Chapter 15
Service Design Processes: Information Security Management and Supplier Management

THE FOLLOWING ITIL INTERMEDIATE EXAM OBJECTIVES ARE DISCUSSED IN THIS CHAPTER:

  • ✓  Information security management and supplier management are discussed in terms of
    • Purpose
    • Objectives
    • Scope
    • Value
    • Policies
    • Principles and basic concepts
    • Process activities, methods, and techniques
    • Triggers, inputs, outputs, and interfaces
    • Information management
    • Critical success factors and key performance indicators
    • Challenges
    • Risks

 The ITIL service design publication covers the managerial and supervisory aspects of service design processes. It excludes the day-to-day operation of each process and the details of the process activities, methods, and techniques as well as its information management. More detailed process operation guidance is covered in the service capability courses. Each process is considered from the management perspective. That means at the end of this chapter, you should understand those aspects that would be required to understand each process and its interfaces, oversee its implementation, and judge its effectiveness and efficiency.

Information Security Management

Another of the key warranty aspects of a service is security, and it is this aspect that we will discuss in this part of the chapter. A service that is insecure will not deliver value to the customer and indeed may not be used by the customer at all.

ITIL defines information security management as “the management process within the corporate governance framework, which provides the strategic direction for security activities and ensures objectives are achieved.”

Central to information security management (ISM) is the identification and mitigation of risks to the security of the organization’s information. The ISM process ensures that all security aspects are considered and managed throughout the service lifecycle.

Organizations operate under an overall corporate governance framework, and information security management forms part of this framework. In accordance with organizational-wide governance, ISM provides guidance as to what is required, ensuring that risks are managed and the objectives of the organization are achieved.

Purpose of Information Security Management

The purpose of the information security management process is to align IT security with business security and to ensure that the confidentiality, integrity, and availability of the organization’s assets, information, data, and IT services always match the agreed needs of the business.

Objectives of Information Security Management

The objective of information security management is to protect the interests of those relying on information. It should also ensure that the systems and communications that deliver the information are protected from harm resulting from failures of confidentiality, integrity, and availability.

For most organizations, the security objective is met when the following conditions are satisfied:

  • Confidentiality, where information is observed by or disclosed to only those who have a right to know
  • Integrity, where information is complete, accurate, and protected against unauthorized modification
  • Availability, where information is available and usable when required and the systems that provide it can appropriately resist attacks and recover from or prevent failures
  • Business transactions, as well as information exchanges between enterprises or with partners, can be trusted. This is referred to as authenticity (the parties and the information are genuinely what they claim to be) and nonrepudiation (a party cannot later deny having sent, received, or carried out a transaction).

Scope of Information Security Management

The scope of ISM includes all aspects of information security that are important to the business. It is the responsibility of the business to define what requires protection and how strong this protection should be. Risks to security must be recognized, and appropriate countermeasures should be implemented. These may include physical aspects (restricting access to secure areas through swipe cards) as well as technical aspects (password policies, use of biometrics, and so on). Information security is an integral part of corporate governance.

The information security management process should be the focal point for all IT security issues. A key responsibility of the process is the production of an information security policy that is maintained and enforced and covers the use and misuse of all IT systems and services.

Information security management needs to understand the total IT and business security environment. Important aspects that must be included in the policy are the business security policy and plans along with the current business operation and its security requirements. Consideration must also be given to future business plans and requirements. External factors should also be included in the policy, such as legislative and regulatory requirements.

IT’s obligations and responsibilities with regard to security should be contained within the service level agreements with their customers. The policy should also include reference to the business and IT risks and their management.

The information security management process should include the production, maintenance, distribution, and enforcement of an information security policy and supporting security policies. This will include understanding the agreed current and future security requirements of the business and the existing business security policy and plans.

The process will be responsible for implementation of a set of security controls that support the information security policy. This will support the management of risks associated with access to services, information, and systems. Information security management is responsible for the documentation of all security controls together with the operation and maintenance of the controls and their associated risks.

