Value to the business. ISM ensures that an Information Security Policy is maintained and enforced that fulfils the needs of the Business Security Policy and the requirements of
ISM ensures that an Information Security Policy is maintained and enforced that fulfils the needs of the Business Security Policy and the requirements of corporate governance. ISM raises awareness of the need for security within all IT services and assets throughout the organization, ensuring that the policy is appropriate for the needs of the organization. ISM manages all aspects of IT and information security within all areas of IT and Service Management activity.
ISM provides assurance of business processes by enforcing appropriate security controls in all areas of IT and by managing IT risk in line with business and corporate risk management processes and guidelines.
4.6.4 Policies/principles/basic concepts
Prudent business practices require that IT processes and initiatives align with business processes and objectives. This is critical when it comes to information security, which must be closely aligned with business security and business needs. Additionally all processes within the IT organization must include security considerations.
Executive management is ultimately responsible for the organization’s information and is tasked with responding to issues that affect its protection. In addition, boards of directors are expected to make information security an integral part of corporate governance. All IT service provider organizations must therefore ensure that they have a comprehensive ISM policy(s) and the necessary security controls in place to monitor and enforce the policies.
188.8.131.52 Security framework
The Information Security Management process and framework will generally consist of:
184.108.40.206 The Information Security Policy
Information Security Management activities should be focused on and driven by an overall Information Security Policy and a set of underpinning specific security policies. The ITP should have the full support of top executive IT management and ideally the support and commitment of top executive business management. The policy should cover all areas of security, be appropriate, meet the needs of the business and should include:
These policies should be widely available to all customers and users, and their compliance should be referred to in all SLRs, SLAs, contracts and agreements. The policies should be authorized by top executive management within the business and IT, and compliance to them should be endorsed on a regular basis. All security policies should be reviewed – and, where necessary, revised – on at least an annual basis.
220.127.116.11 The Information Security Management System (ISMS)
The framework or the ISMS in turn provides a basis for the development of a cost-effective information security programme that supports the business objectives. It will involve the Four Ps of People, Process, Products and technology as well as Partners and suppliers to ensure high levels of security are in place.
ISO 27001 is the formal standard against which organizations may seek independent certification of their ISMS (meaning their frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organizations). The ISMS shown in Figure 4.26 shows an approach that is widely used and is based on the advice and guidance described in many sources, including ISO 27001.
Figure 4.26 Framework for managing IT security
The five elements within this framework are as follows:
The objectives of the control element of the ISMS are to:
The objective of the plan element of the ISMS is to devise and recommend the appropriate security measures, based on an understanding of the requirements of the organization.
The requirements will be gathered from such sources as business and service risk, plans and strategies, SLAs and OLAs and the legal, moral and ethical responsibilities for information security. Other factors, such as the amount of funding available and the prevailing organization culture and attitudes to security, must be considered.
The Information Security Policy defines the organization’s attitude and stance on security matters. This should be an organization-wide document, not just applicable to the IT service provider. Responsibility for the upkeep of the document rests with the Information Security Manager.
The objective of the implementation of the ISMS is to ensure that appropriate procedures, tools and controls are in place to underpin the Information Security Policy.
Amongst the measures are:
The successful implementation of the security controls and measures is dependent on a number of factors:
The objectives of the evaluation element of the ISMS are to:
The objectives of this maintain element of the ISMS are to:
This should be achieved using a PDCA (Plan–Do–Check–Act) cycle, which is a formal approach suggested by ISO 27001 for the establishment of the Information Security Management System (ISMS) or framework. This cycle is described in more detail in the Continual Service Improvement publication.