Information security management

Last updated

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. [1] This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. [2] As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security. [3] [4]

Contents

Risk management and mitigation

Managing information security in essence means managing and mitigating the various threats and vulnerabilities to assets, while at the same time balancing the management effort expended on potential threats and vulnerabilities by gauging the probability of them actually occurring. [1] [5] [6] A meteorite crashing into a server room is certainly a threat, for example, but an information security officer will likely put little effort into preparing for such a threat. Just as people don't have to start preparing for the end of the world just because of the existence of a global seed bank. [7]

After appropriate asset identification and valuation have occurred, [2] risk management and mitigation of risks to those assets involves the analysis of the following issues: [5] [6] [8]

Once a threat and/or vulnerability has been identified and assessed as having sufficient impact/likelihood on information assets, a mitigation plan can be enacted. The mitigation method is chosen largely depends on which of the seven information technology (IT) domains the threat and/or vulnerability resides in. The threat of user apathy toward security policies (the user domain) will require a much different mitigation plan than the one used to limit the threat of unauthorized probing and scanning of a network (the LAN-to-WAN domain). [8]

Information security management system

An information security management system (ISMS) represents the collation of all the interrelated/interacting information security elements of an organization so as to ensure policies, procedures, and objectives can be created, implemented, communicated, and evaluated to better guarantee the organization's overall information security. This system is typically influenced by an organization's needs, objectives, security requirements, size, and processes. [9] An ISMS includes and lends to risk management and mitigation strategies. Additionally, an organization's adoption of an ISMS indicates that it is systematically identifying, assessing, and managing information security risks and "will be capable of successfully addressing information confidentiality, integrity, and availability requirements." [10] However, the human factors associated with ISMS development, implementation, and practice (the user domain [8] ) must also be considered to best ensure the ISMS' ultimate success. [11]

Implementation and education strategy components

Implementing an effective information security management (including risk management and mitigation) requires a management strategy that takes note of the following: [12]

Without sufficient budgetary considerations for all the above—in addition to the money allotted to standard regulatory, IT, privacy, and security issues—an information security management plan/system can not fully succeed.

Relevant standards

Standards that are available to assist organizations with implementing the appropriate programs and controls to mitigate threats and vulnerabilities include the ISO/IEC 27000 family of standards, the ITIL framework, the COBIT framework, and O-ISM3 2.0. The ISO/IEC 27000 family represents some of the most well-known standards governing information security management and their ISMS is based on global expert opinion. They lay out the requirements for best "establishing, implementing, deploying, monitoring, reviewing, maintaining, updating, and improving information security management systems." [3] [4] ITIL acts as a collection of concepts, policies, and best practices for the effective management of information technology infrastructure, service, and security, differing from ISO/IEC 27001 in only a few ways. [13] [14] COBIT, developed by ISACA, is a framework for helping information security personnel develop and implement strategies for information management and governance while minimizing negative impacts and controlling information security and risk management, [4] [13] [15] and O-ISM3 2.0 is The Open Group's technology-neutral information security model for enterprise. [16]

See also

Related Research Articles

Security management is the identification of an organization's assets i.e. including people, buildings, machines, systems and information assets, followed by the development, documentation, and implementation of policies and procedures for protecting assets.

Information technology (IT)governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality management system.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

ISO/IEC 20000 is the international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1/SC7 and revised in 2011 and 2018. It was originally based on the earlier BS 15000 that was developed by BSI Group.

Information security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.

<span class="mw-page-title-main">Standard of Good Practice for Information Security</span>

The Standard of Good Practice for Information Security (SOGP), published by the Information Security Forum (ISF), is a business-focused, practical and comprehensive guide to identifying and managing information security risks in organizations and their supply chains.

ITIL security management describes the structured fitting of security into an organization. ITIL security management is based on the ISO 27001 standard. "ISO/IEC 27001:2005 covers all types of organizations. ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties."

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. IA encompasses both digital protections and physical techniques. These methods apply to data in transit, both physical and electronic forms, as well as data at rest. IA is best thought of as a superset of information security, and as the business outcome of information risk management.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

ISO/IEC 27002 is an information security standard published by the International Organization for Standardization (ISO) and by the International Electrotechnical Commission (IEC), titled Information security, cybersecurity and privacy protection — Information security controls.

The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

MEHARI is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals.

ISO/IEC 27005 "Information technology — Security techniques — Information security risk management" is an international standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) providing good practice guidance on managing risks to information. It is a core part of the ISO/IEC 27000-series of standards, commonly known as ISO27k.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Security level management (SLM) comprises a quality assurance system for electronic information security.

In information security, risk factor is a collective name for circumstances affecting the likelihood or impact of a security risk.

