APPLYING MANAGEMENT THEORY PRINCIPLES IN THE MANAGEMENT OF COMPUTER INFORMATION AND SECURITY

By

MAKURA SHEUNESU MAKURA 13090012

A mini-project submitted in partial fulfillment of requirements for the degree BACHELOR OF SCIENCE IN COMPUTER SCIENCE (HONOURS) in the FACULTY OF ENGINEERING, BUILT ENVIRONMENT AND INFORMATION TECHNOLOGY UNIVERSITY OF PRETORIA November, 2013 Supervisor: Professor Martin Olivier

Abstract

This paper attempts to interrogate Michael Whitman's text (Management of Information Security) with a view to establishing whether it adopted the management principles espoused by Henri Fayol, Taylor and Mintzberg. The intention is to see the extent to which the book was influenced, particularly by Fayol's management principles. A correlation approach was adopted in attempting to demonstrate whether a link exists between Fayol's five management elements and key chapters of the book (information security, risk management and contingency planning). Our findings seem to suggest that the book is to a large extent influenced by Henri Fayol's management ideas.


Table of Contents

Abstract
Table of Contents
1. SECTION ONE
1.1 Introduction
2. SECTION TWO
2.1 Contributors to Management
2.1.1 Henri Fayol
2.1.2 Frederick Winslow Taylor
2.1.3 Frank and Lilian Gilbreth
2.1.4 Peter Drucker
2.1.5 Douglas McGregor
2.1.6 The Japanese management
2.1.7 Henry Mintzberg
2.1.8 Henry Gantt
3. SECTION THREE
3.0 Brief overview of the management of information security textbook
4. SECTION FOUR
4.0 Analysis and Interpretation
4.0.1 Chapter 1: Introduction to the Management of Information Security
4.0.2 Chapter 2: Planning for Security
4.0.3 Chapter 3: Planning for Contingencies
4.0.4 Chapter 4: Information Security Policy
4.0.5 Chapter 5: Developing the Security Program
4.0.6 Chapter 6: Security Management Models
4.0.7 Chapter 7: Security Management Practices
4.0.8 Chapter 8: Risk Management: Identifying and Assessing Risk
4.0.9 Chapter 9: Risk Management: Controlling Risk
4.0.10 Chapter 10: Protection Mechanisms
4.0.11 Chapter 11: Personnel and Security
4.0.12 Chapter 12: Law and Ethics
5. CONCLUSION
REFERENCES


1. SECTION ONE

1.1 Introduction

To kick-start the investigation, there is a need to understand what the term 'management theory' means. A theory is defined collectively as a well-constructed explanation with concepts, expectations of outcomes and also a frame of principles that seek to explain a certain phenomenon [1]. Theories are used as 'tools' to help in understanding and explaining a specific subject. Henri Fayol outlined what management entails as follows: "to manage is to forecast and plan, to organise, to command, to co-ordinate and to control" [1]. In the context of this research, our notion of management follows Henri Fayol's work on management. Henri Fayol was a French mining engineer and theorist and was responsible for the development of Fayolism [1]. There were other theorists who also had a significant impact on scientific management, notably Frederick Winslow Taylor, Henry Gantt, and Frank and Lilian Gilbreth [1]. Taylor is considered to be the "Father" of scientific management, as his ideas are still in use today. These theorists made many contributions to the scientific management field. Gantt and the Gilbreths all followed Taylor's ideas. Henry Gantt was responsible for the introduction of a payment system which calculated the performance of an individual per day [1]. Other theorists of management include Henry Mintzberg, Peter Drucker, Urwick and Brench. A detailed study of their work is given in the following section. It is important for us to know of the contributions of the above-mentioned people so as to appreciate and understand management, its past, present and future. Management is said by [1] to consist of the following elements: planning, organising, resourcing, leading and lastly controlling. As such, management requires planning in order to operate correctly.
Management is used in various fields including, but not limited to, science, business, tourism and sport. Management theories, as outlined before, consist of methodologies used in management, and these methodologies have been developed by the theorists mentioned above. Management theory consists of several categories, visually described in Figure 1 below [1].

