Introduction
- The goal of information security management is to align IT security with business security and ensure that information security is managed effectively in all services and service management activities.
- Its objectives are:
- Information is available and usable when required (availability).
- Information is available exclusively to authorized persons (confidentiality).
- Information is complete, accurate and protected against unauthorized changes (integrity).
- Transactions and information exchange between companies and partners can be trusted (authenticity and non-repudiation).
- Scope
- Information security management needs to understand the total IT and business security environment. This means, among other things:
- The current and future business security policy and plans.
- Security requirements.
- Legal requirements.
- Obligations and responsibilities.
- Business and IT risks (and their management).
- Understanding these enables information security management to manage the current and future security aspects of the business cost-effectively.
- This process should include the following elements:
- Production, maintenance, distribution and enforcement of an information security policy.
- Understanding the agreed current and future security requirements of the business.
- Implementing (and documenting) controls that support the information security policy and manage risks.
- Managing IT service providers and contracts concerning access to systems and services.
- Management of security breaches and incidents.
- Proactive improvement of the security control systems.
- Value for the business
- Information security management ensures that the information security policy complies with the overall business security policy of the organization and the requirements of corporate governance.
- Executive management is responsible for the organization's information and is tasked with responding to issues that affect its protection.
- Boards of directors are expected to make information security an integral part of corporate governance.
- All IT service provider organizations must therefore ensure that they have a comprehensive information security management policy in place, and the means to monitor and enforce it.
- Basic concept
- The information security management process and framework include:
- Information security policy.
- Information Security Management System (ISMS).
- Comprehensive security strategy (related to the business objectives and strategy).
- Effective security organization structure.
- Set of security controls to support the policy.
- Risk management.
- Monitoring processes.
- Communication strategy.
- Training and awareness strategy.
- Security governance
- IT security governance can have six outcomes:
- Strategic alignment:
- Security requirements should be driven by enterprise requirements.
- Security solutions must fit enterprise processes.
- Value delivery:
- Standard set of security practices.
- Properly prioritized and distributed effort to areas with the greatest impact and business benefit.
- Risk management:
- Risk profiles.
- Awareness of risk management priorities.
- Performance management:
- Defined, agreed and meaningful metrics.
- Measurement process that will help identify shortcomings.
- Resource management:
- Knowledge is recorded and available.
- Process assurance:
- Security processes are verified and assured.
- Information security must be an integral part of all services (and systems) and is an ongoing process that needs to be continually managed.
- The figure shows that a risk may result in a threat that in turn causes an incident, the consequence of which is damage. Measures of varying nature can be taken between these phases:
- Preventive measures – prevent an incident from occurring (e.g. access management).
- Reductive measures – limit the damage in advance (e.g. backup and testing).
- Detective measures – detect incidents (e.g. monitoring).
- Repressive measures – suppress an incident in progress (e.g. blocking).
- Corrective measures – repair the damage (e.g. rollback).
- Information management
- All of the information required by information security management should be stored in an Information Security Management System (ISMS).
- This system includes all security controls, risks, failures, processes and reports necessary to support and maintain the information security policy and the ISMS itself.
- The information must cover all IT services and be integrated with other IT management systems, particularly the service portfolio and the Configuration Management System (CMS).
Implementation
- The main challenge in this process is to ensure adequate support from the business, business security and senior management.
- If this is missing, it is impossible to establish an effective security process.
- If there is senior IT management support but no business support, IT security controls and risk assessment will be severely limited in what they can achieve.
- If a business security policy is already established, the challenge becomes one of integration and alignment.
- Strict change management and configuration management are required to maintain such integration.
- Risks in information security management include:
- Increased danger of information system abuse in terms of privacy and ethics.
- Danger of hackers.
- Lack of commitment from the business and senior management; lack of adequate information.
- Excessive focus on technical aspects and no focus on service and the customer's needs.
- Obligations and responsibilities.