Post on 06-Jan-2018
• Security Management
https://store.theartofservice.com/the-security-management-toolkit.html
IT risk management - Organization for security management
The set up of the organization in charge of risk management is foreseen as partially fulfilling the requirement to provide the resources needed to establish, implement, operate, monitor, review, maintain and improve an ISMS. The main roles inside this organization are:
• the business and functional managers
• the Information System Security Officer (ISSO) or Chief Information Security Officer (CISO)
• IT Security Practitioners
Information Technology Infrastructure Library - Information security management system
The ITIL process Security Management describes the structured fitting of information security in the management organization. ITIL security management is based on the code of practice for information security management systems (ISMS) now known as ISO/IEC 27002.

A basic goal of security management is to ensure adequate information security. The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organization. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability.

Mounting pressure on many organizations to structure their information security management systems in accordance with ISO/IEC 27001 required revision of the ITIL v2 security management volume, which culminated in the release of the 2007 edition.
Network security - Security management
Security management for networks is different for all kinds of situations. A home or small office may only require basic security, while large businesses may require high-maintenance and advanced software and hardware to prevent malicious attacks from hacking and spamming.
Business continuity - Security management
In today's global business environment, security must be the top priority in managing Information Technology. For most organizations, security is mandated by law, and conformance to those mandates is investigated regularly in the form of audits. Failure to pass security audits can have financial and management-changing impacts upon an organization.
Security - Security management in organizations
In the corporate world, various aspects of security were historically addressed separately - notably by distinct and often noncommunicating departments for IT security, physical security, and fraud prevention. Today there is a greater recognition of the interconnected nature of security requirements, an approach variously known as holistic security, "all hazards" management, and other terms.

Inciting factors in the convergence of security disciplines include the development of digital video surveillance technologies (see Professional video over IP) and the digitization and networking of physical control systems (see SCADA).

Although the title supply chain is included, this Standard specifies the requirements for a security management system, including those aspects critical to security assurance for any organisation or enterprise wishing to manage the security of the organisation and its activities.
Information security management
Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes the controls that an organization needs to implement to ensure that it is sensibly managing these risks.

The risks to these assets can be calculated by analysis of the following issues:
• Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets.
• Vulnerabilities. How susceptible your assets are to attack.
• Impact. The magnitude of the potential loss or the seriousness of the event.

Standards that are available to assist organizations in implementing the appropriate programmes and controls to mitigate these risks are, for example, BS7799/ISO 17799, the Information Technology Infrastructure Library and COBIT.
ITIL security management
The ITIL security management process describes the structured fitting of security in the management organization.

ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

A basic concept of security management is information security. The primary goal of information security is to guarantee the safety of information. When protecting information, it is the value of the information that must be protected. These values are stipulated by confidentiality, integrity and availability.

The goal of Security Management is split up in two parts:
• The realization of the security requirements defined in the service level agreement (SLA) and other external requirements which are specified in underpinning contracts, legislation and possible internally or externally imposed policies.
• The realization of a basic level of security. This is necessary to guarantee the continuity of the management organization. It is also necessary in order to reach a simplified service-level management for information security, as it happens to be easier to manage a limited number of SLAs than it is to manage a large number of SLAs.

The input of the security management process is formed by the SLAs with the specified security requirements, legislation documents (if applicable) and other (external) underpinning contracts. These requirements can also act as key performance indicators (KPIs) which can be used for the process management and for the justification of the results of the security management process. The output gives justification information for the realization of the SLAs and a report with deviations from the requirements.

The security management process has relations with almost all other ITIL processes. However, in this particular section the most obvious relations will be the relations to the service level management process, the incident management process and the Change Management process.
ITIL security management - The security management process
The security management process consists of activities that are carried out by the security management itself or activities that are controlled by the security management.

Because organizations and their information systems constantly change, the activities within the security management process must be revised continuously, in order to stay up-to-date and effective. Security management is a continuous process and it can be compared to W. Edwards Deming's Quality Circle (Plan, Do, Check, Act).

The inputs are the requirements which are formed by the clients. The activities, results/products and the process are documented. External reports are written and sent to the clients. The clients are then able to adapt their requirements based on the information received through the reports. Furthermore, the service provider can adjust their plan or the implementation based on their findings in order to satisfy all the requirements stated in the SLA (including new requirements).
ITIL security management - Control
The first activity in the security management process is the "Control" sub-process. The Control sub-process organizes and manages the security management process itself. The Control sub-process defines the processes, the allocation of responsibility, the policy statements and the management framework.

The security management framework defines the sub-processes for: the development of security plans, the implementation of the security plans, the evaluation and how the results of the evaluations are translated into action plans. Furthermore, the management framework defines how reporting to clients should be done.

The activities that take place in the Control process are summed up in the following table, which contains the name of the (sub) activity and a short definition of the activity.

Activity: Control
• Sub-activity: Implement policies. This process outlines the specific requirements and rules that have to be met in order to implement security management. The process ends with policy statements.
• Sub-activity: Set up the security organization. This process sets up the organization for information security. For example, in this process the structure and the responsibilities are set up. This process ends with the security management framework.
• Sub-activity: Reporting. In this process the whole targeting process is documented in a specific way. This process ends with reports.

The meta-modeling technique was used in order to model the activities of the control sub-process. Furthermore, it is noticeable that the first two activities are not linked with an arrow and that there is a black stripe with an arrow leading to the reporting activity. This means that the first two activities are not sequential. They are unordered activities, and after these two activities have taken place the reporting activity will sequentially follow. For a more extensive explanation of the meta-modeling technique consult the Meta-modeling wiki.

Concepts of the Control sub-process:
• CONTROL DOCUMENTS: CONTROL is a description of how SECURITY MANAGEMENT will be organized and how it will be managed.
• POLICY STATEMENTS: POLICY STATEMENTS are documents that outline specific requirements or rules that must be met. In the information security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.
• SECURITY MANAGEMENT FRAMEWORK: SECURITY MANAGEMENT FRAMEWORK is an established management framework to initiate and control the implementation of information security within your organization and to manage ongoing information security provision.

The meta-data model of the control sub-process is based on a UML class diagram. Figure 2.1.2 shows the meta-data model of the control sub-process. The CONTROL rectangle with a white shadow is an open complex concept. This means that the CONTROL rectangle consists of a collection of (sub) concepts and these concepts are expanded in this particular context.
ITIL security management - Plan
The Plan sub-process contains activities that in cooperation with Service Level Management lead to the (information) Security section in the SLA. Furthermore, the Plan sub-process contains activities that are related to the underpinning contracts which are specific for (information) security. In the Plan sub-process the goals formulated in the SLA are specified in the form of Operational Level Agreements (OLA). These OLAs can be defined as security plans for a specific internal organization entity of the service provider.

Besides the input of the SLA, the Plan sub-process also works with the policy statements of the service provider itself. As said earlier, these policy statements are defined in the control sub-process.

The Operational Level Agreements for information security are set up and implemented based on the ITIL process. For example, if the security management wishes to change the IT infrastructure in order to achieve maximum security, these changes will only be done through the Change Management process. The Security Management will deliver the input (Request for Change) for this change.
Activity: Plan
• Sub-activity: Create Security section for SLA. This process contains activities that lead to the security agreements paragraph in the service level agreements. At the end of this process the Security section of the service level agreement is created.
• Sub-activity: Create underpinning contracts. This process contains activities that lead to UNDERPINNING CONTRACTS. These contracts are specific for security.
• Sub-activity: Create Operational level agreements. The generally formulated goals in the SLA are specified in operational level agreements, plans for specific organization units.
• Sub-activity: Reporting. In this process the whole Create plan process is documented in a specific way.

As well as for the Control sub-process, the Plan sub-process has been modeled using the meta-modeling technique. On the right side of figure 2.2.1 the meta-process model of the Plan sub-process is given. As you can see, the Plan sub-process consists of a combination of unordered and ordered (sub) activities. Furthermore, it is noticeable that the sub-process contains three complex activities which are all closed activities and one standard activity.

Table 2.2.1 consists of concepts that are created or adjusted during the plan sub-process:
• PLAN: Formulated schemes for the security agreements.
• Security section of the service level agreements: The security agreements paragraph in the written agreements between a Service Provider and the customer(s) that documents agreed Service Levels for a service.
• UNDERPINNING CONTRACTS: A contract with an external supplier covering delivery of services that support the IT organisation in their delivery of services.
• OPERATIONAL LEVEL AGREEMENTS: An internal agreement covering the delivery of services which support the IT organization in their delivery of services.

The two closed concepts are not expanded in this particular context. The following picture (figure 2.2.1) is the process-data diagram of the Plan sub-process. This picture shows the integration of the two models. The dotted arrows indicate which concepts are created or adjusted in the corresponding activities of the Plan sub-process.
ITIL security management - Implementation
The Implementation sub-process makes sure that all measures, as specified in the plans, are properly implemented. During the Implementation sub-process no (new) measures are defined nor changed. The definition or change of measures will take place in the Plan sub-process in cooperation with the Change Management Process.

The activities that take place in the implementation sub-process are summed up in the following table (table 2.3.1). The table contains the name of the (sub) activity and a short definition of the activity.
Activity: Implement
• Sub-activity: Classifying and managing of IT applications. Process of formally grouping configuration items by type, e.g., software, hardware, documentation, environment, application. Process of formally identifying changes by type, e.g., project scope change request, validation change request, infrastructure change request. This process leads to asset classification and control documents.
• Sub-activity: Implement personnel security. Here measures are adopted in order to give personnel safety and confidence, and measures to prevent crime/fraud.
• Sub-activity: Implement security management. In this process specific security requirements and/or security rules that must be met are outlined and documented.
• Sub-activity: Implement access control. In this process specific access security requirements and/or access security rules that must be met are outlined and documented.
• Sub-activity: Reporting. In this process the whole implement-as-planned process is documented in a specific way.

Table 2.3.1: (Sub) activities and descriptions, Implementation sub-process, ITIL Security Management
The left side of figure 2.3.1 is the meta-process model of the Implementation phase. The four labels with a black shadow mean that these activities are closed concepts and they are not expanded in this context. It is also noticeable that there are no arrows connecting these four activities; this means that these activities are unordered and the reporting will be carried out after the completion of all four activities.

During the implementation phase there are a number of concepts that are created and/or adjusted:
• Implementation: Accomplished security management according to the security management plan.
• Asset classification and control documents: A comprehensive inventory of assets with responsibility assigned to ensure that effective security protection is maintained.
• Personnel security: Well-defined job descriptions for all staff outlining security roles and responsibilities.
• Security policies: Security policies are documents that outline specific security requirements or security rules that must be met.
• Access control: Network management to ensure that only those with the appropriate responsibility have access to information in the networks and the protection of the supporting infrastructure.

Table 2.3.2: Concept and definition, Implementation sub-process, Security management

The concepts created and/or adjusted are modeled using the meta-modeling technique. The right side of figure 2.3.1 is the meta-data model of the implementation sub-process. The implementation documents are an open concept and are expanded upon in this context. It consists of four closed concepts which are not expanded because they are irrelevant in this particular context. In order to make the relations between the two models clearer, the integration of the two models is illustrated in figure 2.3.1. The dotted arrows running from the activities to the concepts illustrate which concepts are created/adjusted in the corresponding activities.

Figure 2.3.1: Process-data model, Implementation sub-process
ITIL security management - Evaluation
1 The evaluation of the implementation and the plans is very important.
https://store.theartofservice.com/the-security-management-toolkit.html
ITIL security management - Evaluation
1 The evaluation is necessary to measure the success of the implementation and the
Security plans.
https://store.theartofservice.com/the-security-management-toolkit.html
ITIL security management - Evaluation
The evaluation is also very important for the clients (and possibly third parties). The results of the Evaluation sub-process are used to maintain the agreed measures and the implementation itself. Evaluation results can lead to new requirements and so lead to a Request for Change. The Request for Change is then defined and sent to the Change Management process.

There are mainly three sorts of evaluation: self-assessment, internal audit, and external audit. The self-assessment is mainly carried out in the organization of the processes. The internal audits are carried out by internal IT auditors and the external audits are carried out by external, independent IT auditors.

Besides the evaluations already mentioned, an evaluation based on the communicated security incidents will also take place. The most important activities for this evaluation are: security monitoring of IT systems; verifying that the security legislation and the implementation of the security plans are complied with; and tracing and reacting to undesirable use of the IT supplies.

The activities that take place in the evaluation sub-process are summed up in the following table (Table 2.4.1).
Table 2.4.1: (Sub) activities and descriptions, Evaluation sub-process, ITIL Security Management

Activity: Evaluate
  Self-assessment: In this process an examination of the implemented security agreements is done by the organization of the process itself. The result of this process is SELF ASSESSMENT DOCUMENTS.
  Internal audit: In this process an examination of the implemented security agreements is done by an internal EDP auditor.
  External audit: In this process an examination of the implemented security agreements is done by an external EDP auditor.
  Evaluation based on security incidents: In this process an examination of the implemented security agreements is done based on security events which are not part of the standard operation of a service and which cause, or may cause, an interruption to, or a reduction in, the quality of that service.
  Reporting: In this process the whole Evaluate implementation process is documented in a specific way.
Figure 2.4.1: Process-data model, Evaluation sub-process

The process-data diagram illustrated in figure 2.4.1 consists of a meta-process model and a meta-data model. The Evaluation sub-process was modeled using the meta-modeling technique. The dotted arrows running from the meta-process diagram (left) to the meta-data diagram (right) indicate which concepts are created/adjusted in the corresponding activities. All of the activities in the evaluation phase are standard activities. For a short description of the Evaluation phase concepts see Table 2.4.2, where the concepts are listed and defined.
Table 2.4.2: Concept and definition, Evaluation sub-process, Security management

EVALUATION: Evaluated/checked implementation.
RESULTS: The outcome of the evaluated implementation.
SELF ASSESSMENT DOCUMENTS: Result of the examination of the security management by the organization of the process itself.
INTERNAL AUDIT: Result of the examination of the security management by the internal EDP auditor.
EXTERNAL AUDIT: Result of the examination of the security management by the external EDP auditor.
SECURITY INCIDENTS DOCUMENTS: Results of evaluating security events which are not part of the standard operation of a service and which cause, or may cause, an interruption to, or a reduction in, the quality of that service.
ITIL security management - Maintenance

It is necessary for the security to be maintained. Because of changes in the IT infrastructure and changes in the organization itself, security risks are bound to change over time. The maintenance of the security concerns both the maintenance of the security section of the service level agreements and the more detailed security plans.

The maintenance is based on the results of the Evaluation sub-process and insight into the changing risks. These activities will only produce proposals. The proposals serve as inputs for the Plan sub-process and will go through the whole cycle, or the proposals can be taken up in the maintenance of the service level agreements. In both cases the proposals could lead to activities in the action plan. The actual changes will be carried out by the Change Management process. For more information about the Change Management process consult the Change Management Wiki.

The activities that take place in the maintain sub-process are summed up in the following table (Table 2.5.1).
Table 2.5.1: (Sub) activities and descriptions, Maintenance sub-process, ITIL Security Management

Request for change to SLA and/or OLA: A request for a change to the SLA and/or OLA is formulated.
Reporting: In this process the whole "maintain implemented security policies" process is documented in a specific way.
Figure 2.5.1 is the process-data diagram of the implementation sub-process. This picture shows the integration of the meta-process model (left) and the meta-data model (right).

Figure 2.5.1: Process-data model, Maintenance sub-process

The maintenance sub-process starts with the maintenance of the service level agreements and the maintenance of the operational level agreements. After these activities take place (in no particular order), if there is a request for a change, the request for change activity will take place, and after the request for change activity is concluded the reporting activity starts. If there is no request for a change then the reporting activity will start directly after the first two activities. The concepts in the meta-data model are created/adjusted during the maintenance phase.
Table 2.5.2: Concept and definition, Plan sub-process, Security management

MAINTENANCE DOCUMENTS: Agreements kept in proper condition.
MAINTAINED SERVICE LEVEL AGREEMENTS: Service Level Agreements (security paragraph) kept in proper condition.
REQUEST FOR CHANGE: Form, or screen, used to record details of a request for a change to the SLA/OLA.
ITIL security management - Complete process-data model

The following picture shows the complete process-data model of the Security Management process. This means that the complete meta-process model, the complete meta-data model and the integrations of the two models of the Security Management process are shown.

Figure 2.6.1: Process-data model, Security Management process

ITIL security management - Relations with other ITIL processes

The Security Management process, as stated in the introduction, has relations with almost all other ITIL processes.

IT Customer Relationship Management
IT Service Continuity Management

Within these processes there are a couple of activities concerning security that have to take place. However, Security Management will give indications to the process concerned on how these (security-specific) activities should be structured.
ITIL security management - Example

The use of internal e-mail in an organization has a lot of security risks. So if an organization chooses to use e-mail as a means of communication, it is highly necessary that the organization implements a well thought out e-mail security plan and policies. In this example the ITIL Security Management approach is used to implement e-mail policies in an organization.

First of all, the Security Management team is formed and the guidelines for how the process should be carried out are formulated and made clear to all employees and providers concerned. These actions are carried out in the Control phase of the Security Management process.

The next step in the process to implement e-mail policies is the Planning. In the Plan phase of the process the policies are formulated. Besides the policies that are already written in the Service Level Agreements, the policies that are specific to e-mail security are formulated and added to the service level agreements. At the end of this phase the entire plan is formulated and is ready to be implemented.

The following phase in the process is the actual implementation of the e-mail policies. The implementation is done according to the plan which was formulated in the preceding phase (Plan phase).

After the actual implementation the e-mail policies will be evaluated. In order to evaluate the implemented policies the organization will perform:

The last phase is the maintenance phase. In the maintenance phase the implemented e-mail policies are maintained. The organization now knows which policies are properly implemented and properly followed, which policies need more work in order to help the security plan of the organization, and whether there are new policies that have to be implemented. At the end of this process the Requests for Change are formulated (if needed) and the e-mail policies are properly maintained.

In order for the organization to keep its security plan up to date the organization will have to perform the security management process continuously. There is no end to this process; an organization can always better its security.
Security management

Security management is the identification of an organization's assets (including information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets. An organisation uses such security management procedures as information classification, risk assessment, and risk analysis to identify threats, categorise assets, and rate system vulnerabilities so that it can implement effective controls.

Security management - Loss prevention

Loss prevention focuses on what your critical assets are and how you are going to protect them. A key component of loss prevention is assessing the potential threats to the successful achievement of the goal. This must include the potential opportunities that further the objective (why take the risk unless there's an upside?). Balance probability and impact, then determine and implement measures to minimize or eliminate those threats.

Security management - Security risk management

Management of security risks applies the principles of risk management to the management of security threats. It consists of identifying threats (or risk causes), assessing the effectiveness of existing controls to face those threats, determining the risks' consequence(s), prioritising the risks by rating the likelihood and impact, classifying the type of risk, and selecting an appropriate risk option or risk response.
Security management - External

Strategic: like competition and customer demand
Operational: Regulation, suppliers, contracts
Compliance: new regulatory or legal requirements are introduced, or existing ones are changed, exposing the organisation to a non-compliance risk if measures are not taken to ensure compliance

Security management - Internal

Hazard: Safety and security; employees and equipment
Compliance: Actual or potential changes in the organisation's systems, processes, suppliers, etc. may create exposure to a legal or regulatory non-compliance.
Security management - Risk avoidance

This is the first choice to be considered. The possibility of eliminating the existence of criminal opportunity, or avoiding the creation of such an opportunity, is always the best solution, provided that additional considerations or factors are not created as a result of this action that would create a greater risk. As an example, removing all the cash from a retail outlet would eliminate the opportunity for stealing the cash, but it would also eliminate the ability to conduct business.

Security management - Risk reduction

When avoiding or eliminating the criminal opportunity conflicts with the ability to conduct business, the next step is the reduction of the opportunity and potential loss to the lowest level consistent with the function of the business. In the example above, the application of risk reduction might result in the business keeping only enough cash on hand for one day's operation.

Security management - Risk spreading

Assets that remain exposed after the application of reduction and avoidance are the subjects of risk spreading. This is the concept that limits loss or potential losses by exposing the perpetrator to the probability of detection and apprehension prior to the consummation of the crime, through the application of perimeter lighting, barred windows and intrusion detection systems. The idea here is to reduce the time available to steal assets and escape without apprehension.

Security management - Risk transfer

Transferring risks to other alternatives when those risks have not been reduced to acceptable levels. The two primary methods of accomplishing risk transfer are to insure the assets or to raise prices to cover the loss in the event of a criminal act. Generally speaking, when the first three steps have been properly applied, the cost of transferring risks is much lower.

Security management - Risk acceptance

All remaining risks must simply be assumed by the business as a risk of doing business. Included with these accepted losses are deductibles which have been made part of the insurance coverage.

Security management - Access control

Locks, simple or sophisticated, such as biometric authentication and keycard locks

Security management - Physical security

Security guards (armed or unarmed) with wireless communication devices (e.g., two-way radio)
Federal Information Security Management Act of 2002

The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB).

Federal Information Security Management Act of 2002 - Purpose of the act

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level. According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

Federal Information Security Management Act of 2002 - Implementation of FISMA

In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems.

Information Security Automation Program (ISAP)
National Vulnerability Database (NVD): the U.S. government content repository for ISAP and SCAP. NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).

Federal Information Security Management Act of 2002 - Compliance framework defined by FISMA and supporting standards

FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.
Federal Information Security Management Act of 2002 - Inventory of information systems

FISMA requires that agencies have in place an information systems inventory.

Federal Information Security Management Act of 2002 - Categorize information and information systems according to risk level

All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels. The first mandatory security standard required by the FISMA legislation, FIPS 199 Standards for Security Categorization of Federal Information and Information Systems, provides the definitions of security categories. The guidelines are provided by NIST SP 800-60 Guide for Mapping Types of Information and Information Systems to Security Categories.

The overall FIPS 199 system categorization is the high water mark for the impact rating of any of the criteria for information types resident in a system. For example, if one information type in the system has a rating of Low for confidentiality, integrity, and availability, and another type has a rating of Low for confidentiality and availability but a rating of Moderate for integrity, then the entire system has a FIPS 199 categorization of Moderate.
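The high water mark rule above is a small algorithm: for each security objective take the maximum impact over every information type the system hosts, and the system categorization is the maximum of those. The following Python is an added example, not code from the page or from FIPS 199 itself; the Impact and InfoType names and the two sample information types are constructed to reproduce the page's Low/Low/Low plus Low/Moderate/Low case. It goes one step beyond the page by also handling FIPS 199's "not applicable" value, which a single information type may carry for confidentiality only (public information) and which is floored to Low once the system as a whole is categorized.

```python
# Added example (not from the page): FIPS 199 high water mark categorization.
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Optional


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the highest."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class InfoType:
    """Security category of one information type (hypothetical names/values).

    confidentiality may be None, FIPS 199's 'not applicable', which is
    permitted only for that objective (e.g. public information)."""
    name: str
    confidentiality: Optional[Impact]
    integrity: Impact
    availability: Impact


OBJECTIVES = ("confidentiality", "integrity", "availability")


def type_high_water_mark(info_type: InfoType) -> Impact:
    """Highest impact across the three objectives for a single information type."""
    values = [getattr(info_type, obj) for obj in OBJECTIVES]
    return max(v for v in values if v is not None)


def system_category(info_types: Iterable[InfoType]) -> Dict[str, Impact]:
    """Per-objective high water mark for an information system.

    For each objective take the maximum impact over all resident information
    types. A system objective can never be 'not applicable': if every type
    is N/A for confidentiality the system value floors to LOW."""
    types: List[InfoType] = list(info_types)
    if not types:
        raise ValueError("a system must host at least one information type")
    category: Dict[str, Impact] = {}
    for obj in OBJECTIVES:
        rated = [getattr(t, obj) for t in types if getattr(t, obj) is not None]
        category[obj] = max(rated, default=Impact.LOW)
    return category


def system_high_water_mark(info_types: Iterable[InfoType]) -> Impact:
    """Overall FIPS 199 categorization: the highest per-objective value."""
    return max(system_category(info_types).values())


def format_category(category: Dict[str, Impact]) -> str:
    """Render in the FIPS 199 notation SC = {(confidentiality, X), ...}."""
    inner = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


# Constructed sample data reproducing the page's example: type A is Low on
# every objective, type B is Low/Moderate/Low, so the system is Moderate.
SAMPLE_TYPES = [
    InfoType("Type A (e.g. routine correspondence)", Impact.LOW, Impact.LOW, Impact.LOW),
    InfoType("Type B (e.g. financial records)", Impact.LOW, Impact.MODERATE, Impact.LOW),
]


if __name__ == "__main__":
    for t in SAMPLE_TYPES:
        print(f"{t.name}: high water mark {type_high_water_mark(t).name}")
    print(format_category(system_category(SAMPLE_TYPES)))
    print("System categorization:", system_high_water_mark(SAMPLE_TYPES).name)
```

The per-objective result matters in practice as much as the single overall level: FIPS 200 and SP 800-53 baselines are chosen from the overall high water mark, but the per-objective values tell you which objective drove it and therefore which controls deserve the most attention during tailoring.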
Federal Information Security Management Act of 2002 - Security controls

Federal information systems must meet the minimum security requirements. These requirements are defined in the second mandatory security standard required by the FISMA legislation, FIPS 200 Minimum Security Requirements for Federal Information and Information Systems. Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in Special Publication 800-53. This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments. The controls selected or planned must be documented in the System Security Plan.

Federal Information Security Management Act of 2002 - Risk assessment

The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of security for all federal information and information systems. A risk assessment starts by identifying potential threats and vulnerabilities and mapping implemented security controls to individual vulnerabilities. NIST also initiated the Information Security Automation Program (ISAP) and Security Content Automation Protocol (SCAP) that support and complement the approach for achieving consistent, cost-effective security control assessments.
Federal Information Security Management Act of 2002 - System security plan

Agencies should develop policy on the system security planning process. NIST SP 800-18 introduces the concept of a System Security Plan. System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls. The System Security Plan is the major input to the security certification and accreditation process for the system.

Federal Information Security Management Act of 2002 - Certification and accreditation

Once the system documentation and risk assessment have been completed, the system's controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (later revised as NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems). Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls. The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification.

Federal Information Security Management Act of 2002 - Continuous monitoring

All accredited systems are required to monitor a selected set of security controls, and the system documentation is updated to reflect changes and modifications to the system. Large changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.

Federal Information Security Management Act of 2002 - Critique

Security experts Bruce Brody, a former federal chief information security officer, and Alan Paller, director of research for the SANS Institute, have described FISMA as a well-intentioned but fundamentally flawed tool, and argued that the compliance and reporting methodology mandated by FISMA measures security planning rather than measuring information security.
Information security management system

An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The idioms arose primarily out of BS 7799.

The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
Information security management system - ISMS description

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:

* The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
* The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.

ISO/IEC 27001:2005 is a risk-based information security standard, which means that organizations need to have a risk management process in place. The risk management process fits into the PDCA model given above.

However, the latest standard, ISO/IEC 27001:2013, does not use this cycle.

Another competing ISMS is the Information Security Forum's Standard of Good Practice (SOGP). It is more best-practice-based, as it comes from the ISF's industry experience.

Some other well-known ISMSs include the Common Criteria (CC) international standard and the IT Security Evaluation Criteria (ITSEC).

Some nations use their own ISMS, e.g., the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of the USA, the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) of the USA, the Trusted Computer System Evaluation Criteria (TCSEC) of the USA, the IT Baseline Protection Manual (ITBPM) of Germany, the ISMS of Japan, the ISMS of Korea, and the Information Security Check Service (ISCS) of Korea.

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to information security.

The table below compares the certification structure of some of the best-known ISMSs:

|                             | BS 7799                                                            | Common Criteria (CC)                                                              | IT Security Evaluation Criteria (ITSEC)                                           |
| Operation Area              | England                                                            | About 25 countries                                                                | European countries                                                                |
| Structure                   | 11 security domains; 133 security controls                         | 3 parts; 11 security functional requirements                                      |                                                                                   |
| Certification steps         | 6. Prepare a statement of applicability                            | 1. PP/ST introduction; 7. TOE summary specification                               |                                                                                   |
| Difference of Process       | Emphasis on managerial security                                    | Emphasis on technical security                                                    | Emphasis on managerial security                                                   |
| Specification Control Point | Provide best code of practice for information security management  | Provide common set of requirements for the security functionality of IT products  | Provide common set of requirements for the security functionality of IT products  |
| Evaluation Method           | Use the PDCA model cycle                                           | Follow each certification evaluation procedure                                    | Follow Commission of the European Communities                                     |

There are a number of initiatives focused on the governance and organizational issues of securing information systems, bearing in mind that it is a business and organizational problem, not only a technical problem:

* The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 that recognized the importance of information security to the economic and national security interests of the United States.
* The Governing for Enterprise Security Implementation Guide of the Carnegie Mellon University Software Engineering Institute CERT is designed to help business leaders implement an effective program to govern information technology (IT) and information security.
* A Capability Maturity Model (CMM) for system security engineering was standardized in ISO/IEC 21827.
* ISM3 is a standard for security management (how to achieve the organization's mission despite errors, attacks and accidents with a given budget).
Information security management system - Need for an ISMS

Security experts say and statistics confirm that:

* information technology security administrators should expect to devote approximately one-third of their time addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;
* security depends on people more than on technology;
* employees are a far greater threat to information security than outsiders;
* security is like a chain. It is only as strong as its weakest link;
* the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;
* security is not a status or a snapshot, but a running process.

These facts inevitably lead to the conclusion that security administration is a management issue, and not a purely technical issue.

The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks. Critical factors of an ISMS:

* Confidentiality: protecting information from unauthorized parties.
* Integrity: protecting information from modification by unauthorized users.
* Availability: making the information available to authorized users.

A company will be capable of successfully addressing information confidentiality, integrity and availability requirements, which in turn have implications:

In doing so, information security management will enable implementing the desirable qualitative characteristics of the services offered by the organization (i.e.

Large organizations, or organizations such as banks and financial institutes, telecommunication operators, hospitals and health institutes and public or governmental bodies, have many reasons for addressing information security very seriously. Legal and regulatory requirements which aim at protecting sensitive or personal data, as well as general public security requirements, impel them to devote the utmost attention and priority to information security risks.

Under these circumstances the development and implementation of a separate and independent management process, namely an Information Security Management System, is the one and only alternative.
Information security management system - Critical success factors for ISMS

* have the continuous, unshakeable and visible support and commitment of the organization's top management;
* be an integral part of the overall management of the organization, related to and reflecting the organization's approach to risk management, the control objectives and controls and the degree of assurance required;
* have security objectives and activities based on business objectives and requirements and led by business management;
* undertake only necessary tasks, avoiding over-control and waste of valuable resources;
* fully comply with the organization's philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables them to do it in control and demonstrate their fulfilled accountabilities;
* be based on continuous training and awareness of staff and avoid the use of disciplinary measures and "police" or "military" practices;
Information security management system - Dynamic issues in ISMS

There are three main problems which lead to uncertainty in information security management systems (ISMS):

* Dynamically changing security requirements of an organization. Rapid technological development raises new security concerns for organizations. The existing security measures and requirements become obsolete as new vulnerabilities arise with the development of technology. To overcome this issue, the ISMS should organize and manage dynamically changing requirements and keep the system up to date.
* Externality is an economic concept for the effects borne by a party that is not directly involved in a transaction.
* Obsolete evaluation of security concerns. The evaluations of security concerns used in an ISMS become obsolete as technology progresses and new threats and vulnerabilities arise.
Security systems - Security management in organizations

Inciting factors in the convergence of security disciplines include the development of digital video surveillance technologies (see Professional video over IP) and the digitization and networking of physical control systems (see SCADA). [Taming the Two-Headed Beast, CSOonline, September 2002, http://www.csoonline.com/read/090402/beast.html] [Security 2.0, CSOonline, April 2005, http://www.csoonline.com/read/041505/constellation.html] Greater interdisciplinary cooperation is further evidenced by the February 2005 creation of the Alliance for Enterprise Security Risk Management, a joint venture including leading associations in security (ASIS International), information security (ISSA, the Information Systems Security Association), and IT audit (ISACA, the Information Systems Audit and Control Association).
Fraud Squad - NHS Counter Fraud and Security Management Service

The NHS Counter Fraud and Security Management Service is an independent Division of the NHS Business Services Authority and has responsibility for all policy and operational matters relating to the prevention, detection and investigation of fraud and corruption and the management of security in the National Health Service. [NHS Counter Fraud and Security Management Service, http://www.cfsms.nhs.uk/ (accessed 20/152/06)]

* NHS Counter Fraud Service established in September 1998
* NHS Security Management Service was established in 2003 to form the NHS Counter Fraud and Security Management Service.
* To reduce fraud to an absolute minimum and hold it permanently at that level, releasing resources for better patient care and services
* With the delivery of an environment for those who use or work in the NHS which is properly secure so that the highest possible standard of clinical care can be made available to patients.
Federal Information Security Management Act of 2002

The Federal Information Security Management Act of 2002 (FISMA) is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002.

OMB uses this data to assist in its oversight responsibilities and to prepare this annual report to Congress on agency compliance with the act. [FY 2005 Report to Congress on Implementation of The Federal Information Security Management Act of 2002] In FY 2008, federal agencies spent $6.2 billion securing the government's total information technology investment of approximately $68 billion, or about 9.2 percent of the total information technology portfolio. [FY 2008 Report to Congress on Implementation of The Federal Information Security Management Act of 2002]

Federal Information Security Management Act of 2002 - Purpose of the act

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.

Federal Information Security Management Act of 2002 - Implementation of FISMA

In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems.

* Information Security Automation Program (ISAP)
* National Vulnerability Database (NVD), the U.S. government content repository for ISAP and the Security Content Automation Protocol (SCAP). NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).

Federal Information Security Management Act of 2002 - Inventory of information systems

The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.
Information Security Management Certified Professional

Information Security Management Certified Professional (ISMCP) is a designation awarded by INFINIDOX.

Relevant information security background, both theoretical and practical, is required to pass the ISMCP examination (http://www.infinidox.com/?a=ismcp).

* Security administration
* Communication systems security
* Applications security

Candidates are recommended to have a minimum of 5 years of experience in one or more of the six topic areas that the exam covers.
FCAPS - Security management

Security management is the process of controlling access to assets in the network. Data security can be achieved mainly with authentication and encryption. Authorization is configured with OS and DBMS access control settings.

Security management functions include managing network authentication, authorization, and auditing, such that both internal and external users only have access to appropriate network resources.
Total Security Management

Total Security Management (TSM) is the business practice of developing and implementing comprehensive risk management and security practices for a firm's entire value chain.

TSM encourages companies to manage security initiatives as investments with a measurable return and seeks to transform security from a net cost to a net benefit.

Total Security Management - Formulation

The concept of Total Security Management was first introduced in the book Securing Global Transportation Networks: A Total Security Management Approach, published by McGraw Hill in 2006.

According to Dr

The TSM approach built upon scholarly research on the issue that stressed the importance of security as a key component of the supply chain.

Total Security Management - Relation to Total Quality Management

The TSM name borrows from the management concept Total Quality Management (TQM), an approach made famous by the work of W

I suspect that there are many professionals in the transportation industry today who may not endorse security management as a core business function that can create value

Total Security Management - Companies employing TSM

A company using the TSM methodology is meant to be able to establish a framework of focus points, metrics and feedback loops in order to elevate risk management from a non-core objective to an essential business function.

Securing Global Transportation Networks details case studies of many large companies that benefited from the implementation of aspects of the TSM approach, including FedEx, Home Depot, Hutchison Port Holdings, Maersk, Procter & Gamble, and Target, amongst others. [McGraw Hill, Book Release, October 2006, http://www.manhattan-institute.org/securing_networks/, 5/5/10]

Total Security Management - Criticism

"There are some useful ideas in the book, but the overall program may be too ambitious for many corporations to realistically consider," writes Ross Johnson in a 2007 Security Management review. [Ross Johnson, Security Management: Book Review, October 2007, http://www.securitymanagement.com/article/securing-global-transportation-networks-total-security-management-approach, 5/5/10]

Total Security Management - Other developments

[33-9089, 2009, http://www.sec.gov/rules/final/2009/33-9089.pdf, 5/5/10] In January 2010, ISO 28000 (ISO/PAS 28000 – Specification for security management systems for the supply chain) was updated to include an explicit reference to the Plan-Do-Check-Act model of quality management popularized by Deming. [Continuity Compliance, ISO 28002 – What's The Buzz About?, October 2009, http://www.continuitycompliance.org/information/organizational-resiliency/iso-28002-whats-the-buzz-about/, 5/5/10]
For More Information, Visit:
• https://store.theartofservice.com/the-security-management-toolkit.html
The Art of Service
https://store.theartofservice.com