INFORMATION SECURITY MANAGEMENT SYSTEM



Similar documents
STRATEGIC AND FINANCIAL PERFORMANCE USING BUSINESS INTELLIGENCE SOLUTIONS

Security Controls What Works. Southside Virginia Community College: Security Awareness

Certified Information Security Manager (CISM)

Risk Management: Implementation principles and Inventories for Risk Management/Risk Assessment methods and tools

ISO 27001:2005 & ISO 9001:2008

Governance, Risk, and Compliance (GRC) White Paper

How To Write A Cybersecurity Framework

Security metrics to improve information security management

Preparing for the Convergence of Risk Management & Business Continuity

Client information note Assessment process Management systems service outline

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

Key Considerations for Information Technology Governance. 900 Monroe NW Grand Rapids, MI (616)

Ecom Infotech. Page 1 of 6

T141 Computer Systems Technician MTCU Code Program Learning Outcomes

Outsourcing and Information Security

NEW SCHEME FOR THE INFORMATION SECURITY MANAGEMENT WITH ISO 27001:2013

Information Security Management

Managing e-health data: Security management. Marc Nyssen Medical Informatics VUB Master in Health Telematics KIST

Information Technology Governance. Steve Crutchley CEO - Consult2Comply

ASSESSMENT OF THE IT GOVERNANCE PERCEPTION WITHIN THE ROMANIAN BUSINESS ENVIRONMENT

Cloud Security Standards. Aziza Al Rashdi Director, Cyber Security Professional Services Oman National CERT Information Technology Authority

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Policies and Procedures Development Framework for Government Agencies. First Edition AH

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

NICE and Framework Overview

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

THE ISO QUALITY MANAGEMENT PRINCIPLES AND THE EFQM MODEL

Cloud Computing and Privacy Toolkit. Protecting Privacy Online. May 2016 CLOUD COMPUTING AND PRIVACY TOOLKIT 1

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

9/14/2015. Before we begin. Learning Objectives. Kevin Secrest IT Audit Manager, University of Pennsylvania

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

The Information Security Management System According ISO The Value for Services

An Overview of ISO/IEC family of Information Security Management System Standards

Enhancing Information Security in Cloud Computing Services using SLA Based Metrics

Enterprise Security Architecture for Cyber Security. M.M.Veeraragaloo 5 th September 2013

Achieving Business Imperatives through IT Governance and Risk

SecSDM: A Model for Integrating Security into the Software Development Life Cycle

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

2008 by Bundesamt für Sicherheit in der Informationstechnik (BSI) Godesberger Allee , Bonn

Methods Commission CLUB DE LA SECURITE DE L INFORMATION FRANÇAIS. 30, rue Pierre Semard, PARIS

ISMS Implementation Guide

Information Security Management Systems

Log management and ISO 27001

ISO/IEC Information Security Management. Securing your information assets Product Guide

Risk Management in IT Governance Framework

The benefits of ISO certification and Total Quality Management in a radiology department

SECURITY RISK MANAGEMENT

IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.

Cloud Computing in a GxP Environment: The Promise, the Reality and the Path to Clarity

National Institute of Standards and Technology Smart Grid Cybersecurity

Security Control Standard

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Securing the Microsoft Cloud

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

IT Governance: The benefits of an Information Security Management System

Governance and Management of Information Security

Implementing a CRM System in the Context of Internet Technologies

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

White paper. Secure Cloud Services: An Integrated Approach

Security and Privacy Controls for Federal Information Systems and Organizations

ISO Information Security Management Systems Foundation

Cybersecurity. Cloud. and the. 4TH Annual NICE Workshop Navigating the National Cybersecurity Education InterState Highway September 2013

A collaborative approach of Business Intelligence systems

INFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013

Cyber Risk Management Guidance for FHFA Regulated Entities

Integrated Information Management Systems

Information Technology Auditing for Non-IT Specialist

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

our enterprise security Empowering business

NIST Cybersecurity Framework. ARC World Industry Forum 2014

Information Security Officer (# 1773) Salary: Grade 25 ($81,808-$102,167) / Grade 27 ($90,595 to $113,141) Summary of Duties. Minimum Qualifications

Information Security Management System (ISMS) Policy

ISSA Guidelines on Master Data Management in Social Security

Sytorus Information Security Assessment Overview

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Security Services. 30 years of experience in IT business

Cyber Security VTT and the Finnish Approach

Customer-Facing Information Security Policy

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy IT Risk Strategy V0.1 April 21, 2014

Practitioner Certificate in Information Assurance Architecture (PCiIAA)

