Information Security Management System
Too often, security management is approached from a purely technical perspective. Messages from sales people and marketing present the acquisition of novel technical solutions as a fast and easy path to information security.
However, satisfactory information security cannot be achieved by technical means alone. Equally important is the recognition that everyone in the organization needs a full understanding of the information security procedures and must support the system whenever needed.
To carry through this work and to choose the right combination of education and technical measures, you have to analyze the business objectives carefully. Security management must be done top-down, starting from a general level and, after several steps, being realized as a technical implementation. Only then is it possible to handle a complex and changing reality. You cannot go the opposite way by assuming that a certain piece of technical equipment will solve all problems.
Security policy
The information security goals and vision of the organization are described in a policy. The general security policy must be short and must not contain technical details, so that it can remain valid for a long time without changes. The details are elaborated in issue-specific policies.
Risk analysis
The risk analysis is the core of the security activities. Here, all assets and the threats against them are identified in order to understand the risks. The risk analysis produces proposals for measures that could be taken to increase information security.
Security planning
In the planning step, resources are assigned in order to realize the policy. Starting from the policies and the risk analysis results, activities are initiated to increase information security, such as
- security education
- process and routines development
- audits and security checks
Security architecture
At the architecture level we approach the technology, but in a product-independent way. Here we choose the combination of security techniques that gives the best properties for the organization's infrastructure and its IT systems.
Implementation
Not until we reach this lowest level do we begin to consider specific products and their properties. Before we choose security products, the whole security management process must be completed: there is no point in procuring security products before we have analyzed what is worth protecting and how to protect it. At this level we also consider the security configurations of the IT systems.