Information Security Management

The goal of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities. Security Management is the process of managing a defined level of security for information and IT services, including managing the response to security incidents (ITIL, 2003) (ITIL, 2007).
"Information security incidents are those events that can cause damage to the confidentiality, integrity or availability of the information or information processing" (ITIL, 2003).

Participants: 1 to 4
Hours: 1
Participants are involved in:

  • Monitoring and supervision of information security.
  • Security metrics.
  • Monitoring and supervision of security incidents.

1) Mark with an “X” the information values defined in your organization:

  • Confidentiality: protecting sensitive information from unauthorised disclosure or intelligible interception (  )
  • Integrity: safeguarding the accuracy and completeness of information and software (  )
  • Availability: ensuring that information and vital IT services are available when required (  )


Based on the values selected, which documents, roles and organizational units can be referenced?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Other information values defined in the organization:
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________


2) Mark with an “X” the types of security measure defined in your organization:

  • Security organisation, with clear responsibilities and tasks, guidelines, reporting procedures and measures that are properly matched to the needs of the business and the IT (  )
  • Physical security measures, such as the physical separation of the computer room (  )
  • Technical security measures, which provide security in a computer system or network (  )
  • Procedural security measures, which describe how staff are required to act in particular cases (  )
  • Preventive security measures, which are used to prevent a security incident from occurring (  )
    • control of access rights (granting, maintenance and withdrawal of rights)
    • authorisation (identifying who is allowed access to which information and using which tools)
    • identification and authentication (confirming who is seeking access)
    • access control (ensuring that only authorised personnel can gain access)
  • Reduction measures, such as making regular backups and the development, testing and maintenance of contingency plans (  )
  • Repressive measures, which are used to counteract any continuation or repetition of the security incident (  )
  • Corrective measures, which include restoring the backup or returning to a previous stable situation (roll back, back out). Fallback can also be seen as a corrective measure (  )

Based on the types of security measure selected, which documents, roles and organizational units can be referenced?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Other types of security measure defined in the organization:
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________


3) Mark with an “X” the information security activities defined in your organization:

  • Control—defines the (sub)processes, functions, roles and allocation of responsibilities within the sub-processes, the organisation structure between these, and the reporting structure/line of command (  )
  • Plan—includes the way the security section of the SLA is established, as well as the underpinning contracts (  )
  • Implement—implements the whole range of measures defined in the plans (  )
    • Maintaining awareness - information security works because of discipline, and only when supported by clear documentation and procedures.
    • Security incident handling - security incidents have to be dealt with appropriately.
    • Security incident registration - part of security incident control.
  • Evaluate (  )
    • Internal audits (reviews performed by internal Electronic Data Processing (EDP) auditors)
    • External audits (performed by external, independent EDP auditors)
    • Self-assessments (performed within the line organisation itself)
  • Maintain—based on the results of the periodic reviews, insight into the changing risk picture and, of course, changes in the input material (the security section of the SLA) (  )
  • Report (  )

Based on the activities selected, which documents, roles and organizational units can be referenced?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Other activities defined in the organization:
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________


4) Mark with an “X” the security measures defined in your organization:

Control

  • Establishment of a 'Management forum for information security' (  )
  • Information security co-ordination (  )
  • Allocation of information security responsibilities (  )
  • Authorisation process for IT facilities (  )
  • Specialist advice (  )
  • Co-operation between organisations (  )
  • Independent review (  )
  • Security of third party access (  )

Implement

  • Accountability for assets (  )
  • Information classification (  )
  • Guidelines (  )

Personnel Security

  • Job descriptions (  )
  • Screening: screen applicants for jobs involving sensitive information (  )
  • Confidentiality agreement (  )
  • Training for all personnel (  )
  • Responding to security incidents (  )
  • Security weaknesses (  )
  • Disciplinary measures (  )
  • Security awareness (  )

Communications and operations management

  • Operational procedures and responsibilities (  )
  • Documented operating procedures (  )
  • Incident management procedures (  )
  • Segregation of duties (  )
  • Separation of development and production (  )
  • External facilities management (  )
  • Handling and security of data carriers (  )
  • Network management (  )
  • Network services (  )

Access control

  • Maintenance of effective control over access (  )
  • End-user responsibilities (  )
  • Network access control (  )
  • Computer access control (  )
  • Application access control (  )
  • Anti-virus control policy (  )
  • Monitoring and auditing information system access and use (  )

Security reviews of IT systems

  • Undesirable use of IT facilities (  )
  • Compliance with security policy and standards (  )
  • Legal compliance, including prevention of illegal copying of software (  )

Maintenance

  • Analysis of the evaluation reports (  )
  • Providing input for the security plan(s) and the yearly improvement activities (  )
  • Providing input for the SLA maintenance activities (  )

Based on the security measures selected, which documents, roles and organizational units can be referenced?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Other security measures defined in the organization:
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________


5) Mark with an “X” the Security Management performance indicators defined in your organization:

Business protected against security violations:

  • Percentage decrease in security breaches reported to the Service Desk (  )
  • Percentage decrease in the impact of security breaches and incidents (  )
  • Percentage increase in SLA conformance to security clauses (  )

The determination of a clear and agreed policy, integrated with the needs of the business:

  • Decrease in the number of non-conformances of the ISM process with the business security policy and process (  )

Security procedures that are justified, appropriate and supported by senior management:

  • Increase in the acceptance and conformance of security procedures (  )
  • Increased support and commitment of senior management (  )

A mechanism for improvement:

  • The number of suggested improvements to security procedures and controls (  )
  • Decrease in the number of security non-conformances detected during audits and security testing (  )

Information security is an integral part of all IT services and all ITSM processes:

  • Increase in the number of services and processes conformant with security procedures and controls (  )

Effective marketing and education in security requirements, IT Staff awareness of the technology supporting the services:

  • Increased awareness of the security policy and its contents throughout the organization (  )
  • Percentage increase in completeness of the technical Service Catalogue against the IT components supporting the services (  )
  • Service Desk supporting all services (  )

Based on the performance indicators selected, which documents, roles and organizational units can be referenced?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
Other performance indicators defined in the organization:
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________


Research Group at the National University of Engineering in Nicaragua

Authors: Johnny Flores, Leonel Plazaola


References

ITIL. 2003. Security Management. s.l.: Office of Government Commerce, 2003. ISBN 0-11-330014-X.
ITIL. 2007. Service Design. s.l.: The Stationery Office, 2007. ISBN 978-0-11-331047-0.