Information Security Management
The Information Security Management (ISM) capability is the ability to manage approaches, policies, and controls that safeguard the integrity, confidentiality, accountability, usability, and availability of information.
Structure
ISM is made up of the following Categories and Capability Building Blocks (CBBs). Maturity and planning are described at both the Critical Capability (CC) level and the CBB level.
- A Governance
- A1 Information Security Principles, Policies, and Controls
Define the principles that underpin the organization's approach to information security management. Define the information security policies and controls to be put in place, taking into account relevant information security standards, legislative and regulatory compliance requirements, contractual obligations, information security objectives, and incident reports.
- A2 Information Security Strategy
Develop an information security strategic plan to define how the organization's information security objectives can be achieved, and put the plan into operation.
- A3 Governance Structures
Establish governance structures for information security management. Define the scope of information security management governance bodies, and outline decision rights and authorizations. Establish reporting arrangements, audit log designs, issue escalation protocols, and rules to govern and control the application of information security management authority within the organization.
- A4 Roles, Responsibilities, and Accountabilities
Identify the roles required for information security management tasks, and assign employees with the requisite knowledge and experience to those roles. Define the associated responsibilities and assign these to employees who will be accountable for ensuring that information security management objectives are met.
- A5 Skills and Competence Development
Put in place an information security management training curriculum and other employee development mechanisms to enhance the skills and competences of employees in this area.
- A6 Culture and Stakeholder Management
Establish a culture that is aware of information security management. Motivate stakeholders, secure their support for key information security management initiatives, and create a shared understanding of how they can help ensure that information security management objectives are met.
- A7 Security Performance Measurement
Monitor and report on the effectiveness and efficiency of the information security principles, policies, controls, strategy, and activities.
- A8 Supplier Security Requirements
Define security requirements for the procurement and supply of hardware, software, data, and cloud and other IT services to satisfy the information security strategy and objectives of the organization.
- B Technical Security
- B1 Security Architecture
Build security criteria into the design of IT solutions and services — for example, by defining secure coding standards, defence in depth, and the configuration of security features.
- B2 IT Device Security
Define, implement, and monitor measures to protect all IT devices and infrastructure, such as networks, servers, client computing devices, storage devices, printers, and smartphones.
- B3 Physical Infrastructure Security
Implement, monitor, and maintain measures to safeguard the IT physical infrastructure from threats including extremes of temperature, fire, flooding, malicious intent, and utility supply disruptions.
- C Security Data Administration
- C1 Data Security Classification
Define information security classes, and provide guidelines on the protection levels and access controls appropriate to each class.
- C2 Access Rights Management
Manage user access rights to information throughout its life cycle, including the granting, denying, and revoking of access privileges.
- C3 Data Life Cycle Management
Provide the security expertise and guidance to ensure that data throughout its life cycle is appropriately available, adequately preserved, and/or destroyed so that it meets business, regulatory, and/or other security requirements.
- D Business Continuity Management
- D1 Business Continuity Planning
Provide information security advice to assist in the analysis of incidents and to ensure that data is secure before, during, and after the execution of the business continuity plan.
- D2 Security Risk Management
Establish an approach to the profiling of security threats and the assessment, prioritization, treatment, and monitoring of security risks and vulnerabilities.
- D3 Incident Management
Manage information security-related incidents and near incidents. Establish incident response teams to identify and limit exposure, and to coordinate with regulatory bodies as appropriate. Undertake forensic analysis of incident-related data to establish the underlying causes and business impact of incidents.
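As an added illustration of C1 (Data Security Classification), C2 (Access Rights Management) and the audit log designs called for under A3, the following Python is example code written for this page, not IT-CMF material. It carries a security class as metadata on each data set, decides read/write access from a principal's clearance, group membership and revocation status, and appends every decision to a keyed hash chain so that a later edit or deletion of a record is detectable. The class ordering (using the example labels the page gives under the Intermediate practices), the clearance model, the key and all principals and data sets are constructed assumptions.

```python
"""Classification-labelled access decisions with a tamper-evident decision log.

Added example for this page; the class ordering, clearance model, record
format and sample data below are assumptions, not an IT-CMF specification.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Security classes ordered from least to most sensitive (assumed ordering).
CLASSES = ["public", "internal business use only", "confidential", "trade secret"]
RANK = {name: i for i, name in enumerate(CLASSES)}


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str   # one of CLASSES, carried as metadata with the data
    owner_group: str      # group allowed to modify the data set


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: str        # highest class this user may read
    groups: frozenset
    active: bool = True   # False once access has been revoked


def decide(principal, dataset, action):
    """Return (allowed, reason). Reads need sufficient clearance; writes also
    need membership of the owner group, so clearance alone never grants write."""
    if dataset.classification not in RANK or principal.clearance not in RANK:
        return False, "unknown classification"
    if not principal.active:
        return False, "principal revoked"
    cleared = RANK[principal.clearance] >= RANK[dataset.classification]
    if action == "read":
        return (True, "cleared") if cleared else (False, "insufficient clearance")
    if action == "write":
        if not cleared:
            return False, "insufficient clearance"
        if dataset.owner_group not in principal.groups:
            return False, "not in owner group"
        return True, "owner group and cleared"
    return False, "unknown action"


class DecisionLog:
    """Append-only log: each record carries the HMAC tag of its predecessor, so
    editing or removing a record invalidates it and every record after it.
    The key is held by the audit function, not by the system being audited."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []
        self._prev = "0" * 64

    def _tag(self, body):
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, principal, dataset, action, allowed, reason):
        body = {"user": principal.user, "dataset": dataset.name,
                "classification": dataset.classification, "action": action,
                "allowed": allowed, "reason": reason, "prev": self._prev}
        tag = self._tag(body)
        self.records.append({**body, "tag": tag})
        self._prev = tag
        return tag

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad record."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if body["prev"] != prev or not hmac.compare_digest(self._tag(body), rec["tag"]):
                return i
            prev = rec["tag"]
        return -1


def demo():
    """Constructed scenario: three decisions, then one record is altered."""
    log = DecisionLog(key=b"audit-verifier-key")       # constructed key
    alice = Principal("alice", "confidential", frozenset({"finance"}))
    bob = Principal("bob", "public", frozenset({"marketing"}))
    ledger = DataSet("q3-ledger", "confidential", "finance")
    outcomes = []
    for p, d, a in [(alice, ledger, "read"), (alice, ledger, "write"), (bob, ledger, "read")]:
        ok, why = decide(p, d, a)
        log.append(p, d, a, ok, why)
        outcomes.append(ok)
    intact = log.verify()                               # -1: chain is intact
    log.records[2]["allowed"] = True                    # flip bob's denial to an allow
    return outcomes, intact, log.verify()               # verify() now reports index 2


if __name__ == "__main__":
    print(demo())
```

Revocation is modelled as a flag on the principal rather than by deleting the principal, so a denied request after revocation still produces a log record that names the user. The verifier keeps only the HMAC key and the records; it does not need the access-control code to confirm that the log has not been altered.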
Overview
Goal & Objectives
An effective Information Security Management (ISM) capability aims to:
- Develop and maintain information security approaches, policies, and controls to safeguard the organization's information and information held in its custody (both when it is stored and when it is being transmitted).
- Provide assurance to stakeholders and regulators that information security approaches, policies, and controls function as intended.
- Help employees maintain appropriate levels of understanding and awareness to reduce the occurrence and severity of information security incidents.
- Ensure that all identified incidents, near incidents, and suspected security weaknesses are appropriately investigated and addressed.
- Ensure that the residual risk remaining after identified security threats have been analysed and mitigated does not exceed the organization's risk appetite.
- Balance the application of information security controls and compliance with regulatory/contractual obligations with the organization's ability to engage in innovative initiatives that may support growth and competitiveness.
Scope
Definition
The Information Security Management (ISM) capability is the ability to manage approaches, policies, and controls that safeguard the integrity, confidentiality, accountability, usability, and availability of information.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for ISM at each level of maturity.
- 2 Basic
- Practice
- Establish an intelligence gathering and threat profiling process to identify information security threat levels and new threat types.
- Outcome
- There is greater awareness of emerging and recurring information security threats.
- Metric
- Number of preventive measures adopted in response to identified security threats.
- Practice
- Implement security classifications in metadata for data life cycle management and access control.
- Outcome
- Data can be more reliably managed using metadata.
- Metrics
- Number of security classes.
- Percentage of data sources that have associated security metadata.
- Practice
- Develop and begin to roll out some basic security training and development programmes.
- Outcome
- A growing information security awareness promotes good practices by employees.
- Metric
- Percentage of employees who have attended information security training.
- 3 Intermediate
- Practice
- Specify security requirements for suppliers.
- Outcome
- Suppliers increasingly understand and consistently meet security requirements, reducing the risk of security breaches.
- Metric
- Person hours expended on validating security protocols for new IT components and services.
- Practice
- Define data security classes for data sets — for example, ‘trade secret’, ‘confidential’, ‘internal business use only’, or ‘public’.
- Outcome
- Appropriate levels of security can be applied consistently to business data, helping to ensure its protection and appropriate use.
- Metric
- Number of security classes supported at each architecture layer; in each IT service; and at each device type.
- Practice
- Integrate the security management of IT infrastructure sites with facilities security management.
- Outcome
- IT infrastructure sites are more secure and are monitored appropriately.
- Metric
- Percentage of systems covered by uninterruptable power supplies.
- Practice
- Audit the process for prioritizing and treating security risks.
- Outcome
- Prioritized security risks are reliably treated.
- Metric
- Percentage of prioritized security risks that have audited risk treatment strategies.
- 4 Advanced
- Practice
- Check all devices, architecture layers, networks, applications, and storage systems for compliance with security features.
- Outcome
- Security features are deployed consistently, and the risk from weak links is reduced.
- Metric
- Percentage of applications and devices complying with recommended security features.
- Practice
- Promote active membership of appropriate security forums and associations.
- Outcome
- The organization is kept abreast of security threats and security practices, and is better able to make decisions on security investments and the deployment of security resources.
- Metric
- Percentage of threats identified through security special interest groups or associations.
- Practice
- Audit account usage and use real-time systems to detect any compromised accounts (user and administrative).
- Outcome
- There are fewer security violations and greater security vigilance among employees at all levels.
- Metrics
- Number of employee security lapses and deliberate security violations.
- Number of security issues detected by employees.
- 5 Optimized
- Practice
- Continually revise security policies and controls to reflect insights from the latest research, vendor recommendations, and legislative changes.
- Outcome
- Security policies and controls are continually refreshed to combat the latest security threats, and to optimize data and information security across all relevant jurisdictions.
- Metrics
- Number and severity of security breaches resulting from previously unknown security vulnerabilities.
- Number of security breaches prevented.
- Practice
- Implement measures to record attempts to tamper with compliance verification data.
- Outcome
- Confidence in security compliance is increased.
- Metric
- Number of false positives regarding security compliance.
- Practice
- Use sophisticated profiles and real-time monitoring in collaboration with business partners to detect intrusions and compromised accounts across the ecosystem.
- Outcome
- There are fewer security audit violations and greater security vigilance among employees and business partners at all levels.
- Metrics
- Number of account security violations.
- Number of security issues detected by account holders.
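The Advanced and Optimized practices above call for auditing account usage and detecting compromised accounts in real time. The following Python is an added example for this page, not IT-CMF material or a vendor product: it runs two common detection rules over authentication events, a run of failed logins followed by a success within a short window, and successful logins for one user from two different countries within a travel window. The log line format, field names, thresholds and the sample log are constructed assumptions; the source addresses come from the documentation ranges reserved by RFC 5737.

```python
"""Two account-compromise detections over constructed authentication log lines.

Added example for this page. Line format, thresholds and sample events are
assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: "<ISO8601 UTC> user=<name> src=<ip> geo=<country> result=success|failure"
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse(line):
    """Return a dict for a well-formed event, or None for lines that are not auth events."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, fail_threshold=5, fail_window=timedelta(minutes=10),
           travel_window=timedelta(hours=1)):
    """Stream events (assumed time-ordered) and return a list of alert tuples."""
    alerts = []
    fails = defaultdict(deque)   # user -> timestamps of recent failures
    last_success = {}            # user -> (timestamp, geo) of the last success

    for ev in filter(None, map(parse, lines)):
        user, ts = ev["user"], ev["ts"]
        q = fails[user]
        while q and ts - q[0] > fail_window:   # drop failures outside the window
            q.popleft()
        if ev["result"] == "failure":
            q.append(ts)
            continue

        # Rule 1: a success preceded by a burst of failures suggests a guessed password.
        if len(q) >= fail_threshold:
            alerts.append(("brute_force_then_success", user, ts, len(q)))
        q.clear()

        # Rule 2: two successes from different countries too close together.
        prev = last_success.get(user)
        if prev and prev[1] != ev["geo"] and ts - prev[0] <= travel_window:
            alerts.append(("impossible_travel", user, ts, f"{prev[1]}->{ev['geo']}"))
        last_success[user] = (ts, ev["geo"])
    return alerts


# Constructed sample log: dave's account is guessed after five failures,
# carol appears in two countries twenty minutes apart, alice is normal.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=alice src=203.0.113.5 geo=IE result=success
2024-03-01T08:02:10Z user=dave src=198.51.100.7 geo=IE result=failure
2024-03-01T08:02:14Z user=dave src=198.51.100.7 geo=IE result=failure
2024-03-01T08:02:19Z user=dave src=198.51.100.7 geo=IE result=failure
2024-03-01T08:02:23Z user=dave src=198.51.100.7 geo=IE result=failure
2024-03-01T08:02:28Z user=dave src=198.51.100.7 geo=IE result=failure
2024-03-01T08:02:33Z user=dave src=198.51.100.7 geo=IE result=success
2024-03-01T09:00:00Z user=carol src=203.0.113.9 geo=IE result=success
2024-03-01T09:20:00Z user=carol src=192.0.2.44 geo=BR result=success
2024-03-01T12:00:00Z user=alice src=203.0.113.5 geo=IE result=success
this line is not an authentication event and is skipped
"""


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Both rules are deliberately simple so that the alerting metrics listed above (account security violations, issues detected) can be tied to a specific, reviewable condition; a production system would add per-source rate limits, a geo lookup in place of the pre-resolved `geo=` field, and handling for out-of-order events.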
Reference
History
This capability was introduced in Revision 18.01 as an update to Information Security Management (16).