Information Security Management System is concerned with ensuring the information security of all information and the systems, processes and procedures relating to the management. Like other valuable business assets, information must be regarded as an asset too which is valuable to the organization and need a suitable protection against any types of threats. The threats are not just from the internet, nearly over 50% all security breaches occur from the insiders.
Information security management system is achieved by implementing a suitable set of controls in the form of policies, procedures, organizational structures, systems and functions to ensure that the security objectives of the organization are met.
Unlike securing the simple network environment in home which you can enhance the protection with robust home protection software such as BitDefender, Information Security Management system deals with a number of important concepts which some of them based according to the data collected during the network design.
Information security management system should be applied to all corporate operations and each operation should ensure protection to their information assets appropriately. And all the elements of the employee must be responsible for the information they utilize, and management must ensure that information security controls are implemented properly.
This information security management system provides a framework and reference point for management to implement appropriate information security controls, and is a means of raising awareness of users’ responsibilities relating to information security.
Information and its supporting processes, systems, and networks should be available to employees and approved business partners to achieve the objectives of information security management system which is known as CIA triad.
- Confidentiality: ensuring that information is accessible to only authorized users.
- Integrity: safeguarding the accuracy and completeness of information and associated processing methods.
- Availability: ensuring that authorized users have access to information and its supporting processes, systems and networks when required.
This information security management system provides a framework for management to implement and maintain a level of information security that is commensurate with information security risks by ensuring the following:
- The trust between corporate operations and business partner that share public and private network.
- Information is secure and is protected commensurate with its level of sensitivity and security risk.
Information security management organization
Implementation of information security management system across business operations and partners must be initiated and controlled by ensuring that information security is managed effectively. While corporate will ensure the implementation of information security management is coordinated in a consistent manner across business operation and partner.
Information Security Risk assessment
All business operations should undertake security risk assessment for all information security assets to ensure that the risks are identified. All of the risks identified must be applied appropriate control. The control applied should be beyond minimum requirements guided by the corporate policy.
Assets classification and control
Information security management system should manage assets classification and control. All business operations and partners must classify significant information assets to indicate the need, priorities and degree of protection required. The Objective is to ensure that all the significant assets are applied with appropriate control.
Outsourcing
Information security management system should manage outsourcing of the information by ensuring that all information security risks and controls must be addressed in contracts. The objective is to maintain the security of information when responsibility for information processing is outsourced to another organization.
Personal security
Information security management system should also manage personal security. Information security responsibilities must be addressed at the recruitment stage and monitored during an individual’s employment. Awareness of security procedures and the correct use of information systems facilities must be enforce to all users. The objective is to reduce the risks of human error, theft, fraud or misuse of facilities.
Responding to security incidents
Information security management system should also manage the awareness of the users regarding the response to security incidents by ensuring that security incidents must be reported promptly and managed effectively. The objective is to prevent unauthorized access to, and possible damage or interference to information assets and facilities.
Physical and environmental security
Information security management system should also manage physical and environmental security by ensuring that all business information and information processing facilities must be applied a level of physical protection from security threats and environmental. The objective is to prevent unauthorized access to and interference with information assets and facilities. Read more detail about office and environment security policy.
Operating Procedures
Information security management system should manage the establishment of operating procedures of all information processing facilities, including appropriate backup and fault logging processes. The objective is to ensure that information processing facilities are operated and maintained correctly and securely.
System planning and acceptance
Information security management system should manage system planning and acceptance. Operational requirements and projections of future capacity of new systems must be established, documented and tested prior to their acceptance and use. The objective is to minimize the risk of information asset failures.
Virus and internet threats Protection
Information security management system should manage virus and other internet threats protection. Controls must be established to prevent and detect the introduction of viruses and other malicious software and other internet threats. The objective is to protect the integrity of software and information assets.
System Security configuration
Information security management system should manage system security configuration. Default system installations and configurations must be secured and maintained to prevent potential exposure to security threats and vulnerabilities. The objective is to ensure that systems are secured and maintained to an appropriate level.
Network management
Information security management system should manage network management. Information within networks and passing over public networks must be kept secure and protected from unauthorized access. The objective is to ensure that information is securely stored and transmitted within networks and that the supporting infrastructure is protected.
Media Handling and Security
Information security management system should manage media handling and security. Procedures must be established for the proper handling, storage and disposal of documents and computer media. The objective is to protect information assets from damage, theft and unauthorized access.
Exchange of information and software
Information security management system should manage and control the way information and software are exchanged with other organizations including email. The objective is to prevent loss, modification or misuse of information exchanged between organizations.
Access Control
Information security management system should manage access control to information, processing facilities and systems on the basis of business and security requirements. The objective is to ensure that access to information is appropriate and authorized with the principle of the need to know.
Mobile Computing and Remote Access
Information security management system should manage mobile computing and remote access to mitigate the particular security risks associated with them. The objective is to ensure security of information when using mobile computing and tele-working facilities.
Development and Maintenance of Information System
Security requirements must be identified and agreed upon prior to the development or modification of information systems. The objective is to ensure that security is built into information systems, and maintained.
Business Continuity Management
Information security management system should establish Business Continuity and Disaster Recovery plans to protect critical business processes and information systems from the effects of major failures or disasters. The objective is to mitigate interruptions to business activities and to protect information assets from the effects of major failures and disasters.
Compliance
Information systems must be audited on a regular basis for compliance with the Information Security Management and regulatory requirements.