[Figure 1: categories of management theory. Labels in the diagram: Management Theory; Classical; Scientific Management; Administrative; Contingency Theory; Systems Theory; Human relations theorists; Social Psychological; Organisational Behaviour; Strategic Perspective; Positioning Perspective; Resource Based View.]

Figure 1 Source: Management theory and practice, 7th edition, Cole and Kelly: page 6

The diagram above shows that there are several categories of management theories. Taylor's theory or 'Taylorism' falls under scientific management, as do the theories of other theorists like Gantt and Gilbreth. Early theorists like Taylor and Fayol are in the classical category of management.


2. SECTION TWO

2.1 Contributors to Management

In this section the works of Henri Fayol, Frederick Taylor, Henry Gantt, Lilian Gilbreth, Peter Drucker, the Japanese management school, Mintzberg and other theorists who made significant contributions to management will be discussed.

2.1.1 Henri Fayol

This section outlines a detailed analysis of Fayol's contribution to management theory. Fayol developed a set of theories called "Fayolism" wherein he outlined fourteen (14) principles of organisational management. These principles are, namely: division of work, authority, discipline, unity of command, unity of direction, subordination of individual interests to general interests, remuneration, centralisation, scalar chain, order, equity, stability of tenure of personnel, initiative and team spirit [1]. Fayol further outlined elements of management which are based on his definition of management. These five elements are planning, organising, commanding, coordinating and controlling [1]. These elements form the basic process of management.

2.1.1.1 Fayol's elements of management

The five elements which Fayol used in his definition of management will now be explained in more detail. Recall that these elements are: (1) Planning, (2) Organising, (3) Command, (4) Co-ordination, (5) Control. The elements are described in detail below.

(a) Planning: In this element of management, Fayol argued that an organisational manager must have a plan of action. This is where decisions on what must be done in a specific time are made. 'What must be done' includes the strategies put in place and the implementation of the envisaged methodologies.

(b) Organising: According to Fayol, this aspect involves the creation of an organisational structure. Such a structure can be modelled by the managers, whereby they provide the materials, the work-force and the tools needed to implement the plan of action successfully.
(c) Command: This is where managers need to understand individuals in terms of their strengths and weaknesses. This is necessary so as to know how to implement plans of action.

(d) Co-ordination: In this element of management, Fayol outlines that managers have to co-ordinate activities to be done by individuals or teams of the organisation. This is necessary so that the plan of action can be implemented successfully and efficiently. Fayol sees communication as key for co-ordination among individuals and managers.

(e) Control: In this element of management, Fayol outlines that all the preceding elements will have been properly laid out and followed.

2.1.1.2 Fayol's principles of management

Henri Fayol, in his 1916 book, outlined fourteen principles of management. He argued that the list was not exhaustive but rather "capable of adaptation" [1]. The table below is an extract of the 14 principles of management by Fayol:

1. Division of work: Reduces the span of attention or effort for any one person or group. Develops practice and familiarity.

2. Authority: The right to give orders. Should not be considered without reference to responsibility.

3. Discipline: Outward marks of respect in accordance with formal or informal agreements between the firm and its employees.

4. Unity of command: One man, one superior!

5. Unity of direction: One head and one plan for a group of activities with the same objective.

6. Subordination of individual interests to the general interest: The interest of one individual or one group should not prevail over the general good. This is a difficult area of management.

7. Remuneration: Pay should be fair to both employee and firm.

8. Centralisation: Is always present to a greater extent, depending on the size of the company and the quality of its managers.

9. Scalar chain: The line of authority from top to bottom of the organisation.

10. Order: A place for everything and everything in its place; the right man in the right place.

11. Equity: A combination of kindness and justice towards employees.

12. Stability of tenure of personnel: Employees need to be given time to settle into their jobs, even though this may be a lengthy period in the case of managers.

13. Initiative: Within the limits of authority and discipline, all levels of staff should be encouraged to show initiative.

14. Esprit de corps: Harmony is a great strength to an organisation; teamwork should be encouraged.

Source: Management theory and practice, 7th edition by Cole and Kelly: page 25

Many theorists have used Fayol's principles, examples being Taylor, Urwick and Brench [1].

