, FIPS 2003, ISF 2003, IT Governance Institute 2004, Caralli 2004, CEM 2004, Heiser 2004, PWC 2004, Ernst & Young 2005, and Ross et al. 2005). Just as there is a problem with the consensus in the choice of word for the elaborated piece of reality, here labelled the enterprise information security, likewise are there many words being used for it. Information Security is most often used these days, but words such as Computer Security, Information Technology Security, Information System Security, and even Cyber Security are also frequently encountered. However, in this thesis I would like to emphasize that it concerns a high-level assessment by denoting the area Enterprise Information Security. 4 10 INTRODUCTION AND SUMMARY Standards can provide an important component in the information security environment but they should not be relied on blindly (Mercury 2003). In striving to define the area of enterprise information security more than a few standards related to Information Security have thus been analyzed. Several of the sources have different views. For instance some are focus on security management (e.g. ISO 1997, ISO 2000, ISF 2003, and BSI 2003), some on general security aspect for the processes (e.g. ITGI 2000 and 2004, and ITIL 2004), and yet others on some specific security aspects (e.g. NIST 1995, ISO 1996, and SEI 2003). Others are not applicable for this high-level assessment, because they focus on physical security, and for specifying security requirements in IT products and systems (e.g. ISO 1998 and 2001, Wood 1990, ITSEC 1991 and CC 2004a-c, and Jones et al. 2005). Enterprise Information Security. In this work four sources have been used as a base for defining the area of enterprise information security, cf. (Johansson 2005a). The ISO/IEC international standard 17799 Information Technology - Code of Practice for Information Security Management (ISO 2000), National Institute of Standards and Technology (NIST) Special Publication 800-26 Security Self-Assessment Guide for Information Technology Systems (Swanson 2001), The Standard of Good Practice for Information Security (SOGP), published by Information Security Forum (ISF 2003), and the Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVE®) approach released by CMU/SEI (Alberts et al. 2001b). In October 2001 they released the OCTAVE Catalog of Practices that have been used in this work (Alberts et al. 2001a). NIST categorizes security technologies according to three primary purposes: support, prevent, and recover (Swanson et al. 1996). Others (King et al. 2001; Bishop 2003) have categorized security technologies slightly differently: prevent, detect, and recover. Others comprise the environmental influence by pointing at the preventive and behavioral attributes of security (Jonsson 1998). Regardless of which categorization is used, NIST encourages security managers to use categories to help evaluate the benefit of a security technology. Until now, security managers have little structured or quantitative guidance on how to actually evaluate and compare technologies based on categories. The present work contributes by providing a comprehensive categorization of the area based on syntactic and semantic analysis (Johansson 2005a). However, finding an objective definition of the discipline Enterprise Information Security (EIS) is not straight forward. Based on the research performed by Johnson and Ekstedt, this work has used Architecture Theory Diagram (ATD) as an approach for defining the area under examination (cf. Johnson 2002, Johnson et al. 2004, and Ekstedt 2004). In present research a new unambiguous and transparent definition of enterprise information security has thus been created based on four sources on the topic (Johansson 2005a). This transparent definition of the area supports in the decision-making process for the CIO (Johnson et al. 2004). Decision-making. Previous research on decision support in EA is sparse. Kazman, et al. (Kazman et al. 2001) used multi-attribute analysis techniques to estimate the costs and benefits of software architectural attributes, such as performance, security, and 11 ASSESSMENT OF ENTERPRISE INFORMATION SECURITY modifiability, so that software engineers could make tradeoffs among information system architectural design decisions. Other security decision-analysis models have been qualitative in nature, such as the countermeasure matrix (Straub et al. 1998) which compares two security risk-mitigation controls by highlighting their strengths and weaknesses relative to deterrence, prevention, detection, and remedies. Already 1996, Kontio (Kontio 1996) first proposed using a well-known decision analysis technique called Analytic Hierarchy Process (Saaty 1990) to help software engineers make systematic decisions when selecting commercial-off-the-shelf (COTS) products. The same technique was used in the research performed by Karlsson, within the field of Requirement Engineering for prioritizing requirements (Karlsson 1996 and 1998). In present research this analysis technique has been successfully applied to help the organizations make systematic prioritizations on the enterprise information security area (Johansson 2005b). Moreover it has been used to perform two different surveys among security experts (Johansson 2005b