Value to the business

ISM ensures that an Information Security Policy is maintained and enforced that fulfils the needs of the Business Security Policy and the requirements of corporate governance. ISM raises awareness of the need for security within all IT services and assets throughout the organization, ensuring that the policy is appropriate for the needs of the organization. ISM manages all aspects of IT and information security within all areas of IT and Service Management activity.

ISM provides assurance of business processes by enforcing appropriate security controls in all areas of IT and by managing IT risk in line with business and corporate risk management processes and guidelines.

4.6.4 Policies/principles/basic concepts

Prudent business practices require that IT processes and initiatives align with business processes and objectives. This is critical when it comes to information security, which must be closely aligned with business security and business needs. Additionally, all processes within the IT organization must include security considerations.

Executive management is ultimately responsible for the organization’s information and is tasked with responding to issues that affect its protection. In addition, boards of directors are expected to make information security an integral part of corporate governance. All IT service provider organizations must therefore ensure that they have a comprehensive ISM policy (or set of policies) and the necessary security controls in place to monitor and enforce the policies.

4.6.4.1 Security framework

The Information Security Management process and framework will generally consist of:

  • An Information Security Policy and specific security policies that address each aspect of strategy, controls and regulation
  • An Information Security Management System (ISMS), containing the standards, management procedures and guidelines supporting the information security policies
  • A comprehensive security strategy, closely linked to the business objectives, strategies and plans
  • An effective security organizational structure
  • A set of security controls to support the policy
  • The management of security risks
  • Monitoring processes to ensure compliance and provide feedback on effectiveness
  • Communications strategy and plan for security
  • Training and awareness strategy and plan.

4.6.4.2 The Information Security Policy

Information Security Management activities should be focused on and driven by an overall Information Security Policy and a set of underpinning specific security policies. The policy should have the full support of top executive IT management and ideally the support and commitment of top executive business management. The policy should cover all areas of security, be appropriate, meet the needs of the business and should include:

  • An overall Information Security Policy
  • Use and misuse of IT assets policy
  • An access control policy
  • A password control policy
  • An e-mail policy
  • An internet policy
  • An anti-virus policy
  • An information classification policy
  • A document classification policy
  • A remote access policy
  • A policy with regard to supplier access of IT service, information and components
  • An asset disposal policy.

These policies should be widely available to all customers and users, and compliance with them should be referred to in all SLRs, SLAs, contracts and agreements. The policies should be authorized by top executive management within the business and IT, and compliance with them should be endorsed on a regular basis. All security policies should be reviewed – and, where necessary, revised – on at least an annual basis.

4.6.4.3 The Information Security Management System (ISMS)

The framework, or the ISMS, in turn provides a basis for the development of a cost-effective information security programme that supports the business objectives. It will involve the Four Ps of People, Process, Products (including technology) and Partners (including suppliers) to ensure that high levels of security are in place.

ISO 27001 is the formal standard against which organizations may seek independent certification of their ISMS (meaning their framework to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organization). The ISMS shown in Figure 4.26 is an approach that is widely used and is based on the advice and guidance described in many sources, including ISO 27001.

Figure 4.26 Framework for managing IT security

The five elements within this framework are as follows:

Control

The objectives of the control element of the ISMS are to:

  • Establish a management framework to initiate and manage information security in the organization
  • Establish an organization structure to prepare, approve and implement the Information Security Policy
  • Allocate responsibilities
  • Establish and control documentation.

Plan

The objective of the plan element of the ISMS is to devise and recommend the appropriate security measures, based on an understanding of the requirements of the organization.

The requirements will be gathered from such sources as business and service risk, plans and strategies, SLAs and OLAs and the legal, moral and ethical responsibilities for information security. Other factors, such as the amount of funding available and the prevailing organization culture and attitudes to security, must be considered.

The Information Security Policy defines the organization’s attitude and stance on security matters. This should be an organization-wide document, not just applicable to the IT service provider. Responsibility for the upkeep of the document rests with the Information Security Manager.

Implement

The objective of the implementation of the ISMS is to ensure that appropriate procedures, tools and controls are in place to underpin the Information Security Policy.

Amongst the measures are:

  • Accountability for assets – Configuration Management and the CMS are invaluable here
  • Information classification – information and repositories should be classified according to their sensitivity and the impact of disclosure.

The successful implementation of the security controls and measures is dependent on a number of factors:

  • The determination of a clear and agreed policy, integrated with the needs of the business
  • Security procedures that are justified, appropriate and supported by senior management
  • Effective marketing and education in security requirements
  • A mechanism for improvement.

Evaluation

The objectives of the evaluation element of the ISMS are to:

  • Supervise and check compliance with the security policy and security requirements in SLAs and OLAs
  • Carry out regular audits of the technical security of IT systems
  • Provide information to external auditors and regulators, if required.

Maintain

The objectives of the maintain element of the ISMS are to:

  • Improve security agreements as specified in, for example, SLAs and OLAs
  • Improve the implementation of security measures and controls.

This should be achieved using a PDCA (Plan–Do–Check–Act) cycle, which is a formal approach suggested by ISO 27001 for the establishment of the Information Security Management System (ISMS) or framework. This cycle is described in more detail in the Continual Service Improvement publication.

sdamzavas.net - 2020. All rights belong to their authors! In case of copyright infringement, please use the feedback form...