Triggers, inputs, outputs and interfaces
ISM activity can be triggered by many events. These include:
- New or changed corporate governance guidelines
- New or changed Business Security Policy
- New or changed corporate risk management processes and guidelines
- New or changed business needs or new or changed services
- New or changed requirements within agreements, such as SLRs, SLAs, OLAs or contracts
- Review and revision of business and IT plans and strategies
- Review and revision of designs and strategies
- Service or component security breaches or warnings, events and alerts, including threshold events and exception reports
- Periodic activities, such as reviewing, revising or reporting, including review and revision of ISM policies, reports and plans
- Recognition or notification of a change of risk or impact of a business process or VBF, an IT service or component
- Requests from other areas, particularly SLM for assistance with security issues.
The effective and efficient implementation of an Information Security Policy within an organization will, to a large extent, be dependent on good Service Management processes. Indeed, the effective implementation of some processes can be seen as a pre-requisite for effective security control. The key interfaces that ISM has with other processes are as follows:
- Incident and Problem Management: in providing assistance with the resolution and subsequent justification and correction of security incidents and problems. The Incident Management process must include the ability to identify and deal with security incidents. Service Desk and Service Operations staff must ‘recognize’ a security incident.
- ITSCM: with the assessment of business impact and risk, and the provision of resilience, fail-over and recovery mechanisms. Security is a major issue when continuity plans are tested or invoked. A working ITSCM plan is a mandatory requirement for ISO 27001.
- SLM: assistance with determining security requirements and responsibilities and their inclusion within SLRs and SLAs, together with the investigation and resolution of service and component security breaches.
- Change Management: ISM should assist with the assessment of every change for impact on security and security controls. Also ISM can provide information on unauthorized changes.
- Legal and HR issues must be considered when investigating security issues.
- Configuration Management will give the ability to provide accurate asset information to assist with security classifications. Having an accurate CMS is therefore an extremely useful ISM input.
- Security is often seen as an element of Availability Management, with Confidentiality, Integrity and Availability (CIA) being the essence of both Availability Management and ISM. Also, ISM should work with both Availability Management and ITSCM to conduct integrated Risk Analysis and Management exercises.
- Capacity Management must consider security implications when selecting and introducing new technology. Security is an important consideration when procuring any new technology or software.
- Financial Management should provide adequate funds to finance security requirements.
- Supplier Management should assist with the joint management of suppliers and their access to services and systems, and the terms and conditions to be included within contracts concerning supplier responsibilities.
Information Security Management will need to obtain input from many areas, including:
- Business information: from the organization’s business strategy, plans and financial plans, and information on their current and future requirements.
- Corporate governance and business security policies and guidelines, security plans, Risk Analysis and responses
- IT information: from the IT strategy and plans and current budgets
- Service information: from the SLM process with details of the services from the Service Portfolio and the Service Catalogue and service level targets within SLAs and SLRs, and possibly from the monitoring of SLAs, service reviews and breaches of the SLAs
- Risk Analysis processes and reports: from ISM, Availability Management and ITSCM
- Details of all security events and breaches: from all areas of IT and SM, especially Incident Management and Problem Management
- Change information: from the Change Management process with a Change Schedule and a need to assess all changes for their impact on all security policies, plans and controls
- CMS: containing information on the relationships between the business, the services, supporting services and the technology
- Details of partner and supplier access: from Supplier Management and Availability Management on external access to services and systems.
The outputs produced by the Information Security Management process are used in all areas and should include:
- An overall Information Security Management Policy, together with a set of specific security policies
- A Security Management Information System (SMIS), containing all the information relating to ISM
- Revised security risk assessment processes and reports