and 2005d). The tool FocalPoint used for these prioritizations is based on the Analytic Hierarchy Process (FocalPoint 2005). The use of statistical theory typically assumes that all observations are correct; statistical theory cannot help us assess the credibility of individual observation, e.g. answers to interview questions, for instance. For these purposes, this work use heuristics as employed by historian researchers when evaluating the credibility of historical information, and as employed by the judicial system when evaluating the credibility of witnesses and other evidence in a court of law (Edvardsson 1998 and Pfleeger 2005). Based on the research of Edvardsson, in the area of Critical Thinking, the present work has developed a heuristic model to determine the credibility of individual observations (Johansson 2005c). The work also relies on traditional statistical theory; a sample of observations may be employed to estimate a value, e.g. the mean value, of a population. However, statistical theory states that the fewer samples one uses and the more varied the used population is, the lower the credibility of the estimation. Nevertheless it is possible to aggregate the assessment answers into a single value with an estimated confidence level, cf. (Johansson 2005c) and (Blom 1984a and 1984b). Assessment methods. To the author’s knowledge there is no single assessment method available (besides the one proposed herein) that complies with all the high-level requirements earlier stated by Vattenfall. The fact that assessing the qualities of information security in the enterprise setting is both a technical and an organizational undertaking is recognizes by most approaches today (e.g. Alberts et al. 2003, ISF 2003, SEI 2003, DFS 2004, and Veriscan 2005). In available assessment methods a lot of the focus relies on identifying organizational assets that are important for the business by conducting interviews with different stakeholders. But these methods do not attempt to estimate the credibility of the measurement in the way the EISAM does (Johansson 2005c). Many assessment methods use comprehensive checklists based on a standard, e.g. the ISO/IEC 17799 (ISO 2000). Others are mainly related to the security attribute in relation to the 12 INTRODUCTION AND SUMMARY system design (Butler 2003). The checklist-based assessments inevitable give results that depend on the skill of the team of respondents and the facilitator’s ability to prioritize the areas that are most important for the enterprise under examination. Thus, existing metrics in the field of information security, like (Swanson 2001, Swanson et al. 2003, SEI 2003, and DFS 2004), does not easily get aggregated into a credible single value. In the method proposed herein uncertainties of the observations are estimated and taken into account in the result of the assessment (Johansson 2005c). In addition, the objectiveness of the assessments is hard to judge since commercially available methods lack transparency that enables researcher (or customers) to actually review the baseline of their method. Besides, to the author’s knowledge there is no available assessment method that neither takes into account for the limitations of the available resources and optimizes the resources needed for the assessment nor estimates the credibility of the assessment result, e.g. by examining the credibility of the respondents’ answers. Moreover, do they not assure that the most important areas are being assessed neither do they estimate the cost of searching for the information needed. In summary, none of today’s available assessment methods sufficiently satisfy the requirements of Vattenfalls global CIO group, mentioned earlier in the section ”Research Purpose.” CONTRIBUTIONS The section summarizes the contributions of the present work. Since this is a composite thesis the details of the contributions are found in the four included papers, i.e. section A to D (Johansson 2005a, Johansson 2005b, Johansson 2005c, and Johansson 2005d). The major contribution of this thesis is a comprehensive method for assessing the current state of enterprise information security. This method has been developed based on six concepts: Database of Theory, Architecture Theory Diagram, Prioritization of Importance, Statistical Credibility Analysis, Heuristic Credibility Assessment Model, and Information Search Cost Analysis. The relation between the included papers describing these six concepts and the four major characteristics of the presented method are presented in Table 1. 