A recurring theme on the Continuity Compliance website is the need to determine your critical processes. In most cases, working out which of the organization's processes are critical takes some discovery; other processes are obviously critical and need little thought. The protection of Information Assets, whether data stored on your local hard drive, encrypted data stored in a remote e-vault, or even the documents from the last major acquisition in 1984, stuffed in a white banker's box in a warehouse in Ohio, is definitely a critical component of the major process of Information Security Management.
Information Security Management is the overall process for protecting "information assets" that are essential to your business, such as HR files, customer data and mailing lists. The Terms and Definitions section of BS ISO/IEC 27001-1:2005 defines Information Security as the "Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved".
The same section defines the Information Security Management System (ISMS) as "the part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security".
Based on the above definitions and general experience, it is apparent that Information Security cannot succeed without management of its processes. Key words such as risk, confidentiality and availability are everyday requirements in the world of IT departments. How organizations go about their specific business of information security varies to some degree. There are a number of general frameworks and a few standards that an organization can use to help ensure that its critical processes for managing information security are working.
Frameworks help us to define, build, and communicate ideas and requirements, but they tend to lack guidance. This may leave an organization with a large, costly implementation project with slow ROI, or with failed sub-projects that cannot see light at the end of the tunnel. Standards require the organization to implement specific controls. They can leverage the beneficial elements of frameworks to ensure compliance with the standard while remaining flexible to the requirements of the business. Some standards can be audited by a third party, such as BS ISO/IEC 27001-1:2005 Information technology – Security techniques – Information security management systems – Requirements. Others, such as NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, have become widely adopted by non-government businesses as guidance for managing their IT business.
Information Assets come in many shapes and sizes, and can be found throughout the organization. Both the NIST 800-53 publication and the ISO 27001-1 Requirements document group their controls into families (NIST) or domains (ISO), each covering one area in which controls are applied.
In a generalized view, Information Security Management should look at the following areas to ensure protection:

- Physical and Environmental Protection
- Security Planning
- Contingency Planning and Operations
- Management System and Services Acquisition
- Configuration Management
- Management Security Control Review
- Hardware and Software Maintenance
- Processing Authorization
- System and Information Integrity
- Personnel Security
- Media Protection
- Incident Response
- Security Awareness and Training
- Identification and Authentication
- Logical Access Control
Every day, sensitive data is being compromised, and it is under the auspices of Information Security Management that a company ensures a correct and timely response that can mitigate the costly, and sometimes devastating, effects of a security breach. Whichever combination or set of controls an organization adopts, the important rule is to be able to manage the confidentiality, integrity and availability of these critical information assets.