ITIL foundation certification training teaches us that services are developed in a five-step ITIL lifecycle. The second stage of the ITIL lifecycle is Service Design. As discussed in online ITIL training, the ITIL Service Design stage has many processes that are needed for the stage to be successfully completed. One of the key processes in the Service Design stage is Information Security Management.
The goal of Information Security Management
The main goal of this process is aligning IT Security with business security and ensuring that information security is effectively managed. Depending on the context and nature of the industry, an IT service provider might be processing or using confidential data of a company.
For instance, let’s consider that IT service provider is using data from the human resources or finance department in a company. All employee records, compensation and benefit details are confidential data of the human resources department. And similarly, transactions, details of the accounts etc. are confidential data of the finance department. Therefore, these kinds of corporate and confidential data used by the IT Service provider must be secured.
The objectives of Information Security Management
This is an activity within a corporate governance framework. Corporate governance of a company prepares, declares and dictates policies on how a certain set of activities must be done in a company. In this context, information security management is one of the topics that is covered by the corporate governance of the company as well.
Information Security management provides the strategic direction for security activities and ensures that objectives are achieved. Based on the security policies and strategies of the company, plans and actions are generated. And these plans and activities are managed and ensured by this process.
Another objective is information security risks are appropriately managed. There can be weak points and lacks in the information security of a company. And the IT service provider has to manage these risks properly. In the long-term, these risks have to be minimized.
The final objective is ensuring the confidentiality, integrity, availability and authenticity/non-repudiation.
If we explain each item here:
- Confidentiality means the security of the data. As we described before, employee details, transaction or account details are all confidential data of a company and the Information Security management process aims to protect these data.
- Integrity means cohesiveness of all data. For instance, the address of an employee is meaningful only if it is associated with the employee name and ID in the database, or a transaction detail is meaningful only if it is associated with the bank and customer in the database. Therefore, while ensuring the security of the data, integrity must be also provided.
- Availability ensures that the required information or data can be reached when needed.
- And finally, authenticity and non-repudiation of the information security management ensure that only authorized people can access to confidential data. If you consider the employee details data, should all employees of a company access all employee details of a company? Of course not. Because the employee details will include confidential data of employees such as salary or bonus information. These data must not be visible to all employees of the company. Therefore, Information Security Management process ensures the authentication for confidential data.
The Information Security Management Framework
The information security management process and the security framework will generally consist of the following items:
An information security policy and specific security policies.
An information security policy or security policies define how the security of the data in a company will be ensured. For instance, prompting for password change in each 3 months and requiring a new password in each password change are examples of the implications of such policies of the information security management.
An information security management system
An information security system will store the login and password details of each user, log the activities of each user, lock if an unauthorized user tries to log on a system etc. These are all done with the help of information security management system.
A comprehensive security strategy
There can be several systems or locations where information of the organization is stored. Information Security Management process has to ensure a comprehensive security strategy to cover the security of all information and data of the company.
An effective organizational security structure
This means that an official department and employees must be assigned to ensure information security in an organization and that this department must have policies and a set of activities to ensure the security of confidential data in the company.
A set of security controls to support the policy
For instance, prompting re-login of users in case of 10 minutes of inactivity, auditing of the system in each hour to check whether there are any anonymous users in the system doing unauthorized activities etc. These kinds of controls can be done in the scope of an Information Security Management framework.
Management of security risks
The management of security risks is done within the scope of the security framework as well. Although appropriate actions, plans, and strategies are developed and implemented to ensure information security in an organization, there can be still weaknesses or leakages from a security point of view. These risks must be managed and the actions that must be taken to mitigate these risks have to be documented. And in future plans, these risks must be eliminated as far as possible to ensure a stronger information security in the organization.
Monitoring processes to ensure compliance
And the last item that is included in the Information Security Management framework is the monitoring of processes to ensure compliance. Although information security is ensured with policies, plans, and strategies, these must be monitored with processes to check whether the required security could be ensured with the actions taken. If the required security could not be met, corrective actions must be taken.
Review by: Colleen Graham