13 ASSESSMENT OF ENTERPRISE INFORMATION SECURITY Table 1. The relation of central concepts to the characteristics of the method Characteristic Easy to understand Prescriptive Credible Database of Theory X X X Architecture Theory Diagram X X Concept Efficient A A Prioritization of Importance Statistical Credibility Analysis Heuristic Credibility Assessment Model Information Search Cost Analysis Described in paper: X B X C X C X D In summary the presented method has the following characteristics: - it presents the final results as a single value that is easy to understand, - it indicates areas where improvement efforts are essential, - it offers a clear and transparent definition of enterprise information security, - it estimates the credibility to facilitate dependable results, - it enables prioritizations towards the most important areas for the enterprise, - it is resourceful by taking the cost of the information search into account. The result is easy to understand because it presents a quantitative estimate that abstract the details of the assessment. The result is easy to grasp and enables comparisons within the organization and in terms of industry in general (Johansson 2005a and Johansson 2005c). The method is prescriptive since it delivers concrete and traceable measurements. This helps guide top-level management in their decisions regarding enterprise-wide information security by highlighting the areas where there is lack of compliance and improvements efforts are essential (Johansson 2005a, Johansson 2005b, Johansson 2005c, and Johansson 2005d). The credibility of the method is established by the comprehensible and transparent definition of enterprise information security. This has been established by using the concept Architecture Theory Diagram (ATD) where several different well-known sources on the area of enterprise information security have been consolidated (Johansson 2005a). 14 INTRODUCTION AND SUMMARY The credibility of the results is established by indicating its uncertainty. The credibility is expressed in terms of confidence levels, estimated by using two concepts Statistical Credibility Analysis and Heuristic Credibility Analysis (Johansson 2005c). The method is efficient since it focuses on important enterprise information security aspects (Johansson 2005b). The efficiency is further optimized by taking into account how difficult it is to find security related evidence (Johansson 2005d). This efficiency of the method enables assessments to take place regularly, which offers valuable knowledge for long-term decision-making. Finally, the usefulness of the presented method, along with its development, has been verified through empirical studies at a leading electric power company in Europe and through statistical surveys carried out among information security experts in Sweden. RESEARCH DESIGN This section covers the methodological aspects that have guided the present work. It covers the particularities of how the present work has been conducted, and the research setting for the overall work is considered. In table 2 different Research Strategies are listed (adapted from Yin 1994) and the strategies used in this work are marked. As pointed out by Yin the choice of research strategy depends mainly on the type of question and to what extent one has control over the event, cf. Table 2 based on (Yin 1994). Table 2. Research Strategies (Yin 1994) Type of research question Control over event Contemporary event Used in this thesis How, why Yes Yes No Survey Who, what, where, how many/much No Yes Yes Archival Who, what, where, how many/much No Yes / No Yes History How, why No No No Case Study How, why No Yes Yes Experimental This thesis mainly makes use of three research strategies. Archival Analysis has been used 15 ASSESSMENT OF ENTERPRISE INFORMATION SECURITY when standards and documents have been used to define the area (Johansson 2005a). Surveys have been used to prioritize the area, e.g. in (Johansson 2005b). Case Studies have been used to estimate the credibility (Johansson 2005c) and to measure and estimate the information search cost (Johansson 2005d). Different types of Data Collection methods are listed in table 3 (Yin 1994). In this particular work five of these six data collection methods have been used. Their use are described briefly below. Documentation has been used to establish the theory from selected standards, cf. (Johansson 2005a). Furthermore, the data collection by documentation has been of great importance in when corroborating and augmenting evidence from other sources during the case studies, cf. (Johansson 2005c and Johansson 2005d). Interviews have been an important source in all the included papers (Johansson 2005a, Johansson 2005b, Johansson 2005c, and Johansson 2005d). The assessments where made by surveys based on focused interviews. In (Johansson 2005c) a large amount of the data collected for estimating the credibility came from open-ended interviews. Finally, the formal survey presented in (Johansson 2005d) was also based on interviews. Direct observations have been a valuable source to verify data from interviews, e.g. verify if fire extinguishers exist in the server room. However, participant observations have also been used in a couple of occasions, e.g. testing the lengths of password etc, which could be used to corroborate data from interviews (Johansson 2005c and Johansson 2005d). 