Information security management

Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks.

The risks to these assets can be calculated by analysis of the following issues:

Standards that help organisations implement appropriate programmes and controls to mitigate these risks include BS 7799/ISO 17799, the Information Technology Infrastructure Library (ITIL) and COBIT. According to BS 7799, information security means maintaining:

• Confidentiality: information is accessible only to those authorised to access it.

• Integrity: the accuracy and completeness of information are safeguarded.

• Availability: authorised users have access to information when required.


CIA

Objectives:

• To ensure that the organisation complies with external requirements (legislation, SLAs, etc.).

• To create a secure environment regardless of the external requirements.

Benefits:

• Vital business information is kept secure.

• High availability.

• Quality of information.

Security Management Function Overview

Mission Statement: To prevent the occurrence of security-related incidents by managing the confidentiality, integrity and availability of IT services and data in line with business requirements and at acceptable cost.

Function Goal

Prevent security-related incidents by establishing:

Achieve the function mission by implementing:

Critical success factors

The critical success factors (CSFs) are:

Key Activities

The key activities for this function are:

Key Performance Indicators (KPIs)

Examples of Key Process Performance Indicators (KPIs) are shown in the list below. Each one is mapped to a Critical Success Factor (CSF).

Managing the Confidentiality, Integrity and Availability of IT Services and Data

Providing Security Cost Effectively

Proactively Addressing Security Improvements Where Needed

Information processing facility

An information processing facility is defined as any system, service, or infrastructure, or any physical location that houses these things. A facility can be either an activity or a place; it can be either tangible or intangible.

Information security

Information security is about protecting and preserving the confidentiality, integrity, authenticity, availability and reliability of information.

Information security event

An information security event indicates that the security of an information system, service, or network may have been breached or compromised. An information security event indicates that an information security policy may have been violated or a safeguard may have failed.

Information security incident

An information security incident consists of one or more unwanted or unexpected information security events that have a significant probability of compromising the security of information and impairing business operations.

Information security management system (ISMS)

An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks. An ISMS is part of a larger management system.

Information security policy

An information security policy statement expresses management’s commitment to the implementation, maintenance, and improvement of its information security management system.[2]

Security Information Management

Security information management (SIM) software automates the collection of event log data from security devices such as firewalls, proxy servers, intrusion-detection systems and antivirus software, and translates the logged data into correlated and simplified formats.[3]
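The two ideas above, that an incident is built from one or more correlated events and that a SIM normalises logs from unrelated devices into one format before correlating them, can be shown in a small script. The following is an added example, not code from the original page or from any SIM product; the log formats, field names and the correlation rule (an IDS alert plus a firewall ALLOW for the same source and destination within five minutes) are constructed for illustration.

```python
"""Toy SIM: normalise heterogeneous security logs into one schema and
correlate related events into incidents."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (made up for this example; not the output
# of any real firewall, proxy, IDS or antivirus product).
RAW_LOGS = [
    "2024-03-01T10:00:01Z fw action=DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T10:00:03Z fw action=DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-03-01T10:00:05Z proxy 10.0.0.20 GET http://example.com/ 200",
    "2024-03-01T10:00:09Z ids signature=SSH_BRUTE src=203.0.113.7 dst=10.0.0.5 severity=high",
    "2024-03-01T10:00:15Z fw action=ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-03-01T11:30:00Z av host=10.0.0.20 threat=EICAR-Test-File action=quarantined",
    "2024-03-01T11:45:00Z fw action=DENY src=198.51.100.9 dst=10.0.0.8 dport=445",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Translate one raw line into the common schema
    {ts, src_type, src, dst, action, detail}; None if it cannot be parsed."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts_text, src_type, rest = parts
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    kv = dict(KV_RE.findall(rest))
    if src_type == "fw":
        return {"ts": ts, "src_type": "fw", "src": kv.get("src"), "dst": kv.get("dst"),
                "action": kv.get("action"), "detail": "dport=" + kv.get("dport", "?")}
    if src_type == "ids":
        return {"ts": ts, "src_type": "ids", "src": kv.get("src"), "dst": kv.get("dst"),
                "action": "alert", "detail": kv.get("signature", "?")}
    if src_type == "av":
        # Antivirus reports the affected host only; there is no remote source.
        return {"ts": ts, "src_type": "av", "src": None, "dst": kv.get("host"),
                "action": kv.get("action"), "detail": kv.get("threat", "?")}
    if src_type == "proxy":
        fields = rest.split()
        if len(fields) < 4:
            return None
        return {"ts": ts, "src_type": "proxy", "src": fields[0], "dst": fields[2],
                "action": fields[1], "detail": "status=" + fields[3]}
    return None


def correlate(events, window=timedelta(minutes=5)):
    """Correlation rule: an IDS alert for (src, dst) plus a firewall ALLOW for the
    same pair within `window` means the attack traffic reached its target, so the
    events are grouped into an incident. A lone DENY, or an AV quarantine, is an
    event in which the safeguard worked and is not escalated by this rule."""
    events = sorted(events, key=lambda e: e["ts"])
    allows = [e for e in events if e["src_type"] == "fw" and e["action"] == "ALLOW"]
    incidents = []
    for alert in (e for e in events if e["src_type"] == "ids"):
        related = [a for a in allows
                   if (a["src"], a["dst"]) == (alert["src"], alert["dst"])
                   and abs(a["ts"] - alert["ts"]) <= window]
        if related:
            incidents.append({
                "src": alert["src"], "dst": alert["dst"], "signature": alert["detail"],
                "first_seen": min(e["ts"] for e in related + [alert]),
                "event_count": len(related) + 1,
            })
    return incidents


def run(raw_lines=RAW_LOGS):
    """Normalise all lines, drop the unparseable ones, and correlate."""
    events = [e for e in map(normalize, raw_lines) if e]
    return events, correlate(events)


if __name__ == "__main__":
    evts, incs = run()
    print(f"{len(evts)} normalised events, {len(incs)} incident(s)")
    for inc in incs:
        print(inc)
```

The split between `normalize` and `correlate` is the point: once every device speaks the same schema, a correlation rule can be written once against `src`, `dst` and `ts` rather than once per vendor format, and the rule decides which events stay events and which are promoted to an incident.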

INFORMATION MANAGEMENT: LEGAL AND SECURITY ISSUES by Andrzej Adamski