Information security management

In most organizations, the scope of responsibilities and range of activities of information security management (ISM) have increased dramatically in recent years.

Role of Legal & Compliance

The growing role of information security management has been driven by the impact of a number of new laws and regulations, coupled with a massive growth in cyber crime. Finally, organizations have become aware of their near-total dependence on information assets.

Legal requirements in many countries (Switzerland among them) demand that organizations, and public authorities as well, provide for the protection of personal information, the retention of certain types of information for specific periods, and the public disclosure of financial-related information. Many of these regulations hold senior management personally responsible.

The increasing recognition by organizations of their near-absolute dependence on their information is also driving information security issues to the highest levels of management. In some organizations, however, the level of management commitment is still less than complete, which restricts the security manager's effectiveness.


From IT to Information security

Information security management is becoming more about management than technology. The charter of IT security managers is to ensure the secure operation of the technical infrastructure. Information security management is by necessity more generalized and encompasses a greater scope: it includes technical but, above all, non-technical aspects of information security. It involves business processes heavily, but also regulatory compliance, risk management and governance.

In fact, information security management is information-centric and comprises strategy, processes, people, technology, physical aspects, risk management, legal & compliance, business continuity and more.

Information security is a process, not an event. It provides assurance that the organization’s vital information assets are protected and that legal and regulatory obligations are met. Information security management is a very complex task requiring a security strategy and the implementation of a security program, which must be well managed on an ongoing basis. The outcome or main achievement of the security program is “security governance” – in other words, security governance assures that all aspects of information security have been or will be dealt with.


Governance objectives for metrics

Effective security management is measured by the extent to which the governance objectives have been achieved. These are:

 

Standards

There are a number of useful standards and approaches that help in developing and managing a security program. They can be categorized as follows:

 

In closing, information security governance is a vital task for today’s organizations and authorities, and it falls under the responsibility of the executive management and the board of directors.