2.1.2 Frederick Winslow Taylor

Apart from Fayol, Frederick Winslow Taylor also played a significant role in shaping scientific management. He is regarded as one of the pioneers of scientific management, and his approach to management became known as "Taylorism" [1]. His main ideas are outlined in a 1911 paper entitled "Principles of Scientific Management" [1]. Initially, whilst working in a company, he noticed and commented on several processes between workers and management. He opined that organisations had no clear notions of work, working standards were not being implemented, and workers were not given adequate salaries to improve performance. Moreover, managerial decisions lacked proper planning and were conceptual, workers were given tasks that they were unable to do in the specified time, and management failed to realise that, to improve operations, it was necessary to give incentives not only to management but also to the workers themselves [4].

2.1.2.0 Taylor's principles of management

Taylor postulated that scientific management needed to change operations on both the management side and the labourers' side [1]. He developed a series of steps to achieve this, namely: "(i) develop a science for each operation and replace opinion and rule of thumb (ii) determine accurately from the science the correct time and method for each job (iii) set up a suitable organisation to take responsibility from the workers except that of actual job performance (iv) select and train workers (v) accept that management itself be governed by the science developed for each operation and surrender arbitrary power over workers, that is cooperate them" [1]. Taylor proposed a sequence of tests and experiments that led to the development of what he called the "shop system" [4]. In this system, Taylor's objective was to find out the time taken by either a machine or a labourer to finish a given task using known materials and under monitored conditions. Making use of a stop-watch to monitor performance, Taylor went on to develop standards for both labourer and machine performance [4]. Taylor further developed aspects such as "instruction cards, order of work cards, routing sequences, material specifications, inventory control systems, and material handling standards", all to assist in performance management [4]. He further suggested that skilled and learned supervisors would be responsible for monitoring the phases of each operation. Taylor wrote many papers in which he described the proposed systems. One of his papers, titled "Shop Management", laid emphasis on management theory. In the paper Taylor outlined five key objectives for achieving organisational efficiency. He argued that:

"1. The objective of good management was to pay high wages and have low unit production costs;
2. To achieve this objective, management had to apply scientific methods of research and experiment to its overall problem in order to formulate principles and standard processes which would allow for control of the manufacturing operations;
3. Employees had to be scientifically placed on jobs where materials and working conditions were scientifically selected so that standards could be met;
4. Employees should be scientifically and precisely trained to improve their skill in so performing a job that the standard of output could be met; and
5. An air of close and friendly cooperation would have to be cultivated between management and workers in order to insure the continuance of this psychological environment that would make possible application of the other principles he had mentioned" [4].

Taylor's ideas were scientific and addressed many of the problems found in organisational management today. It can be deduced that his principles of management sought to increase production output by increasing the performance of both labourers and machines. Taylor wanted skills to be improved first through the setting of standards; this would then lead to an increase in performance. Other theorists adopted Taylor's ideas, of particular mention being Frank and Lilian Gilbreth. Their ideas are discussed below.

2.1.3 Frank and Lilian Gilbreth

Frank and Lilian Gilbreth were followers of Taylor's work and made significant contributions to scientific management. The Gilbreths studied bricklaying in scientific management, examining the movements used by bricklayers during the laying of bricks [1]. The Gilbreths noticed that the people in charge of monitoring how the bricks were being laid were making use of three different sets of instructions, namely: 1. To instruct a worker where bricks were to be laid; 2. To lay bricks using the slow-paced method; 3. To lay bricks using the fast-paced method [4]. Their studies revealed a reduction in the number of movements required in bricklaying as a result of redesigning how bricklaying was done [1]. The Gilbreths also contributed to the study of motion sequences, being the pioneers of motion picture use in the analysis and examination of motion sequences [4]. They also devised and modelled techniques which are still used today in management. They also developed the white list card system, which was used to write instructions for a specific task so as to avoid mistakes and misunderstandings [4].

