IVI Framework Viewer

Information Security Management

ISM

The Information Security Management (ISM) capability is the ability to manage approaches, policies, and controls that safeguard the integrity, confidentiality, accountability, usability, and availability of information.

Structure

ISM is made up of the following Categories and Capability Building Blocks (CBBs). Maturity and Planning are described at both the Critical Capability (CC) level and the CBB level.

A Governance

A1 Information Security Principles, Policies, and Controls

Define the principles that underpin the organization's approach to information security management. Define the information security policies and controls to be put in place, taking into account relevant information security standards, legislative and regulatory compliance requirements, contractual obligations, information security objectives, and incident reports.

A2 Information Security Strategy

Develop an information security strategic plan to define how the organization's information security objectives can be achieved, and put the plan into operation.

A3 Governance Structures

Establish governance structures for information security management. Define the scope of information security management governance bodies, and outline decision rights and authorizations. Establish reporting arrangements, audit log designs, issue escalation protocols, and rules to govern and control the application of information security management authority within the organization.

A4 Roles, Responsibilities, and Accountabilities

Identify the roles required for information security management tasks, and assign employees with the requisite knowledge and experience to those roles. Define the associated responsibilities and assign these to employees who will be accountable for ensuring that information security management objectives are met.

A5 Skills and Competence Development

Put in place an information security management training curriculum and other employee developmental mechanisms to enhance the skills and competences of employees in this area.

A6 Culture and Stakeholder Management

Establish a culture of information security awareness. Motivate stakeholders, secure their support for key information security management initiatives, and create a shared understanding of how they can help ensure that information security management objectives are met.

A7 Security Performance Measurement

Monitor and report on the effectiveness/efficiency of the information security principles, policies, controls, strategy, and activities.

A8 Supplier Security Requirements

Define security requirements for the procurement and supply of hardware, software, data, and cloud and other IT services to satisfy the information security strategy and objectives of the organization.

B Technical Security

B1 Security Architecture

Build security criteria into the design of IT solutions and services, for example by defining secure coding standards, defence in depth, and the configuration of security features.

B2 IT Device Security

Define, implement, and monitor measures to protect all IT devices such as networks, servers, client computing devices, storage devices, printers, and smart phones.

B3 Physical Infrastructure Security

Implement, monitor, and maintain measures to safeguard the IT physical infrastructure from threats including extremes of temperature, fire, flooding, malicious intent, and utility supply disruptions.

C Security Data Administration

C1 Data Security Classification

Define information security classes, and provide guidelines on the protection levels and access controls appropriate to each class.

C2 Access Rights Management

Manage user access rights to information throughout its life cycle, including the granting, denying, and revoking of access privileges.

C3 Data Life Cycle Management

Provide the security expertise and guidance to ensure that data throughout its life cycle is appropriately available, adequately preserved, and/or destroyed so that it meets business, regulatory, and/or other security requirements.
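The three CBBs above (classification, access rights, life cycle) become concrete once the security class is carried as metadata on each data set and every access and retention decision reads it. The following is an added example, not code from the framework or from IVI: the class names follow the examples given later on this page, while the protection baseline (encrypt-at-rest flag, need-to-know flag, retention period per class), the data sets, users and group names are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import Optional

class SecurityClass(IntEnum):
    """Ordered security classes; a higher value requires a higher clearance."""
    PUBLIC = 0
    INTERNAL = 1        # 'internal business use only'
    CONFIDENTIAL = 2
    TRADE_SECRET = 3

# Protection baseline per class (C1). The values are assumptions for this
# example, not figures from the framework.
BASELINE = {
    SecurityClass.PUBLIC:       {"encrypt_at_rest": False, "need_to_know": False, "retention_days": 365},
    SecurityClass.INTERNAL:     {"encrypt_at_rest": False, "need_to_know": False, "retention_days": 730},
    SecurityClass.CONFIDENTIAL: {"encrypt_at_rest": True,  "need_to_know": True,  "retention_days": 2555},
    SecurityClass.TRADE_SECRET: {"encrypt_at_rest": True,  "need_to_know": True,  "retention_days": 3650},
}

@dataclass
class DataSet:
    name: str
    owner: str
    created: date
    classification: Optional[SecurityClass] = None     # None = no security metadata yet
    authorized_groups: set = field(default_factory=set)  # need-to-know groups (C2)

@dataclass
class User:
    name: str
    clearance: SecurityClass
    groups: set

def grant(ds: DataSet, group: str) -> None:
    ds.authorized_groups.add(group)

def revoke(ds: DataSet, group: str) -> None:
    ds.authorized_groups.discard(group)

def can_access(user: User, ds: DataSet) -> bool:
    """Deny by default: unclassified data is never released, the clearance must
    dominate the class, and need-to-know classes also require a group match."""
    if ds.classification is None or user.clearance < ds.classification:
        return False
    if BASELINE[ds.classification]["need_to_know"]:
        return bool(user.groups & ds.authorized_groups)
    return True

def lifecycle_action(ds: DataSet, today: date) -> str:
    """Retention decision driven by the class metadata (C3)."""
    if ds.classification is None:
        return "classify"
    limit = BASELINE[ds.classification]["retention_days"]
    age = (today - ds.created).days
    if age > limit:
        return "destroy"
    if age > limit - 30:        # within 30 days of expiry: owner review
        return "review"
    return "retain"

def metadata_coverage(datasets) -> float:
    """Percentage of data sources that carry security metadata."""
    if not datasets:
        return 0.0
    tagged = sum(1 for d in datasets if d.classification is not None)
    return round(100.0 * tagged / len(datasets), 1)

def classification_demo() -> dict:
    # Constructed sample data sets and users.
    today = date(2024, 3, 1)
    formula = DataSet("formula-db", "rnd", date(2014, 4, 1), SecurityClass.TRADE_SECRET, {"rnd-core"})
    payroll = DataSet("payroll", "hr", date(2023, 6, 1), SecurityClass.CONFIDENTIAL)
    intranet = DataSet("intranet-wiki", "it", date(2021, 1, 1), SecurityClass.INTERNAL)
    legacy = DataSet("legacy-share", "it", date(2010, 1, 1))    # never classified
    alice = User("alice", SecurityClass.TRADE_SECRET, {"rnd-core"})
    bob = User("bob", SecurityClass.CONFIDENTIAL, {"hr"})
    grant(payroll, "hr")
    bob_payroll_granted = can_access(bob, payroll)
    revoke(payroll, "hr")
    return {
        "alice_formula": can_access(alice, formula),
        "bob_formula": can_access(bob, formula),          # clearance too low
        "bob_payroll_granted": bob_payroll_granted,
        "bob_payroll_revoked": can_access(bob, payroll),  # revocation takes effect at once
        "bob_intranet": can_access(bob, intranet),
        "bob_legacy": can_access(bob, legacy),            # unclassified: denied
        "formula_action": lifecycle_action(formula, today),
        "intranet_action": lifecycle_action(intranet, today),
        "legacy_action": lifecycle_action(legacy, today),
        "coverage": metadata_coverage([formula, payroll, intranet, legacy]),
    }
```

The check deliberately treats missing metadata as "deny" rather than "public", so an unclassified legacy share becomes an access failure that forces classification instead of a silent disclosure; the `metadata_coverage` figure is the same percentage the Basic-level metric on this page asks for.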

D Business Continuity Management

D1 Business Continuity Planning

Provide information security advice to assist in the analysis of incidents and to ensure that data is secure before, during, and after the execution of the business continuity plan.

D2 Security Risk Management

Establish an approach to the profiling of security threats and the assessment, prioritization, treatment, and monitoring of security risks and vulnerabilities.

D3 Incident Management

Manage information security incidents and near misses. Establish incident response teams to identify and limit exposure, and to coordinate with regulatory bodies as appropriate. Undertake forensic analysis of incident-related data to establish the underlying causes and the business impact.

Overview

Goal & Objectives

An effective Information Security Management (ISM) capability aims to:

  • Develop and maintain information security approaches, policies, and controls to safeguard the organization's information and information held in its custody (both when it is stored and when it is being transmitted).
  • Provide assurance to stakeholders and regulators that information security approaches, policies, and controls function as intended.
  • Help employees maintain appropriate levels of understanding and awareness to reduce the occurrence and severity of information security incidents.
  • Ensure that all identified incidents, near misses, and suspected security weaknesses are appropriately investigated and addressed.
  • Ensure that the residual risk, that is the risk remaining after identified security threats have been analysed and mitigated, does not exceed the organization's risk appetite.
  • Balance the application of information security controls and compliance with regulatory/contractual obligations with the organization's ability to engage in innovative initiatives that may support growth and competitiveness.

Improvement Planning

Practices-Outcomes-Metrics (POM)

Representative POMs are described for ISM at each level of maturity.

2 Basic
  • Practice
    Establish an intelligence gathering and threat profiling process to identify information security threat levels and new threat types.
    Outcome
    There is greater awareness of emerging and recurring information security threats.
    Metric
    Number of preventive measures adopted in response to identified security threats.
  • Practice
    Implement security classifications in metadata for data life cycle management and access control.
    Outcome
    Data can be more reliably managed using metadata.
    Metrics
    • Number of security classes.
    • Percentage of data sources that have associated security metadata.
  • Practice
    Develop and begin to roll out some basic security training and development programmes.
    Outcome
    A growing information security awareness promotes good practices by employees.
    Metric
    Percentage of employees who have attended information security training.
3 Intermediate
  • Practice
    Specify security requirements for suppliers.
    Outcome
    Suppliers increasingly understand and consistently meet security requirements, reducing the risk of security breaches.
    Metric
    Person-hours expended on validating security protocols for new IT components and services.
  • Practice
    Define data security classes for data sets — for example, ‘trade secret’, ‘confidential’, ‘internal business use only’, or ‘public’.
    Outcome
    Appropriate levels of security can be applied consistently to business data, helping to ensure its protection and appropriate use.
    Metric
    Number of security classes supported at each architecture layer; in each IT service; and at each device type.
  • Practice
    Integrate the security management of IT infrastructure sites with facilities security management.
    Outcome
    Appropriate IT infrastructure sites are more secure and monitored appropriately.
    Metric
    Percentage of systems covered by uninterruptible power supplies.
  • Practice
    Audit the process for prioritizing and treating security risks.
    Outcome
    Prioritized security risks are reliably treated.
    Metric
    Percentage of prioritized security risks that have audited risk treatment strategies.
4 Advanced
  • Practice
    Check all devices, architecture layers, networks, applications, and storage systems for compliance with the required security features.
    Outcome
    Security features are deployed consistently, and the risk from weak links is reduced.
    Metric
    Percentage of applications and devices complying with recommended security features.
  • Practice
    Promote active membership of appropriate security forums and associations.
    Outcome
    The organization is kept abreast of security threats and security practices, and is better able to make decisions on security investments and the deployment of security resources.
    Metric
    Percentage of threats identified through security special interest groups or associations.
  • Practice
    Audit account usage and use real-time systems to detect any compromised accounts (user and administrative).
    Outcome
    There are fewer security violations and greater security vigilance among employees at all levels.
    Metrics
    • Number of employee security lapses and deliberate security violations.
    • Number of security issues detected by employees.
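The Advanced-level practice of auditing account usage with real-time detection of compromised accounts can be shown on authentication log lines. The following is an added example and not part of the framework: the log format (`timestamp user= src= role= result=`), the thresholds (five failures within ten minutes, two source addresses within five minutes, administrative logons outside 08:00 to 18:00 UTC) and the sample lines are all constructed assumptions chosen to illustrate the three detections.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format; a real deployment would parse its own IdP or
# directory audit records instead.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) role=(?P<role>\S+) result=(?P<result>\S+)$"
)

def parse(line: str):
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(lines, fail_threshold=5, window=timedelta(minutes=10),
           travel=timedelta(minutes=5), hours=(8, 18)):
    """Stream the lines once and emit (rule, user, src) alerts for:
    - a success following >= fail_threshold failures from the same (user, src)
      inside `window` (password spraying or brute force that succeeded);
    - two successful logons for one user from different sources within `travel`
      (credential in use from two places at once);
    - any administrative logon outside business hours (assumed UTC)."""
    alerts = []
    fails = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    last_success = {}            # user -> (ts, src) of most recent success
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue                               # unparsable line: skip, do not crash the detector
        key = (ev["user"], ev["src"])
        q = fails[key]
        while q and ev["ts"] - q[0] > window:      # drop failures outside the window
            q.popleft()
        if ev["result"] != "success":
            q.append(ev["ts"])
            continue
        if len(q) >= fail_threshold:
            alerts.append(("brute_force_success", ev["user"], ev["src"]))
        q.clear()
        prev = last_success.get(ev["user"])
        if prev and prev[1] != ev["src"] and ev["ts"] - prev[0] <= travel:
            alerts.append(("concurrent_sources", ev["user"], ev["src"]))
        if ev["role"] == "admin" and not (hours[0] <= ev["ts"].hour < hours[1]):
            alerts.append(("admin_off_hours", ev["user"], ev["src"]))
        last_success[ev["user"]] = (ev["ts"], ev["src"])
    return alerts

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T02:15:33Z user=svc_backup src=10.0.0.20 role=admin result=success
2024-03-01T09:00:12Z user=alice src=10.0.0.5 role=user result=success
2024-03-01T09:03:40Z user=alice src=198.51.100.9 role=user result=success
2024-03-01T09:10:01Z user=bob src=203.0.113.7 role=user result=fail
2024-03-01T09:10:05Z user=bob src=203.0.113.7 role=user result=fail
2024-03-01T09:10:09Z user=bob src=203.0.113.7 role=user result=fail
2024-03-01T09:10:13Z user=bob src=203.0.113.7 role=user result=fail
2024-03-01T09:10:17Z user=bob src=203.0.113.7 role=user result=fail
2024-03-01T09:10:21Z user=bob src=203.0.113.7 role=user result=success
2024-03-01T14:00:00Z user=carol src=10.0.0.8 role=admin result=success
garbage line that should be ignored
"""

def detect_sample():
    return detect(SAMPLE_LOG.splitlines())
```

Each alert is a candidate compromised account, which is what the Advanced-level practice asks to surface in real time; the counts of alerts confirmed as incidents feed the "employee security lapses and deliberate security violations" metric, while alerts that users themselves report first feed the second metric.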
5 Optimized
  • Practice
    Continually revise security policies and controls to reflect insights from the latest research, vendor recommendations, and legislative changes.
    Outcome
    Security policies and controls are continually refreshed to combat the latest security threats, and to optimize data and information security across all relevant jurisdictions.
    Metrics
    • Number and severity of security breaches resulting from previously unknown security vulnerabilities.
    • Number of security breaches prevented.
  • Practice
    Implement measures to record attempts to tamper with compliance verification data.
    Outcome
    Confidence in security compliance is increased.
    Metric
    Number of false positives regarding security compliance.
  • Practice
    Use sophisticated profiles and real-time monitoring in collaboration with business partners to detect intrusions and compromised accounts across the ecosystem.
    Outcome
    There are fewer security audit violations and greater security vigilance among employees and business partners at all levels.
    Metrics
    • Number of account security violations.
    • Number of security issues detected by an account holder.
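The Optimized-level practice of recording attempts to tamper with compliance verification data needs the verification records themselves to be tamper-evident, otherwise an insider can rewrite a failed check to "pass" and no attempt is ever recorded. The following is an added example and not code from the framework: it stores each verification record in an HMAC-authenticated hash chain and reports the first entry whose chain link or tag no longer verifies. The key, the control names and the records are constructed for illustration; in practice the key lives in a KMS or HSM outside the store being protected, and the chain head is published to a second system so that truncation of the tail is also caught.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

class ComplianceLedger:
    """Append-only ledger of compliance verification records.
    Each entry commits to its sequence number, its record and the tag of the
    previous entry, so editing, reordering or deleting an interior entry
    breaks every later link."""

    def __init__(self, key: bytes):
        self._key = key          # assumed to be held outside the ledger store
        self.entries = []

    def _tag(self, seq: int, record: dict, prev: str) -> str:
        payload = json.dumps({"seq": seq, "record": record, "prev": prev}, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, record: dict) -> str:
        seq = len(self.entries)
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        tag = self._tag(seq, record, prev)
        self.entries.append({"seq": seq, "record": record, "prev": prev, "tag": tag})
        return tag

    def verify(self, expected_head: str = None) -> int:
        """Return -1 if the ledger is intact, otherwise the index of the first
        bad entry. With `expected_head` (the last tag as published elsewhere)
        a truncated tail is reported as index len(entries)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return i
            if not hmac.compare_digest(e["tag"], self._tag(i, e["record"], e["prev"])):
                return i
            prev = e["tag"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return -1

def ledger_demo() -> dict:
    # Constructed key and records; control names are illustrative only.
    ledger = ComplianceLedger(b"constructed-demo-key-not-for-production")
    ledger.append({"control": "quarterly-access-review", "asset": "db-01", "result": "pass"})
    ledger.append({"control": "backup-restore-test", "asset": "db-01", "result": "fail"})
    head = ledger.append({"control": "firewall-rule-audit", "asset": "fw-edge", "result": "pass"})

    intact = ledger.verify(expected_head=head)

    # An insider rewrites the failed check to "pass": the tag no longer matches.
    ledger.entries[1]["record"]["result"] = "pass"
    edited = ledger.verify(expected_head=head)

    # Restore it, then drop the newest entry: the chain alone looks fine,
    # only the out-of-band head exposes the truncation.
    ledger.entries[1]["record"]["result"] = "fail"
    ledger.entries.pop()
    truncated_unanchored = ledger.verify()
    truncated_anchored = ledger.verify(expected_head=head)

    return {
        "intact": intact,
        "edited": edited,
        "truncated_unanchored": truncated_unanchored,
        "truncated_anchored": truncated_anchored,
    }
```

A non-negative result from `verify` is itself the "tamper attempt" event the practice asks to record; writing it to a separate alerting channel, rather than back into the same ledger, keeps the evidence of tampering out of the tamperer's reach. The unanchored truncation case shows why the chain needs an external anchor: a hash chain proves that nothing inside it was altered, not that nothing was cut off the end.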

Reference

History

This capability was introduced in Revision 18.01 as an update to Information Security Management (16).