The Information Security Management Framework (ISMF)


Reducing complexity in Information Security
SECO-INSTITUTE

Setting up information security in an organisation is a complex matter. The breadth of the field and the number of neighbouring subjects often hamper the establishment and maintenance of information security. The SECO-Institute presents its Information Security Management Framework (ISMF). The ISMF is a pragmatic model that allows organisations to set up information security at the strategic, tactical and operational level in an appropriate way, in line with the business. The ISMF provides an answer to the following question: what should I do, and in what order should I do it?

ISMF at the strategic level

Information security should never stand alone. Linking information security to business operations is essential and forms the beating heart of the ISMF. Consequently, the ISMF starts with the corporate vision: what does the organisation want to achieve, and where does it see itself in several years?

Every organisation has to take into account laws, regulations and standards, as well as environmental influences. Laws and regulations determine the requirements imposed on the organisation by the government or a trade association, and thus have a binding character. Standards, however, are generally chosen by the organisation and serve to guarantee the quality of products and services. As such, standards can also constitute business drivers, since their implementation could result in a commercial advantage for the organisation. The fourth factor that constitutes the base of the ISMF, in addition to laws, regulations and standards, is the environment. The environment encompasses all political and societal expectations towards the organisation. Nuclear power plants, for instance, have to comply with high standards, otherwise they will face licence denial.

The four factors mentioned above all play a part in the ISMF. That is to say, we have to consider the following questions: What does the organisation want to achieve? What does the organisation have to do? What requirements does the organisation have to meet? What is expected from the organisation by the environment? These four factors translate into a vision for information security. The major advantage of this approach is that it establishes a connection between information security and the business. In other words, information security should no longer be seen as an island on its own, but as a contributor to the realisation of the organisational goals.

A vision for information security first translates into a number of information security principles. For example, if policy sets out that everyone should be individually identifiable, or that work should be done in accordance with the ISO 27001 standard, we might be able to identify the following underlying information security principles: "Technology in service of the company, and not the other way round" or "We want to work supplier-independent". These are quite important basic issues. Finally, the variety of factors to take into account culminates in another question: what are we going to do now as an organisation?

The answer to that question is set out in the Information Security Plan (IS plan). Begin by formulating the strategic IS policy, in other words, indicate in general what the organisation will or will not do. You will then work from policy towards a more tactical-operational level. In order to work at the tactical-operational level, however, you need to consider two additional elements to ensure effectiveness. The first element is risk analysis. Without risk analysis, you will not see clearly where the problems lie in the organisation and where you need to invest more. The other important element is awareness. If people (including management!) are not aware of the risks the organisation might be running, no single measure will save your organisation. As people tend to be unaware of the importance of certain things, it might take a lot of effort to accomplish something.

ISMF at the tactical level

The organisation is managed at the tactical-operational level. Thus, at this level, (IS) standards come into view. You might set a standard for dealing with s, a standard for dealing with social media, and another for dealing with mobile media. You might also want to include a standard regulating third-party access to the corporate network. These are all specific pieces of tactical-operational policy on a particular topic, while strategic policies are very generic and do not cover specific topics. Standards, by nature, are about specific topics. In addition to standards, we might implement guidelines, which fulfil the same function as standards, the only difference being that a standard is mandatory while a guideline is merely a recommendation. Behavioural codes, for example, are guidelines on how employees should behave in the organisation. Along with baselines and benchmarks, we have now taken stock of all the instruments we need to effectively manage operation and innovation within an organisation.

ISMF at the operational level

There are two sorts of activities at the operational level: processes (the ongoing processes) and innovations (projects), each of which has its own rules of play.

Ongoing processes

From the point of view of information security, the following processes can be identified within operations: management, enforcement and reporting. The IS organisation should manage various things on behalf of the organisation, such as encryption keys. Enforcement (compliance) is also very often placed within the information security organisation (e.g. monitoring network anomalies and other events). Last but not least, reporting also belongs to the duties of the information security organisation: show the organisation how it is doing with information security, and provide information on performance in addition to the technical side.

Innovative projects

In addition to processes, the organisation runs innovative projects. As the implementation of new projects always implies risks, these projects have a point of interaction with information security. The Information Security Program bundles all projects that involve information security. This includes ongoing projects as well as new projects, where a Security Manager can immediately jump in by adding security requirements to the raw project. In general, it is wise to align all projects, including those that have nothing to do with information security. Thereafter, it should be checked whether the project agreements are met. The Program Manager reports on this to the Security Manager who, in turn, reports back to the business.

Operational arrangements: procedures, work instructions and technical documentation

The ISMF model culminates in procedures, work instructions and technical documentation. Procedures describe how things are done in an organisation. Whereas policy describes what we expect from each other and who does what, procedures answer the question: how do we do it? Note that procedures describe everything in a generic way. Procedures ensure the measurability of quality, which implies that they must be generic and implementation-neutral. Consequently, it is also necessary to describe less generic implementations in addition to procedures: these more detailed documents are work instructions (how do I do this?) and technical documentation.

ISMF and Reporting

There are three types of reporting, aimed at three different target groups respectively.
1. The first type of report demonstrates that all legal and regulatory requirements, as well as the standards chosen by the organisation, are met. This is called compliance, and this type of report constitutes the auditor's centre of attention.
2. The second type of report shows that information security is in order. There is a substantial difference between the first and second type of reporting. Standards describe everything that must be done, but they do not provide a guarantee of security. Therefore, the second type of reporting is needed to show how safe everything is. This type of report is intended for Security Management.
3. The third type of reporting is performance reporting and is specifically intended for the business. This report demonstrates that the efforts and investments made contribute positively to the overall operating result.

ISMF and Audit

The ISMF defines two different types of audits.
1. The first type is conducted to prove that all requirements are met. This type of audit is mandatory and the organisation has no influence on its completion.
2. The second type is conducted to monitor whether the organisation has reached a certain level of information security.
But what is the difference between the two types of audit? The first type of audit checks whether a certain management objective is set. Even if the Code of Information Security is applied, the first audit does not guarantee the qualitative value of the process. In other words, the first type of audit does not guarantee information security. In summary, there are two types of audits: one to monitor whether the organisation actually does what it claims to do, and another to see whether the organisation carries out its activities appropriately.

ISMF in relation to the Information Security Management System (ISMS)

The issues discussed above lead to agreements that need to be implemented by the organisation. This can be done using an Information Security Management System (ISMS). An ISMS is a management tool that ensures that all agreements are effectively controlled through a plan-do-check-act cycle. It is therefore recommended to apply the ISMF within an ISMS, for example based on ISO

SECO-INSTITUTE 2017