Therefore, it is always important to consider
the relative significance of each of the above dimensions when implementing
an information security system. With this in mind, there are a number
of factors contributing to the successful implementation of an information
security management system:
- there is visible commitment and support from
senior management
- the Security Policy is aligned to the business
objectives of the organisation
- the security system is implemented in a manner
consistent with the culture of the organisation
- the organisation has a good understanding of
its security requirements and is aware of the associated risks
- the security concept has been effectively marketed
to, and understood by, all employees of the organisation - not just
managers
- guidance on the information security policy
and standards has been distributed to all employees and contractors
- all employees and contractors have been appropriately
trained
- key measurements have been identified that will
be used to evaluate the effectiveness of the information security
management system
Information security protects information from
a wide range of threats in order to ensure business continuity,
minimise business damage and maximise return on investment. Every
organisation will have a differing set of requirements in terms
of control and also in the level of confidentiality, integrity and
availability.
From a standards perspective there are two
main tenets:
- BS7799-2:2002 - Specification for Information
Security Management Systems:
  - Provides instructions on how to apply BS ISO
17799
  - Organisations are assessed against this document
  - Replaced in Oct/Nov 2005 by ISO 27001:2005
It should be noted that BS7799 is not actually
an IT standard. It can, and should, be applied across all parts
of the organisation to all forms of information assets, for example,
the controlled and timely distribution of marketing collateral or
HR hand-written notes during a disciplinary process.
As previously indicated, there are 127 security
controls structured under 10 main headings as follows:
- Security Policy
- Organisational Security
- Asset Classification and Control
- Personnel Security
- Physical and Environment Security
- Communications and Operations Management
- Access Control
- System Development and Maintenance
- Business Continuity Management
- Compliance
In addition, the standard documents four clauses
which it is mandatory to follow:
- Clause 4 - Information Security Management System:
Specifies that an organisation must develop, implement, maintain
and continually improve a documented ISMS appropriate to its business
activities and risk
- Clause 5 - Management Responsibility: Ensures
that there is visible and consistent management commitment to the
ISMS
- Clause 6 - Management Review of the ISMS: Specifies
that there must be regular planned reviews of the ISMS by management
to ensure the continual suitability of the ISMS
- Clause 7 - ISMS Improvement: There is an expectation
that an organisation will continually improve the effectiveness
of its ISMS
The standard requires an organisation to define,
create and maintain an Information Security Management System (ISMS)
appropriate to its business activities and the risks it faces. The
purpose of the ISMS is to ensure information security matters are
addressed in a structured manner and covers:
- Organisational structure
- Information security policies
- Planning
- Roles and Responsibilities
- Processes, Practices & Procedures
The ISMS is the means by which the senior management
of an organisation monitors and controls the security of its information
assets, minimising the residual business risk and ensuring that
the security function continues to fulfil corporate, client and
legal requirements.
The standard defines a six step process as the
route-map to achieving BS7799-2 compliance:

The key steps are defining the Information Security
Policy and the creation of the Statement of Applicability.
The policy document defines the organisational
expectations for information security and makes these expectations
visible to the entire organisation. In general, senior management
is responsible for establishing and communicating guiding principles,
direction, and expectations for the organisation.
The Statement of Applicability describes the controls
and control objectives that are relevant and applicable to the organisation's
ISMS, based on the outcome of the risk assessment. It is also important
to describe why any controls are not relevant and provide a justification.
In conclusion, it is important to ensure that
all the information assets of your organisation are appropriately
secured. The adoption of the appropriate best practice and the visible
commitment of Senior Management will go a long way in ensuring that
your information security efforts are effective.