Information Security Management Systems Definitions Information Technology Essay
According to T. Carlson, an Information Security Management System has two parts. The first, information security, can be defined as the preservation of the confidentiality, integrity and availability of information assets. The second, a management system, is the set of co-ordinated activities used to govern and control an organisation. An ISMS is therefore simply the co-ordinated activities that govern and control the preservation of the confidentiality, integrity and availability (CIA) of information assets.
An ISMS is thus an instance of applying the management-system conceptual model to the discipline of information security (IS). Distinctive attributes of this instance of a management system (MS) include the following: (1) risk management (RM) applied to information and based upon metrics of confidentiality, integrity and availability; (2) total quality management applied to information security processes and based upon metrics of efficiency and effectiveness; (3) a gate-keeping and reporting model based upon abstraction layers that filter and calculate operational details for management presentation; (4) a structured approach to integrating people, process and technology in order to administer Enterprise Information Security Services (EISS). The result is an extensible framework from which to manage information security compliance (Tipton and Krause, 2008).
Controls deployed for one principle and administered by the ISMS typically meet the requirements of several principles simultaneously. Most legal principles also require authoritative and reliable management of information security, something inherent in an ISMS, so the potential for legal and regulatory cost savings from an overarching ISMS is obvious. Information security management systems are generally based upon risk. Risk analysis and risk rating serve as the main justification for the selection and deployment of the controls that make up the ISMS. A risk-based ISMS, including one built on the ISO27001 standard, allows a business to accept risk on the basis of informed-choice decision making. This ability to accept risk enables an institution to react to its own environment rather than to someone else's judgement of its environment. ISMS standards also offer the basis for improved interoperability with trading partners' information security. The ISMS framework simplifies interfacing and is expandable to absorb future changes and expansions.
An ISMS brings structure to the Information Security (InfoSec) program. Directions and authorisation roles are clearly understood. Defined services and functions provide a foundation of tasks that can be delegated. Metrics can be analysed, creating feedback for continuous process improvement. In many situations, establishing an ISMS also leads to the creation of management systems in other disciplines, such as Human Resources (HR), physical security and business continuity. The management-system framework advances each of these disciplines and tends to improve multi-disciplinary interoperation.
The Board of Directors provides the institutional vision and guiding policy for managing risk on different fronts, from compliance to fiduciary responsibility. The board takes part in the ISMS through authorisation, which is a strategic control in response to risks such as non-compliance and fiduciary irresponsibility. Executive staff are the owners of the programs that may be administered by a management system; management systems improve the institution's horizontal and vertical integration and visibility. Senior executives participate in the ISMS by defining and providing the services, such as incident management, that the program delivers to the organisation. The third group of participants is management: the directors who manage the tactics required to deliver the program services. In a process-based ISMS, program services are provided by a set of complementary and integrated processes, and directors participate through the definition, achievement and continuous improvement of the relevant information security processes, such as contain, eradicate and restore. The fourth and final participants are the operations managers, whose main duty is to implement the program services at an operational level. The ISMS creates standardised procedures and requirements, codified in institutional processes and standards, and managers participate by integrating people, procedures and technology in response to institutional directives.
Fig.4: ISMS program risk operational level
Where Does Information Security Management Systems Live?
An ISMS lives within the corporation from the boardroom to the production floor, with each level addressing different needs. At the operational level an ISMS lives in several places and instances, based upon functional areas, or information security domains. A typical information security domain (ISD) can be a data centre, an office area or a reception area, each with its own security profile. The ISDs serve as the basis for implementing the enterprise information security baseline. Each domain is autonomous in how it adapts the enterprise information security baseline requirements to its unique environment.
How Is Information Security Management Systems Built?
An ISMS is typically risk-based and process-oriented. It has several layers of abstraction to accommodate the different audiences whose concerns must be addressed. For example, the ISO27001 standard recommends the Plan, Do, Check, Act (PDCA) process-based approach, defined as follows:
Plan: establish the ISMS. Planning means understanding the environment and being able to assess the risks of the enterprise; program risk is assessed at this stage as well. Do: implement and operate the ISMS. This stage also creates the enterprise information security baseline and the domain-specific implementations derived from it. Check: monitor and review the ISMS, including the assessment of operational risk. Act: maintain and improve the ISMS.
Fig.5: PDCA diagram
Environment must be understood
To be successful, the structure and composition of the ISMS must take the management environment into consideration. Institutional or organisational considerations influence the ISMS framework, and administrative requirements influence its approach, content and packaging.
Enterprise risk is commonly evaluated and addressed through upper-management directives such as corporate policies. High-level enterprise risks, such as regulatory compliance and fiduciary responsibility, are mostly understood and, where possible, addressed. The upper-management directives serve as the final authorisation for the programs that reduce or mitigate enterprise risk. For example, a corporate acceptable-use policy authorises both pro-active behavioural training and re-active behavioural detection mechanisms.
Similarly, a corporate administrative policy authorises efficiency initiatives supported by operational metrics and continuous process improvement.
Program risk is the basis for selecting the controls managed by the ISMS. Some program risk has already been evaluated and addressed by others who believe they know the practitioner's environment better than the practitioner does, resulting in binding regulations. Some program risk is explicit and inherent, such as the risk of unpatched information processing systems. Other program risk is more dangerous, such as aggregation, where individually insignificant risks combine to create a risk disproportionate to their sum. For example, suppose that LondonMet University has an intranet consisting of two LANs with no firewall between them. This vulnerability is rated a minor risk and has been accepted by both departments. LAN one then deploys a Web server. The risk of opening HTTP port 80 through LAN one's external firewall is also regarded as minor and is accepted by LAN one. LAN two's previously isolated network segment is now no longer isolated: a minor risk accepted by LAN one has caused an unknown risk to be accepted on behalf of LAN two. The ISMS is the vehicle that pulls together the management of risk and of the risk-mitigating controls. Each identified risk is quantified and control objectives are designated. Control objectives serve as the glue that attaches each risk to its corresponding control, and the achievement of control objectives is prioritised according to the risk quantification.
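The aggregation scenario above, modelled as an added example that is not part of the essay or of any source it cites: each LAN's exception is rated low on its own, and a reachability check over the combined network shows which segment ends up exposed without anyone having accepted that exposure. Segment names, the port, the ratings and the ledger layout are constructed.

```python
"""Added example (not from the essay): a small model of risk aggregation.
Each LAN accepts a 'minor' risk in isolation; a reachability check over the
combined network shows the Internet can now reach LAN two, an exposure that
nobody accepted. Segment names, ports and ratings are constructed."""
from collections import deque

# Constructed risk ledger: one entry per accepted connectivity exception,
# as (from_segment, to_segment, description, rating, accepted_by).
ACCEPTED_RISKS = [
    ("LAN1", "LAN2", "no firewall between the two LANs", "low", "LAN1 and LAN2"),
    ("LAN2", "LAN1", "no firewall between the two LANs", "low", "LAN1 and LAN2"),
]

def build_graph(ledger):
    """Directed graph of segments: an edge means traffic may flow that way."""
    graph = {}
    for src, dst, *_ in ledger:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph

def reachable_from(graph, start):
    """Breadth-first search for every segment reachable from `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen

def unaccepted_exposure(ledger, untrusted="INTERNET"):
    """Segments the untrusted source can reach although no party accepted an
    exception for that source on their own segment: the aggregated risk."""
    exposed = reachable_from(build_graph(ledger), untrusted)
    explicitly_accepted = {dst for src, dst, *_ in ledger if src == untrusted}
    return sorted(exposed - explicitly_accepted)

def accept_risk(ledger, src, dst, description, rating, accepted_by):
    """Return a new ledger with one more individually accepted exception."""
    return ledger + [(src, dst, description, rating, accepted_by)]

# Before the Web server: the Internet reaches nothing.
before = unaccepted_exposure(ACCEPTED_RISKS)                 # []
# LAN one accepts HTTP port 80 through its external firewall.
after_ledger = accept_risk(ACCEPTED_RISKS, "INTERNET", "LAN1",
                           "HTTP port 80 open to Web server", "low", "LAN1")
after = unaccepted_exposure(after_ledger)                    # ['LAN2']

if __name__ == "__main__":
    print("every accepted risk is rated low:",
          all(entry[3] == "low" for entry in after_ledger))
    print("unaccepted exposure after port 80 opened:", after)
```

Running the ledger through the check each time an exception is accepted is the kind of control objective the paragraph describes: it surfaces the aggregate before anyone has to notice it by accident.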
Directives
Directives are regulatory controls that describe hard and measurable requirements. They may be derived from legislation or a constitution, from industry standards and practices, or from identified risks. Directive controls are typically codified as a collection of criteria, with content based upon informed-choice decision making. Care must be taken when drafting directives, because informed-choice decision making implies a degree of risk acceptance: that which is not addressed is by default accepted.
Procedures and methodologies
Methodologies are controls that describe measurable and reproducible processes. They may be derived to meet the requirements of directives or may form part of a collection of processes that sustain a program service. Procedures are typically codified as a process flow. Care must be taken when designing process flows to guarantee that the process can be measured and monitored, since, as the saying goes, "that which cannot be measured cannot be improved" (Darling-Hammond 2000).
Responsibilities
A clear assignment of responsibilities is a control that connects a role to an activity. Activities may be determined to meet the requirements of directives and may be implemented by executing a methodology. Responsibilities are typically codified through functional role definitions. Care must be taken when describing functional roles to guarantee that role-assigned responsibilities are supported by the authorisations and qualifications the role requires: those assigned responsibilities must have the necessary authorisation, qualifications and resources.
Create Domain-Specific Implementations
Specifications
Specifications are domain-specific operational controls that define hard and measurable details such as configurations or attributes. Specifications are derived from enterprise information security standards, with each domain potentially deriving its own interpretation of a common standard, dependent on its unique environment. This allows a degree of autonomy in execution. Care must be taken when deriving specifications to ensure that domain-specific interpretations, while meeting the spirit and intent of the parent standards, do not cause inter-domain incompatibility.
To preclude the introduction of unidentified risk, specifications must meet the spirit and intent of the parent standard.
Procedures
Standard operating procedures are controls that define measurable and repeatable work instructions.
Standard operating procedures are derived from enterprise information security processes, with each domain potentially deriving unique interpretations dependent on its unique environment. This allows a degree of autonomy in execution. Care must be taken in deriving standard operating procedures to ensure that the attributes of the parent process are preserved. The execution of domain standard operating procedures is the basis of enterprise information security services.
Tasks
Tasks are activities assigned to a functional role executing a standard operating procedure. Tasks are domain-specific and schedule-driven, with the frequency of execution based upon risk. Individuals executing tasks while filling a role are performing their employment duties, and performance of duty is an employee metric. Care must be taken when scheduling tasks and assigning duties to ensure that the schedule is defensible and the individual competent.
Assess Operational Risk
Operational risk is the risk that a domain will not be able to meet its obligations derived from the enterprise information security baseline, such as specifications, procedures and scheduled tasks. This risk is often resource-driven, which gives budgeting a risk justification. Acceptance of operational risk may change residual program risk, and aggregation may cause this program risk to rise to an unacceptable level.
Measure and Monitor
Measuring and monitoring are the feedback mechanisms required for continuous process improvement. Deciding what to monitor and how to measure it requires well-defined metrics. A typical domain will collect several varieties of metrics.
Environmental Metrics
Environmental metrics are based upon the surroundings. The focus is on identifying the enterprise's risk profile. Industry group is one consideration: banking and financial services may, for example, attract highly motivated attackers. The level of organisational sophistication may influence the risk level; an ISO27001-certified domain may, for example, have a lower perceived risk level. Location may become a factor, influenced by crime rates or fire response times. Risk profiles affect probability, and this can be used to influence risk ratings in the vulnerability management process. For example, the probability of a specific vulnerability being exploited at a bank is perhaps higher than at a home user's site because of attacker motivation and targeting. Consideration should be given to weighting risk and response based upon these environmental metrics. Another use of environmental metrics is to establish an information security frame of reference or threshold: intrusion sensors, for example, use environmental metrics to establish detection noise baselines and thresholds.
Program Metrics
Program metrics are based upon effectiveness. The focus is on validating that the ISMS is successfully providing the services that justify its existence. Consider vulnerability management: the effectiveness of this ISMS service is measured not by how rapidly a vulnerability can be identified and processed (that is efficiency) but by how many vulnerabilities were never identified or never fully processed.
Process Metrics
Process metrics are based upon efficiency. The focus is on fine-tuning procedures to maximise performance. Consider a vulnerability tracking process: the acquisition of new software may, for example, decrease the "time to resolve", thus improving the efficiency metric.
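An added example, not from the essay, that separates the two metrics discussed in the preceding paragraphs: effectiveness is computed as the known vulnerabilities the service never identified or never closed, efficiency as the median time to resolve, and the new-software case shows the second figure improving while the first does not move. Vulnerability ids, dates and the record layout are constructed.

```python
"""Added example (not from the essay): program metric (effectiveness) versus
process metric (efficiency) over constructed vulnerability-management
records. Ids, dates and the record layout are constructed."""
from datetime import date
from statistics import median

# Constructed: vulnerabilities known to exist on the domain's assets,
# e.g. from an independent audit, so 'never identified' can be measured.
KNOWN_VULNERABILITIES = {"V-1", "V-2", "V-3", "V-4", "V-5"}

# Constructed tracking records: id -> (date identified, date resolved or None).
TRACKING = {
    "V-1": (date(2011, 1, 3), date(2011, 1, 10)),
    "V-2": (date(2011, 1, 5), date(2011, 1, 6)),
    "V-3": (date(2011, 1, 7), None),   # identified but never fully processed
    # V-4 and V-5 never entered the tracking process at all
}

def process_metric_time_to_resolve(tracking):
    """Efficiency: median days from identification to resolution, over the
    vulnerabilities that were actually resolved."""
    durations = [(done - found).days for found, done in tracking.values() if done]
    return median(durations) if durations else None

def program_metric_unprocessed(known, tracking):
    """Effectiveness: the known vulnerabilities the service never identified
    or identified but never fully processed (smaller is better)."""
    never_identified = known - set(tracking)
    never_closed = {vid for vid, (_, done) in tracking.items() if done is None}
    return sorted(never_identified | never_closed)

def with_faster_tooling(tracking, speedup=2):
    """Model the essay's new-software case: resolution time shrinks, but only
    for vulnerabilities already inside the process."""
    return {vid: (found, found + (done - found) / speedup if done else None)
            for vid, (found, done) in tracking.items()}

if __name__ == "__main__":
    faster = with_faster_tooling(TRACKING)
    print("efficiency (median days to resolve):",
          process_metric_time_to_resolve(TRACKING), "->",
          process_metric_time_to_resolve(faster))
    print("effectiveness (never identified or closed):",
          program_metric_unprocessed(KNOWN_VULNERABILITIES, TRACKING), "->",
          program_metric_unprocessed(KNOWN_VULNERABILITIES, faster))
```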
When Does an ISMS Protect?
An ISMS protects by degrees.
Responsibility | Owner | Focus
Degree of assurance | Program management | Program risk
Degree of maturity | ISMS management | ISMS process
Degree of implementation | Project management | People, procedure, and technology
Degree of Assurance
In a risk-based ISMS, the risk assessment process is an integral part of the feedback loop that provides continuous process improvement. Because risk can never be completely eliminated, a compromise is sought by which residual risk has been reduced to an acceptable level. This is known as the degree of assurance. The Information Security Program is a risk management tool; from the program perspective, the ISMS protects when risk has been reduced to an acceptable level. The important question is how to define this "acceptable level" threshold. Degree of assurance implies a level of risk acceptance, but risk may be scattered throughout the ISMS, which may preclude a straightforward assignment of risk-acceptance authorisation. An ISMS, by the nature of its structure, recognises the need to delegate risk acceptance while also taking aggregate risk into consideration.
Degree of Maturity
A process-based ISMS is conducive to maturity modelling, because processes by definition should produce feedback metrics that enhance the maturation of the process. Maturity modelling scales, such as those in the Capability Maturity Model schemas and others, serve as a common language with a consistent definition of scale. The desired degree of maturity is hence bound to the maturity scale selected, as well as to the specific process under evaluation. A defensible degree of maturity is based upon informed choice. Processes may vary in their acceptable degree of maturity, dependent on external factors such as risk. Nevertheless, the ISMS protects as its processes reach the desired degree of maturity.
Degree of Implementation
Degree of implementation is tied to operations and project management. Information security projects at the operational level are tied to specific operational areas, or security domains. These projects deploy domain-specific controls in response to domain-specific risk, aggregating to raise the enterprise degree of assurance. On project completion the degree of implementation is complete, and the control is now bound to the degree of maturity. The ISMS protects as people, procedure and product integrate into process.
Summary
An ISMS and its risk assessment framework add structure to the Information Security program, clearly defining and characterising risk, roles and responsibilities. A process-based approach is repeatable, logical, defensible and expandable, offering metrics to optimise efficiency and effectiveness while mitigating risk to an acceptable level. An ISMS is a focused application of risk management, managing risk to information in any form based upon the risk criteria of CIA. An ISMS program is therefore a subset of an organisation's risk management program and is readily managed within the context of a process-based ISMS.
The management-system concept is being applied across many different disciplines. With the approval and ratification of the ISO27001 standard, ISMSs have achieved new popularity, in some areas becoming a de facto requirement.
In conclusion, an ISMS integrates information security risk into enterprise risk management. It provides a framework for regulatory compliance and offers a structure for integrating people, processes and technology efficiently and effectively. Finally, an ISMS is business-friendly and a market differentiator, furnishing a mechanism for monitoring and reporting.
References
René Saint-Germain, Information Security Management Best Practice Based on ISO/IEC 17799, Information Management Journal, Jul/Aug 2005, 39(4), ABI/INFORM Global.
Nick Halvorson, 2003, Information Risk Management: A Process Approach to Risk Diagnosis and Treatment.
Harold F. Tipton and Micki Krause, Information Security Management, 6th Edition, Auerbach Publications, New York, 2008.
Linda Darling-Hammond, Teacher Quality and Student Achievement: A Review of State Policy Evidence, Stanford University, 2000.
http://en.wikipedia.org/wiki/Information_security_management_system, accessed on 28/02/11
http://www.bsi-emea.com/InformationSecurity/Overview/WhatisanISMS.xalter, accessed on 01/03/11
http://www.isaca-sd.org/Uploads/March09/ISO27001%20ISACA%20Preso.pdf, accessed on 01/03/11
http://www.maxi-pedia.com/ISMS, accessed on 29/02/11