Information Security Management (ISM) can include a set of policies concerned with information and IT related risks. The governing principle is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security (IS) risk. The following management elements can be considered: security domains, control objectives, security controls, security functional requirements and assurance requirements, all applied across phases and levels.
ISM can also include establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS), all within the context of the organization’s overall business risks. It should be designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.
A basic concept of security management (SM) is IS. The primary goal of IS is to control access to information. What must be protected is the value of the information, expressed as confidentiality, integrity and availability. Inferred aspects are privacy, anonymity and verifiability.
The goal of ISM comes in two parts: security requirements defined in service level agreements (SLAs) and other external requirements specified in underpinning contracts, legislation and any internally or externally imposed policies; and a baseline of security that guarantees management continuity. This is necessary to achieve simplified service-level management for IS.
SLAs define security requirements, along with legislation (if applicable) and other contracts. These requirements can act as key performance indicators (KPIs) that can be used for process management and for interpreting the results of the SM process. SM can be related to the service level management, incident management and change management processes. SM includes control, planning, implementation, evaluation, maintenance, and a complete process-data model.
There are many problems and challenges when dealing with corporate SM:
- Dynamically changing security requirements of an organization: rapid technological development raises new security concerns for organizations. The existing security measures and requirements become obsolete as new vulnerabilities arise with the development in technology.
- Externalities caused by a security system: an externality is an economic concept for the effects borne by a party that is not directly involved in a transaction. It can be positive or negative, is often uncertain, and cannot be predetermined.
- Obsolete evaluation of security concerns: the evaluations of security concerns become obsolete as the technology progresses and new threats and vulnerabilities arise.
- IT security administrators have time constraints: they should expect to devote approximately one-third of their time to technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness. But that is not what normally happens.
- Security depends on people more than on technology: employees are a far greater threat to IS than outsiders. Security is like a chain; it is only as strong as its weakest link. The degree of security depends on three factors: the risk one is willing to take, the functionality of the system and the costs one is prepared to pay.
- Security is not a status or a snapshot, but a running process: this fact inevitably leads to the conclusion that security administration is a management issue, not a purely technical one.
- There are critical factors that present a constant challenge: for confidentiality, information must be protected from unauthorized parties; for integrity, information must be protected from modification by unauthorized users; for availability, information must be available to authorized users when needed.
Continuous security evaluation of organizational products, services, methods and technology is essential to maintain effective management: security concerns that have already been evaluated need to be re-evaluated as conditions change. A continuous security evaluation mechanism within the organization is therefore critical to achieving IS objectives, and the re-evaluation process is tied to the dynamic security requirement management process. We use a Plan-Do-Check-Act approach:
- Plan phase: designing the client’s management system, assessing IS risks and selecting appropriate controls.
- Do phase: implementing and operating the controls.
- Check phase: reviewing and evaluating the performance (efficiency and effectiveness) of the management system.
- Act phase: making changes as necessary to bring the ISMS back to peak performance.
Our consulting on SM can include defining policy, defining scope, assessing risk, managing risk, selecting controls to be implemented and applied, and preparing a statement of applicability. Elements can include conformance claims, security problem definition, security objectives, extended components definition, security requirements and summary specification. For the assessment, our IT security evaluation criteria consider requirements, architectural design, detailed design and implementation. Our framework considers the following:
- definition of security policy
- definition of ISMS scope
- risk assessment (as part of risk management)
- risk management
- selection of appropriate controls
- statement of applicability
We help our clients to:
- organize and manage dynamically changing requirements by offering guidance on keeping the management system up-to-date.
- protect internal corporate and interacting partners from vulnerable behaviors.
- issue an assessment on the maturity level of the client’s security policies.
- issue an assessment on the practical implementation of those policies.
- apply recommendations based on best practices and security industry adopted standards.
- know how to manage corporate IT security, from small to large infrastructure sizes, from small to large complexities.
- have the continuous, unshakeable and visible support and commitment of the organization’s top management.
- be managed centrally, based on a common strategy and policy across the entire organization.
- be an integral part of the organization, reflecting the chosen approach to risk management, control objectives and the degree of assurance required.
- have security objectives and activities based on business objectives and requirements, and led by business management.
- undertake only necessary tasks and avoid over-control and waste of valuable resources.
- fully comply with the organization’s philosophy and mindset by providing a management approach that, instead of preventing people from doing what they are employed to do, enables them to do it under control and demonstrate that they have fulfilled their accountabilities.
- have continuous training and awareness of staff and avoid the use of disciplinary measures and “police / military” practices.