Главная Обратная связь


Challenges, Critical Success Factors and risks. ISM faces many challenges in establishing an appropriate Information Security Policy with an effective supporting process and controls

ISM faces many challenges in establishing an appropriate Information Security Policy with an effective supporting process and controls. One of the biggest challenges is to ensure that there is adequate support from the business, business security and senior management. If these are not available, it will be impossible to establish an effective ISM process. If there is senior IT management support, but there is no support from the business, IT security controls and risk assessment will be severely limited in what they can achieve because of this lack of support from the business. It is pointless implementing security policies, procedures and controls in IT if these cannot be enforced throughout the business. The major use of IT services and assets is outside of IT, and so are the majority of security threats and risks.

In some organizations the business perception is that security is an IT responsibility, and therefore the business assumes that IT will be responsible for all aspects of IT security and that IT services will be adequately protected. However, without the commitment and support of the business and business personnel, money invested in expensive security controls and procedures will be largely wasted and they will mostly be ineffective.

If there is a business security process established, then the challenge becomes one of alignment and integration. ISM must ensure that accurate information is obtained from the business security process on the needs, risks, impact and priorities of the business and that the ISM policies, information and plans are aligned and integrated with those of the business. Having achieved that alignment, the challenge becomes one of keeping them aligned by management and control of business and IT change using strict Change Management and Configuration Management control. Again, this requires support and commitment from the business and senior management.

The main CSFs for the ISM process are:

  • Business protected against security violations
  • The determination of a clear and agreed policy, integrated with the needs of the business
  • Security procedures that are justified, appropriate and supported by senior management
  • Effective marketing and education in security requirements
  • A mechanism for improvement
  • Information security is an integral part of all IT services and all ITSM processes
  • The availability of services is not compromised by security incidents
  • Clear ownership and awareness of the security policies amongst the customer community.

Information systems can generate many direct and indirect benefits, and as many direct and indirect risks. These risks have led to a gap between the need to protect systems and services and the degree of protection applied. The gap is caused by internal and external factors, including the widespread use of technology, increasing dependence of the business on IT, increasing complexity and interconnectivity of systems, disappearance of the traditional organizational boundaries and increasingly onerous regulatory requirements.

This means that there are new risk areas that could have a significant impact on critical business operations, such as:

  • Increasing requirements for availability and robustness
  • Growing potential for misuse and abuse of information systems affecting privacy and ethical values
  • External dangers from hackers, leading to denial-of-service and virus attacks, extortion, industrial espionage and leakage of organizational information or private data.

Because new technology provides the potential for dramatically enhanced business performance, improved and demonstrated information security can add real value to the organization by contributing to interaction with trading partners, closer customer relationships, improved competitive advantage and protected reputation. It can also enable new and easier ways to process electronic transactions and generate trust. In today’s competitive global economy, if an organization wants to do business, it may well be asked to present details of its security posture and results of its past performance in terms of tests conducted to ensure security of its information resources.

Other areas of major risks associated with ISM include:

sdamzavas.net - 2020 год. Все права принадлежат их авторам! В случае нарушение авторского права, обращайтесь по форме обратной связи...