16 INTRODUCTION AND SUMMARY Table 3. Data Collection, strengths and weaknesses for different sources (Yin 1994) Strengths Documentation Stable – can be reviewed repeatedly Unobtrusive – not created as result of the study Exact – contains exact names, references, and details of an event Broad coverage – long span of time, many events, and many settings Weaknesses Retrievability – can be low Used in this thesis Yes Biased selectively, if collection is incomplete Reporting bias – reflects (unknown) bias of author Access – may be deliberately blocked Archival records (same as above for documentation) (same as above for documentation) Precise and quantitative Accessibility due to privacy reasons Interviews Targeted – focused directly on topic of study Bias due to poorly constructed questions Insightful – provides perceived causal inferences Response bias Yes Yes Inaccuracies due to poor recall Reflexivity – interviewee gives what interviewer wants to hear Direct Observations Reality – covers event in real time Contextual – covers context of event Time-consuming Yes Selectively – unless broad coverage Reflexivity – event may proceed differently because it is being observed Cost – hours needed by human observers Participant Observation (same as above for direct observation) Insightful into interpersonal behavior and motives Physical Artifacts Insightful into cultural features Insightful into technical operations (same as above for direct observation) Yes Bias due to investigator’s manipulation of events Selectivity No Availability 17 ASSESSMENT OF ENTERPRISE INFORMATION SECURITY Regarding methods for Research Analysis, this work has mainly applied Statistical Analysis. The statistical analyses have been used to evaluate the different surveys, to calculate the confidence intervals, and to consolidate the theory, cf. (Johansson 2005a, Johansson 2005b, Johansson 2005c, and Johansson 2005d). As a tool for manipulating the data, the software Microsoft Excel has been used extensively. In addition the presented assessment method includes other analysis method, for example the Credibility Analysis and the Information Search Cost Analysis, but they are part of the result of this thesis and thus are not presented as research analysis methods here. For more information about these methods read the papers (Johansson 2005c and Johansson 2005d). CONCLUSIONS The conclusion of this thesis is that it is possible to develop an adequate method for the assessment of enterprise information security. The presented method is called the Enterprise Information Security Assessment Method (EISAM). It is a comprehensive method for assessing the current state of the enterprise information security. The EISAM has the following characteristics: - it presents the final results as a single value that is easy to understand, - it indicates areas where improvement efforts are essential, - it offers a clear and transparent definition of enterprise information security, - it estimates the credibility to facilitate dependable results, - it enables prioritizations towards the most important areas for the enterprise, - it is resourceful by taking the cost of the information search into account. The result is easy to understand because it presents a quantitative estimate. The result is clear and easy to understand since it can be presented as an aggregated single value, abstracting the details of the assessment. The result is easy to grasp and enables comparisons within the organization and in terms of industry in general. The method is prescriptive since it delivers concrete and traceable measurements. This helps guide top-level management in their decisions regarding enterprise-wide information security by highlighting the areas where there is lack of compliance, and where improvements efforts are essential (Johansson 2005a, Johansson 2005b, Johansson 2005c, and Johansson 2005d). 18 INTRODUCTION AND SUMMARY The understandability and the prescriptiveness has essentially been established by using a Database of Theory and the concept of Architecture Theory Diagram together with Prioritization of Importance further described in (Johansson 2005a and Johansson 2005b). The credibility of the method is established by the comprehensible and transparent definition of enterprise information security. This has been established by using the concept Architecture Theory Diagram (ATD) where several different well-known sources on the area of enterprise information security have been consolidated, further described in (Johansson 2005a). The credibility of the results is established by indicating its uncertainty. The credibility is expressed in terms of confidence levels, estimated by using the two concepts Statistical Credibility Analysis and Heuristic Credibility Analysis further described in (Johansson 2005c). The method is efficient since it focuses on important enterprise information security aspects (Johansson 2005b). The efficiency is further optimized by taking into account how difficult it is to find security related evidence. This prediction is based on the concept of Information Search Cost further described in (Johansson 2005d). This efficiency of the method enables assessments to take place regularly, which offers valuable knowledge for long-term decision-making. In this thesis the feasibility of using the EISAM in guiding enterprises in their information security related decisions has been demonstrated. In addition, this thesis has provided a preliminary evaluation of the usefulness of the ATD model on enterprise information security. Real-world case studies have validated the feasibility of using the proposed concepts. The usefulness of the proposed method, along with its development, has been verified through empirical studies at a leading electric power company in Europe and through statistical surveys carried out among information security experts in Sweden. The success of this research should encourage further researchers in using these analysis techniques to guide other enterprise architectural attribute decisions. 