Information security management (ISM) codifies the protection of your environment’s confidentiality, integrity, and availability (CIA) as part of an organization’s overall IT management objectives. ISM involves planning, building, and managing security controls that protect systems and data in the organization against security risks and threats. Furthermore, ISM deals with ensuring
ISM is the practice of protecting information and information systems by maintaining its core tenets, the confidentiality, integrity, and availability (CIA) triad.
- Confidentiality: Focuses on limiting access to data to authorized entities only, and further prevents exposure of information to anyone who is not the intended entity.
- Integrity: Deals with maintaining the accuracy, validity, and completeness of information and information systems. It ensures that data is not modified by anyone other than an authorized entity with valid intent.
- Availability: Concerned with ensuring that authorized entities can access required data whenever and wherever they need it.
One critical component of information security management (ISM) is risk management. Risk management deals with identifying and analyzing security threats and vulnerabilities, thereby quantifying and addressing the risk associated with each of them.
- Threats: Anything harmful that is capable of intentionally or inadvertently compromising the security of organizational assets.
- Vulnerability: A weakness or gap within information and/or information systems.
- Risk: The intersection of threat and vulnerability, which defines the probability of a vulnerability being exploited by a threat agent and the consequence should that exploitation occur. Risk = Threat * Vulnerability.
ISM is a practice that focuses on establishing access controls, security controls, encryption techniques, physical security, incident management, business continuity/disaster recovery, and similar safeguards in an organization.
Information security management (ISM) establishes and describes a set of frameworks, policies, standards, procedures, processes and guidelines that organizations use to protect their assets from various security threats and vulnerabilities. Furthermore, it is a mechanism for protecting sensitive and critical organizational assets from potential security threats, risks and vulnerabilities. The goal of an ISMS (information security management system) is to reduce risk and ensure business continuity (BC) by proactively limiting the impact of a security incident or breach on an organizational asset. It further provides a systematic approach to managing the information security of an organization. Moreover, information security includes a range of frameworks and policies that control and manage the organization's security risk appetite across the entire organization.
The three most prominent pillars of information security management are the confidentiality, integrity and availability (CIA) concepts.
- Confidentiality: Prevents data theft and/or exposure
- Integrity: Protects against unauthorized modification/tampering of data
- Availability: Protects against denial of access to resources or disruption of services for authorized entities
To achieve the objectives of information security management through risk management, organizations should identify the following:
- Vulnerabilities: A flaw or weakness in any resource or asset that has value to the organization
- Threats: A potential danger to the valuable asset should a threat-agent take advantage of the vulnerabilities in the organizational asset. A threat-agent or threat-source is anything and/or anyone that has the potential to cause harm to the organization.
- Impact: Defines how disastrous an event or security incident would be if it were to happen
- Likelihood: Describes the probability that an event or security incident will occur.
- Security controls: Safeguards and countermeasures that organizations employ to protect the confidentiality, integrity and availability (CIA) of data. The controls can be technical, administrative, or physical, with the aim of reducing risk to an acceptable level in the organization.
Therefore, risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability and the resulting consequence or impact of that adverse event on the assets of the organization.
In order to establish information security management that achieves the business objectives and strategic goals of the organization, the following standards and compliance frameworks help protect organizational assets.
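The risk relationship described above (a threat-source exercising a vulnerability, scored as likelihood times impact, with controls pulling the result down toward the organization's acceptable level) is easiest to see in a small risk register. The following is an added example, not code from the article; the 1-5 ordinal scales, the risk-appetite threshold of 6, the sample assets, and the idea that a control subtracts whole steps from the likelihood or impact scale are all assumptions made for illustration.

```python
"""Minimal risk register: inherent vs. residual risk scored as likelihood x impact.

Assumptions (not from the article): 1-5 ordinal scales, a risk appetite of 6,
and controls that reduce likelihood or impact by a fixed number of scale steps.
"""
from dataclasses import dataclass, field
from typing import List

# Assumed qualitative scales mapped to ordinal scores.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed acceptable-risk threshold: a residual score above this needs treatment.
RISK_APPETITE = 6


@dataclass
class Control:
    """A safeguard: technical, administrative or physical (kinds named in the article)."""
    name: str
    kind: str
    likelihood_reduction: int = 0  # steps removed from the likelihood scale
    impact_reduction: int = 0      # steps removed from the impact scale


@dataclass
class Risk:
    """One register entry: a threat-source exercising a vulnerability on an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied: likelihood x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Risk after controls; each factor is floored at 1 (a risk is never zero)."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)


def rank_register(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first, so treatment effort goes where it matters most."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)


def exceeds_appetite(register: List[Risk], appetite: int = RISK_APPETITE) -> List[Risk]:
    """Entries whose residual risk is still above the acceptable level."""
    return [r for r in register if r.residual_score() > appetite]


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Customer database", "external attacker", "unpatched web server",
         "likely", "severe",
         controls=[Control("patch management", "administrative", likelihood_reduction=2),
                   Control("encryption at rest", "technical", impact_reduction=1)]),
    Risk("Primary data centre", "flood", "no alternate site", "rare", "major"),
    Risk("Staff laptops", "theft", "no disk encryption", "possible", "moderate",
         controls=[Control("full-disk encryption", "technical", impact_reduction=2)]),
]


if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        flag = "TREAT" if r.residual_score() > RISK_APPETITE else "accept"
        print(f"{r.asset:22} inherent={r.inherent_score():2} residual={r.residual_score():2} {flag}")
```

In the sample register the customer database starts at 20 (likely x severe), and even after patch management and encryption its residual score of 8 is still above the assumed appetite of 6, so it is the one entry flagged for further treatment; the other two fall within the acceptable level. The value of the exercise is not the arithmetic but the ordering: it makes the choice of which control to fund next explicit and reviewable.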
- Information Security Management System (ISMS)
- Cybersecurity Framework (CSF)
- Risk Management Framework (RMF)
- Center for Internet Security (CIS)
- COBIT 5
- General Data Protection Regulation (GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- More
Some benefits of information security management (ISM) include one or more of the following:
- Improve organizational security culture and awareness
- Reduce information security costs
- Protect sensitive and critical data
- Meet regulatory compliance requirements
- Provide business continuity (BC) functions
- Adapt to emerging security threats
- More