IVI Framework Viewer

The Information Security Management (ISM) capability aims to protect the information held by the organization from damage, to prevent its harmful use (to people or organizations), and to facilitate its legitimate operational and business use.

• Facilitate information security approaches, policies, and controls, both during normal business operations and in the event of significant information security incidents, to safeguard the organization’s information resource’s:
  • Integrity (that is, its accuracy and completeness).
  • Confidentiality (that is, its protection from theft or unauthorized disclosure).
  • Accountability (that is, its traceability and authenticity).
  • Usability (that is, its fitness for purpose).
  • Availability (that is, its accessibility and access controls).
• Ensure that all information security incidents and suspected security weaknesses are reported through suitable channels, so that they are appropriately investigated and dealt with.
• Help employees maintain appropriate levels of awareness and skills to minimize the occurrence and severity of information security incidents.
• Provide assurance to stakeholders and regulators that information security approaches, policies, and controls function as intended – that is, they help discover, prevent, and minimize threats and breaches.
• Ensure key stakeholders are accepting of the residual risk remaining after the information security technical analysis and mitigation actions for identified security threats have been taken.

The Information Security Management (ISM) capability can help reduce the frequency and limit the adverse effects of information security breaches.

With the rise of mobile computing, cloud computing, and social media usage, and the increased digitization of business processes, information security threats are also increasing¹. Poor oversight, and inadequate protocols and procedures are the main causes of information security incidents. Organizations vary in their approaches to preventing such security breaches: some are overly restrictive, making even routine business activities difficult, while others are too relaxed, creating unnecessary exposures. Implementing overly restrictive or excessively weak information security controls can result in the loss of trust, reputation, and money. The organization has to find the right balance in order to secure its information resources without impeding effective business operations.

By developing an effective Information Security Management (ISM) capability, an organization can develop the structures and language necessary for discussing, analysing, and addressing security considerations, thereby helping to protect its information resources and to ensure their confidentiality, integrity, accountability, and availability³⁴.

The Information Security Management (ISM) capability is the ability to manage approaches, policies, and controls that safeguard the integrity, confidentiality, accessibility, accountability, and usability of digitized information resources⁵. The Information Security Management (ISM) capability covers:

• Preventing unauthorized access, use, disclosure, disruption, modification, or destruction of digitized information resources.
• Establishing an information security governance model, including allocating roles, responsibilities, and accountabilities.
• Measuring the effectiveness of existing security approaches, policies, and controls – for example, by applying security standards and conducting internal audits.
• Managing security-related communications and training of employees.
• Assessing, prioritizing, responding to, and monitoring information security risks and incidents.
• Securing physical IT components and IT areas.
• Providing expertise to protect, preserve, and/or destroy data in line with business, regulatory, and/or other security requirements.
• Reporting on information security activities and compliance levels.

Representative POMs are described for ISM at each level of maturity.

2Basic

• Practice

  Establish an intelligence gathering and threat profiling process that identifies information security threat levels and new and emergent threat types.

  Outcome

  There is greater awareness of emerging and recurring information security threats.

  Metric

  Number of preventive measures adopted in response to identified security threats.

• Practice

  Implement security classifications in metadata for data life cycle management and data access control.

  Outcome

  Data can be more reliably managed using metadata.

  Metric

  Number of security classes defined. Percentage of data sources that have associated security metadata.

• Practice

  Establish information security training and awareness raising campaigns, starting in the IT function.

  Outcome

  A growing information security awareness promotes good practices by employees.

  Metric

  Percentage of employees who have attended information security training.

• Practice

  Measure the efficacy of key information security activities.

  Outcome

  The security measures that are most effective in protecting the business can be understood, while inadequate security measures can be addressed.

  Metric

  Time taken from the identification of a security threat to the implementation of a suitable counter measure. Number of security incidents causing service interruption or reduced availability. Number of virus infections attempted (detected and prevented). Number of infections that had to be cleaned.

3Intermediate

• Practice

  Specify security requirements for suppliers.

  Outcome

  Suppliers increasingly understand and meet consistent security requirements, reducing the risk of security breaches.

  Metric

  Person hours expended on validating security protocols for new IT components and services.

• Practice

  Define data security classes for data sets – for example, ‘trade secret’ (for competitive information such as know-how, or product development information), ‘confidential’ (for sensitive information such as financials, or employee records), ‘internal business use only’ (for sales figures and financially sensitive data until/unless published), or ‘public’ (for company publicity collateral).

  Outcome

  Appropriate levels of security can be applied consistently to business data, helping to ensure its protection and appropriate use.

