Wednesday, February 29, 2012

Information Security Management Systems (ISMS)

Overview

The main objective of an Information Security Management System (ISMS), as the name implies, is for an organization to design, implement and maintain an understandable and clearly defined suite of processes and systems for effectively managing information security, thus ensuring the confidentiality, integrity and availability of information assets and minimizing information security risks. As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and the external environment. The best known ISMS is described in ISO/IEC 27001 and related standards published jointly by ISO and IEC.

The Internet gateway of an organization is expected to protect the information resources in the internal network from threats coming from the Internet. To implement the ISMS, the Internet gateway should be treated as the information system in scope. Implementing an ISMS consists of four major phases: Plan, Do, Check and Act.

Plan is about designing the ISMS, estimating information security risks and selecting appropriate controls.

Do is all about implementing and operating the controls.

The Check phase's objective is to review and evaluate the efficiency and effectiveness, that is the overall performance, of the ISMS.

In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

Steps to follow to implement ISMS for your organization

Firstly, top management needs to have a good understanding of what information security management is and how it affects the organization's information protection. Support from the top management of the organization, and their commitment to and understanding of the problems of information security, is seen as one of the most important success factors for an efficient implementation of an ISMS.

Commanding capability follows from top management sponsorship and is needed for the success of the project. It is this capability that gives the project the authority to decide on issues regarding information security. Without any real decision-making power, it is very hard, if not impossible, to reach the project goals.

A well-structured project plan is another factor in a successful ISMS implementation. Goals, resources and the time plan for the project should be developed and documented in a project description, and the resources in the project should be well balanced.

Also, all information security projects need budgeted resources. A project without this capability is unable to estimate costs realistically.

Most ISMS implementations stop at the security manager's level. To avoid that, regular communication with the people involved in the project is needed.

Projects with better analytic capability can accurately analyze the existing security situation, and therefore develop a well-balanced ISMS which is also integrated with existing management systems.

Communications and operations management have to be done properly for a better implementation of an ISMS. When planning the system we also have to consider future requirements; this is the most crucial part of the planning process. Future capacity management has to be done with performance in mind, since it allows the ISMS to achieve its goals in a proper manner. Without considering future capacity requirements it is difficult to handle the upgrades that will have to be made to the ISMS in the future.

Protection against malicious and mobile code also has to be considered when talking about future requirements. Detection, prevention and recovery against future threats are also needed; these can be achieved through better risk analysis. Proper backup systems are another factor in a better ISMS.

Another aspect we have to consider for a better implementation of an ISMS is access control. The main consideration here is a well-defined access policy. User access management, user responsibilities and operating system access controls have to be maintained for a better access control strategy.

Motivation of the individuals participating in the ISMS project, such as project participants, project managers, and those responsible for different areas in the organization, is a must for an efficient implementation. After the development of the ISMS, it will also have to be implemented, and at that stage the importance of this success factor grows: all employees in the whole organization will have to be motivated to adhere to the rules. Further, they should regularly use the technical solutions that the project has developed and that management has decided on, and for this they need motivation.

Thinking about security and writing policies, as I mentioned in my last post, is one thing; implementing the ideas, rules, controls and procedures is another. Executive capability means that the project can get things done. One of the things that will need to be done is to put the policy into practice, and this in turn often requires, for example, the ability to influence people in the IT department, in IT development and in other parts of the organization.

Though an ISMS involves the IT department, we have to look at it across the whole organization. This is called the holistic approach, and it is another plus for a better implementation of the project. It is mainly the connection between information security and the organization's core activities that is seen as important: the ISMS should take these into account and cover the whole organization, so that it does not end at the security or IT department.

When considering ISMS implementation, a formal configuration management plan is a must. Without a proper configuration plan, accidental misconfigurations can happen in network devices such as firewalls, which could lead to a security breach of the organization. All the hardware and software used in the ISMS must have appropriate warranties, and the warranty period must be negotiable.

Also, other than motivating employees to stick to the rules, we have to instruct them to keep their desktops, laptops and mobile devices up to date with patches. All the organization's PCs and laptops must be standardized on a licensed OS.

These are some of the uses of an ISMS that we identified with reference to ISO/IEC 27001 and ISMS7799.
1. Identification and clarification of existing information security management processes.
2. Formulation of security requirements and objectives.
3. To ensure that security risks are cost-effectively managed.
4. To ensure compliance with laws and regulations.
5. As a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met.
6. To be used by management to determine the status of information security management activities.
7. To be used by internal and external auditors to determine the degree of compliance with the policies, directives and standards adopted by an organization.
8. To provide relevant information about information security policies, commands, standards and procedures to trading partners.
9. To provide relevant information about information security to customers.
