Information Security Management

Purpose

The purpose of the information security management practice is to protect the information needed by the organization to conduct its business.

This includes understanding and managing risks to the confidentiality, integrity, and availability of information, as well as other aspects of information security such as authentication (ensuring someone is who they claim to be) and non-repudiation (ensuring that someone can’t deny that they took an action).

Process Integration

Many processes and procedures are required to support information security management. These include: 

  • an information security incident management process
  • a risk management process
  • a control review and audit process
  • an identity and access management process 
  • event management
  • procedures for penetration testing, vulnerability scanning etc. 
  • procedures for managing information security related changes, such as firewall configuration changes. 

The security of data and information is of vital importance to any organisation and it is therefore a business decision as to what information should be protected and to what level.

Guidance

The required security is established by means of policies, processes, behaviours, risk management, and controls, which must maintain a balance between: 

  • Prevention – Ensuring that security incidents don’t occur
  • Detection – Rapidly and reliably detecting incidents that can’t be prevented
  • Correction – Recovering from incidents after they are detected. 

It is also important to achieve a balance between protecting the organization from harm and allowing it to innovate. Information security controls that are too restrictive may do more harm than good, or may be circumvented by people trying to do work more easily. Information security controls should consider all aspects of the organization and align with its risk appetite. 

Information security management interacts with every other practice. It creates controls that each practice must consider when planning how work will be done. It also depends on other practices to help protect information. 

Information security management must be driven from the most senior level in the organization, based on clearly understood governance requirements and organizational policies. Most organizations have a dedicated information security team, which carries out risk assessments and defines policies, procedures, and controls. In high-velocity environments, information security is integrated as much as possible into the daily work of development and operations, shifting the reliance on control of process towards verification of preconditions such as expertise and integrity. 

Information security is critically dependent on the behaviour of people throughout the organization. Staff who have been trained well and pay attention to information security policies and other controls can help to detect, prevent, and correct information security incidents. Poorly trained or insufficiently motivated staff can be a major vulnerability. 

Terminology

  • Information Security Policy – The Information Security Policy should support and be aligned to the business security policy. It should include policies covering the use of IT assets, email, the internet, important documents, remote access, access by third parties (such as suppliers) and asset disposal. In addition, it defines the approach to resetting passwords, maintaining anti-virus controls and classifying information. These policies should be available to all customers and users as well as to IT staff, and compliance to the policy should be referenced in all internal agreements and external contracts. The policy should be reviewed and revised on at least an annual basis.
  • Information Security Management System/Security Framework – The Information Security Management System (ISMS — also referred to as the Security Framework) helps establish a cost-effective security program to support business objectives. The objective of the ISMS is to ensure that appropriate controls, tools and procedures are established to support the Information Security Policy.
  • Confidentiality (of Data) – Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. Access must be restricted to those authorised to view the data in question.
  • Integrity (of Data) – Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorised people (for example, in a breach of confidentiality). These measures include file permissions and user access controls. 
  • Availability (of Data) – Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed and maintaining a correctly functioning operating system environment that is free of software conflicts. It’s also important to keep current with all necessary system upgrades.  

Contribution to the Service Value Chain

  • Plan – Information security must be considered in all planning activity and must be built into every practice and service. 
  • Improve – Information security must be considered in all improvement value chain activity to ensure that vulnerabilities are not introduced when making improvements. 
  • Engage – Information security requirements for new and changed services must be understood and captured. All levels of engagement, from operational to strategic, must support information security and encourage the behaviours needed. All stakeholders must contribute to information security, including customers, users, suppliers, etc. 
  • Design & Transition – Information security must be considered throughout this value chain activity, with effective controls being designed and transitioned into operation. The design and transition of all services must consider information security aspects as well as all other utility and warranty requirements. 
  • Obtain/build – Information security must be built into all components, based on the risk analysis, policies, procedures, and controls defined by information security management. This applies whether the components are built internally or procured from suppliers. 
  • Deliver & Support – Detection and correction of information security incidents must be an integral part of this value chain activity.