Process activities, methods and techniques. The purpose of the ISM process is to ensure that the security aspects with regard to services and all Service Management activities are appropriately managed
The purpose of the ISM process is to ensure that the security aspects with regard to services and all Service Management activities are appropriately managed and controlled in line with business needs and risks:
The key activities within the ISM process are:
The interactions between these key activities are illustrated in Figure 4.27.
Figure 4.27 IT Security Management process
The developed Information Security Management processes, together with the methods, tools and techniques, constitute the security strategy. The security manager should ensure that technologies, products and services are in place and that the overall policy is developed and well published. The security manager is also responsible for security architecture, authentication, authorization, administration and recovery.
The security strategy also needs to consider how it will embed good security practices into every area of the business. Training and awareness are vital in the overall strategy, as security is often weakest at the end-user stage. It is here, as well, that there is a need to develop methods and processes that enable the policies and standards to be more easily followed and implemented.
Resources need to be assigned to track developments in these enabling technologies and the products they support. For example, privacy continues to be important and, increasingly, the focus of government regulation, making privacy compliance technologies an important enabling technology.
220.127.116.11 Security controls
The Information Security Manager must understand that security is not a step in the lifecycle of services and systems and that security cannot be solved through technology. Rather, information security must be an integral part of all services and systems and is an ongoing process that needs to be continuously managed using a set of security controls, as shown in Figure 4.28.
Figure 4.28 Security controls for threats and incidents
The set of security controls should be designed to support and enforce the Information Security Policy and to minimize all recognized and identified threats. The controls will be considerably more cost-effective if included within the design of all services. This will ensure the continued protection of all existing services and that new services and access to them are in line with the policy.
Security measures can be used at a specific stage in the prevention and handling of security incidents, as illustrated in Figure 4.28. Security incidents are not solely caused by technical threats – statistics show that, for example, the large majority stem from human errors (intended or not) or procedural errors, and often have implications in other fields such as safety, legal or health.
The following stages can be identified. At the start there is a risk that a threat will materialize. A threat can be anything that disrupts the business process or has negative impact on the business. When a threat materializes, we speak of a security incident. This security incident may result in damage (to information or to assets) that has to be repaired or otherwise corrected. Suitable measures can be selected for each of these stages. The choice of measures will depend on the importance attached to the information.
The documentation of all controls should be maintained to reflect accurately their operation, maintenance and their method of operation.
18.104.22.168 Management of security breaches and incidents
In the case of serious security breaches or incidents, an evaluation is necessary in due course, to determine what went wrong, what caused it and how it can be prevented in the future. However, this process should not be limited to serious security incidents. All breaches of security and security incidents need to be studied in order to gain a full picture of the effectiveness of the security measures as a whole. A reporting procedure for security incidents is required to be able to evaluate the effectiveness and efficiency of the present security measures based on an insight into all security incidents. This is facilitated by the maintenance of log files and audit files and, of course, the incident records of the Service Desk function. The analysis of these statistics on security issues should lead to improvement actions focused on the reduction of the impact and volume of all security breaches and incidents, in conjunction with Problem Management.