

Information Security Management

4.6.1 Purpose/goal/objective

‘The goal of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities’.

ISM needs to be considered within the overall corporate governance framework. Corporate governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring the objectives are achieved, ascertaining the risks are being managed appropriately and verifying that the enterprise’s resources are used effectively.

Information security is a management activity within the corporate governance framework, which provides the strategic direction for security activities and ensures objectives are achieved. It further ensures that the information security risks are appropriately managed and that enterprise information resources are used responsibly. The purpose of ISM is to provide a focus for all aspects of IT security and manage all IT security activities.

The term ‘information’ is used as a general term and includes data stores, databases and metadata. The objective of information security is to protect the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity.

For most organizations, the security objective is met when:

  • Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from or prevent failures (availability)
  • Information is observed by or disclosed to only those who have a right to know (confidentiality)
  • Information is complete, accurate and protected against unauthorized modification (integrity)
  • Business transactions, as well as information exchanges between enterprises, or with partners, can be trusted (authenticity and non-repudiation).

Prioritization of confidentiality, integrity and availability must be considered in the context of business and business processes. The primary guide to defining what must be protected and the level of protection has to come from the business. To be effective, security must address entire business processes from end to end and cover the physical and technical aspects. Only within the context of business needs and risks can management define security.


The ISM process should be the focal point for all IT security issues, and must ensure that an Information Security Policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services. ISM needs to understand the total IT and business security environment, including the:

  • Business Security Policy and plans
  • Current business operation and its security requirements
  • Future business plans and requirements
  • Legislative requirements
  • Obligations and responsibilities with regard to security contained within SLAs
  • Business and IT risks and their management.

Understanding all of this will enable ISM to ensure that all the current and future security aspects and risks of the business are cost-effectively managed.

The ISM process should include:

  • The production, maintenance, distribution and enforcement of an Information Security Policy and supporting security policies
  • Understanding the agreed current and future security requirements of the business and the existing Business Security Policy and plans
  • Implementation of a set of security controls that support the Information Security Policy and manage risks associated with access to services, information and systems
  • Documentation of all security controls, together with the operation and maintenance of the controls and their associated risks
  • Management of suppliers and contracts regarding access to systems and services, in conjunction with Supplier Management
  • Management of all security breaches and incidents associated with all systems and services
  • The proactive improvement of security controls, and security risk management and the reduction of security risks
  • Integration of security aspects within all other IT SM processes.

To achieve effective information security governance, management must establish and maintain an Information Security Management System (ISMS) to guide the development and management of a comprehensive information security programme that supports the business objectives.
