Information security management system
An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The term arose primarily out of ISO/IEC 27001.

The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

ISMS description

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001 therefore incorporates the typical "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:
  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
  • The Do phase involves implementing and operating the controls.
  • The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
  • In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.
The best known ISMS is described in ISO/IEC 27001 and ISO/IEC 27002 and related standards published jointly by ISO and IEC.

Another competing ISMS is the Information Security Forum's Standard of Good Practice (SOGP). It is more best-practice-based, as it comes from the ISF's industry experience.

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to information security.

There are a number of initiatives focused on the governance and organizational issues of securing information systems, recognizing that this is a business and organizational problem, not only a technical one:
  • The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 that recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
  • The Governing for Enterprise Security Implementation Guide of the Carnegie Mellon University Software Engineering Institute CERT is designed to help business leaders implement an effective program to govern information technology (IT) and information security.
  • A Capability Maturity Model for system security engineering was standardized in ISO/IEC 21827.
  • The Information Security Management Maturity Model (known as ISM-cubed or ISM3) is another form of ISMS. ISM3 builds on standards such as ISO 20000, ISO 9001, CMM, ISO/IEC 27001, and general information governance and security concepts. ISM3 can be used as a template for an ISO 9001-compliant ISMS. While ISO/IEC 27001 is controls based, ISM3 is process based and includes process metrics. ISM3 is a standard for security management (how to achieve the organization's mission despite errors, attacks and accidents with a given budget). The difference between ISM3 and ISO/IEC 21827 is that ISM3 is focused on management, ISO/IEC 21827 on engineering.

Need for an ISMS

Security experts say and statistics confirm that:
  • information technology security administrators should expect to devote approximately one-third of their time addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;
  • security depends on people more than on technology;
  • employees are a far greater threat to information security than outsiders;
  • security is like a chain: it is only as strong as its weakest link;
  • the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;
  • security is not a status or a snapshot but a running process.

These facts inevitably lead to the conclusion that:

Security administration is a management issue and NOT a purely technical one.

The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks. Furthermore, such a company will be capable of successfully addressing information confidentiality, integrity and availability requirements, which in turn have implications for:
  • business continuity;
  • minimization of damages and losses;
  • competitive edge;
  • profitability and cash-flow;
  • respected organization image;
  • legal compliance.

The chief objective of information security management is to implement the appropriate measures in order to eliminate or minimize the impact that various security-related threats and vulnerabilities might have on an organization. In doing so, information security management will enable the implementation of the desirable qualitative characteristics of the services offered by the organization (i.e. availability of services, preservation of data confidentiality and integrity, etc.).

Large organizations, and organizations such as banks and financial institutions, telecommunication operators, hospitals and health institutes, and public or governmental bodies, have many reasons for addressing information security very seriously. Legal and regulatory requirements which aim at protecting sensitive or personal data, as well as general public security requirements, impel them to devote the utmost attention and priority to information security risks.

Under these circumstances, the development and implementation of a separate and independent management process, namely an information security management system, is the one and only alternative.

As shown in the figure, the development of an ISMS framework entails the following 6 steps:
  1. Definition of Security Policy,
  2. Definition of ISMS Scope,
  3. Risk Assessment (as part of Risk Management),
  4. Risk Management,
  5. Selection of Appropriate Controls and
  6. Statement of Applicability

Critical success factors for an ISMS

To be effective, the ISMS must:
  • have the continuous, unshakeable and visible support and commitment of the organization's top management;
  • be managed centrally, based on a common strategy and policy across the entire organization;
  • be an integral part of the overall management of the organization, related to and reflecting the organization's approach to risk management, the control objectives and controls, and the degree of assurance required;
  • have security objectives and activities based on business objectives and requirements, and led by business management;
  • undertake only necessary tasks, avoiding over-control and waste of valuable resources;
  • fully comply with the organization's philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables them to do it in control and to demonstrate their fulfilled accountabilities;
  • be based on continuous training and awareness of staff, and avoid the use of disciplinary measures and "police" or "military" practices;
  • be a never-ending process.

See also

  • Asset (computing)
  • Attack (computer)
  • CERT
  • COBIT
  • ENISA
  • Enterprise architecture
  • FISMA
  • Information security management
  • IT governance
  • ITIL
  • IT risk
  • ISO 9001
  • ISO/IEC 27001
  • ISO/IEC 27002
  • ISO/IEC 27004
  • ISO/IEC 27005
  • NIST
  • PDCA
  • Security control
  • Security information and event management
  • Threat (computer)
  • Vulnerability (computing)
  • WARP (information security)
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.