The information security management process describes how information security is structured and fitted into the organisation. Security management is based on the principles of a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS).
An ISMS is a set of policies, processes and systems concerned with managing information security and IT-related risks. The governing principle behind an ISMS is that the organisation should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thereby keeping information security risk at an acceptable level.
The design and implementation of an ISMS is influenced by the needs, objectives, security requirements, size and structure of the organisation. It employs the Plan-Do-Check-Act (PDCA) model to structure the processes and principles necessary for a secure operating environment.
- The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
- The Do phase involves implementing and operating the controls.
- The Check phase reviews and evaluates the performance (efficiency and effectiveness) of the ISMS against its objectives.
- In the Act phase, corrective and preventive changes are made where necessary to bring the ISMS back to the required level of performance.
Security administration is a management issue and not a purely technical one. The establishment, maintenance and continuous updating of an ISMS indicate that the organisation is using a systematic approach to the identification, assessment and management of information security risks. Furthermore, this makes the organisation capable of addressing its information confidentiality, integrity and availability requirements.
The primary objective of information security management is to implement appropriate measures in order to eliminate or minimise the impact that security-related threats and vulnerabilities might have on the organisation.
A basic concept of security management is to ensure adequate information security; the primary goal of information security is to protect the organisation's information assets against risk, to safeguard information and to maintain its value to the organisation. When protecting information, it is the value of the information that must be protected. That value is expressed in terms of confidentiality, integrity and availability.
The organisation's information security policy specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving system security within the context of the organisation's overall business risks. It specifies requirements for the implementation of security controls tailored to the needs of the organisation.
The information security policy is designed to ensure the selection of adequate and proportionate security controls that protect the organisation's information assets and give confidence to interested parties.
To be effective, the organisation's information security policy should:
- have the continuous and visible support and commitment of the organisation's senior management team;
- be managed centrally, based on a common strategy and policy across the entire organisation;
- be an integral part of the overall management of the organisation, related to and reflecting the organisation's approach to risk management and the degree of assurance required;
- have security objectives and activities based on business objectives and requirements and led by business management;
- mandate only necessary tasks and avoid over-control and waste of resources;
- fully comply with the organisation's philosophy, providing a system that enables staff to demonstrate accountability without preventing them from performing routine activities;
- be based on continuous training and awareness of staff and avoid the use of disciplinary measures;
- be regularly reviewed and updated.
Because organisations and information systems constantly evolve, the activities within the security management process must be revised continuously, in order to stay up-to-date and effective.
Information security related activities are documented; external reports are commissioned and sent to the organisation. The organisation is then able to adapt its requirements based on the information received from the reports. The managed operations service provider can adjust its plan or implementation based on the findings in order to satisfy all the requirements stated in the SLA, including new requirements.
The information security management process is related to almost all other IT service processes. The most obvious relationships are with the service level management, incident management and change management processes.
The organisation's information security management process consists of activities that are carried out and controlled by stakeholders within the organisation. The fundamentals of these information security related activities can be summarised as follows.
The first activity in the organisation's information security management process is the control process. The control process defines the allocation of responsibility, the policy statements and the management framework. The security management framework defines the processes for the development of security plans, the implementation of those plans, their evaluation, and how the results of evaluation are translated into action plans.
Security control is a description of how security management will be organised and how it will be managed. Policy statements are documents that set out specific requirements or rules that must be met.
In the information security realm, policies are usually point-specific, covering a single area. For example, an “Acceptable Use Policy” would cover the rules and regulations for appropriate use of the computing facilities.
The security management framework is an established management framework to initiate and control the implementation of information security within the organisation and to manage on-going information security provision.
The planning process contains the activities that, in cooperation with service level management, lead to the information security section of the organisation's SLA with the managed operations service provider.
Operational level agreements for information security are set up and implemented; this requires cooperation with other processes. For example, if security management wishes to change the IT infrastructure in order to achieve a security goal, these changes are performed through the change management process.
Security management raises the request for change; the change manager is responsible for the change management process itself.
The security section of the service level agreement documents the agreement between the organisation and the managed operations service provider and records the agreed service levels. The SLA is a contract with the managed operations service provider covering the delivery of the IT services that support the organisation in the delivery of its own services.
The implementation process ensures that all measures, as specified in the plans, are properly implemented. During the implementation process no new measures are defined or changed.
Security implementation aims to achieve information security according to the security management plan. Asset registers maintain a comprehensive inventory of the organisation's IT assets, with responsibility for each asset assigned to ensure that effective security protection is maintained.
Personnel security involves well-defined job descriptions for all staff, outlining their security roles and responsibilities. Security policies are documents that set out specific security requirements that must be met.
Access control requires network management to ensure that only those with the appropriate responsibility have access to information on the organisation's network, and that the supporting infrastructure is protected.
The security evaluation of the organisation's information service is an important process; evaluation is necessary to measure the success of implementation. The results of the security evaluation process are used to manage the service level agreement. Evaluation results can lead to new requirements and to a request for change, which is defined and sent to the change management process.
There are two main types of security evaluation: internal audit and external audit. Internal audits are carried out by the managed operations service provider's internal IT auditors; external audits are carried out by independent IT auditors.
A security review evaluates the operational security of the organisation's deployed IT assets; the outcome is a documented evaluation of the implementation. The managed operations service provider performs internal audits, which involve a security review of operational security by an internal auditor.
The organisation also performs external audits, which involve a security review of the organisation's IT assets by an independent auditor.
Information security must be maintained because the IT infrastructure and the organisation itself change, and as a result security risks alter over time. The maintenance of security involves both the maintenance of the security section of the service level agreement and of the more detailed security plans.
Security maintenance is based on the results of the security evaluation process and on insight into the changing information security risks; these activities produce proposals. The proposals serve as inputs to the planning process and can be taken into the maintenance of the service level agreements.