Information Security Management Tutorial

5.1 Information Security Management

Welcome to learning unit 5 on Information Security Management. Let’s begin with the agenda.

5.2 Information Security Management

Similar to the learning units that we have covered so far, in this unit we will learn about ISM purpose, objectives, scope, value, key concepts, triggers, interfaces, inputs and outputs, challenges and risks. Let us begin with the purpose and objectives in the next slide.

5.3 Information Security Management - Purpose and Objective

The purpose of the information security management process is to align IT security with business security and ensure that the confidentiality, integrity and availability of the organization’s assets, information, data and IT services always matches the agreed needs of the business. The objectives of Information Security Management are:

• Protect the interests of those relying on information
• Protect the systems and communications that deliver the information

Let us look at the scope of ISM in the next slide.

5.4 Information Security Management - Scope

The ISM process should be the focal point for all IT security issues, and must ensure that an Information Security Policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services. ISM needs to understand the total IT and business security environment, including the:

• Business Security Policy and plans
• Current business operation and its security requirements
• Future business plans and requirements
• Legislative requirements
• Obligations and responsibilities with regard to security contained within SLAs
• The business and IT risks and their management.

Understanding all of this will enable ISM to ensure that all the current and future security aspects and risks of the business are cost-effectively managed. To achieve effective information security governance, management must establish and maintain an Information Security Management System (ISMS) to guide the development and management of a comprehensive information security programme that supports the business objectives. In the next slide let us discuss the value of ISM to the business.

5.5 Information Security Management - Value to the Business

ISM ensures that an Information Security Policy is maintained and enforced that fulfils the needs of the Business Security Policy and the requirements of corporate governance. ISM raises awareness of the need for security within all IT services and assets throughout the organization, ensuring that the policy is appropriate for the needs of the organization. ISM manages all aspects of IT and information security within all areas of IT and Service Management activity. ISM provides assurance of business processes by enforcing appropriate security controls in all areas of IT and by managing IT risk in line with business and corporate risk management processes and guidelines. Let us proceed to look at ISM policies in the next slide.

5.6 Information Security Management - Policies

Information Security Management activities should be focused on and driven by an overall Information Security Policy and a set of underpinning specific security policies. The Information Security Policy should have the full support of top executive IT management and ideally the support and commitment of top executive business management. The policy should cover all areas of security, be appropriate, meet the needs of the business and should include:

• An overall Information Security Policy
• Use and misuse of IT assets policy
• An access control policy
• A password control policy
• An e-mail policy
• An internet policy
• An anti-virus policy
• An information classification policy
• A document classification policy
• A remote access policy
• A policy with regard to supplier access to IT services, information and components
• An asset disposal policy.

These policies should be widely available to all customers and users, and compliance with them should be referred to in all SLRs, SLAs, contracts and agreements. The policies should be authorized by top executive management within the business and IT, and compliance with them should be endorsed on a regular basis. All security policies should be reviewed – and, where necessary, revised – at least on an annual basis. In the next slide we will look at the key concepts of ISM.

5.7 Information Security Management - Key Concepts

The Information Security Management process and framework will generally consist of:

• An Information Security Policy and specific security policies that address each aspect of strategy, controls and regulation
• An Information Security Management System (ISMS), containing the standards, management procedures and guidelines supporting the information security policies
• A comprehensive security strategy, closely linked to the business objectives, strategies and plans
• An effective security organizational structure
• A set of security controls to support the policy
• The management of security risks
• Monitoring processes to ensure compliance and provide feedback on effectiveness
• Communications strategy and plan for security
• Training and awareness strategy and plan.

Let us understand the ISM control elements in the next slide.

5.8 Information Security Management - Key Concepts

The objectives of the control elements of the ISMS are to:

• Establish a management framework to initiate and manage information security in the organization
• Establish an organization structure to prepare, approve and implement the Information Security Policy
• Allocate responsibilities
• Establish and control documentation.

So far, we have discussed the policy, framework and control elements of ISM. Continuing with the key concepts, in the next slide let us understand the plan element.

5.9 Information Security Management - Key Concepts

The objective of the plan element of the ISMS is to devise and recommend the appropriate security measures, based on an understanding of the requirements of the organization. The requirements will be gathered from such sources as business and service risk, plans and strategies, SLAs and OLAs and the legal, moral and ethical responsibilities for information security. Other factors, such as the amount of funding available and the prevailing organization culture and attitudes to security, must be considered. The Information Security Policy defines the organization’s attitude and stance on security matters. This should be an organization-wide document, not just applicable to the IT service provider. Responsibility for the upkeep of the document rests with the Information Security Manager. Let us now proceed to learn about the implement element in the next slide.

5.10 Information Security Management - Key Concepts

The objective of the implementation element of the ISMS is to ensure that appropriate procedures, tools and controls are in place to underpin the Information Security Policy. Amongst the measures are:

• Accountability for assets – Configuration Management and the CMS are invaluable here
• Information classification – information and repositories should be classified according to their sensitivity and the impact of disclosure.

The successful implementation of the security controls and measures is dependent on a number of factors:

• The determination of a clear and agreed policy, integrated with the needs of the business
• Security procedures that are justified, appropriate and supported by senior management
• Effective marketing and education in security requirements
• A mechanism for improvement.

In the next slide we will discuss the evaluation element of ISM.

5.11 Information Security Management - Key Concepts

The objectives of the evaluation element of the ISMS are to:

• Supervise and check compliance with the security policy and the security requirements in SLAs and OLAs
• Carry out regular audits of the technical security of IT systems
• Provide information to external auditors and regulators, if required.

Let’s proceed to discuss the maintain element in the next slide.

5.12 Information Security Management - Key Concepts

The objectives of the maintain element of the ISMS are to:

• Improve security agreements as specified in, for example, SLAs and OLAs
• Improve the implementation of security measures and controls.

This should be achieved using a PDCA (Plan–Do–Check–Act) cycle, which is the formal approach suggested by ISO 27001 for the establishment of the Information Security Management System (ISMS) or framework. This cycle is described in more detail in the Continual Service Improvement publication. So far we have discussed the elements relating to the Security Management framework. Moving ahead we will discuss the ISM process activities, methods and techniques.

5.13 Information Security Management - Key Concepts

The diagram on the slide depicts the processes, activities, methods and techniques of ISM. The purpose of the ISM process is to ensure that the security aspects with regard to services and all Service Management activities are appropriately managed and controlled in line with business needs and risks. The key activities within the ISM process are:

• Production, review and revision of an overall Information Security Policy and a set of supporting specific policies
• Communication, implementation and enforcement of the security policies
• Assessment and classification of all information assets and documentation
• Implementation, review, revision and improvement of a set of security controls and risk assessments and responses
• Monitoring and management of all security breaches and major security incidents
• Analysis, reporting and reduction of the volumes and impact of security breaches and incidents
• Scheduling and completion of security reviews, audits and penetration tests.

Next, let us look at the security controls.

5.14 Information Security Management - Key Concepts

The Information Security Manager must understand that security is not a single step in the lifecycle of services and systems and that security cannot be solved through technology alone. Rather, information security must be an integral part of all services and systems and is an ongoing process that needs to be continuously managed using a set of security controls, as shown in the figure. The set of security controls should be designed to support and enforce the Information Security Policy and to minimize all recognized and identified threats. The controls will be considerably more cost-effective if included within the design of all services. This will ensure the continued protection of all existing services and that new services, and access to them, are in line with the policy.

• Preventive: security measures are used to prevent a security incident from occurring. The best-known example of preventive measures is the allocation of access rights to a limited group of authorized people.
• Reductive: further measures can be taken in advance to minimize any possible damage that may occur. These are ‘reductive’ measures. Familiar examples of reductive measures are making regular backups and the development, testing and maintenance of contingency plans.
• Detective: if a security incident occurs, it is important to discover it as soon as possible – detection. A familiar example of this is monitoring, linked to an alert procedure. Another example is virus-checking software.
• Repressive: measures are then used to counteract any continuation or repetition of the security incident. For example, an account or network address is temporarily blocked after numerous failed attempts to log on, or a card is retained when multiple attempts are made with a wrong PIN.
• Corrective: the damage is repaired as far as possible using corrective measures. For example, corrective measures include restoring from backup, or returning to a previous stable situation (roll-back, back-out). Fall-back can also be seen as a corrective measure.

Like any other process, ISM has triggers; let us understand the triggers of ISM in the next slide.
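The detective and repressive controls described above can be shown working together on a small stream of authentication events. The following is an added example and is not part of the original training material: it replays a few constructed, syslog-style login records, raises an alert when an account crosses a failed-login threshold inside a sliding time window (the detective control: monitoring linked to an alert procedure) and then temporarily blocks that account (the repressive control: counteracting repetition of the incident). The log line format, the threshold of five failures, the ten-minute window and the fifteen-minute block are all assumptions chosen for the demonstration, not figures from the slides.

```python
"""Detective and repressive controls over constructed authentication log lines.

Added example, not code from the original slides. The log format, threshold,
window and block duration below are assumptions made for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines, loosely modelled on sshd/PAM messages.
SAMPLE_LOG = """\
2024-05-01T08:00:01 auth: Failed password for alice from 203.0.113.5
2024-05-01T08:00:04 auth: Failed password for alice from 203.0.113.5
2024-05-01T08:00:09 auth: Failed password for alice from 203.0.113.5
2024-05-01T08:00:12 auth: Failed password for alice from 203.0.113.5
2024-05-01T08:00:15 auth: Failed password for alice from 203.0.113.5
2024-05-01T08:00:20 auth: Accepted password for alice from 203.0.113.5
2024-05-01T08:01:00 auth: Failed password for bob from 198.51.100.7
2024-05-01T08:20:00 auth: Failed password for bob from 198.51.100.7
2024-05-01T09:30:00 auth: Accepted password for alice from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

THRESHOLD = 5                      # failures that trigger the alert (assumed)
WINDOW = timedelta(minutes=10)     # failures must fall inside this window (assumed)
BLOCK_FOR = timedelta(minutes=15)  # length of the temporary block (assumed)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def evaluate(log_text, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
    """Replay the log in order and return the list of control actions taken.

    Actions are tuples:
      ("alert", ts, user)         detective control: threshold crossed
      ("block", ts, user, until)  repressive control: account blocked until `until`
      ("denied", ts, user)        login refused because the block is still active
    """
    recent = defaultdict(deque)   # user -> timestamps of failures inside the window
    blocked_until = {}            # user -> datetime at which the block expires
    actions = []

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue              # unparseable line: skip rather than guess
        ts, result, user, _src = parsed

        # Repressive control: a blocked account is refused even on correct
        # credentials until the block expires.
        until = blocked_until.get(user)
        if until is not None and ts < until:
            actions.append(("denied", ts, user))
            continue

        if result != "Failed":
            recent[user].clear()  # a successful login resets the failure counter
            continue

        # Detective control: keep only failures inside the sliding window.
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            actions.append(("alert", ts, user))
            blocked_until[user] = ts + block_for
            actions.append(("block", ts, user, ts + block_for))
            q.clear()
    return actions


if __name__ == "__main__":
    for action in evaluate(SAMPLE_LOG):
        print(*action)
```

On the constructed input, alice's fifth failure inside the window raises the alert and the block, and her correct password five seconds later is still refused; bob's two failures are nineteen minutes apart, so the window expires and no action is taken. The point a practitioner should take from this is that the detective rule (the window and threshold) and the repressive rule (the block) are separate decisions, and each produces a record that feeds incident management and the security breach reporting described later in this unit.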

5.15 Information Security Management - Triggers

The Information Security Management process can be triggered by:

• New or changed corporate governance guidelines
• New or changed Business Security Policy
• New or changed corporate risk management processes and guidelines
• New or changed business needs or new or changed services
• New or changed requirements within agreements, such as SLRs, SLAs, OLAs or contracts
• Review and revision of business and IT plans and strategies
• Review and revision of designs and strategies
• Service or component security breaches or warnings, events and alerts, including threshold events and exception reports
• Periodic activities, such as reviewing, revising or reporting, including review and revision of ISM policies, reports and plans
• Recognition or notification of a change of risk or impact of a business process or VBF, an IT service or component
• Requests from other areas, particularly SLM, for assistance with security issues.

5.16 Exercise - 3

Here is the scenario: with the introduction of the Insurance Services System (ISS), the CIO has become concerned with security issues regarding user access. Due to the sensitive nature of the financial data, there is a potential for security incidents to become high-profile and high-impact if XYZ allows open access to all XYZ staff. At present, the service desk has handled all access requests to ISS as incidents, and user rights have been changed by any member of the IT support team as they see fit. In response to the CIO’s concerns, you have been asked to develop and put in place an information security policy in conjunction with the business, and to make recommendations as to which policies the organization should adhere to for the proposed process implementation to succeed. Spend time on this exercise and come up with the recommendations.

5.17 Information Security Management - Interfaces

The ISM process interfaces with:

• Incident and Problem Management: in providing assistance with the resolution and subsequent justification and correction of security incidents and problems. The Incident Management process must include the ability to identify and deal with security incidents. Service Desk and Service Operations staff must be able to ‘recognize’ a security incident.
• ITSCM: with the assessment of business impact and risk, and the provision of resilience, fail-over and recovery mechanisms. Security is a major issue when continuity plans are tested or invoked. A working ITSCM plan is a mandatory requirement for ISO 27001.
• SLM: assistance with determining security requirements and responsibilities and their inclusion within SLRs and SLAs, together with the investigation and resolution of service and component security breaches.
• Change Management: ISM should assist with the assessment of every change for its impact on security and security controls. ISM can also provide information on unauthorized changes.
• Legal and HR issues must be considered when investigating security issues.
• Configuration Management will provide accurate asset information to assist with security classifications. An accurate CMS is therefore an extremely useful ISM input.
• Security is often seen as an element of Availability Management, with Confidentiality, Integrity and Availability (CIA) being the essence of both Availability Management and ISM. ISM should also work with both Availability Management and ITSCM to conduct integrated Risk Analysis and Management exercises.
• Capacity Management must consider security implications when selecting and introducing new technology. Security is an important consideration when procuring any new technology or software.
• Financial Management should provide adequate funds to finance security requirements.
• Supplier Management should assist with the joint management of suppliers and their access to services and systems, and the terms and conditions to be included within contracts concerning supplier responsibilities.

Now, let’s discuss the inputs and outputs of ISM in the next slide.

5.18 Information Security Management - Inputs and Outputs

Let’s begin with the inputs. Information Security Management will need to obtain input from many areas, including:

• Business information: from the organization’s business strategy, plans and financial plans, and information on their current and future requirements
• Corporate governance and business security policies and guidelines, security plans, Risk Analysis and responses
• IT information: from the IT strategy and plans and current budgets
• Service information: from the SLM process, with details of the services from the Service Portfolio and the Service Catalogue and service level targets within SLAs and SLRs, and possibly from the monitoring of SLAs, service reviews and breaches of the SLAs
• Risk Analysis processes and reports: from ISM, Availability Management and ITSCM
• Details of all security events and breaches: from all areas of IT and Service Management, especially Incident Management and Problem Management
• Change information: from the Change Management process, with a Change Schedule and a need to assess all changes for their impact on all security policies, plans and controls
• CMS: containing information on the relationships between the business, the services, supporting services and the technology
• Details of partner and supplier access: from Supplier Management and Availability Management on external access to services and systems.

Moving on, let’s understand the outputs. The outputs produced by the Information Security Management process are used in all areas and should include:

• An overall Information Security Management Policy, together with a set of specific security policies
• A Security Management Information System (SMIS), containing all the information relating to ISM
• Revised security risk assessment processes and reports
• A set of security controls, together with details of their operation and maintenance and their associated risks
• Security audits and audit reports
• Security test schedules and plans, including security penetration tests and other security tests and reports
• A set of security classifications and a set of classified information assets
• Reviews and reports of security breaches and major incidents
• Policies, processes and procedures for managing partners and suppliers and their access to services and information.

In the next slide we will look at the CSFs and KPIs of ISM.

5.19 Information Security Management - CSFs and KPIs

The following list includes some sample CSFs for Information Security Management. Each organization should identify appropriate CSFs based on its objectives for the process. Each sample CSF is followed by a small number of typical KPIs that support the CSF. These KPIs should not be adopted without careful consideration. Each organization should develop KPIs that are appropriate for its level of maturity, its CSFs and its particular circumstances. Achievement against KPIs should be monitored and used to identify opportunities for improvement, which should be logged in the continual service improvement (CSI) register for evaluation and possible implementation.

• Take the example of the CSF “Business protected against security violations”. Supporting KPIs for this CSF would be: percentage decrease in security breaches reported to the Service Desk; percentage decrease in the impact of security breaches and incidents; percentage increase in SLA conformance to security clauses.
• Take the example of the CSF “Security procedures that are justified, appropriate and supported by senior management”. Supporting KPIs for this CSF would be: increase in the acceptance of and conformance with security procedures; increased support and commitment of senior management.
• Take the example of the CSF “A mechanism for improvement”. Supporting KPIs for this CSF would be: the number of suggested improvements to security procedures and controls; decrease in the number of security non-conformances detected during audits and security testing.

So far, we have looked at the triggers, interfaces, inputs, outputs, CSFs and KPIs. Let us now proceed to understand the challenges faced by ISM in the next slide.

5.20 Information Security Management - Challenges

The challenges of the ISM process are:

• Ensuring there is adequate support from the business, business security and senior management
• Ensuring policies can be enforced throughout the business
• Ensuring alignment and integration with the business security process
• Communication as it relates to security
• Keeping the alignment through change management.

In the next slide we will understand the risks faced by ISM.

5.21 Information Security Management - Risks

The risks that the ISM process can come across are:

• Increasing requirements for availability and robustness
• Growing potential for misuse and abuse of information systems affecting privacy and ethical values
• External dangers from hackers leading to denial-of-service and virus attacks, extortion, industrial espionage and leakage of organizational information or private data
• A lack of commitment from the business to the ISM processes and procedures
• Lack of commitment from the business and a lack of appropriate information on future plans and strategies
• A lack of senior management commitment or a lack of resources and/or budget for the ISM process
• The processes focus too much on technology issues and not enough on the IT services and the needs and priorities of the business
• Risk assessment and management is conducted in isolation and not in conjunction with Availability Management and ITSCM
• ISM policies, plans, risks and information become out of date and lose alignment with the corresponding information and plans of the business and business security.

In the next slide we will learn about the information management of ISM.

5.22 Information Security Management - Information Management

All the information required by ISM should be contained within the SMIS (Security Management Information System). This should include all security controls, risks, breaches, processes and reports necessary to support and maintain the Information Security Policy and the ISMS. This information should cover all IT services and components and needs to be integrated and maintained in alignment with all other IT information management systems, particularly the Service Portfolio and the CMS. The SMIS will also provide the input to security audits and reviews and to the continual improvement activities so important to all ISMSs. The SMIS will also provide invaluable input to the design of new systems and services. We have come to the end of learning unit 5, let us recap in the next slide.

5.23 Information Security Management Summary

In this learning unit we have learnt about the ISM purpose, objectives, scope, value to the business, triggers, inputs and outputs, and interfaces of the ISM process. We also learnt about ISM information management, challenges, risks, CSFs and KPIs. The next section includes quiz questions; once these are completed we will move to the next learning unit, on Demand Management.
