Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the
confidentiality
Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information.
Legal confidentiality
By law, lawyers are often required ...
, availability, and integrity of
asset
In financial accounting, an asset is any resource owned or controlled by a business or an economic entity. It is anything (tangible or intangible) that can be used to produce positive economic value. Assets represent value of ownership that can ...
s from
threats
A threat is a communication of intent to inflict harm or loss on another person. Intimidation is a tactic used between conflicting parties to make the other timid or psychologically insecure for coercion or control. The act of intimidation for co ...
and
vulnerabilities. The core of ISM includes
information risk management
IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:
:''The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an ...
, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate
stakeholders.
This requires proper asset identification and valuation steps, including evaluating the value of
confidentiality
Confidentiality involves a set of rules or a promise usually executed through confidentiality agreements that limits the access or places restrictions on certain types of information.
Legal confidentiality
By law, lawyers are often required ...
,
integrity
Integrity is the practice of being honest and showing a consistent and uncompromising adherence to strong moral and ethical principles and values.
In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions. In ...
,
availability
In reliability engineering, the term availability has the following meanings:
* The degree to which a system, subsystem or equipment is in a specified operable and committable state at the start of a mission, when the mission is called for at ...
, and replacement of assets.
As part of information security management, an organization may implement an information security management system and other best practices found in the
ISO/IEC 27001
ISO/IEC 27001 is an international standard to manage information security. The standard was originally published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, ...
,
ISO/IEC 27002, and ISO/IEC 27035 standards on
information security
Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
.
Risk management and mitigation
Managing information security in essence means managing and mitigating the various threats and vulnerabilities to assets, while at the same time balancing the management effort expended on potential threats and vulnerabilities by gauging the probability of them actually occurring.
A meteorite crashing into a
server room
A server room is a room, usually air-conditioned, devoted to the continuous operation of computer servers. An entire building or station devoted to this purpose is a data center.
The computers in server rooms are usually headless systems that ca ...
is certainly a threat, for example, but an information security officer will likely put little effort into preparing for such a threat.
After appropriate asset identification and valuation have occurred,
risk management and mitigation of risks to those assets involves the analysis of the following issues:
* Threats: Unwanted events that could cause the deliberate or accidental loss, damage, or misuse of information assets
* Vulnerabilities: How susceptible information assets and associated controls are to exploitation by one or more threats
*
Impact and likelihood: The magnitude of potential damage to information assets from threats and vulnerabilities and how serious of a risk they pose to the assets;
cost–benefit analysis
Cost–benefit analysis (CBA), sometimes also called benefit–cost analysis, is a systematic approach to estimating the strengths and weaknesses of alternatives. It is used to determine options which provide the best approach to achieving benefits ...
may also be part of the impact assessment or separate from it
*
Mitigation
Mitigation is the reduction of something harmful or the reduction of its harmful effects. It may refer to measures taken to reduce the harmful effects of hazards that remain ''in potentia'', or to manage harmful incidents that have already occur ...
: The proposed method(s) for minimizing the impact and likelihood of potential threats and vulnerabilities
Once a threat and/or vulnerability has been identified and assessed as having sufficient impact/likelihood on information assets, a mitigation plan can be enacted. The mitigation method is chosen largely depends on which of the seven information technology (IT) domains the threat and/or vulnerability resides in. The threat of user apathy toward security policies (the user domain) will require a much different mitigation plan than the one used to limit the threat of unauthorized probing and
scanning of a network (the LAN-to-WAN domain).
Information security management system
An information security management system (ISMS) represents the collation of all the interrelated/interacting information security elements of an organization so as to ensure policies, procedures, and objectives can be created, implemented, communicated, and evaluated to better guarantee an organization's overall information security. This system is typically influenced by organization's needs, objectives, security requirements, size, and processes.
An ISMS includes and lends to effective risk management and mitigation strategies. Additionally, an organization's adoption of an ISMS largely indicates that it is systematically identifying, assessing, and managing information security risks and "will be capable of successfully addressing information confidentiality, integrity, and availability requirements."
However, the human factors associated with ISMS development, implementation, and practice (the user domain
) must also be considered to best ensure the ISMS' ultimate success.
Implementation and education strategy components
Implementing an effective information security management (including risk management and mitigation) requires a management strategy that takes note of the following:
* Upper-level management must strongly support information security initiatives, allowing information security officers the opportunity "to obtain the resources necessary to have a fully functional and effective education program" and, by extension, information security management system.
* Information security strategy and training must be integrated into and communicated through departmental strategies to ensure all personnel is positively affected by the organization's information security plan.
* A
privacy training and awareness "
risk assessment
Broadly speaking, a risk assessment is the combined effort of:
# identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. hazard analysis); and
# making judgments "on the ...
" can help an organization identify critical gaps in stakeholder knowledge and attitude towards security.
* Proper evaluation methods for "measuring the overall effectiveness of the training and awareness program" ensure policies, procedures, and training materials remain relevant.
* Policies and procedures that are appropriately developed, implemented, communicated, and enforced "mitigate risk and ensure not only risk reduction, but also ongoing compliance with applicable laws, regulations, standards, and policies."
*
Milestones and timelines for all aspects of information security management help ensure future success.
Without sufficient budgetary considerations for all the above—in addition to the money allotted to standard regulatory, IT, privacy, and security issues—an information security management plan/system can not fully succeed.
Relevant standards
Standards that are available to assist organizations with implementing the appropriate programs and controls to mitigate threats and vulnerabilities include the
ISO/IEC 27000
ISO/IEC 27000 is part of a growing family of ISO/IEC standards - the ' ISO/IEC 27000 series'. ISO/IEC 27000 is an international standard titled: ''Information technology — Security techniques — Information security management systems — Overv ...
family of standards, the
ITIL framework, the
COBIT framework, and
O-ISM3 2.0. The ISO/IEC 27000 family represents some of the most well-known standards governing information security management and the ISMS and are based on global expert opinion. They lay out the requirements for best "establishing, implementing, deploying, monitoring, reviewing, maintaining, updating, and improving information security management systems."
ITIL acts as a collection of concepts, policies, and best practices for the effective management of information technology infrastructure, service, and security, differing from ISO/IEC 27001 in only a few ways.
COBIT, developed by
ISACA
ISACA is an international professional association focused on IT (information technology) governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only. , is a framework for helping information security personnel develop and implement strategies for information management and governance while minimizing negative impacts and controlling information security and risk management,
an
O-ISM32.0 is
The Open Group
The Open Group is a global consortium that seeks to "enable the achievement of business objectives" by developing "open, vendor-neutral technology standards and certifications." It has over 840 member organizations and provides a number of servi ...
's technology-neutral information security model for enterprise.
See also
*
Certified Information Systems Security Professional
*
Chief information security officer
A chief information security officer (CISO) is a senior-level executive within an organization responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately pr ...
*
Security information management
References
External links
ISACAThe Open Group
{{Authority control
Information management
Information technology management
Security