2.1.4 Peter Drucker

Peter Drucker was an Austrian management expert who made significant contributions to management theory. His ideas are outlined in the book "The Practice of Management". In the book, Drucker listed seven tasks of management, whereby management objectives were regarded as the first task for any organisation [3]. In post-war management, Drucker identifies the following seven key elements: "(1) Scientific management of work as the key to productivity; (2) Decentralization as a basic principle of organization; (3) Personnel management as the orderly way of fitting people into organization structures; (4) Manager development to provide for the needs of tomorrow; (5) Managerial accounting—use of analysis and information as the foundation for firm decision-making; (6) Marketing; (7) Long-range planning" [3]. Drucker also stated the importance of planning, where he argued that "while planning cannot completely eliminate the risks of long term decisions, it can help identify potential opportunities and threats and at least minimise risks" [5]. Hence planning is perceived as important in risk management for organisations, since proper planning mitigates risks. To Drucker, management had a critical role to play in any organisation, arguing "The manager is the dynamic, life-giving element in every business.... In a competitive economy, above all, the quality and performance of the managers determine the success of a business; indeed they determine its survival." [6] As such, managers have an important role to play within an organisation. The manager must lead the organisation and employ the skills necessary to improve performance.


2.1.5 Douglas McGregor

Douglas McGregor was an American management specialist famous for his management behaviour theories dubbed Theory X and Theory Y [1]. McGregor proposed two sets of assumptions which managers of organisations held regarding their workers. These were that (i) workers are lazy and always flee from the responsibilities assigned to them, requiring strict monitoring (Theory X); (ii) workers are hardworking, do not need strict monitoring, and are very committed and responsible (Theory Y) [1]. These two assumptions have been widely used in management theory and are favoured as they seek to make management styles effective. McGregor's theories have changed the opinions of many business leaders, who are now incorporating the theories in leadership, in particular Theory Y [7].

2.1.6 The Japanese Management School

Japanese management is based upon the work of William Ouchi through his famous "Theory Z" [8]. Theory Z argues that "involved workers are the key to increased productivity" [8]. Theory Z focuses on two key concepts, namely (i) the trust relationship amongst employees and management and (ii) "the awareness of subtlety by management" [8]. If there is a trust relationship between management and workers, company regulations are followed and given tasks are done, thereby increasing productivity.

2.1.7 Henry Mintzberg

Henry Mintzberg is a Canadian management professional who made significant contributions to management. Mintzberg modelled ten management roles which he said can be implemented in management, described in his famous book "Mintzberg on Management: Inside Our Strange World of Organisations" [9]. The ten roles are, namely, "1. Figurehead 2. Leader 3. Liaison 4. Monitor 5. Disseminator 6. Spokesperson 7. Entrepreneur 8. Disturbance Handler 9. Resource Allocator 10. Negotiator" [9].
These ten roles are further subdivided into three classes, namely (i) the interpersonal class, consisting of the figurehead, leader and liaison roles; (ii) the informational class, consisting of the monitor, disseminator and spokesperson roles; and (iii) the decisional class, consisting of the entrepreneur, disturbance handler, resource allocator and negotiator roles [9]. Mintzberg's managerial roles can be used in management by any type of organisation. They are essential as they seek to improve managerial skills and managerial quality. In a 1992 book entitled "Structure in Fives: Designing Effective Organisations" [10], Henry Mintzberg outlines how organisational functions can be divided into three classes, namely (i) the core of the organisation, responsible for the critical role within the organisation; (ii) the coordinating mechanism, used as a methodology in organisational activities; and (iii) the form of decentralisation used, that is to say, the extent to which an organisation incorporates assistants in decision making [10]. Mintzberg goes further to explain that the strategy an organisation puts in place, and how effectively it uses that strategy, leads to what he calls structural configurations [10]. The structural configurations Mintzberg mentioned are, namely, "1. Simple structure 2. Machine bureaucracy 3. Professional bureaucracy 4. Divisionalised form 5. Adhocracy" [10].

2.1.8 Henry Gantt

Henry Gantt accepted Taylor's ideas on scientific management but argued that emphasis needed to be placed on the worker [1]. He is credited with conceiving a payment system which measured the performance of workers [1]. Through the 'Gantt charts' Gantt compared "actual and planned performance" [4]. Gantt made another contribution to management, notably the task and bonus strategies for paying employees [4]. His strategy was beneficial to workers as they could earn whilst at the same time working on how to increase their effectiveness [4].