Information technology Security techniques Information security management systems Overview and vocabulary

Transcription:

Gheorghe Mirela INFORMATION SECURITY MANAGEMENT SYSTEM Academia de Studii Economice Bucure ti, Facultatea Contabilitate i Informatic de Gestiune, Pia a Roman nr. 6, sector 1, Bucure ti, CP 010374, Email: mirelaghe@gmail.com, Telefon: 0723858611 Boldeanu Dana Maria Academia de Studii Economice Bucure ti, Facultatea Contabilitate i Informatic de Gestiune, Pia a Roman nr. 6, sector 1, Bucure ti, CP 010374, Email: danabolde@gmail.com Information Security Management System plays a critical role to protect the organization and its ability to perform their business mission, not just its IT assets. Risk Management and Risk Assessment are important components of Information Security Management System Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Information and communications technology management and IT security are responsible for ensuring that technology risks are managed appropriately. The research starts with the conceptual framework of the Information Security Management System and provides an analysis of the IT risks management to the level of the financial institutions in Romania. Key words: information security management system, risk management, risk assessment. 1. Introduction The acceptation of an Information Security Management System (ISMS) constitutes a strategic decision of an organization, the development and the implementation of such a system being influenced by the needs and the strategic objectives of the entity in case. Practically, this system will assure an adequate and proportional selection of the security measurements to protect the information resources. The research starts from the conceptual framework of the ISMS based on the requests of standards: ISO/IEC 27001(2005) Information technology - Security techniques - Information security management systems Requirements and ISO/IEC 17799 Information technology - Security techniques - Code of practice for information security management. These standards, recognized also to the level of the Romanian organizations, offer the methodological framework for developing and implementing an efficient security management system to the level of a certain organization. Concomitantly, the ENISA agency (European Network and Information Security Agency), though the Risk Management / Risk Assessment portal (http://enisa.europa.eu/rmra), offers a series of tools and methods for analyzing and assessing IT risks. The present paper offers also an analysis of implementing IT risks management to the level of the financial institutions in Romania, underlining the most important IT problems pointed out by the respondents in the last year and the most efficient measurements taken by the top management for solving them. 2. The conceptual framework of the Information Security Management System The information security management system (ISO 27001, 2005) is defined as that part of a global management system, based on a certain approach of the business risk, through which it is establishing, implementing, analyzing, monitoring and improving the security of the information. This system includes organizational structures, politics, planning activities, practices, processes and resources. Information security should be an integral part of the organization s operating and business culture. In ENISA vision, the methodological view of developing an ISMS necessitates the covering of 6 steps (figure 1): 1358

Figure 1. The steps of process developing of the information security management system (Source: http://www.enisa.europa.eu) 1. Definition of Security Policy, 2. Definition of ISMS Scope, 3. Risk Assessment (as part of Risk Management), 4. Risk Management, 5. Selection of Appropriate Controls and 6. Statement of Applicability Steps 3 and 4, the Risk Assessment and Management process, comprise the heart of the ISMS and are the processes that transform on one hand the rules and guidelines of security policy and the targets; and on the other to transform objectives of ISMS into specific plans for the implementation of controls and mechanisms that aim at minimizing threats and vulnerabilities. The processes and activities related to the steps 5 and 6 do not concern information risks. They are rather related to the operative actions required for the technical implementation, maintenance and control of security measurements. Appropriate controls may either be derived from existing sets of controls or mechanisms, usually included in information security standards and guidelines, or the outcome of a combination or adaptation of proposed controls to the specific organizational requirements or operational characteristics. In both cases, step 6 is the documented mapping of the identified risks, applied to the specific organization with the technical implementation of security mechanisms the organization has decided to deploy. Finally, although the ISMS is a recurring process as a whole, in most of the types of organizations mentioned above, steps 1 and 2 recur on a longer cycle than steps 3, 4, 5 and 6. This is mainly because the establishment of a security policy and the definition of the ISMS scope are more often management and strategic issues while the Risk Management process is an everyday operational concern. 1359