  Metric

  Number of security classes supported at each architecture layer (network, storage, database, applications, and so on). Number of security classes supported in each IT service. Number of security classes supported at each device type.

• Practice

  Ensure information security is an integral part of business continuity planning.

  Outcome

  Business continuity planning is increasingly more security aware.

  Metric

  Number of information security management recommendations adopted and implemented in business continuity plans.

• Practice

  Integrate the security management of IT infrastructure sites with facilities security management.

  Outcome

  Appropriate IT infrastructure sites are increasingly more secure and monitored appropriately.

  Metric

  Percentage of locations with integrated management plans. Percentage of systems covered by uninterruptable power supplies (UPS) and managed shutdown processes in the event of a power outage.

• Practice

  Audit the process for prioritizing and handling security risks.

  Outcome

  Prioritized security risks are increasingly handled more reliably.

  Metric

  Percentage of prioritized security risks mitigated using audited risk handling strategies.

4Advanced

• Practice

  Check all devices (physical, virtual, and user), architecture layers, networks, applications, and storage systems for compliance with recommended security features.

  Outcome

  Security features are deployed consistently, and the risk from weak links is reduced.

  Metric

  Percentage of applications and devices complying with recommended security features.

• Practice

  Use software tools to monitor account usage, system usage, network usage, and component usage, to detect variances from the norm and issue alerts.

  Outcome

  Breaches can increasingly be detected in real time, contained and fixed quickly, with fewer false alerts.

  Metric

  Percentage of false triggers (or false positives – suggesting over-sensitivity to variance). Percentage of systems, applications, solutions, and services with real-time variance monitoring. Number of (attempted) breaches, intrusions, and compromised accounts detected by real-time monitoring.

• Practice

  Promote active membership of appropriate security forums and associations.

  Outcome

  The organization is kept abreast of new and emerging security threats and security practices, and is better able to make decisions on security investments and the deployment of security resources.

  Metric

  Percentage of threats in the risk register identified through security special interest groups, forums, or associations. Number of new practices brought in from security special interest groups, forums, or associations.

• Practice

  Audit account usage and use real-time systems to detect compromised accounts (user and administrative) organization-wide.

  Outcome

  There are fewer security violations and greater security vigilance among employees at all levels.

  Metric

  Number of employee security lapses and deliberate security violations. Number of security issues detected by employees. Number of breach attempts targeted at users, such as email, telephone, or personal contact attempts to gain passwords or information pertaining to security measures.

5Optimized

• Practice

  Continually review security policies and controls to identify improvement opportunities and to keep up with latest practices.

  Outcome

  Security policies and controls are continually refreshed to combat latest security threats.

  Metric

  Number and severity of security breaches resulting from previously unknown security vulnerabilities. Number of security breaches prevented. Number of denial of service attacks thwarted. Number of virus/spyware incidents prevented or cleaned.

• Practice

  Implement measures to record any attempt to tamper with compliance verification data in prioritized areas. Use time-stamps and checksums to help ensure the integrity of audit log files.

  Outcome

  Confidence in security compliance is increased. The audit logs accurately reflect actions on the data and (failed) attempts to tamper with it.

  Metric

  Number of false positives regarding security compliance.

• Practice

  Systematically collaborate with relevant business ecosystem partners to detect compromised accounts (user and administrative).

  Outcome

  There are fewer security audit violations and greater security vigilance among employees and business partners at all levels.

  Metric

  Number of account security violations. Number of security issues detected by an account holder.

This capability was introduced in Revision 16 as a new critical capability.

It was deprecated in Revision 18.01, being updated by Information Security Management (18.01).

The following CCs cover topics that are related to ISM in some way:

EAMEnterprise Architecture Management

Standards, directions, policies, frameworks, and roadmaps to guide technical infrastructure planning and solution design, which may trigger information security considerations

EIMEnterprise Information Management

Details on information critical to the business and its ownership. Critical information can be afforded enhanced security features and prioritized for business recovery purposes

ITGIT Leadership and Governance

Establishing IT governance structures

ITGIT Leadership and Governance

The overarching IT governance framework, to guide how information security management should operate

PDPPersonal Data Protection

Establishing protection and privacy criteria for personal data

PDPPersonal Data Protection

Guidance on managing the governance and processing of personal data

RMRisk Management

General IT risk-related management approaches, policies, standards, and risk handling strategies for consideration in the management of information security- related risks

RMRisk Management

Managing the broader risks associated with the potential impact of IT on the organization

SPStrategic Planning

The IT function’s strategic plan, which the information security strategy should seek to facilitate and not restrict