19 REFERENCES Alberts, C., A. Dorofee, and J. Allen (2001a), OCTAVE Catalog of Practices, Version 2.0, Technical Report CMU/SEI-2001-TR-020 Carnegie Mellon University Software Engineering Institute, October 2001. Alberts, C. and A. Dorofee (2001b), OCTAVE Criteria, Version 2.0, Technical Report CMU/SEI-2001-TR-016, Carnegie Mellon University Software Engineering Institute, December 2001. Alberts, C. and A. Dorofee (2003) Managing Information Security Risks: The OCTAVE Approach. New York: Addison-Wesley, 2003. Allen, R. (1997), A Formal Approach to Software Architecture, Ph.D. Thesis, Carnegie Mellon University, 1997. Andersson, J. (2002), Enterprise Information Systems Management: An Engineering Perspective on the Aspects of Time and Modifiability, Ph.D. Thesis, Royal Institute of Technology (KTH), 2002. Armour, F. and S. Kaisler (2001), “Enterprise Architecture: Agile Transition and Implementation,” IEEE IT Professional Vol. 3, No. 6, 2001. Armour, F., S. Kaisler, and J. Getter (2002), “A UML-driven Enterprise Architecture Case Study,” Proceedings of the 36th Hawaii International Conference on System Sciences, 2002. Armour, F., S. Kaisler, and S. Liu (1999a), “A Big-Picture Look at Enterprise Architecture”, IEEE IT Professional Vol. 1, No 1, 1999. Armour, F., S. Kaisler, and S. Liu (1999b), “Building an Enterprise Architecture Step by Step”, IEEE IT Professional Vol. 1, No 4, 1999. Barbacci, M., M. Klein, and C. Weinstock (1997), Principles for Evaluating the Quality Attributes of a Software Architecture, Technical Report CMU/SEI-96-TR-036, Carnegie Mellon University Software Engineering Institute, 1997. Barbacci, M., M. Klein, T. Longstaff, and C. Weinstock (1995), Quality Attributes, Technical Report CMU/SEI-95-TR-021, Carnegie Mellon University Software Engineering Institute, 1995. Barman S. (2002), Writing Information Security Policies, New Riders Publishing, 2002. Bass, L., P. Clements, and R. Kazman (1998), Software Architecture in Practice, AddisonWesley, 1998. Bishop, M. (2003), Computer Security: Art and Science, Addison Wesley, 2003. Blom, Gunnar (1984a), Sannolikhetsteori med tillämpningar (A), Studentlitteratur, 1984. Blom, Gunnar (1984b), Statistikteori med tillämpningar (B), Studentlitteratur, 1984. Boar, B. (1999), Constructing Blueprints for Enterprise IT Architectures, John Wiley & Sons, 1999. Boehm, B.W., et al. (1978), Characteristics of software quality, North Holland, 1978. Boster, M., S. Liu, and R. Thomas (2000), “Getting the Most from Your Enterprise Architecture,” IEEE IT Professional Vol. 2, No. 4, 2000. 21 ASSESSMENT OF ENTERPRISE INFORMATION SECURITY Brooks, F. (1975), The Mythical Man-Month, Anniversary Edition: Essays on Software Engineering, Addison-Wesley, 1st ed. 1975, 1995. BSI (2003) - Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security), IT Baseline Protection Manual, 2003, website http://www.bsi.bund.de/ accessed April 10, 2004. Butler S.A. (2003), Security Attribute Evaluation Method, Ph.D Thesis, Carnegie Mellon University, Pittsburgh, USA, May 2003. Caralli R.A. (2004), The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management, Technical Report CMU/SEI-2004-TR-010, Carnegie Mellon University Software Engineering Institute, 2004 CC (2004a), Common Criteria for Information Technology Security Evaluation, “Part 1: Introduction and general model,” Version 2.2, CCIMB-2004-01-001, January 2004, available at http://niap.nist.gov/cc-scheme/cc_docs/cc_v22_part1.pdf last accessed 4 September 2005. CC (2004b), Common Criteria for Information Technology Security Evaluation, “Part 2: Security functional requirements,” Version 2.2, CCIMB-2004-01-002, January 2004, available at http://niap.nist.gov/cc-scheme/cc_docs/cc_v22_part2.pdf last accessed 4 September 2005. CC (2004c), Common Criteria for Information Technology Security Evaluation, “Part 3: Security assurance requirements,” Version 2.2, CCIMB-2004-01-003, January 2004, available at http://niap.nist.gov/cc-scheme/cc_docs/cc_v22_part3.pdf last accessed 4 September 2005. CEM (2004), Common Methodology for Information Technology Security Evaluation, “Evaluation Methodology” Version 2.2, CCIMB-2004-01-004, January 2004, available at http://niap.nist.gov/cc-scheme/cc_docs/cem_v12.pdf last accessed 4 September 2005. Checkland, P. (1981), Systems Thinking, Systems Practice, John Wiley & Sons, 1981. CIMOSA, The CIMOSA Association (2004), http://www.cimosa.de , accessed September 7, 2004. CIO Council (1999), The Federal Enterprise Architecture Framework, Version 1.1, The Chief Information Officer Council, 1999, available at http://www.cio.gov/archive/fedarch1.pdf last accessed September 4 2005. Clinger-Cohen Act (1996), National Defense Authorization Act for Fiscal Year 1996, Division E, Public Law 104–106, February 10, 1996, http://www.osec.doc.gov/cio/oipr/itmra.pdf last accessed September 4, 2005. Davies, A. (1993), Software Requirements: Objects, Functions, and States, Prentice Hall, 1993. DFS (2004), Swedish Information Processing Society (Dataföreningen i Sverige, DFS), SBA Check, http://www.dfs.se/products/sbaeng/check last accessed May 2004. DoDAF (2003), DoD Architecture Framework Version 1.0, DoD Architecture Framework Working Group, US Department of Defense, 2003. EAC (2004), Enterprise Architecture Community, http://www.eacommunity.com , last accessed April 10 2004. 