Security Management. Security is taken for granted until something goes wrong.


Security Management

Security is taken for granted until something goes wrong.

Concerns about security have existed for as long as mankind has. The most obvious manifestation relates to ourselves: we rely on basic needs such as food, clothing and security being satisfied before the more discretionary aspects of life can be enjoyed. One popular attribution about security was voiced by William Shakespeare in Macbeth, written in the early 17th century, from which the quotation "Security is mortals' chiefest enemy" comes.

This white paper explains how security management and service management are part of the same overall remit to run an effective enterprise information architecture. As they are different aspects of the same objective, it can be argued that security management can sit in the service department.

Security is taken for granted until something goes wrong, at which point visibility goes through the roof and management start to hunt for someone to blame. Whilst this is understandable, exactly the same characteristic applies to service delivery. Information Security is a topic that has its own terminology, standards and champions and is given either too much prominence or not enough, depending on who is involved. However, we use information more today than at any time in our collective past, and access to that information, and its accuracy, is treated as an assumed right. So what is Information Security and why is it relevant to the discipline of Service Delivery?

SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 2

Definition of Security

Information is an asset which, like any other business asset, has value to an organisation and so needs protecting. Whether that information is in paper or electronic format doesn't matter in terms of the business safeguards needed, although our main interest is clearly in the electronic format, as this is what IT deals with every day. Information Security is defined here as the preservation of:

Confidentiality: ensuring that information is accessible only to those authorised to access it
Integrity: safeguarding the accuracy and completeness of information and its processing
Availability: ensuring that users can get access to information and any associated assets when required

So it isn't hard to see the correlation between the objectives of information security management and what service managers should be doing every day. Good security is achieved by implementing a set of controls, policies, practices and procedures along with organisational structures and software support. This is so like the way formal service management disciplines are structured that information security management should become a natural extension of their scope, especially once it is realised that 42 of the 133 controls in the security standard are also described in ISO 20000, the standard for service management.

Security controls and regulation

There are few formal controls governing service management in isolation, but there are many concerning security management. These determine what controls should exist and what level of compliance with rules, statutes, regulations and industry standards must be achieved. Several control regimes govern security, the most obvious being ISO/IEC 27001, the international standard for information security management.

Figure 1 The control objectives of ISO 27001

ISO 27001 clause                            Security categories   Controls
Security policy                                      1                2
Organising security                                  2               11
Asset management                                     2                5
Human resources security                             3                9
Physical and environmental security                  2               13
Communications and operations management            10               32
Access control                                       7               25
Systems development and maintenance                  6               16
Security incident management                         2                5
Business continuity management                       1                5
Compliance                                           3               10
Total                                               39              133

The standard details 133 controls, grouped under 39 security categories (each with its own control objective) in 11 key clauses, as shown in figure 1. (This paper uses "control objective" loosely for the 133 individual controls; in ISO/IEC 27001:2005 Annex A each of the 39 categories states one control objective and lists one or more controls that serve it.) Not all of these will be needed in every organisation and many of them are open to interpretation. This is where care is needed, because unlike service management, security management can be overdone "to be on the safe side" and organisations end up burdened by the weight of control. Whilst we do not want just anyone to be able to see our bank accounts, the protection needed over, say, our social media profile is rather less important, and so the controls need to be different. It is this aspect of security which confuses people most, because an element of judgement is required, and this is exercised by means of risk assessments, which will return different results for different types of enterprise. The process for carrying out risk assessments is described by ISO 27005. There are common themes in every organisation, highlighted below along with some of the underlying legal and regulatory requirements.

Figure 2 Laptop theft reported in The Times newspaper

Data Protection: all organisations have to comply with the Data Protection Act 1998 (DPA), which came into effect in 2000. Do you know what your responsibilities under it are? Enforcement of the DPA is the responsibility of the Information Commissioner, who can impose heavy fines for data loss and non-compliance with the Act. Into this category also comes the Regulation of Investigatory Powers (RIP) Act 2000, which specifies who can take responsibility for the interception, monitoring and investigation of incidents; this is of particular relevance to organisations that need to determine who had access to information held or processed electronically. Monitoring of staff email and telephone calls by an employer is covered by this RIP legislation.

Business Continuity: all organisations need to protect their equipment, software and data from intentional or unintentional loss. Do you have a plan showing how your business operates when key information goes missing? Business continuity in a 24x7x52 business environment is far more complex than having a disaster recovery plan involving cold standby facilities: if you are an online retailer handling 2500 in revenue a minute, can the business cash flow survive a 36 hour restore period? And would your customers accept this even if the business did?

Internet Threats: anyone with PC-based systems and/or internet access is vulnerable to information being lost or rendered inaccessible by a virus. This can also seriously affect service stability: it has been estimated that 50% of all emails contain a virus, and there are 62tn of them annually around the world. Courts of law can use emails as formal records of the company you work for, which is why the police seize them. We can see that the email is often more deadly than the mail!

Denial of Service: most often interpreted as a sustained bombardment of your website, denial of service can be achieved in other ways, often inadvertently, if your network is not in a closed user group or has not been designed to use alternate routing and you get cut off from the outside world. This happens, and if you do online business then you are out of it until the outage is repaired and service is restored.

Theft and Loss of Assets: the growth in the number of laptops, tablets and smart phones means that both the hardware and the information held on it can and do go missing. Would you be happy if it was your medical records that were left behind on the bus? Or if your company tax return was being examined by your competitors? Security is a deeply personal issue as well as one of corporate embarrassment; witness the high profile information leaks of recent years, such as that in figure 2 and the theft of the identities of two high profile banking executives.

ISO 27001 is not the only control regime that can be applied to security management, however. Another mature offering is CobiT, standing for Control Objectives for Information and related Technology; this methodology has been in existence since 1996. It is positioned as a practical toolkit for IT governance because, following the Turnbull report, corporate governance and risk management have become increasingly important issues for businesses. A recent issue of Internal Auditing magazine stated that the biggest risks facing organisations are now technology-based.

Figure 3 How ISO 20000 and ISO 27001 clauses overlap: change management

ISO 20000 clause                           ISO 27001 clause
9.2.1 Planning and implementation          10.2.3; 12.4.1 Control of implementation
9.2.2 Closing and reviewing                10.1.2; 12.5.1 Formal change procedures
9.2.3 Emergency changes                    12.5.3 Control of essential changes
9.2.4 Reporting and analysis               10.2.2 Review, reporting and auditing
9.1.5 Verification and audit               15.1.2 Compliance with software IPR

Just as the role of any auditor will, as a matter of course, include an information systems component, so effective corporate governance and risk management necessitates effective IT governance and risk management. CobiT is primarily an auditing tool but offers an alternative to ISO 27001 by introducing controls from a much wider set of standards. ISO 20000, however, has always relied on a security standard like ISO 27001 to discharge its security-specific requirements, and about a third of the controls are shared between ISO 20000 and ISO 27001. An example, using change management, of how these controls are evidenced in the two standards is shown in figure 3.

Service and Security synergy

This paper has already asserted that there is significant synergy between the disciplines of security management and service management. If this is made obvious by a few examples, such as disaster management, then it can readily be seen how close the disciplines are. However, it is important not to take the leap towards organisational synergy without considering an important aspect of governance: segregation of duties. IT staff with deep technical skills are the ones who have the means, and arguably the time, to hack into systems for their own ends, and it is necessary to establish effective monitoring and control procedures to ensure they don't.

Figure 4 An example of an ISO 27001 controls assessment (radar chart scoring each of the 11 control areas from 0% to 100%: Security policy, Organisation of security, Asset management, Human Resources security, Physical & environmental security, Operations management, Access control, System development & maintenance, Security incident management, Business continuity management, Compliance)

This may be more difficult when everyone is under the same management umbrella, but given that the benefits of synergy can outweigh the drawbacks, self-policing, assuming suitable external oversight and effective access control systems, becomes possible even in the most highly regulated organisations.

The way ahead for organisations

All good ideas start off with either a feasibility study or a visionary statement. There are a number of ways that the security management regime appropriate to your organisation can be determined, and a survey, taking no more than a few hours to complete, that assesses conformance to ISO 27001 is a very good start. An example of the output from such a security assessment is shown in figure 4 and provides an overview of control status. Management of security can be made cost effective if taken alongside a service improvement programme, where the changes can be dovetailed together; this approach works in practice.
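As an added example (not code from this paper or from Fruition Partners), the following Python script makes the figure 3 overlap concrete: it takes the evidence gathered during an ISO 20000 change-management review, works out which ISO 27001 Annex A controls that evidence already covers and which still have to be evidenced separately, and then summarises the result per Annex A clause in the same 0-100% style as the figure 4 assessment. The clause pairs come from figure 3 and the clause names from figure 1 (ISO/IEC 27001:2005 Annex A numbering); the evidence records are constructed sample data, and the rule that a satisfactory ISO 20000 finding counts as coverage of the mapped ISO 27001 controls is an assumption made here for illustration.

```python
"""Evidence reuse between ISO 20000 change management and ISO 27001.

Added example for this paper, not Fruition Partners' code. The clause pairs
come from figure 3 and the clause names from figure 1 (ISO/IEC 27001:2005
Annex A numbering). The evidence records are constructed sample data, and the
scoring rule (a mapped ISO 27001 control counts as covered when the ISO 20000
evidence for it was judged satisfactory) is an assumption for illustration.
"""
from dataclasses import dataclass

# Figure 3: ISO 20000 change-management clause -> ISO 27001 Annex A control(s).
ISO20000_TO_ISO27001 = {
    "9.2.1": {"10.2.3", "12.4.1"},  # Planning and implementation -> Control of implementation
    "9.2.2": {"10.1.2", "12.5.1"},  # Closing and reviewing -> Formal change procedures
    "9.2.3": {"12.5.3"},            # Emergency changes -> Control of essential changes
    "9.2.4": {"10.2.2"},            # Reporting and analysis -> Review, reporting and auditing
    "9.1.5": {"15.1.2"},            # Verification and audit -> Compliance with software IPR
}

# Figure 1 clause names, keyed by Annex A clause number (A.5 .. A.15).
ISO27001_CLAUSES = {
    "5": "Security policy", "6": "Organising security", "7": "Asset management",
    "8": "Human resources security", "9": "Physical and environmental security",
    "10": "Communications and operations management", "11": "Access control",
    "12": "Systems development and maintenance", "13": "Security incident management",
    "14": "Business continuity management", "15": "Compliance",
}


@dataclass(frozen=True)
class Evidence:
    clause: str      # ISO 20000 clause the evidence was gathered against
    artefact: str    # what the reviewer examined (constructed description)
    satisfied: bool  # reviewer's judgement that the clause is met


def assess(evidence):
    """Derive ISO 27001 coverage from ISO 20000 evidence.

    Returns (covered, uncovered, gaps): covered/uncovered are sets of the
    ISO 27001 controls within the mapping's scope; gaps lists ISO 20000
    clauses with no satisfactory evidence. Evidence against an unmapped
    clause is rejected rather than ignored, so a typo cannot inflate coverage.
    """
    unknown = {e.clause for e in evidence} - ISO20000_TO_ISO27001.keys()
    if unknown:
        raise ValueError(f"evidence cites clauses not in the mapping: {sorted(unknown)}")
    passed = {e.clause for e in evidence if e.satisfied}
    in_scope = set().union(*ISO20000_TO_ISO27001.values())
    covered = set().union(*(ISO20000_TO_ISO27001[c] for c in passed))
    gaps = sorted(c for c in ISO20000_TO_ISO27001 if c not in passed)
    return covered, in_scope - covered, gaps


def clause_scores(evidence):
    """Percentage of in-scope controls covered, per ISO 27001 clause (figure 4 style)."""
    covered, uncovered, _ = assess(evidence)
    tallies = {}
    for control in covered | uncovered:
        clause = control.split(".")[0]           # "12.5.1" -> Annex A clause "12"
        hit, total = tallies.get(clause, (0, 0))
        tallies[clause] = (hit + (control in covered), total + 1)
    return {c: 100.0 * hit / total for c, (hit, total) in tallies.items()}


# Constructed sample evidence from a notional change-management review.
SAMPLE_EVIDENCE = [
    Evidence("9.2.1", "change records show impact assessment and CAB approval", True),
    Evidence("9.2.2", "post-implementation reviews filed for last quarter's changes", True),
    Evidence("9.2.3", "emergency changes raised but never retrospectively approved", False),
    Evidence("9.2.4", "monthly change report analysing failed and backed-out changes", True),
    # nothing gathered for 9.1.5 (verification and audit), so it is reported as a gap
]

if __name__ == "__main__":
    covered, uncovered, gaps = assess(SAMPLE_EVIDENCE)
    print("ISO 27001 controls evidenced via ISO 20000:", sorted(covered))
    print("Still to be evidenced separately:", sorted(uncovered))
    print("ISO 20000 clauses lacking satisfactory evidence:", gaps)
    for clause, pct in sorted(clause_scores(SAMPLE_EVIDENCE).items(), key=lambda kv: int(kv[0])):
        print(f"A.{clause} {ISO27001_CLAUSES[clause]}: {pct:.0f}%")
```

With the sample evidence, the three satisfactory ISO 20000 findings evidence five of the seven ISO 27001 controls in figure 3; the failed emergency-change finding and the missing verification evidence leave 12.5.3 and 15.1.2 to be dealt with on the security side. The point a practitioner should take from this is the one the paper makes in prose: gather the evidence once against the service-management process and let the mapping discharge the security controls, but keep the unmapped remainder visible rather than assuming the overlap is complete.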

If you are seeking the most effective way of delivering high quality services alongside robust operational KPIs and security appropriate for the Electronic Business, then consider making security management part of your IT service improvement programme. This can be regarded as offering savings of about 10% of the cost of having separate teams, whilst delivering better service. Anyone considering certification to ISO 20000 will know that a key focus area for compliance is information security management. An organisation certified to ISO 27001 is deemed to have fully satisfied the requirements of ISO 20000 in this regard, thus proving the link between Security Management and Service Delivery.

For More Information: Contact Fruition Partners at +1 888-604-0055 or info@fruitionpartners.com. You can also browse related resources on our website: ESM Showcase, Case Studies, Webinars.

www.fruitionpartners.com info@fruitionpartners.com +1 888.604.0055