3. SECTION THREE

3.0 Brief overview of the management of information security textbook

The book by Michael Whitman is an information security management book and consists of 12 chapters. Chapter 1 gives an introduction to what information security is, its roles and purpose. It gives a strong foundation for the understanding of information security and explains its characteristics. The chapter further goes on to describe the principles of information security management, which consist of the 6 P's. Chapter 2 of the textbook deals with security planning, outlining the roles of planning, the precursors needed before planning, and information security governance. A point to note is the use of the security systems development life cycle (SDLC), which is a methodology used in the implementation of an information system for any administration [2]. The methodology consists of phases, and for each phase there are respective team members responsible for respective tasks. Chapter 3 deals with contingency planning, where the book outlines the components of contingency planning, which are namely business impact analysis, incident response plan, disaster recovery plan and business continuity plan [1]. For each phase, there are certain tasks that need to be accomplished before proceeding to the next phase. There is also division of labour in contingency planning, which correlates with Fayol's management principles, as in each phase certain individuals are responsible for specific tasks. Chapter 4 outlines the information security policy, its role, and the types of information security policies [2].
The chapter further goes on to outline the guidelines needed to make a policy effective. Three types of information security policy were given, namely the enterprise information security policy, the issue-specific security policy and the system-specific security policy [2]. Chapter 5 of the information security textbook deals with the development of a security program, outlining the roles, the components of the program and the use of the program [2]. The chapter also looks at the implementation of awareness programs for organisations. Chapter 6 is about security management models, where many models used in security architecture are described, examples being the Bell-LaPadula confidentiality model, the Biba integrity model, the Clark-Wilson integrity model, etc. Chapter 7 deals with practices performed in security management, outlining the role of benchmarking in security management [2]. The chapter also covers performance measurement making use of several information security measures, and lastly the chapter speaks of certification and accreditation in information security.


Chapters 8 and 9 deal with risk management, outlining how risk identification and risk assessment are performed [2]. Chapter 9 deals more with how risk is controlled and how to do a feasibility and cost-benefit analysis. Chapter 10 outlines known protection mechanisms organisations use these days, for example the use of access controls like identification, authentication, etc. [2]. The chapter continues by outlining other protection mechanisms being used, like firewalls, intrusion detection and prevention systems, etc. Chapter 11 deals with security as it relates to the people involved in an organisation. It outlines the roles of information security personnel like the manager and the engineer [2]. The chapter also talks about information security certifications that are known worldwide, like the (ISC)2 certification [2]. The chapter finally speaks of policies and practices that need to be adhered to when employing people. The final chapter (Chapter 12), entitled "Laws and Ethics", as the title implies, deals with laws and ethics in information security [2]. The chapter speaks of relevant laws in information security and outlines some organisations with their codes of ethics [2].

4. SECTION FOUR

4.0 Analysis and Interpretation

In this section, the management elements in Whitman's textbook are identified and correlated with the management theories of the theorists described in the previous sections.

