An overview of Information Security Management in ITIL

Information security describes the activities related to protecting information and infrastructure assets against the risk of being misused, lost, disclosed or damaged. Information Security Management (ISM) is a governance activity within the corporate governance framework. ISM describes the controls an organization must implement to make sure that it is sensibly managing those risks.

Purpose of Information Security Management

The main purpose of Information Security Management is to align IT security with business security and make sure that it matches the required needs of the business.

Objective of Information Security Management

The objectives of Information Security Management are to ensure that:

  • Information is available and ready to use whenever it is required.

  • The systems which provide information can resist attacks adequately and can prevent failures or recover from them.

  • The information is visible or disclosed to only those people who have the necessary clearance and have the right to know.

  • The information is complete, accurate and has complete protection against modification by unauthorized personnel.

  • The business transactions and exchange of information between enterprises or partners are trustworthy.

Scope of Information Security Management

The scope covers information assets such as data stores, databases, metadata and all the channels used to exchange that information. Information Security Management raises awareness across the organization regarding the need to keep all information assets safe. Information Security Management should understand the following:

  • The plans and policies of business security

  • The present operations of the business and its security requirements

  • The plans and requirements of the business for the future.

  • The legislative requirements

  • The responsibilities and obligations regarding the security contained in the service level agreements

  • The risks in business and IT and their management

Value of Information Security Management

Implementing Information Security Management in an organization imparts a lot of benefits such as:

  • It ensures that the information security policy is maintained and enforced properly such that the needs of the business security policy and corporate governance are fulfilled.

  • It helps to protect all forms of information such as the ones which are digitally stored on devices and the cloud, paper-based, company secrets and intellectual property.

  • It increases resistance to cyber-attacks and malware if implemented properly.

  • It provides a single, centrally managed framework for keeping all information safe.

  • It adapts to constant changes in the threat environment and reduces exposure to threats which are constantly evolving.

  • It helps to reduce the costs which are associated with information security by adding only the protection layers which are necessary and removing the redundant ones.

Basic Concepts of Information Security Management

The following basic concepts are necessary to understand Information Security Management.

Information security policy

The information security policy needs to have complete support and commitment from the senior level IT and business management in the organization. It should have under its purview all the areas of information security and the appropriate measures to meet the objectives of Information security management.

Risk assessment and management

It is vital to have a formal risk assessment and management policy related to information security and processing. Information Security Management often collaborates with the business, IT Service Continuity Management and Availability Management in order to perform risk assessments.

Information Security Management System

The Information Security Management System forms the basis for developing a cost-effective program for information security which supports the objectives of the business. It focuses on the five key elements which are control, plan, implement, evaluate and maintain. Organizations can seek independent certification of their Information Security Management against the ISO/IEC 27001 standard.

Framework of Information Security Management

There are five key elements which are addressed in an Information Security Management system framework. They are:

  1. Control

    A management framework should be established to manage information security, to prepare and implement an information security policy, to allocate responsibilities, to establish and control the documentation.

  2. Plan

    This phase of the framework involves the collection of information and understanding the security requirements of the organization. Afterward, the appropriate solutions should be recommended keeping in mind the budget and corporate culture.

  3. Implement

    In the implementation phase, the plan will be put into action. While doing so, it is important to ensure that the adequate safeguards are in place to enact and enforce the information security policy.

  4. Evaluate

    After the security policies and plans have been implemented, it is necessary to monitor them and make sure that the systems are completely secure and operating in accordance with the policies, security requirements and service level agreements of the organization.

  5. Maintain

    For an information security management system to be effective, it needs to be improved on a continuous basis. This involves revising the service level agreements, the security policies and the techniques used to monitor and control.

Process Activities of Information Security Management

The main activities of Information Security Management are:

  • Create, review and revise the information security policy as per the requirements.

  • Communicate, implement and enforce the security policies adequately.

  • Analyze and classify all the information and documentation in possession.

  • Implement a set of security controls and risk responses and improve them.

  • Constantly monitor and manage all breaches of security and any major security incidents.

  • Analyze, report on and take the necessary actions in order to decrease the volume and effect of security incidents.

  • Schedule and perform security reviews, audits, and penetration tests.

Challenges of Information Security Management

The challenges faced by information security management are:

  • It has to ensure that there is adequate support for the information security policy from the business, because information security objectives cannot be fulfilled without adequate support and endorsement from top-level management.

  • A constantly evolving threat scenario where newer and stronger threats keep popping up.

Risks of Information Security Management

The risks which are encountered by information security management are:

  • A lack of commitment from the business to the information security management process.

  • A lack of resources or budget for the information security management process.

  • Risk assessment being conducted in an isolated manner without combining with availability management and IT Service Continuity Management.

Through proper implementation, Information Security Management ensures that information is available and ready to use whenever it is required, and the systems which provide information can resist attacks adequately and recover from failures or prevent them.