In association with supplier management, the process will also address the management of suppliers and contracts regarding access to systems and services.

Operationally, information security management will be involved in the management of all security breaches, incidents, and problems associated with all systems and services. It will also be responsible for the proactive improvement of security controls and security risk management and the reduction of security risks.

Information security management is also responsible for the integration of security aspects within all other IT service management processes. In order to achieve effective information security governance, the process must establish and maintain an information security management system (ISMS).

Information Security Management Value to the Business

Security has become a critical issue for organizations as their reliance on IT systems increases and more electronic media is used for confidential transactions within and between organizations.

Information security management ensures that an information security policy that fulfills the needs of the business security policy and the requirements of corporate governance is maintained and enforced. The information security policy provides assurance of business processes by enforcing appropriate security controls in all areas of IT. The process is responsible for the management of IT risk in line with business and corporate risk management processes and guidelines.

Information Security Management Policies

Information security management activities should be focused on and driven by an overall information security policy and a set of underpinning specific security policies.

The information security policy should have the full support of top executive IT management and, ideally, the support and commitment of top executive business management as well. The policy should cover all areas of security, be appropriate, and meet the needs of the business.

Email usage policies, antivirus policies, and remote access policies are examples of specific security policies.

The information security management process is responsible for creating, managing, and maintaining an information security management system. The elements of the management system are shown in Figure 15.1. It begins with the identification of the customer requirements and business needs.

Diagram shows a cycle of activities which includes maintain, evaluate, implement, plan, and control of requirements, customers, and business needs.

Figure 15.1 Elements of an ISMS for managing IT security

Copyright © AXELOS Limited 2010. All rights reserved. Material is reproduced under license from AXELOS.

Planning the system incorporates use of the details and targets captured in the various agreements and contracts. It also covers use of the various policies agreed between the business and IT.

Implementation of the system requires awareness of the policies and the systems by all who are affected by them. This will need the engagement of all parts of the organization because the policies will cover everything from personnel security to the procedures for security incidents.

The next stage is evaluation: internal and external audits of the state of system security, supplemented where appropriate by self-assessments. Security incidents are also reviewed as part of this stage of managing the system.

Maintaining the system requires that the information security process captures the lessons learned so that improvements can be planned and implemented.

The overall approach is designed to maintain control and establish a framework for managing security throughout the organization. Part of this will be to allocate appropriate responsibilities for ensuring that the information security management system is maintained, within both the IT department and the rest of the organization.

Information Security Management Process Activities, Methods, and Techniques

We are not going to explore the process in detail, but you should make sure you are familiar with all the aspects of the process and the management requirements for each.

In Figure 15.2, you can see the full scope of the information security management process and its techniques and activities.

Diagram shows the activities associated with security management information system which contains information security policy, security reports and information, security controls, and security risks and responses.

Figure 15.2 Information security management

Copyright © AXELOS Limited 2010. All rights reserved. Material is reproduced under license from AXELOS.

The information security management process ensures that the security aspects are appropriately managed and controlled in line with business needs and risks.

A key activity within the information security management process is the production and maintenance of an overall information security policy and a set of supporting specific policies. The process is also responsible for the communication, implementation, and enforcement of the security policies, including the provision of advice and guidance to all other areas of the business and IT on all issues related to information security.

Information security management is responsible for the assessment and classification of all information assets and documentation. The process covers the implementation, review, revision, and improvement of a set of security controls as well as risk assessment and responses, including assessment of the impact of all changes on information security policies, controls, and measures. Where possible, if it is in the business interest and the cost is justifiable, the process should implement proactive measures to improve information security.

Monitoring and management of all security breaches and major security incidents is a key part of the information security management process. This includes the analysis, reporting, and reduction of the volume and impact of security breaches and incidents.

The process is also responsible for scheduling and completing security reviews, audits, and penetration tests. The outputs from the process will be captured and recorded in the security management information system.