4.0.1 Chapter 1 - Introduction

Chapter 1 gives an introduction to information security management, defining key words like security and management. [2] defines management as "the process of achieving objectives using a given set of resources". Comparing this definition to that of Fayol given above, it can be observed that they talk of the same thing. Fayol outlined what management entails as follows: "to manage is to forecast and plan, to organise, to command, to co-ordinate and to control" [1].
The tasks Fayol outlines, like forecasting, planning and organising, are the process of achieving the objectives, and hence the definition follows Fayol's definition of management. The chapter also explains the current project management tools in use, in particular the Gantt chart, which was developed by Henry Gantt, described above [2]. Hence in project management, tools developed by management theorists like Henry Gantt are still being used. Another project management tool mentioned in the chapter is the Work Breakdown Structure (WBS) [2]. The WBS breaks tasks down into simple tasks and allows a series of steps to be followed. This allows for the division of labour among individuals, which makes work easier as an individual gets assigned to a specific task. The WBS is in line with Fayol's first principle of management, division of work, which is what the WBS seeks to implement. The characteristics of management described in this chapter are namely planning, organising, leading and controlling [2]. Comparing these management characteristics to Henri Fayol's elements of management, it is observed that there is a correlation: the characteristics are exactly the elements of management described by Henri Fayol. The WBS planning tool implements Taylor's principles of scientific management, whereby it can be observed that it distributes the number of hours each worker is given to accomplish a specific task. This was one of the objectives of Taylor's shop system [4] that was mentioned earlier. The WBS planning tool also seeks to measure the performance of each worker based on the skills the worker possesses. The Gilbreths' white list card system [4], which was also mentioned earlier, is a tool that can be used in project management as it seeks to do what the WBS tool does. The chapter also seems to be talking of McGregor's famous Theory X and Theory Y [1] when it outlines the behavioural types of managers [2]. The chapter outlines three types of behavioural leaders, namely (i) autocratic, (ii) democratic and (iii) laissez-faire [2]. McGregor's theories, as outlined before, look at managerial behaviours towards employees, and these types of leaders seem to have the same behavioural types as outlined by McGregor. Theory X seems to follow the autocratic type of leader, where the leader is rather more strict towards workers and what the leader says is final. The democratic type of leader seems to follow Theory Y, where the leader bases decisions on input from the workers themselves. The democratic leader tends to be supported more by the workers than the autocratic leader.

4.0.2 Chapter 2: Security Planning

As described in the overview above, the chapter deals with the importance of planning in the context of information security. Henri Fayol has planning as one of the elements of management, where he outlines that a manager must have a plan of action. This chapter follows Fayol's element of management by having a plan of action, whereby the book describes the strategic planning used in organisations [2].
The chapter speaks of top-down strategic planning and bottom-up strategic planning, which both have their advantages and disadvantages [2]. The top-down approach follows Henri Fayol's scalar chain management principle. That principle speaks of a proper chain of authority, so to say, from the managers to the workers of the organisation, which the top-down approach entails. The chapter also describes the planning levels, which are the next step in strategic planning, where there are many divisions, or rather a series of steps, in the overall strategic plan [2]. There exist the strategic plan, the tactical plan and the operational plan; for these plans to operate, there is a need for the coordination of activities across platforms [2]. This co-ordination is in line with Fayol's element of co-ordination, where he outlines that managers have to co-ordinate activities to be done by individuals or teams of the organisation, which is exactly what is being done in this strategic plan. The chapter speaks of the Security Systems Development Life Cycle (SDLC), which is a methodology used in information security design for an organisation [2]. It consists of a series of phases, which are namely investigation, analysis, logical design, physical design, implementation and maintenance. This kind of methodology is in line with one of Fayol's management principles, division of labour [1]. This division of labour assists in reducing the effort required in each step [1]. The SDLC also follows Fayol's elements of management, as each phase of the SDLC requires planning, organising, command, co-ordination and control. Without these elements, it would not be possible for the SDLC to be fully implemented. The elements are key in the evaluation of each stage, and failure to make a proper plan of action will mean that there won't be progress through the phases. The chapter also outlines two strategic planning types, namely (i) top-down strategic planning and (ii) bottom-up strategic planning [2]. These types of strategic planning follow Taylor's management principles, where Taylor outlines that there must be an equal division of work between the workers and management. The strategic planning techniques show a sequence of events in how planning can be done, either from management to the workers or vice versa. The Gilbreths' bricklaying study can also be seen in this chapter. Their objective was to reduce the time taken to lay the bricks; in the context of planning, the SDLC seeks the same objective of reducing the time taken to accomplish a task.

4.0.3 Chapter 3: Planning for Contingencies

The chapter continues to implement the planning element of management, in the context of contingency planning, as in the preceding chapter. It describes the components of contingency planning, which have been briefly outlined in the previous section. What is necessary to understand in this chapter is the way contingency planning is handled, and then to correlate it with the management principles of early theorists like Fayol and Taylor. Contingency planning has business impact analysis as its first stage, which mainly deals with the analysis of an organisation's systems, looking at the potential vulnerabilities and threats these systems might face [2]. This analysis makes use of Fayol's planning element of management, as the analysis makes use of a plan of action with a series of steps to follow. The same goes for the other phases in contingency planning, which are the incident response plan, the disaster recovery plan and the business continuity plan. They all follow the planning procedure outlined by Fayol.
The contingency planning process also makes use of some of Fayol's management principles, namely division of work, authority, discipline, unity of command, unity of direction, subordination of individual interests to general interests, scalar chain and many others.