22 REFERENCES Edvardsson B. (1998), “The Need for Critical Thinking in Evaluation of Information”, Proceedings of the 18th International Conference on Critical Thinking, Rohnert Park, USA, August 14, 1998. Ekstedt M. (2004), Enterprise Architecture for IT Management - A CIO Decision Making Perspective On Electric Power Industry, Ph.D. Thesis, Royal Institute of Technology (KTH), Stockholm, 2004. Ekstedt M., P. Johnson, Å. Lindström, M. Gammelgård, E. Johansson, L. Plazaola, and E. Silva (2004), “Consistent Enterprise Software System Architecture for the CIO – A utilityCost Approach”, Proceedings of the 37th annual Hawaii International Conference on System Sciences (HICSS), Big Island, Hawaii, USA, 2004. Emmerich W. (2000), “Software engineering for middleware: a roadmap”, International Conference on Software Engineering, Proceedings of the Conference on The Future of Software Engineering, Limerick, Ireland, June 04-11, 2000. Ernst & Young (2004), Global Information Security Survey 2004, at http://www.ey.com, accessed September 2005. EWICS (2003), Information Operations – Target, Means and Weapon, Version 1.0, European Workshop on Industrial Computer Systems TC7 Security subgroup, 2003, available at http://www.ewics.org, last accessed 2005. FEAPMO (2004), Federal Enterprise Architecture Program Management Office website, http://www.feapmo.gov, accessed April 1, 2004. FIPS (2003), Federal Information Processing Standards Publications, Standards for Security Categorization of Federal Information and Information Systems, FIPS PUB 199, December 2003. Fenton, N. and S. Pfleeger (1997), Software Metrics: A Rigorous and Practical Approach, 2nd ed., PWS Publishing, 1997. FocalPoint (2005), Linköping, Sweden, website http://www.focalpoint.se, last accessed 10 February 2005. Garlan D. (2000), “Software Architecture: a Roadmap,” In A. Finkelstein (ed.), The Future of Software Engineering: 22nd International Conference on Software Engineering, 2000. Gartner (2003), Information Security – Establishing a Strong Defense in Cyberspace, Gartner Inc., 2003, available at http://www.gartner.com/5_about/news/sec_sample.pdf, accessed aug 2005. GEAO (2004), Global Enterprise Architecture Organization web site, http://www.geao.org, accessed April 1, 2004 Gollman, D. (1999), Computer Security, Wiley, 1999. Gottschalk, P., and N. Taylor (2000), “Strategic Management of IS/IT Functions: The Role of the CIO,” Proceedings of the 33rd Hawaii International Conference on System Sciences, 2000. Heiser et al. (2004), Enterprise Security Architecture Using IBM Tivoli Security Solutions, website http://www.redbooks.ibm.com/redbooks.nsf/redbooks ; last accessed October 2004. IFEAD (2004), Institute for Enterprise Architecture Developments, website, http://www.enterprise-architecture.info, accessed April 10, 2004. 23 ASSESSMENT OF ENTERPRISE INFORMATION SECURITY ISF (2003) Information Security Forum, The Standard of Good Practice for Information Security, 2003, available at http://www.isfsecuritystandard.com, last accessed 16 May 2004. ISO (1996), ISO/IEC TR 13335-1:1996 Information technology. Guidelines for the management of IT security. Concepts and models for IT Security, 1996. ISO (1997), ISO/IEC TR 13335-2:1997 Information technology. Guidelines for the management of IT security. Managing and planning IT Security, 1997 ISO (1998), ISO/IEC TR 13335-3:1998 Information technology. Guidelines for the management of IT security. Techniques for the management of IT security, 1998. ISO (2000), ISO/IEC International Standard 17799:2000 Information Technology - Security techniques - Code of Practice for Information Security Management, 2000. ISO (2001), ISO/IEC TR 13335-5:2001Information technology. Guidelines for the management of IT security. Management guidance of network security, 2001 ISO (2004), ISO/IEC International Standard 21827 Systems Security Engineering Capability Maturity Model, at http://www.sse-cmm.org accessed 2004. ITGI (2000), IT Governance Institute, Control Objectives for Information and related Technology (COBIT), 3rd. Edition, 2000. ITGI (2004), IT Governance Institute, COBIT Security Baseline - An Information Security Survival Kit, 2004. ITIL (2004), The IT Infrastructure Library (ITIL), at http://www.itil-itsm-world.com/ last accessed 2004. ITSEC (1991) Information Technology Security Evaluation Criteria (ITSEC), Provisional Harmonised Criteria, Office for Official Publications of the European Communities, Luxembourg, 1991. Johansson E. and P. Johnson (2005a), “Assessment of EIS - An ATD Definition”, Proceedings of the 3rd Annual Conference on Systems Engineering Research (CSER), New York, March 23-25, 2005. Johansson E. and P. Johnson (2005b), “Assessment of Enterprise Information Security – The Importance of Prioritization”, Proceedings of the 9th IEEE International Annual Enterprise Distributed Object Computing Conference (EDOC), Enschede, The Netherlands, September 1923, 2005. Johansson E. and P. Johnson (2005c), “Assessment of Enterprise Information Security – Estimating the Credibility of the Results”, Proceeding of the