IVI Framework Viewer

Information Security Management

ISM

The Information Security Management (ISM) capability is the ability to manage approaches, policies, and controls that safeguard the integrity, confidentiality, accessibility, accountability, and usability of digitized information resources [5]. The Information Security Management (ISM) capability covers:

  • Preventing unauthorized access, use, disclosure, disruption, modification, or destruction of digitized information resources.
  • Establishing an information security governance model, including allocating roles, responsibilities, and accountabilities.
  • Measuring the effectiveness of existing security approaches, policies, and controls – for example, by applying security standards and conducting internal audits.
  • Managing security-related communications and training of employees.
  • Assessing, prioritizing, responding to, and monitoring information security risks and incidents.
  • Securing physical IT components and IT areas.
  • Providing expertise to protect, preserve, and/or destroy data in line with business, regulatory, and/or other security requirements.
  • Reporting on information security activities and compliance levels.

Structure

ISM is made up of the following Categories and CBBs. Maturity and Planning are described at both the CC and the CBB level.

A Governance

Establishes the oversight structures to support the execution of information security management.

A1 Information Security Strategy

Develop, communicate, and support the organization’s information security objectives.

A2 Security Policies and Controls

Establish and maintain security policies and controls, taking into account relevant security standards, regulatory and legislative security requirements, and the organization’s security objectives.

A3 Security Roles, Responsibilities, and Accountabilities

Establish responsibilities and accountabilities for information security roles, and check enforcement.

A4 Communication and Training

Disseminate security approaches, policies, and other relevant information to develop security awareness and skills.

A5 Security Performance Reporting

Report on the effectiveness and efficiency of information security policies and activities, and the level of compliance with them.

A6 Supplier Security

Define security requirements pertaining to the procurement and supply of hardware, software, services, and data.

B Technical Security

Securing IT components and the physical environment.

B1 Security Architecture

Build security criteria into the design of IT solutions – for example, by defining coding protocols, defence in depth, configuration of security features, and so on.

B2 IT Component Security

Implement measures to protect all IT components, both physical and virtual, such as client computing devices, servers, networks, storage devices, printers, and smart phones.

B3 Physical Infrastructure Security

Establish and maintain measures to safeguard the IT physical infrastructure from harm. Threats to be addressed include extremes of temperature, malicious intent, and utility supply disruptions.

C Security Risk Control

Assesses and prioritizes risks so that appropriate handling and monitoring activities can be put in place.

C1 Security Threat Profiling

Gather intelligence on IT security threats and vulnerabilities to better understand the IT security threat landscape within which the organization operates – including, for example, the actors, scenarios, and campaigns that might pose a threat.

C2 Security Risk Assessment

Identify exposures to security-related risks, and quantify their likelihood and potential impact.

C3 Security Risk Prioritization

Prioritize information security risks and risk handling strategies based on residual risks and the organization’s risk appetite.

C4 Security Risk Handling

Implement strategies for handling information security risk, including risk acceptance, transfer, absorption, and mitigation, as appropriate. Promote interaction with incident management functions.

C5 Security Risk Monitoring

Manage the ongoing efficacy of information security risk handling strategies and control options.

D Security Data Administration

Classifies data and information into security groupings, and provides guidance for managing their access rights and life cycles.

D1 Data Identification and Classification

Define information security classes, and provide guidance on protection and access control appropriate to each class.

D2 Access Rights Management

Manage user access rights to information throughout its life cycle, including granting, denying, and revoking access privileges.

D3 Data Life Cycle Management

Provide the security expertise and guidance to ensure that data throughout its life cycle is appropriately available, adequately preserved, and/or destroyed to meet business, regulatory, and/or other security requirements.

E Business Continuity Management

Managing security inputs into incident management and business continuity planning and testing.

E1 Business Continuity Planning

Provide stakeholders throughout the organization with security advice to assist in the analysis of incidents and to ensure that data is secure before, during, and after the execution of the business continuity plan.

E2 Incident Management

Manage security-related incidents and near incidents. Develop and train incident response teams to identify and limit exposure, manage communications, and coordinate with regulatory bodies as appropriate.

Overview

Goal

The Information Security Management (ISM) capability aims to protect the information held by the organization from damage, to prevent its harmful use (to people or organizations), and to facilitate its legitimate operational and business use.

Objectives

  • Facilitate information security approaches, policies, and controls, both during normal business operations and in the event of significant information security incidents, to safeguard the organization’s information resources’:
    • Integrity (that is, its accuracy and completeness).
    • Confidentiality (that is, its protection from theft or unauthorized disclosure).
    • Accountability (that is, its traceability and authenticity).
    • Usability (that is, its fitness for purpose).
    • Availability (that is, its accessibility and access controls).
  • Ensure that all information security incidents and suspected security weaknesses are reported through suitable channels, so that they are appropriately investigated and dealt with.
  • Help employees maintain appropriate levels of awareness and skills to minimize the occurrence and severity of information security incidents.
  • Provide assurance to stakeholders and regulators that information security approaches, policies, and controls function as intended – that is, they help discover, prevent, and minimize threats and breaches.
  • Ensure key stakeholders are accepting of the residual risk remaining after the information security technical analysis and mitigation actions for identified security threats have been taken.

Value

The Information Security Management (ISM) capability can help reduce the frequency and limit the adverse effects of information security breaches.

Relevance

With the rise of mobile computing, cloud computing, and social media usage, and the increased digitization of business processes, information security threats are also increasing [1]. Poor oversight, and inadequate protocols and procedures are the main causes of information security incidents. Organizations vary in their approaches to preventing such security breaches: some are overly restrictive, making even routine business activities difficult, while others are too relaxed, creating unnecessary exposures. Implementing overly restrictive or excessively weak information security controls can result in the loss of trust, reputation, and money. The organization has to find the right balance in order to secure its information resources without impeding effective business operations.

By developing an effective Information Security Management (ISM) capability, an organization can develop the structures and language necessary for discussing, analysing, and addressing security considerations, thereby helping to protect its information resources and to ensure their confidentiality, integrity, accountability, and availability [3][4].

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for ISM at each level of maturity.

2 Basic
  • Practice
    Establish an intelligence gathering and threat profiling process that identifies information security threat levels and new and emergent threat types.
    Outcome
    There is greater awareness of emerging and recurring information security threats.
    Metric
    Number of preventive measures adopted in response to identified security threats.
  • Practice
    Implement security classifications in metadata for data life cycle management and data access control.
    Outcome
    Data can be more reliably managed using metadata.
    Metric
    Number of security classes defined. Percentage of data sources that have associated security metadata.
  • Practice
    Establish information security training and awareness raising campaigns, starting in the IT function.
    Outcome
    A growing information security awareness promotes good practices by employees.
    Metric
    Percentage of employees who have attended information security training.
  • Practice
    Measure the efficacy of key information security activities.
    Outcome
    The security measures that are most effective in protecting the business can be understood, while inadequate security measures can be addressed.
    Metric
    Time taken from the identification of a security threat to the implementation of a suitable countermeasure. Number of security incidents causing service interruption or reduced availability. Number of virus infections attempted (detected and prevented). Number of infections that had to be cleaned.
3 Intermediate
  • Practice
    Specify security requirements for suppliers.
    Outcome
    Suppliers increasingly understand and meet consistent security requirements, reducing the risk of security breaches.
    Metric
    Person hours expended on validating security protocols for new IT components and services.
  • Practice
    Define data security classes for data sets – for example, ‘trade secret’ (for competitive information such as know-how, or product development information), ‘confidential’ (for sensitive information such as financials, or employee records), ‘internal business use only’ (for sales figures and financially sensitive data until/unless published), or ‘public’ (for company publicity collateral).
    Outcome
    Appropriate levels of security can be applied consistently to business data, helping to ensure its protection and appropriate use.
    Metric
    Number of security classes supported at each architecture layer (network, storage, database, applications, and so on). Number of security classes supported in each IT service. Number of security classes supported at each device type.
  • Practice
    Ensure information security is an integral part of business continuity planning.
    Outcome
    Business continuity planning becomes increasingly security-aware.
    Metric
    Number of information security management recommendations adopted and implemented in business continuity plans.
  • Practice
    Integrate the security management of IT infrastructure sites with facilities security management.
    Outcome
    IT infrastructure sites are increasingly secure and appropriately monitored.
    Metric
    Percentage of locations with integrated management plans. Percentage of systems covered by uninterruptible power supplies (UPS) and managed shutdown processes in the event of a power outage.
  • Practice
    Audit the process for prioritizing and handling security risks.
    Outcome
    Prioritized security risks are handled increasingly reliably.
    Metric
    Percentage of prioritized security risks mitigated using audited risk handling strategies.
4 Advanced
  • Practice
    Check all devices (physical, virtual, and user), architecture layers, networks, applications, and storage systems for compliance with recommended security features.
    Outcome
    Security features are deployed consistently, and the risk from weak links is reduced.
    Metric
    Percentage of applications and devices complying with recommended security features.
  • Practice
    Use software tools to monitor account usage, system usage, network usage, and component usage, to detect variances from the norm and issue alerts.
    Outcome
    Breaches can increasingly be detected in real time, contained, and fixed quickly, with fewer false alerts.
    Metric
    Percentage of false triggers (or false positives – suggesting over-sensitivity to variance). Percentage of systems, applications, solutions, and services with real-time variance monitoring. Number of (attempted) breaches, intrusions, and compromised accounts detected by real-time monitoring.
  • Practice
    Promote active membership of appropriate security forums and associations.
    Outcome
    The organization is kept abreast of new and emerging security threats and security practices, and is better able to make decisions on security investments and the deployment of security resources.
    Metric
    Percentage of threats in the risk register identified through security special interest groups, forums, or associations. Number of new practices brought in from security special interest groups, forums, or associations.
  • Practice
    Audit account usage and use real-time systems to detect compromised accounts (user and administrative) organization-wide.
    Outcome
    There are fewer security violations and greater security vigilance among employees at all levels.
    Metric
    Number of employee security lapses and deliberate security violations. Number of security issues detected by employees. Number of breach attempts targeted at users, such as email, telephone, or personal contact attempts to gain passwords or information pertaining to security measures.
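The Advanced-level practice above calls for software tools that monitor account usage, detect variances from the norm, and issue alerts, with the false-positive rate as one of its metrics. The following is an added example, not code from the IVI framework or this page: it builds a per-account baseline from a few days of constructed login log lines and then evaluates one new day against it, flagging accounts whose login count deviates from their baseline (z-score), accounts appearing from a source network never seen before, accounts with no baseline at all, and bursts of failed logins. The log line format, the field names, the /24 collapsing of source addresses, and the thresholds are all assumptions made for the illustration; a real deployment would tune them against its own data.

```python
from __future__ import annotations

import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed log format (an assumption for this example): one login event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+) status=(?P<status>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    user: str
    kind: str
    detail: str


def parse(lines: list[str]) -> list[dict[str, str]]:
    """Parse the constructed log lines; lines that do not match the format are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def net24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so a DHCP lease change is not a 'new network'."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def build_baseline(events: list[dict[str, str]]) -> dict[str, dict]:
    """Per account: successful logins per day and the set of source /24s seen."""
    daily: dict[str, Counter] = defaultdict(Counter)
    nets: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["status"] == "ok":
            daily[e["user"]][e["ts"][:10]] += 1  # ts[:10] is the YYYY-MM-DD part
            nets[e["user"]].add(net24(e["src"]))
    return {u: {"daily": list(c.values()), "nets": nets[u]} for u, c in daily.items()}


def detect(baseline: dict[str, dict], events: list[dict[str, str]],
           z_threshold: float = 3.0, fail_threshold: int = 5) -> list[Alert]:
    """Compare one day's events against the baseline; return the variances worth alerting on."""
    ok_logins, failures, new_nets = Counter(), Counter(), set()
    for e in events:
        if e["event"] != "login":
            continue
        if e["status"] != "ok":
            failures[e["user"]] += 1
            continue
        ok_logins[e["user"]] += 1
        n = net24(e["src"])
        if e["user"] in baseline and n not in baseline[e["user"]]["nets"]:
            new_nets.add((e["user"], n))  # a set, so each new network is reported once
    alerts = [Alert(u, "new_source_network", f"{n} not seen in baseline") for u, n in sorted(new_nets)]
    for u, count in ok_logins.items():
        if u not in baseline:
            alerts.append(Alert(u, "unknown_account", f"{count} successful logins, no baseline"))
            continue
        history = baseline[u]["daily"]
        mean = statistics.fmean(history)
        # Floor the spread at one login so very regular accounts do not alert on +1.
        spread = max(statistics.pstdev(history), 1.0)
        z = (count - mean) / spread
        if z > z_threshold:
            alerts.append(Alert(u, "count_anomaly", f"{count} logins today, baseline mean {mean:.1f}, z={z:.1f}"))
    for u, count in failures.items():
        if count >= fail_threshold:
            alerts.append(Alert(u, "failed_login_burst", f"{count} failed logins"))
    return alerts


def constructed_baseline_lines() -> list[str]:
    """Five days of constructed, unremarkable activity for two accounts."""
    lines = []
    for d, n in zip(range(1, 6), (2, 3, 2, 3, 2)):
        for i in range(n):
            lines.append(f"2024-03-0{d}T08:{i:02d}:00Z user=alice event=login src=10.0.1.5 status=ok")
        lines.append(f"2024-03-0{d}T09:00:00Z user=bob event=login src=10.0.2.20 status=ok")
    return lines


# Constructed "today": alice logs in far more often than usual, bob appears from an unseen
# network, svc_backup fails repeatedly, and carol has never been seen before.
CONSTRUCTED_TODAY = (
    [f"2024-03-06T0{8 + i // 6}:{(i % 6) * 10:02d}:00Z user=alice event=login src=10.0.1.7 status=ok" for i in range(12)]
    + ["2024-03-06T08:30:00Z user=bob event=login src=203.0.113.9 status=ok"]
    + [f"2024-03-06T03:0{i}:00Z user=svc_backup event=login src=10.0.3.3 status=fail" for i in range(6)]
    + ["2024-03-06T10:00:00Z user=carol event=login src=10.0.1.9 status=ok"]
)


def run_demo() -> list[Alert]:
    baseline = build_baseline(parse(constructed_baseline_lines()))
    return detect(baseline, parse(CONSTRUCTED_TODAY))
```

Running `run_demo()` yields four alerts, one per constructed variance. The two knobs that govern the metric the practice names (percentage of false triggers) are `z_threshold` and the floor on the spread: a baseline of five near-identical days has a tiny standard deviation, and without the floor a single extra login would score as an extreme outlier. Replaying a baseline day through `detect` is a cheap regression check that the tuned thresholds stay quiet on normal activity.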
5 Optimized
  • Practice
    Continually review security policies and controls to identify improvement opportunities and to keep up with the latest practices.
    Outcome
    Security policies and controls are continually refreshed to combat the latest security threats.
    Metric
    Number and severity of security breaches resulting from previously unknown security vulnerabilities. Number of security breaches prevented. Number of denial of service attacks thwarted. Number of virus/spyware incidents prevented or cleaned.
  • Practice
    Implement measures to record any attempt to tamper with compliance verification data in prioritized areas. Use time-stamps and checksums to help ensure the integrity of audit log files.
    Outcome
    Confidence in security compliance is increased. The audit logs accurately reflect actions on the data and (failed) attempts to tamper with it.
    Metric
    Number of false positives regarding security compliance.
  • Practice
    Systematically collaborate with relevant business ecosystem partners to detect compromised accounts (user and administrative).
    Outcome
    There are fewer security audit violations and greater security vigilance among employees and business partners at all levels.
    Metric
    Number of account security violations. Number of security issues detected by an account holder.
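The Optimized-level practice above asks for time-stamps and checksums that make tampering with audit log files evident. As an added example, not code from the IVI framework or this page, the Python below implements one concrete form of that idea: each entry carries a sequence number, a UTC timestamp, and an HMAC-SHA256 digest that commits to the previous entry's digest as well as its own fields, so editing, reordering, or back-dating any entry breaks every link after it. The verifier checks the whole chain and, optionally, that it ends at a head digest recorded elsewhere. The key, the field names, the JSON encoding of the payload, and the sample events are assumptions constructed for the illustration; the key is kept by the verifier rather than the logging host, which is why a plain unkeyed hash chain is not used.

```python
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed example key. Keying the chain matters because the key is held by the
# verifier, not by the system that writes the log, so a log editor cannot re-chain entries.
VERIFIER_KEY = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64  # digest the first entry chains to


@dataclass(frozen=True)
class Entry:
    seq: int
    timestamp: str  # ISO 8601 in UTC, so string comparison gives time order
    actor: str
    action: str
    digest: str  # HMAC-SHA256 over (previous digest, seq, timestamp, actor, action)


def chain_digest(prev: str, seq: int, timestamp: str, actor: str, action: str, key: bytes) -> str:
    payload = json.dumps([prev, seq, timestamp, actor, action], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(log: list[Entry], timestamp: str, actor: str, action: str, key: bytes = VERIFIER_KEY) -> Entry:
    """Append one entry whose digest commits to everything recorded before it."""
    prev = log[-1].digest if log else GENESIS
    entry = Entry(len(log), timestamp, actor, action,
                  chain_digest(prev, len(log), timestamp, actor, action, key))
    log.append(entry)
    return entry


def verify(log: list[Entry], key: bytes = VERIFIER_KEY,
           expected_head: str | None = None) -> tuple[bool, int | None]:
    """Return (ok, index of the first bad entry). Checks every link, the sequence numbers,
    timestamp order and, if given, that the chain ends at the head digest stored separately."""
    prev, last_ts = GENESIS, ""
    for i, e in enumerate(log):
        expected = chain_digest(prev, e.seq, e.timestamp, e.actor, e.action, key)
        if e.seq != i or e.timestamp < last_ts or not hmac.compare_digest(expected, e.digest):
            return False, i
        prev, last_ts = e.digest, e.timestamp
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)  # entries removed from the tail, or the head is not ours
    return True, None


def run_demo() -> dict[str, tuple[bool, int | None]]:
    """Constructed events, then two tampering scenarios a verifier should catch."""
    log: list[Entry] = []
    for ts, actor, action in [
        ("2024-03-01T09:00:00+00:00", "alice", "read customer_export.csv"),
        ("2024-03-01T09:05:00+00:00", "bob", "grant role=dba to carol"),
        ("2024-03-01T09:07:00+00:00", "carol", "delete compliance_report_q1.pdf"),
    ]:
        append(log, ts, actor, action)
    head = log[-1].digest  # the verifier records this off the logging host

    # Scenario 1: the deletion is rewritten as a read; its digest no longer matches.
    e = log[2]
    edited = log[:2] + [Entry(e.seq, e.timestamp, e.actor, "read compliance_report_q1.pdf", e.digest)]

    # Scenario 2: the last entry is dropped; the remaining chain is still self-consistent.
    truncated = log[:2]

    return {
        "intact": verify(log, expected_head=head),
        "edited": verify(edited, expected_head=head),
        "truncated_with_head": verify(truncated, expected_head=head),
        "truncated_without_head": verify(truncated),  # passes: why the head must be stored separately
    }
```

The last result in `run_demo()` is the caveat worth keeping in mind when using checksums for this purpose: a chain proves that nothing inside it was altered, but it cannot by itself prove that the log is complete. Detecting a truncated tail requires the verifier to hold the latest head digest (or a count) somewhere the logging host cannot reach, and the metric on this practice, false positives regarding compliance, depends on the verifier's clock and the writer's clock agreeing closely enough that the timestamp-order check does not fire on legitimate entries.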

Reference

History

This capability was introduced in Revision 16 as a new critical capability.

It was deprecated in Revision 18.01, being updated by Information Security Management (18.01).