Software Quality Professional


June 2001
Volume 3 • Number 3

From the Editor

You can’t do business with someone you don’t trust.

"Trust me" is a valid model for interactions only where trust has been defined and demonstrated. If information transactions are to take full advantage of the technology now available they must be grounded in well-established security management.

Advances in computing and communications have facilitated an explosive growth in the speed and volume of information transactions. People are now being asked to provide—and to entrust to others whom they have never met—the most personal details of their preferences and purchases, their financial dealings, and their physical health.

Businesses that rely on a steady flow of information confront a two-fold dilemma: how to reassure customers that they can safely share personal information, and how to minimize their own risk that the data collected might be lost, compromised, or stolen.

The litany of abuses and disasters comes with the daily news: credit card numbers misappropriated or held for ransom; personal data to be sold off at auction; massive corporate losses due to inadequate contingency planning; personal and corporate identity theft.

Security is therefore emerging as a significant quality requirement for information transactions. An information economy depends on the reliability of its lifeblood flow of information. Without confidence in the integrity of that flow, new technologies cannot provide their promised benefits.

Individuals cannot share personal information in good conscience, nor can businesses be assured of the integrity of their data-driven processes, without explicit specification and assurance of security requirements.

One hopeful sign is the emergence of best-practice guidelines and international standards for specifying security requirements, implementing appropriate controls, and assessing and certifying compliance.

The recently approved international standard "Code of Practice for Information Security Management" (ISO/IEC 17799:2000) characterizes information security in terms of preserving confidentiality, integrity, and availability.

• Confidentiality is the duty of a custodian to prevent further disclosure of information or to release it only to the extent agreed upon.
• Integrity ensures that data have not been undetectably altered or destroyed in an unauthorized manner.
• Availability addresses the concern that the data be accessible and useable upon demand by an authorized entity.

Recommended practices are analogous to broader quality management practices, such as establishing a security policy—similar to the ISO 9001-mandated quality policy—and overseeing the system’s operation with internal audits and management reviews.

The recipe for success, according to ISO/IEC 17799, includes:
• A security policy, objectives, and activities that reflect business objectives
• An approach to implementing security that is consistent with the organizational culture
• Visible support and commitment from management
• A good understanding of security requirements and risk management
• A comprehensive system of measurement used to evaluate performance and to feed back suggestions for improvement

Organizations worldwide are starting to become aware of the advantages of obtaining certification of compliance to information security management standards. Again, the analogy is direct to the third-party assessment of quality management systems. Those concerned about appraisal costs must weigh them against the direct failure cost of a security breach or that of the resulting loss of customers.

In fact, a cost-of-security model may be the best way to consider this situation, exactly as in the traditional cost-of-quality model. In such a framework, the total cost for managing security is the sum of the costs expended for achieving security and the costs borne when security is not achieved.

As with quality costs, one can categorize security achievement costs under the headings of prevention and appraisal. Similarly, failing to achieve security may be manifest as internal failures or external failures.

Typical prevention costs would be investment in procedure development, tools, and training; appraisal costs include audits and testing. Failures require rework, as well as loss of business and diminished reputation. A classic "pay me now or pay me later" situation applies here as elsewhere. A security appraisal up front might well cost several times less than an emergency response to an incident after the fact.

Assurance activities are, in essence, a "confidence" game: the effort to provide adequate confidence that requirements—including security requirements—are being met and that all stakeholders will be satisfied.

Over the past few years a number of international technical standards have been adopted, addressing such security techniques as digital signatures, cryptography, key management, and authentication. More recently, however, framework documents have emerged to address a systematic way of planning to employ these technologies.

Attention is thus shifting from a narrow technical focus on the security of specific information transactions to a wider framework for creating business relationships with high levels of trust, based on confidence in business partners’ systems and policies, including respect for individuals’ confidentiality concerns.

You can’t manage quality if you haven’t managed security.

The traditional software quality factors—functionality, reliability, usability, efficiency, maintainability, and portability—must now be joined by security.

"Trust, but verify." Not a bad guiding principle.

I can be contacted at sqpeditor@aol.com