Information Security Management Triggers, Inputs, and Outputs

Let’s consider the triggers, inputs, and outputs for the information security management process. Information security management is a process that has many active connections throughout the organization and its processes. It is important that the triggers, inputs, outputs, and interfaces be clearly defined to avoid duplicated effort or gaps in workflow.

Triggers

Information security management activity can be triggered by many events, including these:

  • New or changed corporate governance guidelines
  • New or changed business security policy
  • New or changed corporate risk management processes and guidelines
  • New or changed business needs and new or changed services
  • New or changed requirements within agreements, such as service level requirements, service level agreements, operational level agreements, and contracts
  • Review and revision of business and IT plans and strategies
  • Review and revision of designs and strategies
  • Service or component security breaches or warnings, events, and alerts, including threshold events and exception reports
  • Periodic activities such as reviewing, revising, and reporting, including reviewing and revising information security management policies, reports, and plans
  • Recognition or notification of a change of risk or impact of a business process or vital business functions, an IT service, or a component
  • Requests from other areas, particularly service level management, for assistance with security issues

Inputs

Information security management will need to obtain input from many areas:

  • Business information from the organization’s business strategy, plans and financial plans, and information on its current and future requirements
  • Governance and security from corporate governance and business security policies and guidelines, security plans, and risk assessment and responses
  • IT information from the IT strategy, plans, and current budgets
  • Service information from the SLM process with details of the services from the service portfolio
  • Risk assessment processes and reports from ISM, availability management, and ITSCM
  • Details of all security events and breaches—from all areas of IT and IT service management, especially incident management and problem management
  • Change information from the change management process
  • The configuration management system containing information on the relationships between the business, the services, supporting services, and the technology
  • Details of partner and supplier external access to services and systems from supplier management and availability management

Outputs

The following outputs are produced by the information security management process and used in all areas:

  • An overall information security management policy, together with a set of specific security policies
  • A security management information system (SMIS) containing all the information related to information security management
  • Revised security risk assessment processes and reports
  • A set of security controls with details of their operation and maintenance and their associated risks
  • Security audits and audit reports
  • Security test schedules and plans, including security penetration tests and other security tests and reports
  • A set of security classifications and a set of classified information assets
  • Reviews and reports of security breaches and major incidents
  • Policies, processes, and procedures for managing partners and suppliers and their access to services and information

Information Security Management Interfaces

The key interfaces that information security management has with other processes are as follows:

  • Service level management
  • Access management
  • Change management
  • Incident and problem management
  • IT service continuity management
  • Service asset and configuration management
  • Availability management
  • Capacity management
  • Financial management for IT services
  • Supplier management
  • Legal and human resources issues

Measures, Metrics, and Critical Success Factors for Information Security Management

The following list includes some sample critical success factors for information security management. Treat the breach-count KPIs with care: a fall in breaches reported to the service desk is only good news if reporting is actively encouraged, because the same figure can equally indicate under-reporting.

  • Critical success factor: “Business is protected against security violations.”
    • KPI: Decrease (measured as a percentage) in security breaches reported to the service desk
    • KPI: Decrease (measured as a percentage) in the impact of security breaches and incidents
  • Critical success factor: “The determination of a clear and agreed policy, integrated with the needs of the business.”
    • KPI: Decrease in the number of nonconformances of the information security management process with the business security policy and process
  • Critical success factor: “Effective marketing and education in security requirements, and IT staff awareness of the technology supporting the services.”
    • KPI: Increased awareness throughout the organization of the security policy and its contents
    • KPI: Increase (measured as a percentage) in completeness of supporting services against the IT components that make up those services
  • Critical success factor: “Clear ownership and awareness of the security policies among the customer community.”
    • KPI: Increase (measured as a percentage) in acceptable scores on security awareness questionnaires completed by customers and users

Challenges for Information Security Management

One of the biggest challenges is to ensure that there is adequate support from the business, business security, and senior management. It is pointless to implement security policies, procedures, and controls in IT if they cannot be enforced throughout the business. The major use of IT services and assets is outside of IT, and so are the majority of security threats and risks.

