Managing information security in essence means managing and mitigating the various threats and vulnerabilities to assets, while at the same time balancing the management effort expended on potential threats and vulnerabilities by gauging the probability of them actually occurring. A meteorite crashing into a server room is certainly a threat, for example, but an information security officer will likely put little effort into preparing for such a threat. After appropriate asset identification and valuation has occurred, risk management and mitigation of risks to those assets involves the analysis of the following issues:
Threats: Unwanted events that could cause the deliberate or accidental loss, damage, or misuse of information assets
Vulnerabilities: How susceptible information assets and associated controls are to exploitation by one or more threats
Impact and likelihood: The magnitude of potential damage to information assets from threats and vulnerabilities and how serious of a risk they pose to the assets; cost–benefit analysis may also be part of the impact assessment or separate from it
Mitigation: The proposed method for minimizing the impact and likelihood of potential threats and vulnerabilities
Once a threat and/or vulnerability has been identified and assessed as having sufficient impact/likelihood to information assets, a mitigation plan can be enacted. The mitigation method chosen largely depends on which of the seven information technology domains the threat and/or vulnerability resides in. The threat of user apathy toward security policies will require a much different mitigation plan than one used to limit the threat of unauthorized probing and scanning of a network.
Information security management system
An information security management system represents the collation of all the interrelated/interacting information security elements of an organization so as to ensure policies, procedures, and objectives can be created, implemented, communicated, and evaluated to better guarantee an organization's overall information security. This system is typically influenced by organization's needs, objectives, security requirements, size, and processes. An ISMS includes and lends to effective risk management and mitigation strategies. Additionally, an organization's adoption of an ISMS largely indicates that it is systematically identifying, assessing, and managing information security risks and "will be capable of successfully addressing information confidentiality, integrity, and availability requirements." However, the human factors associated with ISMS development, implementation, and practice must also be considered to best ensure the ISMS' ultimate success.
Implementation and education strategy components
Implementing effective information security management requires a management strategy that takes note of the following:
Upper-level management must strongly support information security initiatives, allowing information security officers the opportunity "to obtain the resources necessary to have a fully functional and effective education program" and, by extension, information security management system.
Information security strategy and training must be integrated into and communicated through departmental strategies to ensure all personnel are positively affected by the organization's information security plan.
A privacy training and awareness "risk assessment" can help an organization identify critical gaps in stakeholder knowledge and attitude towards security.
Proper evaluation methods for "measuring the overall effectiveness of the training and awareness program" ensure policies, procedures, and training materials remain relevant.
Policies and procedures that are appropriately developed, implemented, communicated, and enforced "mitigate risk and ensure not only risk reduction, but also ongoing compliance with applicable laws, regulations, standards, and policies."
Milestones and timelines for all aspects of information security management help ensure future success.
Without sufficient budgetary considerations for all the above—in addition to the money allotted to standard regulatory, IT, privacy, and security issues—an information security management plan/system can not fully succeed.
Relevant standards
Standards that are available to assist organizations with implementing the appropriate programs and controls to mitigate threats and vulnerabilities include the ISO/IEC 27000 family of standards, the ITIL framework, the COBIT framework, and O-ISM3 2.0. The ISO/IEC 27000 family represent some of the most well-known standards governing information security management and the ISMS and are based on global expert opinion. They lay out the requirements for best "establishing, implementing, deploying, monitoring, reviewing, maintaining, updating, and improving information security management systems." ITIL acts as a collection of concepts, policies, and best practices for the effective management of information technology infrastructure, service, and security, differing from ISO/IEC 27001 in only a few ways. COBIT, developed by ISACA, is a framework for helping information security personnel develop and implement strategies for information management and governance while minimizing negative impacts and controlling information security and risk management, and O-ISM3 2.0 is The Open Group's technology-neutral information security model for enterprise.