Symposium on Requirements Engineering for Information Security (SREIS) in the 13th International IEEE Requirements Engineering Conference, Paris, France, August 29th to September 2nd, 2005. Johansson E., M. Ekstedt, and P. Johnson (2005d), “Assessment of Enterprise Information Security – The Importance of Information Search Cost”, to appear in the proceedings of 39th Hawaii International Conference on System Sciences (HICSS), Kauai, Hawaii, January 4-7, 2006. Johansson E., P. Sandberg, and L. Pettersson (2005e), “The Enterprise Information Security Assessment Method - an approach for credible and efficient assessments applied in an European Energy Company”, to appear in the proceedings of 29th European Safety, Reliability & Data Association (ESReDA) Seminar on Systems Analysis for a More Secure World, European Commission Joint Research Centre (JRC), IPSC, Ispra, Italy, October 25-26, 2005. 24 REFERENCES Johnson, P. (2002), Enterprise Software System Integration – An Architectural Perspective, Ph.D. Thesis, Royal Institute of Technology (KTH), Stockholm, 2002. Johnson, P. and M. Ekstedt (2005), The Grand Unified Theory of Software Engineering, Preprint, ISBN 91-974620-1-2, KTH – Royal Institute of Technology, Stockholm, 2005. Johnson, P., M. Ekstedt, E. Silva, and L. Plazaola (2004), “Using Enterprise Architecture for CIO Decision-Making: On the importance of theory”, Proceedings of the 2nd Annual Conference on Systems Engineering Research (CSER), April 15-16, 2004. Jones A. and D. Ashenden (2005), Risk management for computer security: protecting your network and information assets, Elsevier Butterworth-Heinemann, 2005. Jonkers, H. et al. (2003), “Towards a Language for Coherent Enterprise Architecture Descriptions,” Proceedings of the 7th IEEE International Enterprise Distributed Object Computing Conference (EDOC’03), 2003. Jonsson E. (1998), “An Integrated Framework for Security and Dependability”, Proceedings of the 1998 workshop on New security paradigms, Virginia, United States, pp. 22-29, 1998. Karlsson J. (1996), “Software Requirements Prioritizing”, Proceedings of the 2nd IEEE International Conference on Requirements Engineering, pp. 110–116, 1996. Karlsson J., et al. (1998), “An evaluation of methods for prioritizing software requirements”, Information and Software Technology 39, pp. 939–947, 1998. Kazman R., G. Abowd, L. Bass, P. Clements (1996), "Scenario-Based Analysis of Software Architecture", IEEE Software November 1996. Kazman R., M. Klein, M. Barbacci, T. Longstaff, H. Lipson, and J. Carriere (1998), “The Architecture Tradeoff Analysis Method”, Proceedings of 4th IEEE International Conference on Engineering Complex Computer Systems (ICECCS '98), Monterey, USA, 1998. Kazman R., J. Asundi, and M. Klein (2001), “Quantifying the Costs and Benefits of Architectural Decisions”, Proceedings of the 23rd International Conference on Software Engineering (ICSE 23), Toronto, Canada, 2001. Kazman R., M. Klein and P. Clements (2000), ATAM: Method for Architecture Evaluation, Technical Report CMU/SEI-2000-TR-004 Carnegie Mellon University Software Engineering Institute, 2000. King, C., C. Dalton, and E. Osmanoglu (2001), Security Architecture: Design, Deployment & Operations, McGraw-Hill RSA Press, 2001. King, G., R. Keohane, and S. Verba (1994), Designing Social Inquiry: Scientific Inference in Qualitative Research, Princeton University Press, 1994. Kirkland, N. (2002), “CIO Agenda for Productivity and Growth”, Gartner Symposium ITxpo, Cannes, France, 4-7 November, 2002. Kontio, J. (1996), “A Case Study in Applying a Systematic Method for COTS Selection”, Proceedings of 18th International Conference on Software Engineering, IEEE Computer Society Press, 1996. Kruchten, P. (2000), The Rational Unified Process: An Introduction, 2nd ed. Addison-Wesley, 2000. Linthicum, D. (2000), Enterprise Application Integration, Addison Wesley, 2000. 25 ASSESSMENT OF ENTERPRISE INFORMATION SECURITY Liu S. (2001), “A Practical Approach to Enterprise IT Security”, IT Pro September-October, pp 35-42, 2001. Maier, M. and E. Rechtin (2000), The Art of Systems Architecting, 2nd ed., CRC Press, 2000. Medvidovic, N. David S. Rosenblum, and Richard N. Taylor (1999), “A Language and Environment for Architecture-Based Software Development and Evolution”, Proceedings of the 21th International Conference on Software Engineering (ICSE), Los Angeles, USA, 1999. Mercuri, R. (2003), “Standards Insecurity”, Communications of the ACM, Vol. 46, No 12, 2003. National Research Council (1991), Computers at Risk: Safe Computing in the Information Age, System Security Study Committee, Commission on Physical Sciences, Mathematics, and Applications, National Research Council, Washington DC, National Academy Press, 1991, also available at http://www.nap.edu/catalog/1581.html . NIST (1995), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995. OECD (1992), Organization for Economic Co-operation and Development, Guidelines for the Security of Information Systems, OECD Recommendation, Paris, 1992. OECD (2002), Organization for Economic Co-operation and Development, Guidelines for the Security of Information Systems and Networks: Towards a culture of security, OECD Recommendation, Paris, 2002. OMB Circular No. A-130 (1996), “Management of Federal Information