Risk Management and Risk Assessment are major components of Information Security Management System (ISMS). Risk management can be defined as the process of identifying vulnerabilities and threats within the framework of an organization, as well as producing some measurements to minimize their impact over the informational resources. This process of the risk management includes some basic processes, as we can see in the figure below (figure 2): 1. Risk Assessment requires the covering of three steps: risk identification, risk analysis and risk evaluation. Every organization is continuously exposed to an endless number of new or changing threats and vulnerabilities that may affect its operation or the fulfillment of its objectives. Identification, analysis and evaluation of these threats and vulnerabilities are the only way to understand and measure the impact of the risk involved and hence to decide on the appropriate measures and controls to manage them. 7. 2. Risk Treatment is the process of selecting and implementing of measures to modify risk. Risk treatment measures can include avoiding, optimizing, transferring or retaining risk. The measures (i.e. security measurements) can be selected out of sets of security measurements that are used within the Information Security Management System (ISMS) of the organization. 8. 3. Monitor and Review is a process for measuring the efficiency and effectiveness of the risk management of the organization processes is the establishment of an ongoing monitor and review process. This process makes sure that the specified management action plans remain relevant and updated. 9. 4. Risks Communication, Awareness & Consulting means a process to exchange or share information about risk between the decision-maker and other stakeholders inside and outside an organization. The information can relate to the existence, nature, form, probability, severity, acceptability, treatment or other aspects of risk. Figure 2. Risk Management Process (Source: http://www.enisa.europa.eu) 1360

5. Risk acceptance is the decision to accept a risk by the responsible management of the organization. For each risk area, the options are: a) reduce: lower the risk through controls, or technology; b) transfer: offload the risk by placing it on some other entity; c) accept: decide the risk is acceptable based on the benefit; d) ignore: choose not to reduce, transfer or accept the risk - this is equivalent to accepting the risk, but without due diligence. 3. The analysis of the IT risk management to the level of Romanian s financial institutions To the level of financial institutions in Romania, the European requests for Basel II implementation have had major implications in the governance way of the information technologies. For many information systems in the banks is absolutely necessary an architectural rethinking which will allow a consolidated and, also, flexible approach of the market, as well as the selling of some complex products and financial services adequate to the permanent change of the economic environment. Basel II involves a bigger responsibility in the well functioning of the banks informatics systems both for the IT department and for the management of the bank. In our research, the analysis of the IT risk management has been based on the data gathered from a number of 30 subjects (financial institutions) through a questionnaire. The gathered information allowed us to point us the following: the most severe IT problems distinguished by the respondents in the last year, the most efficient measurements taken into consideration by the top management for resolving the pointed out problems. As we can notice also in figure no. 3 the most severe IT problems pointed out in the last period (year 2007) have been bonded by the personnel (staff problems 24%) and high cost of IT with low improvement of ROI (19%). We can also mention between stringent problems serious IT operational incidents and low IT performances (both with 13%). Staff Problems 24% High cost of IT w ith low or unproven return on investment (ROI) 19% Problems w ith outsourcers 6% Security and privacy incidents, perhaps involving people, intrusion, etc 6% Serious IT operational incidents 13% Performante IT reduse (invizibile) 13% A disconnect betw een IT strategy and business strategy 6% IT not meeting nor supporting compliance requirements 13% Figure 3. The most serious IT problems pointed out in the last year 1361

The most efficient measurements taken into consideration by the management for resolving their problems have been the following: the alignment between IT strategy and overall strategy and a more efficient IT risk management. IT risk management Active management of ROI of IT IT resource (people, systems, financials) management Outsourcing IT Yes No Alignment between IT strategy and overall strategy Actual performance measurement of IT 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Figure 4. The most efficient measurements taken into consideration by the management for issuing pointed out problems In conclusion, although the last years have been remarked through rapid changes to the level of informational architecture of the Romanian financial institutions, which implicated major investments, the efficiency of the IT management risks is valuated and the real issues in the area aimed more the human side than the technical one. 4. Conclusions Therefore the establishment, maintenance and continuous update of ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks. Furthermore such a company will be capable of successfully addressing information confidentiality, integrity and availability requirements which in turn have implications for: business continuity; minimization of damages and losses; competitive edge; profitability and cash-flow; respected organization image; legal compliance. References 1. ENISA (European Network and Information Security Agency), Risk Management /Risk Assessment (available on-line at http://www.enisa.europa.eu/rmra) 2. ISO/IEC 17799 (2005) Information technology - Security techniques - Code of practice for information security management. 3. ISO/IEC 27001(2005) Information technology - Security techniques - Information security management systems Requirements. 1362

4. NIST, Risk Management Guide for Information Technology Systems NIST Special Publication 800-30 ; available on-line at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf 5. Pradhan P.L. and Meher P.K. (2004), Risk Assessment on IT Infrastructure, available on-line at http://www.infosecwriters.com/text_resources 6. Symantec (2007), IT Risk Management Report. Trends through December 2006, Volume 1, Published February, 2007. 7. Symantec (2008), IT Risk Management Report2, Myths and Realities, Volume 2, Published January, 2008. 1363

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information