In most organizations, the scope of responsibilities and range of activities of Information security management (ISM) has increased dramatically during the past years.
Role of Legal & Compliance
The growing role of the information security management has been driven by the impact of a number of new laws and regulations coupled with a massive growth in cyber crime. Finally, organizations became aware of their near total dependence on information assets.
Legal requirements in many countries (as in Switzerland) demand that organizations (by the way, this is true for public authorities as well) provide for the protection of personal information, the retention of certain types of information for specific periods, and the public disclosure of financial-related information. Many of these regulations hold senior management personally responsible.
The increasing recognition by organizations of their near absolute dependence on their information is also driving information security issues to the highest levels of management. Although, in some organizations, the level of management commitment is still less than complete, restricting the security manager in his/her effectiveness
From IT to Information security
Information security management is becoming more about management than technology. The charter of IT security managers is to ensure the secure operation of the technical infrastructure. Information security management is by necessity more generalized and encompasses a greater scope. It includes technical but essentially non technical aspects of information security. There is a great involvement in business processes, but also in regulatory compliance, risk management and governance.
As a fact information security management is information centric and comprises of strategy, processes, people, technology, physical aspects, risk management, legal & compliance, business continuity and others.
Information security is a process not an event. It provides assurance that the organization’s vital information assets are protected and that legal and regulatory obligations are met. Information security management is a very complex task requiring a security strategy and the implementation of a security program, which must be well managed on an ongoing basis. The outcome or main achievement of the security program is “security governance” – or in other words, security governance assures that all aspects of information security have been or will be dealt with.
Governance objectives for metrics
Effective security management is measured to what extend the governance objectives have been achieved. These are:
- Strategic Alignment – information security must be aligned with business strategy
- Risk Management – threats and vulnerabilities facing the organization must be identified and outlined in the organizations risk profile
- Value Delivery – decisions on security investments must be based on the organizations risk profile = provide protection to areas of greatest impact and business benefit
- Resource Management - limited resources must be utilized efficiently and effectively
- Performance Management – Monitoring and metrics must be developed to provide continuous reporting on the effectiveness of information security processes and controls
- Business process assurance – integrate and connect organizational assurance functions throughout the organization with other processes and organizational units such as Facility, Risk, Privacy, Quality, Change Mgmt, Insurance, Human resources,, Business continuity and maybe others
Standards
There are a number of useful standards and approaches helping in developing and managing a security program. They can be categorized as followed:
- Best practice oriented (e.g. ISO 17799 / 27002, GSHB, COBIT)
- Process oriented (e.g. ISO 27001, ITIL, ISO 9001)
- Controls oriented (COBIT, ISO 13335-4)
- Risk analysis oriented (Octave)
- Product oriented (Common criteria)
In closing, information security governance is vital task for today’s organizations and authorities in the responsibility of the executive management and board of directors.