4.0.4 Chapter 4: Information Security Policy

The chapter defines a policy "as a plan or course of action, as of government, political party, or business, intended to influence and determine decisions, actions, and many matters" [2]. In general the policy will involve a plan with a given set of standards and practices. This goes in line with Taylor's scientific management principles. Taylor emphasised the need to comply with the organisational laws and scientific principles that govern the way the organisation operates, and policies and standards are one way to make sure that workers comply with organisational principles. The chapter also makes use of Fayol's 'command' element of management. As the name command implies, it talks about following a specific procedure. Fayol outlined that there is a need to maintain the activity of the workers of an organisation. The information security policy seeks to maintain the activities of employees through employee regulations. The system-specific security policy [2] consists of standards and procedures, for example for access control and the use of password policies. Such regulations make use of Fayol's command element of management in order to ensure that organisational policies are followed.

4.0.5 Chapter 5: Security Program development

In this chapter, an information security program is used "to describe the structure and organisation of the effort that strives to contain the risks to the information assets or the organisation" [2]. Coordination, one of Fayol's elements of management, "consisted of binding together, unifying, and harmonizing all activity and effort" [4]. This element of management tallies with the objectives of this chapter. In Fayol's coordination element of management, all activities are meant to be done through the merging of tasks and activities. The chapter illustrates the use of programs like the security education, training and awareness (SETA) program [2], which involves the training of employees to develop skills that improve job performance. According to the book, the SETA program has the following advantages:

1. Improved employee behaviour.
2. Members of an organisation are equipped with knowledge about where to report any discrepancies with the policy of the organisation.
3. Employees become aware of the actions they take [2].

The advantages, or rather benefits, of the SETA program are clearly in line with Fayol's management principles, specifically the coordination principle that was outlined above. Taylor, in his scientific management principles, outlined the need to train workers so that they possess certain skills rather than straining themselves. SETA is one example that follows this management principle, as outlined above, in that its objective is to train employees so that they become equipped with skills. Programs like the SETA program also seem to follow the Japanese management Theory Z [8], which was described earlier. Theory Z seeks to train workers so that they become aware of the subtleties of the management division within an organisation, and hence programs like the SETA program seek to train employees so that they become aware of organisational laws and operations.
The chapter also, as described above, speaks of the organisational approaches used in information security. The content seems to implement Henry Mintzberg's organisational theory, where Mintzberg considers an organisation to be structured along three dimensions: the core of the organisation, the coordinating mechanism and the form of decentralisation [10]. These three dimensions are evident in the chapter, as the chapter recognises management as the key component that drives how the organisation must operate. The information security program mentioned in this chapter can be regarded as the coordinating mechanism of the organisation in running organisational activities.

4.0.6 Chapter 6: Management models in Information Security

This chapter, as outlined before, summarises the management models that are used in information security management. These management models contain a set of practices used in the regulation of organisational laws and rules. The chapter outlines three classes of models, with different models contained within these classes. These classes are, namely, (i) access control models, (ii) security architecture models and (iii) security management models [2]. Access control models tend to be regulations on workers in terms of access to certain areas of an organisation. This again makes reference to Fayol's command element of management, which deals with the regulation of workers. Fayol's coordinating element of management can also fit into this chapter, as it goes hand in hand with command. The coordinating element involved checking that everything conformed to the general regulations, and hence these management models seek the same thing.

4.0.7 Chapter 7: Management Practices in Information Security

Benchmarking, performance measures, and certification and accreditation are the key fields that this chapter speaks about, and they are used in information security management. Benchmarking is important in order to scan through an organisation's standards and practices to check how effective they are [2]. The chapter also outlines the performance measures used in information security management, where the measures are taken so as to measure the effectiveness of an organisation's security program [2]. Performance measures were one of Taylor's ideas in management. He made use of the instruction cards outlined before and the shop system, which all aimed to check effectiveness in terms of performance.

