Information security management (ISM) establishes and describes the set of frameworks, policies, standards, procedures, processes and guidelines that an organization uses to protect its assets from security threats and vulnerabilities. It is the mechanism by which sensitive and critical organizational assets are protected from potential threats, risks and vulnerabilities. The goal of ISM is to reduce risk and ensure business continuity (BC) by proactively limiting the impact of a security incident or breach on an organizational asset. It also provides a systematic approach to managing the information security of an organization, and it includes the frameworks and policies through which the organization defines and controls its security risk appetite across the entire organization.
The three most prominent pillars of information security management are the confidentiality, integrity and availability (CIA) concepts.
- Confidentiality: Prevents data theft and/or exposure
- Integrity: Protects data against unauthorized modification or tampering
- Availability: Ensures that authorized entities are not denied access to resources or that services are not disrupted
Organizations should identify the following issues to achieve the objectives of information security management through risk management endeavors:
- Vulnerabilities: A flaw or weakness in any resource or asset that has value to the organization
- Threats: A potential danger to a valuable asset should a threat-agent take advantage of a vulnerability in the organizational asset. A threat-agent or threat-source is anything and/or anyone that has the potential to cause harm to the organization.
- Impact: Defines how disastrous an event or security incident would be if it were to happen
- Likelihood: Describes the probability that an event or security incident will occur.
- Security controls: Safeguards and countermeasures that organizations employ to protect the confidentiality, integrity and availability (CIA) of data. Controls can be technical, administrative or physical, and their aim is to reduce risk to a level the organization finds acceptable.
Therefore, risk is a function of the likelihood that a given threat-source exercises a particular vulnerability and the resulting consequence or impact of that adverse event on the assets of the organization.
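The risk model just described, worked through as a small risk register; this is an added illustration, not code from the page, and the 1..5 ordinal scales, the multiplicative scoring and the register entries are constructed assumptions. Each scenario ties an asset, a vulnerability and a threat-source to a likelihood and an impact; technical, administrative or physical controls lower those factors, and the residual risk is compared with the organization's risk appetite.

```python
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # constructed 1..5 ordinal scale (assumption, not from the page)

@dataclass
class Control:
    """Safeguard or countermeasure; kind is technical, administrative or physical."""
    name: str
    kind: str
    likelihood_reduction: int = 0  # points removed from likelihood
    impact_reduction: int = 0      # points removed from impact

@dataclass
class RiskScenario:
    asset: str
    vulnerability: str    # flaw or weakness in the asset
    threat_source: str    # who or what could exercise it
    likelihood: int       # probability the incident occurs, 1..5
    impact: int           # how disastrous the incident would be, 1..5
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> int:
        """Risk before any safeguards: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        """Risk after controls; each factor is clamped back onto the scale."""
        clamp = lambda v: max(SCALE_MIN, min(SCALE_MAX, v))
        like = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return clamp(like) * clamp(imp)

def assess(scenarios, risk_appetite: int) -> list:
    """Return (asset, inherent, residual, decision) per scenario; 'accept' when the
    residual risk is within the organization's appetite, otherwise 'treat'."""
    rows = []
    for s in scenarios:
        residual = s.residual_risk()
        rows.append((s.asset, s.inherent_risk(), residual,
                     "accept" if residual <= risk_appetite else "treat"))
    return rows

# Constructed register entries (illustrative only).
REGISTER = [
    RiskScenario("customer database", "unpatched DBMS", "external attacker", 4, 5, [
        Control("patch management", "administrative", likelihood_reduction=2),
        Control("encrypted backups", "technical", impact_reduction=1)]),
    RiskScenario("file server", "no server-room door lock", "intruder", 2, 3, [
        Control("badge access to server room", "physical", likelihood_reduction=1)]),
]
```

Calling `assess(REGISTER, risk_appetite=6)` marks the database scenario "treat" (residual 8) and the file server "accept" (residual 3), showing why the controls list, not the inherent score alone, drives the decision.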
To establish information security management that achieves the business objectives and strategic goals of the organization, the following standards and compliance frameworks are helpful for protecting organizational assets.
- Information Security Management System (ISMS)
- Cybersecurity Framework (CSF)
- Risk Management Framework (RMF)
- Center for Internet Security (CIS)
- COBIT 5
- General Data Protection Regulation (GDPR)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- More
Benefits of information security management (ISM) include the following:
- Improve organizational security culture and awareness
- Reduce information security costs
- Protect sensitive and critical data
- Meet regulatory compliance requirements
- Provide business continuity (BC) functions
- Adapt to emerging security threats
- More