Resources”, 1996. Oskarsson, Ö. (1982), Mechanisms of Modifiability in Large Software Systems, Ph. D. Thesis, Linköping University, Sweden, 1982. Parnas, D. (1972), “On the Criteria To Be Used in Decomposing Systems into Modules,” Communications of the ACM, Vol. 15, No. 12, 1972. Peltier T. (2002), Information Security, Policies, Procedures, and Standards, Auerbach Publications, 2002. Perks C. and T. Beveridge (2003), Guide to Enterprise IT Architecture, Springer Verlag, 2003 Pfleeger S.L. (2005), “Soup or Art? The Role of Evidential Force in Empirical Software Engineering”, IEEE Software Volume 22, Issue 1, p 66 – 73, Jan-Feb 2005. PWC (2004), PriceWaterhouseCoopers “The State of Information Security, 2003“ http://www.pwc.com, accessed 2004. Ronin (2004), Ronin International Inc. Enterprise Unified Process website, http://www.enterpriseunifiedprocess.info, accessed April 1, 2004. Ross R. et al. (2005), Information Security, National Institute of Standards and Technology Special Publication 800-53, US Government printing office, Washington D.C., February 2005. Saaty T.L. (1980), The Analytic Hierarchy Process, McGraw-Hill, New York, USA, 1980. SEI (2003), Software Engineering Institute, Systems Security Engineering Capability Maturity Model® SSE-CMM Model Description Document, Version 3.0. June 15, 2003. 26 REFERENCES Shaw, M. (1989), “Larger Scale Systems Require Higher-Level Abstractions,” Proceedings of the 5th international workshop on Software specification and design, 1989. Shaw, M. and D. Garlan (1996), Software Architecture: Perspectives on an Emerging Discipline, Prentice Hall, 1996. Solms B., et al. (2004), “The 10 deadly sins of information security management”, Computers & Security, 23:371–376, 2004. Sowa, J. and J Zachman (1992), “Extending and Formalizing the Framework for Information Systems Architecture,” IBM Systems Journal, Vol. 31, No 3, 1992. Spewak, S. (1992), Enterprise Architecture Planning: Developing a Blueprint for Data, Applications and Technology, John Wiley & Sons, 1992. Stevens, R., P. Brook, K. Jackson, and S. Arnold (1998), Systems Engineering: Cooping with Complexity, Prentice Hall, 1998. Stoneburner, G. (2001), Underlying Technical Models for Information Technology Security, National Institute of Standards and Technology Special Publication 800-33, US Government printing office, Washington D.C., USA, 2001 Stoneburner, G., et al. (2002), Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology Special Publication 800-30, US Government printing office, Washington D.C., 2002. Straub, D.W., and R.J. Welke (1998), “Coping with Systems Risk: Security Planning Models for Management Decision Making,” Management Information System Quarterly (MISQ) Volume 22, Number 4, 1998. Stuart A. and H.W. Lawson (2004), “Viewing systems from a business management perspective: The ISO/IEC 15288 standard”, The Journal Systems Engineering , Volume 7, Issue 3, pp 229-242, 2004. Suh B., and Ingoo Han (2003), “The IS risk analysis based on a business model”, Information & Management, 41(2):149–158, Elsevier Science Publishers, Amsterdam, The Netherlands, 2003. Swanson M. and Barbara Guttman (1996), Generally Accepted Principles and Practices for Securing Information Technology Systems, National Institute of Standards and Technology Special Publication 800-14, US Government printing office, Washington D.C., September 1996. Swanson M. (1998), Guide for Developing Security Plans for Information Technology Systems, National Institute of Standards and Technology Special Publication 800-18, US Government printing office, Washington D.C., December 1998. Swanson M. (2001), Security Self-Assessment Guide for Information Technology systems, National Institute of Standards and Technology Special Publication 800-26, US Government printing office, Washington D.C., November 2001. Swanson M. et al. (2003), Security Metrics for Information Technology Systems, National Institute of Standards and Technology Special Publication 800-55, US Government printing office, Washington D.C., July 2003. TOG (2003), The Open Group, The Open Group Architectural Framework (TOGAF) Version 8.1, published in December 2003, http://www.opengroup.org/architecture/togaf8/index8.htm ; accessed 2004. 27 ASSESSMENT OF ENTERPRISE INFORMATION SECURITY US Government (2002), Federal Information Security Management Act of 2002 (Title III of E-Gov), H.R. 2458-48, SEC. 301, Information Security, http://csrc.nist.gov/policies/FISMAfinal.pdf . Vattenfall AB (2005), website: http://www.vattenfall.com, accessed August 1, 2005 Veriscan (2005), Veriscan Rating®, http://www.veriscan.se, accessed June 16, 2005. Weiss, J. (2001), “Electronic security technology roadmap [for electric utilities]”, Power Engineering Society Winter Meeting, 2001, IEEE Volume 1, 2001. Wood J. (1990), “European Harmonised IT Security Evaluation Criteria”, Proceedings of the 6th International Conference on the Application of Standards for Open Systems, USA, 1990. Yin, R.K. (1996), Case Study Research: Design and Methods, 2nd ed., Sage Publications, 1996. Zachman, J. (1987), “A Framework for Information Systems Architecture,” IBM Systems Journal, Vol. 26, No 3, 1987. ZIFA (2004), The Zachman Institute for Framework Advancement website, website: http://www.zifa.com, accessed April 1, 2004. 28