4.0.8 Chapter 8: Management of Risks

Chapters 8 and 9 both outline risk management, describing how risk identification and risk assessments are performed. Risk management was one of Drucker's management ideas, where he outlined that proper planning was required for any organisation to mitigate risks. Fayol's planning element of management is used in this chapter, as a proper plan of action is required in risk management. Properly trained workers also need to be recruited to undertake risk identification and the assessment of risks.

4.0.9 Chapter 9: Risk management and control

The chapter outlines the strategies used in controlling risks. These strategies need careful planning for them to be effective. This goes in line with Fayol's controlling element of management, as the control of risk requires the unifying of activities.

4.0.10 Chapter 10: Protection Strategies

The chapter, as outlined in the brief discussion above, describes protection mechanisms like access control, firewalls, intrusion detection systems, etc. [2].
Protection mechanisms like access control seek to regulate employees at the workplace, as in who is authorised to access what, who manages the system, etc., and such regulation of employees goes in line with Fayol's commanding element of management, which seeks to regulate employees through management. Fayol even outlined the need to have audits of the organisation, as these assist in performance measurement.

4.0.11 Chapter 11: Employees and security

Chapter 11 deals with the checking of employees' skills, their expertise and the certifications they possess that are necessary in information security. Drucker, in his book "The Practice of Management", listed the element of personnel management [3], where he outlined the need to manage workers in the sense of organising them into ordered organisational structures. This is what the chapter speaks of: the management of workers, with emphasis on the skills they possess and other requirements.


4.0.12 Chapter 12: Ethics in management

The final chapter, about laws and ethics, tends to be more about the legislative environment than about management. The chapter describes various laws that are directly related to the information security field [2]. Some of the laws include export and espionage law [2]. The chapter also outlines strategies employed in managing investigations within an organisation and emphasises digital forensics as a strategy [2]. Such management of investigations seems to be in line with Mintzberg's organisational theory, in the sense that an organisation is structured in such a way that it has an investigation division, and the investigation division makes use of digital forensics. Such a component is critical for any organisation to ensure that normal working operations within the organisation are not compromised.

5. CONCLUSION

The analysis of the information security management textbook supported our initial hypothesis that the book to a greater extent follows Henri Fayol's elements and principles of management. The initial chapters of the book follow his five elements of management, which are planning, organising, commanding, coordinating and controlling [1]. Many of the following chapters also follow Fayol's management principles, and the evidence has been found and described in the preceding sections. It is also important to note that it was not only Fayol who made significant contributions to management theory; other scholars like Taylor, Mintzberg, Drucker and Gantt did as well. Evidence was also found in the book that suggests the use of many of their management ideas. There are other management scholars who made significant contributions to management who have not been described in this report, and it is necessary to appreciate their contributions to management.


REFERENCES

[1] G.A. Cole, P. Kelly. Management Theory and Practice, 7th edition. Cengage Learning EMEA, 2011.
[2] M.E. Whitman, H.J. Mattord. Management of Information Security, 3rd edition. Cengage Learning, 2010.
[3] A. Anupkumar. Principles of Management: An analysis of the contribution of various thinkers to the field of management, and a review of the management practices of five companies, …., 2005.
[4] C.S. George. The History of Management Thought. Prentice Hall, 1968.
[5] G. Dessler. Management Fundamentals: Modern Principles and Practices. Reston, 1982.
[6] P.F. Drucker. The Practice of Management. Harper and Row Publishers, 1954.
[7] E.R. Gray, L.R. Smeltzer. Management: The Competitive Edge. Macmillan, 1989.
[8] J. Tackach. Theory Z Management. College Writing Centre, pp. 1-9, 1984.
[9] http://www.mindtools.com/pages/article/management-roles.htm
[10] F.C. Lunenburg. Organizational Structure: Mintzberg's Framework. International Journal of Scholarly, Academic, Intellectual Diversity, vol. 14, no. 1, 2012.
