Information Security Management
Information security describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks.

The risk to these assets can be assessed by analysing three factors:
  • Threats to the assets: unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets.
  • Vulnerabilities: how susceptible the assets are to those threats.
  • Impact: the magnitude of the potential loss, or the seriousness of the event, should a threat materialise.
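The three-factor analysis described above, carried through as an added example (this is not code from the original page). It scores each asset/threat pair from threat likelihood, vulnerability and impact, ranks the register, and shows how a control changes only the vulnerability factor to give a residual score. The 1..5 ordinal scales, the multiplicative scoring rule, the treatment threshold, the sample register and the sample controls are all assumptions chosen for illustration, not values taken from BS 7799 or any other standard.

```python
"""Added example, not code from the original page: a small qualitative risk
analysis over the three factors the text lists (threat, vulnerability, impact).
The 1..5 scales, the multiplicative score, the treatment threshold and the
sample register are assumptions for illustration, not values from any standard."""
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # assumed ordinal scale: 1 = lowest, 5 = highest


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str             # unwanted event that could cause loss, damage or misuse
    threat_likelihood: int  # how likely the threat is to materialise
    vulnerability: int      # how susceptible the asset is to that threat
    impact: int             # magnitude of the loss if it happens

    def __post_init__(self):
        for name in ("threat_likelihood", "vulnerability", "impact"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {value!r}")

    def score(self) -> int:
        """Assumed scoring rule: likelihood x vulnerability x impact (1..125)."""
        return self.threat_likelihood * self.vulnerability * self.impact


TREATMENT_THRESHOLD = 27  # assumed: 'medium' (3) in every factor


def needs_treatment(risk, threshold=TREATMENT_THRESHOLD):
    return risk.score() >= threshold


def rank_register(register):
    """Highest-scoring risks first, so treatment effort goes where it matters."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def apply_control(risk, vulnerability_reduction):
    """A control lowers the asset's susceptibility; it does not change the
    external threat or the inherent impact, so only 'vulnerability' moves."""
    if vulnerability_reduction < 0:
        raise ValueError("a control cannot increase vulnerability here")
    residual = max(SCALE.start, risk.vulnerability - vulnerability_reduction)
    return replace(risk, vulnerability=residual)


# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    Risk("customer database", "SQL injection by an external attacker", 4, 3, 5),
    Risk("backup tapes", "theft from off-site storage", 2, 4, 4),
    Risk("public website", "denial of service", 4, 2, 2),
    Risk("laptop fleet", "accidental disclosure via a lost device", 3, 5, 3),
]

# Constructed treatment plan: (asset, threat) -> vulnerability reduction.
SAMPLE_CONTROLS = {
    ("laptop fleet", "accidental disclosure via a lost device"): 4,      # full-disk encryption
    ("customer database", "SQL injection by an external attacker"): 2,  # parameterised queries + WAF
}


def treatment_report(register, controls):
    """Return (asset, threat, inherent, residual, still_needs_treatment) per risk,
    highest inherent score first."""
    rows = []
    for risk in rank_register(register):
        reduction = controls.get((risk.asset, risk.threat), 0)
        residual = apply_control(risk, reduction)
        rows.append((risk.asset, risk.threat, risk.score(), residual.score(),
                     needs_treatment(residual)))
    return rows


if __name__ == "__main__":
    for row in treatment_report(SAMPLE_REGISTER, SAMPLE_CONTROLS):
        print("%-18s %-45s inherent=%3d residual=%3d treat=%s" % row)
```

Note that the backup-tape risk keeps its score of 32 in the report because no control is planned for it, which is exactly the kind of gap a ranked register is meant to expose.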


Standards and frameworks that help organizations implement appropriate programmes and controls to mitigate these risks include BS 7799/ISO 17799 (since renumbered as ISO/IEC 27002, with its management-system part becoming ISO/IEC 27001), the Information Technology Infrastructure Library (ITIL) and COBIT.

Information Technology Infrastructure Library
The Information Technology Infrastructure Library (ITIL) is a set of good practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. In its current form ITIL is published as a series of five core publications, each covering one ITSM lifecycle stage.

COBIT
COBIT is a framework created by ISACA for information technology management and IT governance. It is a supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks.

According to BS 7799, information security means maintaining:

• Confidentiality: information is accessible only to those authorised to access it.
• Integrity: the accuracy and completeness of information are safeguarded.
• Availability: authorised users have access to information when they require it.

These three properties are commonly abbreviated as CIA.

Objectives:

To ensure that the organization complies with external requirements (legislation, SLAs, etc.)
To create a secure environment regardless of external requirements
Benefits:

Vital business information is kept secure
High availability
Quality of information

Security Management Function Overview

Mission Statement
To prevent the occurrence of security-related incidents by managing the confidentiality, integrity and availability of IT services and data in line with business requirements at acceptable cost.
Function Goal
Prevent security-related incidents and achieve the function mission by establishing:
  • ITIL-aligned Security Management function
  • Dedicated Security Management Function Owner
  • Holistic management view of security considering people, process and physical items as well as technical items
  • Centralized function for managing security and establishing security related policies
  • Ongoing monitoring and reporting of security
  • Proactive actions to prevent security related incidents
  • Periodic auditing of security practices to continually improve overall security functions and controls
  • Effective security controls that are in line with business and regulatory requirements at acceptable cost levels

Critical Success Factors (CSFs)

The Critical Success Factors (CSFs) are:
  • Managing Confidentiality, Integrity and Availability Of IT Services And Data
  • Providing Security Cost Effectively
  • Proactively Addressing Security Improvements Where Needed

Key Activities

The key activities for this function are:
  • Plan for Security Management in line with service and policy requirements
  • Coordinate implementation of Security Management people, process and technologies
  • Execute Security Management control activities
  • Evaluate and audit the Security Management supporting infrastructure
  • Maintain Security Management people, processes and technical infrastructure
  • Provide management information about Security Management quality and operations

Key Performance Indicators (KPIs)

Examples of Key Performance Indicators (KPIs) are listed below. Each is mapped to a Critical Success Factor (CSF).

Managing the Confidentiality, Integrity and Availability of IT Services and Data
  • Number of incidents caused by internal security failures
  • Number of incidents caused by external security failures
  • Number of security audit and testing failures

Providing Security Cost Effectively

  • Percentage of delivery cost per customer related to security management activities
  • Percentage of delivery cost per customer related to security measures implemented

Proactively Addressing Security Improvements Where Needed

  • Number of security improvement initiatives in place
  • Number of security improvement initiatives completed on time
  • Number of security improvement initiatives not yet staffed or started
  • Number of security incidents related to out-of-date security maintenance (e.g. unapplied patches or signatures)


Information processing facility

An information processing facility is any system, service or infrastructure, or any physical location that houses them. A facility can be either an activity or a place, and can be either tangible or intangible.

Information security

Information security is the protection and preservation of information: specifically, preserving its confidentiality, integrity, authenticity, availability and reliability.

Information security event

An information security event is an occurrence indicating that the security of an information system, service or network may have been breached or compromised, that an information security policy may have been violated, or that a safeguard may have failed. An event is an indication to be assessed, not yet a confirmed compromise.

Information security incident

An information security incident is one or more unwanted or unexpected information security events that have a significant probability of compromising the security of your information and weakening or impairing your business operations.

Information security management system (ISMS)

An information security management system (ISMS) comprises all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources and structures that are used to protect and preserve information. It includes all of the elements an organization uses to manage and control its information security risks. An ISMS is part of the organization's larger management system.

Information security policy

An information security policy statement expresses management's commitment to the implementation, maintenance and improvement of its information security management system.

Security Information Management

Security information management (SIM) software automates the collection of event log data from security devices such as firewalls, proxy servers, intrusion-detection systems and antivirus software. The SIM translates the logged data into a common format and correlates related entries, so that a sequence of individually minor events can be recognised as one incident.
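The collect-normalise-correlate pipeline described above, together with the event/incident distinction defined earlier on this page, as an added example that is not code from the original page. It takes constructed log lines from four device classes, translates each into one event schema, and promotes a cluster of events about the same external address into an incident when at least two independent device classes report on it within five minutes. The four line formats are simplified inventions for this example and are not any vendor's real log format; the 10.0.0.0/8 internal range, the five-minute window and the two-source rule are assumptions.

```python
"""Added example, not code from the original page: a toy security information
manager (SIM). It collects log lines from several device classes, translates them
into one normalised event schema and correlates related events into incidents.
Line formats, the internal range, window and two-source rule are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed sample log lines, one simplified (invented) format per device class.
RAW_LOGS = [
    "2024-03-01T10:00:01 fw DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:05 fw ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:09 ids ALERT sig=SSH_BRUTE_FORCE src=203.0.113.7 dst=10.0.0.5",
    "2024-03-01T10:01:00 proxy 10.0.0.5 GET http://203.0.113.7/payload.bin 200",
    "2024-03-01T11:30:00 fw DENY src=198.51.100.9 dst=10.0.0.8 dport=445",
    "2024-03-01T12:00:00 av QUARANTINE host=10.0.0.12 file=invoice.exe",
    "this line is garbage and must not crash the collector",
]

PATTERNS = {  # device class -> regex for its constructed line format
    "fw": re.compile(r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"),
    "ids": re.compile(r"^(?P<ts>\S+) ids ALERT sig=(?P<sig>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"),
    "proxy": re.compile(r"^(?P<ts>\S+) proxy (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"),
    "av": re.compile(r"^(?P<ts>\S+) av QUARANTINE host=(?P<host>\S+) file=(?P<file>\S+)$"),
}


@dataclass(frozen=True)
class Event:
    """One normalised information security event: a single indication."""
    ts: datetime
    source: str  # device class that produced it: fw, ids, proxy or av
    src: str
    dst: str
    summary: str

    def peer(self) -> str:
        """Correlation key: the first address outside INTERNAL, else src."""
        for addr in (self.src, self.dst):
            try:
                if ip_address(addr) not in INTERNAL:
                    return addr
            except ValueError:  # not an IP literal (empty string or a hostname)
                continue
        return self.src


@dataclass
class Incident:
    """One or more correlated events that together suggest a compromise."""
    peer: str
    events: list

    def sources(self):
        return {e.source for e in self.events}


def parse_line(line):
    """Translate one raw line into an Event, or None if no format matches."""
    for source, pattern in PATTERNS.items():
        m = pattern.match(line)
        if not m:
            continue
        g = m.groupdict()
        ts = datetime.fromisoformat(g["ts"])
        if source == "fw":
            return Event(ts, source, g["src"], g["dst"], f"{g['action']} tcp/{g['dport']}")
        if source == "ids":
            return Event(ts, source, g["src"], g["dst"], f"alert {g['sig']}")
        if source == "proxy":
            host = urlparse(g["url"]).hostname or ""
            return Event(ts, source, g["src"], host, f"{g['method']} {g['url']} -> {g['status']}")
        return Event(ts, source, g["host"], "", f"quarantined {g['file']}")
    return None


def collect(lines):
    """Collection step: keep every line that parses, skip the rest."""
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def correlate(events, window=timedelta(minutes=5), min_sources=2):
    """Group events by peer; a time-bounded cluster seen by >= min_sources device classes becomes an Incident."""
    by_peer = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_peer[e.peer()].append(e)
    incidents = []
    for peer, evs in by_peer.items():
        cluster = []
        for e in evs + [None]:  # None is a sentinel that flushes the last cluster
            if cluster and (e is None or e.ts - cluster[0].ts > window):
                if len({c.source for c in cluster}) >= min_sources:
                    incidents.append(Incident(peer, cluster))
                cluster = []
            if e is not None:
                cluster.append(e)
    return incidents


if __name__ == "__main__":
    for inc in correlate(collect(RAW_LOGS)):
        print(f"INCIDENT peer={inc.peer} sources={sorted(inc.sources())} events={len(inc.events)}")
```

On the sample data the firewall denies, the IDS alert and the proxy download from 203.0.113.7 are each just an event; together, within the window, they form one incident, while the lone firewall deny from 198.51.100.9 and the lone antivirus quarantine stay as events. Shrinking the window splits the cluster and the incident disappears, which is why the window is a tuning decision rather than a constant.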

Why do we need to manage information security?

By proactively managing information security, service industries, businesses and government agencies can reduce the likelihood and/or the impact of a wide range of threats to their information systems. These threats include:
  • theft of physical IT assets;
  • theft and exploitation of information;
  • deliberate disclosure of sensitive information by staff, agency or contract employees;
  • accidental disclosure of information by staff, agency or contract employees through careless talk (social engineering) or poor document control;
  • destruction or corruption of information stored on computers, whether deliberate or accidental;
  • prosecution because of non-compliance with legislation, e.g. the New Zealand Privacy Act;
  • concerted attacks on networks and information by highly organised and computer-literate groups, e.g. hacking, denial-of-service attacks, worms and viruses.

See also

  • Certified Information Security Manager (CISM): a certification for information security managers awarded by ISACA.
  • Certified Information Systems Security Professional (CISSP): an independent information security certification governed by the International Information Systems Security Certification Consortium, (ISC)².
  • Chief information security officer (CISO): the senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy and program to ensure information assets are adequately protected.
  • Information Security Department: a department in the Israel Defense Forces' Directorate of Military Intelligence, responsible for preventing classified information from being compromised by unauthorized elements.
  • ISO/IEC 27001: part of the growing ISO/IEC 27000 family of standards, an Information Security Management System standard published in October 2005 by the International Organization for Standardization and the International Electrotechnical Commission.
  • Security information management: the industry-specific term in computer security for the collection of data into a central repository for trend analysis.
  • Information security management system: a set of policies concerned with information security management or IT-related risks; the term arose primarily out of ISO 27001.
  • Network management: the activities, methods, procedures and tools that pertain to the operation, administration, maintenance and provisioning of networked systems.


The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.