Information security management system

Plan-Do-Check-Act Cycle
ENISA: Risk Management and Isms activities

An information security management system[1] (ISMS) is a set of policies concerned with information security management or IT related risks. The idioms arose primarily out of BS 7799.

The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

ISMS description

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:

ISO/IEC 27001:2005 is a risk-based information security standard, which means that organizations need to have a risk management process in place. The risk management process fits into the PDCA model given above.[2]

However, the latest standard, ISO/IEC 27001:2013, does not emphasise the Deming cycle anymore. The ISMS user is free to use any management process (improvement) approach like PDCA or Six Sigmas DMAIC.

Another competing ISMS is Information Security Forum's Standard of Good Practice (SOGP). It is more best practice-based as it comes from ISF's industry experiences.

Some best-known ISMSs for computer security certification are the Common Criteria (CC) international standard and its predecessors Information Technology Security Evaluation Criteria (ITSEC) and Trusted Computer System Evaluation Criteria (TCSEC).[3]

Some nations publish and use their own ISMS standards, e.g. the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of USA, the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) of USA, the German IT baseline protection, ISMS of Japan, ISMS of Korea, Information Security Check Service (ISCS) of Korea.[3]

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework Risk IT dedicated to Information security. The below table provides a certification structure comparison of some of the best-known ISMSs:[3]

BS 7799 Common Criteria IT Security Evaluation Criteria
Operation Area England About 25 Countries European Countries
Basic Structure - 6 Management phases
- 11 Security domains
- 139 Control objectives
- 133 Security controls
- 3 Parts
- 11 Security functional requirements
- 8 Assurance requirements
- 4 Phases
- 6 Levels
Management Process 1- Define policy
2- Define scope
3- Assess risk
4- Manage risk
5- Select controls to be implemented and applied
6- Prepare a statement of applicability
1- PP/ST introduction
2- Conformance claims
3- Security problem definition
4- Security objectives
5- Extended components definition

6- Security requirements
7- TOE summary specification

1. Requirements
2- Architectural Design
3- Detailed Design
4- Implementation
Difference of Process Emphasis on managerial security Emphasis on technical security Emphasis on managerial security
Specification Control Point Provide best code of practice for information security management Provide common set of requirements for the security functionality of IT products Provide common set of requirements for the security functionality of IT products
Evaluation Method Use the PDCA model cycle Follow each certification evaluation procedure Follow commission of European communities

There are a number of initiatives focused to the governance and organizational issues of securing information systems having in mind that it is business and organizational problem, not only a technical problem:

Need for an ISMS

Security experts say:[7]

These facts inevitably lead to the conclusion that security administration is a management issue, and not a purely technical issue.[7]

The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks. Critical factors of ISMS:

A company will be capable of successfully addressing information confidentiality, integrity and availability (CIA)requirements which in turn have implications:

The chief objective of information security management is to implement the appropriate measurements in order to eliminate or minimize the impact that various security related threats and vulnerabilities might have on an organization. In doing so, information security management will enable implementing the desirable qualitative characteristics of the services offered by the organization (i.e. availability of services, preservation of data confidentiality and integrity etc.).[7] By preventing and minimizing the impacts of security incidents, ISMS ensures business continuity, customer confidence, protect business investments and opportunities, or reduce damage to the business.[8]

Large organizations, banks and financial institutes, telecommunication operators, hospital and health institutes and public or governmental bodies have many reasons for addressing information security very seriously. Legal and regulatory requirements which aim at protecting sensitive or personal data as well as general public security requirements impel them to devote the utmost attention and priority to information security risks.[7]

Under these circumstances, the development and implementation of a separate and independent management process - namely an ISMS - is the only alternative.[7]

The development of an ISMS framework based on ISO/IEC 27001:2005 entails the following six steps:[7]

  1. Definition of security policy,
  2. Definition of ISMS scope,
  3. Risk assessment (as part of risk management),
  4. Risk management,
  5. Selection of appropriate controls
  6. Statement of applicability

Critical success factors for ISMS

To be effective, the ISMS must:[7]

Dynamic issues in ISMS

There are three main problems which lead to uncertainty in information security management systems (ISMS):[9]

Rapid technological development raises new security concerns for organizations. The existing security measures and requirements become obsolete as new vulnerabilities arise with the development in technology. To overcome this issue, the ISMS should organize and manage dynamically changing requirements and keep the system up-to-date.[9]

Externality is an economic concept for the effects borne by the party that is not directly involved in a transaction. Externalities could be positive or negative. The ISMS deployed in an organization may also cause externalities for other interacting systems. Externalities caused by the ISMS are uncertain and cannot be predetermined before the ISMS is deployed. The internalization of externalities caused by the ISMS is needed in order to benefit internalizing organizations and interacting partners by protecting them from vulnerable ISMS behaviors.[9]

The evaluations of security concerns used in ISMS become obsolete as the technology progresses and new threats and vulnerabilities arise. The need for continuous security evaluation of organizational products, services, methods and technology is essential to maintain an effective ISMS. The evaluated security concerns need to be re-evaluated. A continuous security evaluation mechanism of ISMS within the organization is a critical need to achieve information security objectives. The re-evaluation process is tied with dynamic security requirement management process discussed above.[9]

See also

Notes and references

  1. "Security management system’s usability key to easy adoption". sourcesecurity.com. Retrieved 22 August 2013.
  2. Humphreys, Edward (8 March 2011). "Information security management system standards". Datenschutz und Datensicherheit - DuD 35 (1): 7–11. doi:10.1007/s11623-011-0004-3.
  3. 1 2 3 Jo, Heasuk; Kim, Seungjoo; Won, Dongho (1 January 2011). "Advanced information security management evaluation system". KSII Transactions on Internet and Information Systems 5 (6): 1192–1213. doi:10.3837/tiis.2011.06.006.
  4. 1 2 NIST: FISMA Overview
  5. Caballero, Albert. (2009). "14". Computer and Information Security Handbook. Morgan Kaufmann Publications. Elsevier Inc. p. 232. ISBN 978-0-12-374354-1.
  6. CERT Governing for Enterprise Security Implementation Guide
  7. 1 2 3 4 5 6 7 Enisa Risk management, Risk assessment inventory, page 8
  8. Ma, Qingxiong; Schmidt, Mark B.; Pearson, Michael (2009). "An integrated framework for information security management". Review of Business 30 (1): 58–69. Retrieved 26 October 2013.
  9. 1 2 3 4 Abbas, Haider; Magnusson, Christer; Yngstrom, Louise; Hemani, Ahmed (1 January 2011). "Addressing dynamic issues in information security management". Information Management & Computer Security 19 (1): 5–24. doi:10.1108/09685221111115836.
This article is issued from Wikipedia - version of the Wednesday, January 20, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.