
Information Security Management System (ISMS) - A closer Look

ISMS Definition

An Information Security Management System (ISMS) is a way to protect and manage information based on a systematic business risk approach, in order to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational approach to information security.

Key elements for ISMS Implementation


ISMS implementation has to be customised to suit each organisation based on size, risk profile, management's risk appetite, industry, etc. The following are essential components in the process of implementing an ISMS in any organisation. The details of each component will vary; however, all of these components have to be considered during ISMS implementation.

A. Management commitment - This is the most essential element, as the starting point for implementing an ISMS is to obtain management commitment and support. Ideally, the motivation and direction will come from senior management, but success will come more easily if management understands the reasons for implementing an ISMS and fully supports its design and operation. The following items demonstrate management commitment: an information security policy; information security objectives and plans; roles and responsibilities for information security; an announcement or communication to the organization about the importance of adhering to the information security policy; and sufficient resources dedicated to implementing the ISMS.

B. Implementation team organisation - This process requires significant time and effort. Hence it is essential that organisations commit to identifying and engaging key stakeholders and assemble the correct project team. Team size and the appropriate project leader are specific to each organisation. The project team should be able to devote sufficient time to the implementation. A smaller group of closely involved individuals is usually more effective than a larger team of occasional part-timers. If consultants are engaged, it is important that they are supported by internal resources. Eventual knowledge transfer to internal personnel should also be ensured; otherwise, when the consultants leave, the knowledge can walk out with them. Overall responsibility for information security is often given to the IT Manager, but information security has a wider impact than just IT systems, including personnel security, physical security and legal compliance.

C. Define the scope of the ISMS - In this step, the organisation determines the extent of ISMS applicability it wants. This is done after considering the various overall policy documents discussed above, such as the information security policy, objectives and plans, etc. In addition, the following will be required:

Lists of the areas, locations, assets, and technologies of the organization that will be controlled by the ISMS. While reviewing these lists, the organisation has to consider questions similar to the following: What areas of the organization will be covered by the ISMS? What are the characteristics of those areas: their locations, assets and technologies to be included in the ISMS? Will the organisation require its suppliers to abide by this ISMS? Are there dependencies on other organizations? Should they be considered?

It is important to keep the scope manageable. Only parts of the organization, such as a logical or physical grouping within the organization, should be considered. Large organizations might need several Information Security Management Systems in order to maintain manageability. For example, they might have one ISMS for their Finance department and the networks used by that department, and a separate ISMS for their Software Development department and systems. The end result of this exercise should be a documented scope for the ISMS. This may be a few statements or paragraphs. The documented scope often becomes one of the first sections of an organization's Security Manual.

D. Risk Management

i) Define method of Risk Assessment - Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence. Choosing a risk assessment method is one of the most important parts of establishing an ISMS. The method chosen must help: evaluate risk based on levels of confidentiality, integrity, and availability; set objectives to reduce risk to an acceptable level; determine criteria for accepting risk; and evaluate risk treatment options. The organization's approach to information security risk management, the criteria for information security risk evaluation and the degree of assurance required have to be clearly determined and documented.

ii) Information Asset Inventory - The organisation has to prepare a list of the information assets to be protected and an owner for each of those assets. It also has to identify where the information is located and how critical or difficult it would be to replace. This list should be part of the risk assessment methodology document that was created in the previous step. A sample of such a list is given in Table 1 below:
Table 1: Information Asset Inventory

Asset                    | Details                    | Owner | Location | CIA Profile | Replacement Value | Risk Value | Control | Sufficient control?
-------------------------|----------------------------|-------|----------|-------------|-------------------|------------|---------|--------------------
1. Strategic Information | Medium and long term plans | CEO   | CEO PC   |             | High              |            |         |
2. Project Plans         | Short Term Plans           | CEO   | CEO PC   |             | Medium            |            |         |
3. .....etc.             |                            |       |          |             |                   |            |         |

iii) Identify Risks - For each asset defined in the previous step, risks have to be identified and classified according to their severity and vulnerability. In addition, the impact that loss of confidentiality, integrity, and availability may have on the assets has to be determined. A sample is shown in Table 2. To begin identifying risks, actual or potential threats and vulnerabilities for each asset have to be identified. A threat is something that could cause harm. For example, a threat could be an intentional, accidental, or man-made act that could inflict harm, or an act of God (such as a hurricane or tsunami). A vulnerability is a source or situation with a potential for harm (for example, a broken window is a vulnerability; it might encourage harm, such as a break-in). A risk is a combination of the likelihood (or frequency) that a specific threat will occur and the severity of its consequences.
Table 2: Information Asset Risk Identification

Asset                    | Details                    | Owner | Location | CIA Profile              | Replacement Value | Risk Value | Control | Sufficient control?
-------------------------|----------------------------|-------|----------|--------------------------|-------------------|------------|---------|--------------------
1. Strategic Information | Medium and long term plans | CEO   | CEO PC   | C: High, I: High, A: Med | High              |            |         |
2. Project Plans         | Short Term Plans           | CEO   | CEO PC   | C: High, I: High, A: Low | Medium            |            |         |
3. .....etc.             |                            |       |          |                          |                   |            |         |

iv) Assess Risks & Probability of Occurrence - After the Organisation has identified the risks, it needs to assign values to them. The values will help the Organisation determine whether each risk is tolerable and whether it needs to implement a control to either eliminate or reduce the risk. The considerations when assigning values to risks are: the value of the asset being protected; the frequency with which the threat or vulnerability might occur; and the damage that the risk might inflict on the company or its customers or partners.
Table 3: Information Asset Risk Assessment

Asset                    | Details                    | Owner | Location | CIA Profile              | Replacement Value | Risk Value | Control | Sufficient control?
-------------------------|----------------------------|-------|----------|--------------------------|-------------------|------------|---------|--------------------
1. Strategic Information | Medium and long term plans | CEO   | CEO PC   | C: High, I: High, A: Med | High              | High       |         |
2. Project Plans         | Short Term Plans           | CEO   | CEO PC   | C: High, I: High, A: Low | Medium            | Medium     |         |
3. .....etc.             |                            |       |          |                          |                   |            |         |

v) Risk Mitigation - Next, for the risks that have been determined to be intolerable, the Organisation must take one of the following actions: accept the risk, for example where actions are not possible because the risk is outside the Organisation's control (such as a natural disaster or political uprising) or the actions are too expensive; transfer the risk, for example by purchasing insurance against the risk or by subcontracting the activity so that the risk is passed on to the subcontractor; or reduce the risk to an acceptable level through the use of controls. To reduce the risk, the Organisation should evaluate and identify appropriate controls. These controls might be controls that the organization already has in place or controls that are defined in the ISO/IEC 27002 (formerly ISO/IEC 17799) standard. A sample is given in Table 4.
Table 4: Information Asset Risk/Control Profile

Asset                    | Details                    | Owner | Location | CIA Profile              | Replacement Value | Risk Value | Control                                  | Sufficient control?
-------------------------|----------------------------|-------|----------|--------------------------|-------------------|------------|------------------------------------------|--------------------
1. Strategic Information | Medium and long term plans | CEO   | CEO PC   | C: High, I: High, A: Med | High              | High       | Ref to ISO Clause / Internal Control doc | Yes
2. Project Plans         | Short Term Plans           | CEO   | CEO PC   | C: High, I: High, A: Low | Medium            | Medium     | Ref to ISO Clause / Internal Control doc | Yes
3. .....etc.             |                            |       |          |                          |                   |            |                                          |
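The four tables above are snapshots of one register as it is filled in through steps ii) to v). The following Python risk register, added here as an illustration and not part of the original article or of any standard, carries the two assets from the tables through those steps: it holds the inventory columns, derives a qualitative risk value from the CIA profile, replacement value and a likelihood estimate, applies a risk acceptance criterion, and reports which assets still need a control selected or the risk transferred. The ordinal scale, the 3x3 impact-by-likelihood matrix, the acceptance threshold, the likelihood values and the third asset are assumptions made for the example; the article does not prescribe a scoring formula.

```python
"""Risk register for the asset inventory -> risk identification -> assessment ->
treatment steps (Tables 1-4).  Added example: the ordinal scale, the 3x3
impact x likelihood matrix, the acceptance threshold and the likelihood values
are assumptions made here, not values given by the article or by ISO/IEC 27001/27002."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordinal scale shared by the CIA profile, replacement value, likelihood and risk value.
LEVELS = {"Low": 1, "Med": 2, "Medium": 2, "High": 3}

# Risk acceptance criterion (assumed): anything at or below this level is tolerable.
ACCEPTANCE_THRESHOLD = "Low"


@dataclass
class Asset:
    """One row of the information asset inventory (Table 1 columns plus likelihood)."""
    name: str
    details: str
    owner: str
    location: str
    cia: Dict[str, str]                 # e.g. {"C": "High", "I": "High", "A": "Med"}
    replacement_value: str              # Low / Med / High
    likelihood: str                     # Low / Med / High, estimated by the assessor (assumed input)
    control_ref: Optional[str] = None   # reference to an ISO/IEC 27002 clause or internal control doc
    control_sufficient: bool = False    # the "Sufficient control?" column


def impact(asset: Asset) -> int:
    """Impact is the worst case across the CIA profile and the replacement value (assumed rule)."""
    worst_cia = max(LEVELS[v] for v in asset.cia.values())
    return max(worst_cia, LEVELS[asset.replacement_value])


def risk_value(asset: Asset) -> str:
    """Qualitative risk value from an assumed 3x3 impact x likelihood matrix.

    The product ranges from 1 to 9: 1-2 -> Low, 3-5 -> Med, 6-9 -> High.
    """
    score = impact(asset) * LEVELS[asset.likelihood]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Med"
    return "Low"


def treatment(asset: Asset) -> str:
    """Risk treatment decision: accept, rely on an existing sufficient control, or act."""
    if LEVELS[risk_value(asset)] <= LEVELS[ACCEPTANCE_THRESHOLD]:
        return "accept"
    if asset.control_sufficient and asset.control_ref:
        return "reduce (existing control sufficient)"
    return "reduce or transfer (select control / transfer risk)"


def control_gaps(register: List[Asset]) -> List[str]:
    """Names of assets whose risk exceeds the acceptance threshold without a sufficient control."""
    return [a.name for a in register if treatment(a).startswith("reduce or transfer")]


def render(register: List[Asset]) -> List[str]:
    """Render the register as Table 4 style rows: one pipe-separated line per asset."""
    rows = []
    for n, a in enumerate(register, start=1):
        cia = " ".join(f"{k}:{v}" for k, v in a.cia.items())
        rows.append(" | ".join([
            f"{n}. {a.name}", a.details, a.owner, a.location, cia,
            a.replacement_value, risk_value(a), a.control_ref or "-",
            "Yes" if a.control_sufficient else "No", treatment(a),
        ]))
    return rows


# Constructed register: rows 1 and 2 follow Tables 1-4; the third asset and all
# likelihood values are invented here to exercise the control-gap path.
REGISTER = [
    Asset("Strategic Information", "Medium and long term plans", "CEO", "CEO PC",
          {"C": "High", "I": "High", "A": "Med"}, "High", "Med",
          control_ref="<ISO clause / internal control doc>", control_sufficient=True),
    Asset("Project Plans", "Short Term Plans", "CEO", "CEO PC",
          {"C": "High", "I": "High", "A": "Low"}, "Medium", "Low",
          control_ref="<ISO clause / internal control doc>", control_sufficient=True),
    Asset("Customer Records", "Constructed third asset", "Sales Manager", "File server",
          {"C": "High", "I": "Med", "A": "Med"}, "High", "High"),
]

if __name__ == "__main__":
    for line in render(REGISTER):
        print(line)
    print("Needs treatment:", control_gaps(REGISTER))
```

With the assumed matrix, the two assets from the tables reproduce the risk values shown in Table 3 (High and Medium), and the constructed third asset shows the case the tables leave blank: a high risk with no control recorded, which the register surfaces as needing treatment rather than silently passing.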

E. Business Impact Analysis (BIA) - A BIA report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. Possible failures are assessed in terms of their impacts on safety, finances, marketing, legal compliance, and quality assurance. Where possible, impact is expressed monetarily for purposes of comparison. For example, a business may spend three times as much on marketing in the wake of a disaster to rebuild customer confidence. The BIA is an essential component of an organization's business continuity plan; it includes an exploratory component to reveal any vulnerabilities, and a planning component to develop strategies for minimizing risk. The result of the analysis is a business impact analysis report, which describes the potential risks specific to the organization studied.

One of the basic assumptions behind a BIA is that every component of the organization is reliant upon the continued functioning of every other component, but that some are more crucial than others and require a greater allocation of funds in the wake of a disaster. For example, a business may be able to continue more or less normally if the cafeteria has to close, but would come to a complete halt if the information system crashes.

A sample series of questions a BIA team must look to answer: What critical interdependencies exist between internal systems, applications, business processes, and departments? What specialized equipment is required and how is it used? How would the department function if the mainframe, network and/or Internet access were not available? What single points of failure exist and how significant are those risks? What are the critical outsourced relationships and dependencies?

F. Business Continuity Planning (BCP) & Disaster Recovery (DR) - Business Continuity Planning involves identifying, developing, acquiring, documenting and testing procedures and resources that will ensure continuity of an organisation's key operations in the event of an accident, disaster, emergency, and/or threat. It involves risk mitigation planning (reducing the possibility of adverse events occurring) and Disaster Recovery planning (ensuring continued operation in the aftermath of a disaster). These plans are drawn up based on the BIA Report, as it gives a clear indication of the business-critical processes that have to be focused on. Some basics to cover in a Business Continuity plan are: Develop and practice a contingency plan that includes a succession plan for the CEO. Train backup employees to perform emergency tasks. Determine offsite crisis meeting places and crisis communication plans for top executives.

Practice crisis communication with employees, customers and the outside world. Invest in an alternate means of communication in case the phone networks go down. Make sure that all employees, as well as executives, are involved in the exercises so that they get practice in responding to an emergency. Make business continuity exercises realistic. Form partnerships with local emergency response groups (fire fighters, police and EMTs) to establish a good working relationship. Evaluate the company's performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses. Test the continuity plan regularly to reveal and accommodate changes, since technology, personnel and facilities are in a constant state of flux at any company.

A Disaster Recovery Plan is a subset of the BCP, but covers more elaborate details such as documentation of the procedures for declaring an emergency, evacuation of the site according to the nature of the disaster, active backup, notification of the relevant officials/DR team/staff, the procedures to be followed when a disaster breaks out, alternate location specifications, etc. It is beneficial to be prepared in advance with sample DRPs and disaster recovery examples so that every individual in the organization is better educated on the basics. Documentation should include the identification and contact details of key personnel in the disaster recovery team, and their roles and responsibilities in the team.

The lifecycle in information security


Security is not a permanent state which, once achieved, will never change. Every organisation and public agency is subject to continuous dynamic changes. Many of these changes also affect information security, due to changes in the business processes, tasks, infrastructure, organisational structures and the IT. Besides the obvious changes within an institution, changes to the external conditions can also occur; for example, the statutory or contractual stipulations as well as the available information and communications technologies might change considerably. It is therefore necessary to manage security actively so that the security level that has been reached is also maintained over the long term.

[Figure: the PDCA cycle applied to an ISMS - Plan: Establish ISMS; Do: Implement & Operate ISMS; Check: Monitor & Review ISMS; Act: Maintain & Improve ISMS]

Not only business processes and IT systems have a "lifecycle"; the policy for information security, the information security organisation and ultimately the entire information security process all have a lifecycle. The information security process is commonly divided into the following phases:

1. Planning
2. Implementing the plan and carrying out the project
3. Performance review and monitoring the achievement of objectives
4. Eliminating discovered flaws and weaknesses and making optimisations as well as improvements

Phase 4 describes the immediate elimination of minor flaws. If fundamental or extensive changes are needed, one must of course return to the planning phase again. This model is named after its individual phases ("Plan", "Do", "Check", "Act") and is thus also referred to as the PDCA model. The PDCA cycle is considered an upward spiral: each cycle further perfects the ISMS, so the extent of the next cycle is a little smaller than that of the previous one.

Concluding Remarks
The management system concept is being applied across many new disciplines. With the ratification of the ISO 27001 standard, information security management systems have achieved new prominence, in some arenas becoming an essential requirement. In conclusion, an ISMS:
Integrates information security risk into enterprise risk management.
Documents informed decision making and due diligence.
Provides a framework for regulatory compliance.
Offers a structure to efficiently and effectively integrate people, process, and technology.
Furnishes a mechanism for monitoring and reporting.
Is business friendly, and a market differentiator.

References: http://www.csoonline.com

Useful Books and information on Business Continuity and Disaster Recovery:
The Disaster Recovery Handbook: A Step-By-Step Plan - by Wallace and Webber (AMACOM 2010)
Building an Enterprise-Wide Business Continuity Program - by Kelley Okolita (CRC Press 2009)
A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance - by Julia Graham et al. (Rothstein Associates 2006)