<span class="mw-page-title-main">IT risk management</span>

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, revised in 2013, and again most recently in 2022. There are also numerous recognized national variants of the standard. It details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) – the aim of which is to help organizations make the information assets they hold more secure. Organizations that meet the standard's requirements can choose to be certified by an accredited certification body following successful completion of an audit. A SWOT analysis of the ISO/IEC 27001 certification process was conducted in 2020.

NIST Cybersecurity Framework (CSF) is a set of guidelines for mitigating organizational cybersecurity risks, published by the US National Institute of Standards and Technology (NIST) based on existing standards, guidelines, and practices. The framework "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes", in addition to guidance on the protection of privacy and civil liberties in a cybersecurity context. It has been translated to many languages, and is used by several governments and a wide range of businesses and organizations.

The Open Group Information Security Management Maturity Model (O-ISM3) is a maturity model for managing information security. It aims to ensure that security processes in any organization are implemented so as to operate at a level consistent with that organization’s business requirements. O-ISM3 defines a comprehensive but manageable number of information security processes sufficient for the needs of most organizations, with the relevant security control(s) being identified within each process as an essential subset of that process.

References

  1. 1 2 Campbell, T. (2016). "Chapter 1: Evolution of a Profession". Practical Information Security Management: A Complete Guide to Planning and Implementation. APress. pp. 1–14. ISBN   9781484216859.
  2. 1 2 Tipton, H.F.; Krause, M. (2003). Information Security Management Handbook (5th ed.). CRC Press. pp. 810–11. ISBN   9780203325438.
  3. 1 2 Humphreys, E. (2016). "Chapter 2: ISO/IEC 27001 ISMS Family". Implementing the ISO/IEC 27001:2013 ISMS Standard. Artech House. pp. 11–26. ISBN   9781608079315.
  4. 1 2 3 Campbell, T. (2016). "Chapter 6: Standards, Frameworks, Guidelines, and Legislation". Practical Information Security Management: A Complete Guide to Planning and Implementation. APress. pp. 71–94. ISBN   9781484216859.
  5. 1 2 Watts, S. (21 June 2017). "IT Security Vulnerability vs Threat vs Risk: What's the Difference?". BMC Blogs. BMC Software, Inc. Retrieved 16 June 2018.
  6. 1 2 Campbell, T. (2016). "Chapter 4: Organizational Security". Practical Information Security Management: A Complete Guide to Planning and Implementation. APress. pp. 43–61. ISBN   9781484216859.
  7. Lundgren, Björn; Möller, Niklas (2019). "Defining Information Security". Science and Engineering Ethics. 25 (2): 419–441. doi:10.1007/s11948-017-9992-1. ISSN   1353-3452. PMC   6450831 . PMID   29143269.
  8. 1 2 3 Kim, D.; Solomon, M.G. (2016). "Chapter 1: Information Systems Security". Fundamentals of Information Systems Security. Jones & Bartlett Learning. pp. 2–46. ISBN   9781284128239.
  9. Terroza, A.K.S. (12 May 2015). "Information Security Management System (ISMS) Overview" (PDF). The Institute of Internal Auditors. Archived from the original (PDF) on 7 August 2016. Retrieved 16 June 2018.
  10. "Need: The Need for ISMS". Threat and Risk Management. European Union Agency for Network and Information Security. Retrieved 16 June 2018.
  11. Alavi, R.; Islam, S.; Mouratidis, H. (2014). "A Conceptual Framework to Analyze Human Factors of Information Security Management System (ISMS) in Organizations". Human Aspects of Information Security, Privacy, and Trust. Lecture Notes in Computer Science. Vol. 8533. pp. 297–305. doi: 10.1007/978-3-319-07620-1_26 . ISBN   978-3-319-07619-5.{{cite book}}: |journal= ignored (help)
  12. Tipton, H.F.; Krause, M. (2010). Information Security Management Handbook. Vol. 3 (6th ed.). CRC Press. pp. 100–02. ISBN   9781420090956.
  13. 1 2 Kim, D.; Solomon, M.G. (2016). Fundamentals of Information Systems Security. Jones & Bartlett Learning. p. 225. ISBN   9781284128239.
  14. Leal, R. (7 March 2016). "ISO 27001 vs. ITIL: Similarities and differences". The ISO 27001 & ISO 22301 Blog. Advisera Expert Solutions Ltd. Retrieved 16 June 2018.
  15. White, S.K. (22 December 2017). "What is COBIT? A framework for alignment and governance". CIO. IDG Communications, Inc. Retrieved 16 June 2018.
  16. "Open Information Security Management Maturity Model (O-ISM3), Version 2.0". The Open Group. 21 September 2017. Retrieved 16 June 2018.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.