Venue: European Conference on Information Warfare and Security

Information Security - Military Standards Versus ISO 27001: A Case Study in a Portuguese Military Organization


Abstract

The objective of this paper is to present a case study conducted in a Portuguese military organization, which seeks to answer the following research questions: (1) What are the most relevant dimensions and categories of information security controls applied in military organizations? (2) What are the main scenarios of information security incidents that are expected to occur? (3) What is the decision process used for planning and selecting information security controls? Current trends in technological advances impose new security requirements on information systems. This is true for all application domains, including the military, and especially concerning their unavoidable links to cyberspace. However, most of the time these information systems are specified under rules adapted to a different environment, which can result in unexpected and dangerous security flaws. This study aims to evaluate how the military doctrine of the Portuguese Army limits or promotes the implementation of the international standard ISO/IEC 27001 (information systems security management) and simultaneously to propose a formal method for the selection and management of information security controls, based on that standard and aligned with the military organization. This case study consists of three phases: the first phase involves the collection and analysis of the organization's key documentation; in the second phase, a questionnaire was applied in the military organization to three distinct groups: decision-makers, information security specialists, and employees whose functions are specifically linked to information use; and finally, in the third phase, interviews with specialists are used to validate the results obtained from the other phases. This study reveals that (1) information security within the military organization is built on the basis of physical and human attack vectors, targeting the infrastructure that supports the flow of information in the organization (i.e. information systems); (2) the information security controls applied in the military organization are included in ISO 27001; (3) planning and selection of the applied information security controls are made by decision-makers and information security specialists, aiming mainly to protect the integrity of digital information. It appears that specialists impose their planning options essentially by inferring knowledge from analogies (such as following guidelines), or rather by seeking to select and retrieve past successful information security cases, i.e. scenarios similar to the situations under planning, which may (likely) lead to the selection and implementation of the most efficient information security controls.
