Information security management: Difference between revisions

This article does not cite any sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Information security management" – news · newspapers · books · scholar · JSTOR (December 2008) (Learn how and when to remove this message)

Template:Wikify is deprecated. Please use a more specific cleanup template as listed in the documentation.

Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks.

The risks to these assets can be calculated by analysis of the following issues:

• Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets
• Vulnerabilities. How susceptible your assets are to attack
• Impact. The magnitude of the potential loss or the seriousness of the event.

Also,standards that are available to assist organizations implement the appropriate programmes and controls to mitigate these risks are for example BS7799/ISO 17799, Information Technology Infrastructure Library and COBIT.According to BS 7799, Information Security refers to maintaining:

• Confidentiality - Information is accessible only to those authorized.

• Integrity- Safeguarding the accuracy and completeness of information

• Availability– Authorised users have access to information when required.

Objectives:

To ensure that it complies with the external requirements-legislation SLA’s etc. To create a secure environment regardless of the external requirements Benefits:

Vital Business Information is kept secure High availability Quality of information

Mission Statement To prevent the occurrence of security-related incidents by managing the cconfidentiality, integrity and availability of IT services and data line with business requirements at acceptable cost.

Function Goal Prevent security related incidents by establishing: Achieve the function mission by implementing: • ITIL-aligned Security Management function • Dedicated Security Management Function Owner • Holistic management view of security considering people, process and physical items as well as technical items • Centralized function for managing security and establishing security related policies • Ongoing monitoring and reporting of security • Proactive actions to prevent security related incidents • Periodic auditing of security practices to continually improve overall security functions and controls • Effective security controls that are in line with business and regulatory requirements at acceptable cost levels

The Critical Success Factors (CSFs) are: • Managing Confidentiality, Integrity and Availability Of IT Services And Data • Providing Security Cost Effectively • Proactively Addressing Security Improvements Where Needed

The key activities for this function are: • Plan for Security Management in line with service and policy requirements • Coordinate implementation of Security Management people, process and technologies • Execute Security Management control activities • Evaluate and audit the Security Management supporting infrastructure • Maintain Security Management people, processes and technical infrastructure • Provide management information about Security Management quality and operations

Examples of Key Process Performance Indicators (KPIs) are shown in the list below. Each one is mapped to a Critical Success Factor (CSF).

Managing the Confidentiality, Integrity and Availability of IT Services and Data

• Number of incidents caused by internal security failures • Number of incidents caused by external security failures • Number of security audit and testing failures

• Percentage of delivery cost per customer related to security management activities • Percentage of delivery cost per customer related to security measures implemented

• Number of Security Improvement Initiatives in place. • Number of Security Improvement Initiatives completed on time • Number of Security Improvement Initiatives not yet staffed/started • Number of Security incidents related to non-current security maintenance.^[1]

An information processing facility is defined as any system, service, or infrastructure, or any physical location that houses these things. A facility can be either an activity or a place; it can be either tangible or intangible.

Information security is all about protecting and preserving information. It’s all about protecting and preserving the confidentiality, integrity, authenticity, availability, and reliability of information.

An information security event indicates that the security of an information system, service, or network may have been breached or compromised. An information security event indicates that an information security policy may have been violated or a safeguard may have failed.

An information security incident is made up of one or more unwanted or unexpected information security events that could very likely compromise the security of your information and weaken or impair your business operations.

An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system.

An information security policy statement expresses management’s commitment to the implementation, maintenance, and improvement of its information security management system..^[2]

Short for security information management, a type of software that automates the collection of event log data from security devices, such as such as firewalls, proxy servers, intrusion-detection systems and antivirus software. The SIM translates the logged data into correlated and simplified formats.^[3]

• Certified Information Security Manager
• Certified Information Systems Security Professional
• Chief information security officer
• Information Security Department
• ISO/IEC 27001
• Security Information Management
• Information security management system
• IT Security Management

• IT Library
• ISO 27001 AND ISO 27002 PLAIN ENGLISH DEFINITIONS 2005.
• What is Security Information Management 2011.

• ISACA