If there is a business security process established, then the challenge becomes alignment and integration. Once there is alignment, the challenge becomes keeping them aligned by management and control of changes to business methods and IT systems using strict change management and service asset and configuration management control. Again, this requires support and commitment from the business and from senior management.

Risks for Information Security Management

Information systems can generate many direct and indirect benefits, and as many direct and indirect risks. As a result, there are risk areas that could have a significant impact on critical business operations:

  • Increasing requirements for availability and robustness
  • Growing potential for misuse and abuse of information systems affecting privacy and ethical values
  • External dangers from hackers, leading to denial of service and virus attacks, extortion, industrial espionage, and leakage of organizational information or private data
  • A lack of commitment from the business
  • A lack of senior management commitment
  • The processes focusing too much on the technology issues and not enough on the IT services and the needs and priorities of the business
  • Conducting risk assessment and management in isolation and not in conjunction with availability management and ITSCM
  • Information security management policies, plans, risks, and information becoming out of date and losing alignment with the corresponding relevant information and plans of the business and business security
  • Security policies becoming bureaucratic and/or excessively difficult to follow, discouraging compliance
  • Security policies adding no value to business

Supplier Management

ITIL defines supplier management as the process responsible for obtaining value for money from suppliers, ensuring that all contracts and agreements with suppliers support the needs of the business and that all suppliers meet their contractual commitments.

The supplier management process describes best practices in managing suppliers to ensure that the services they provide meet expectations. It is included in the design phase of the service lifecycle because it is important that this aspect is considered while the service is being designed. The type of supplier relationship will be part of the strategy phase, and a close relationship with suppliers will be required for a successful service transition. Once the service is operational, the day-to-day delivery against the contract must be monitored and managed, and should there be any issues, the improvement plan will be the responsibility of continual service improvement.

Purpose of Supplier Management

The purpose of supplier management is to ensure that suppliers provide value for money. By managing suppliers, the service provider can ensure the best delivery of service to its customer. Managing suppliers ensures that the necessary contracts are in place and enforced.

Objectives of Supplier Management

The main objectives of the supplier management process are to obtain value for money from suppliers and contracts and ensure that contracts with suppliers are aligned to business needs. These contracts should support and align with agreed targets in service level requirements and service level agreements in conjunction with service level management.

Scope of Supplier Management

The supplier management process should include the management of all suppliers and contracts needed to support the provision of IT services to the business. Each service provider should have formal processes for the management of all suppliers and contracts.

The supplier management process should include implementation and enforcement of the supplier policy, including maintenance of a supplier and contract management information system (SCMIS). It is important to ensure that suppliers and contracts are categorized and a risk assessment is carried out. Suppliers and contracts need to be evaluated and selected so that the appropriate suppliers are engaged.

A key part of the process is developing, negotiating, and agreeing of contracts, including contract review, renewal, and termination. This is part of the management of suppliers and supplier performance.

The process will also identify improvement opportunities for inclusion in the CSI register and the implementation of service and supplier improvement plans.

Supplier management will also manage the maintenance of standard contracts, terms and conditions, contractual dispute resolution, and, where applicable, the engagement of subcontracted suppliers.

IT supplier management often has to comply with organizational or corporate standards, guidelines, and requirements, particularly those of corporate legal, finance, and purchasing.

Supplier Management Value to the Business

The process will manage relationships with suppliers and monitor and manage supplier performance. Supplier management is responsible for the negotiation and agreement of contracts with suppliers and managing them through their lifecycle. This is assisted by the development and maintenance of a supplier policy and a supporting supplier and contract management information system (SCMIS).

This is to ensure the delivery to the business of end-to-end, seamless, quality IT services that are aligned to the business’s expectations. The supplier management process should align with all corporate requirements and the requirements of all other IT and service management processes, particularly information security management and IT service continuity management. This ensures that the business obtains value from supporting supplier services and that they are aligned with business needs.

Supplier Management Principles, Policies, and Basic Concepts

The supplier management process attempts to ensure that suppliers meet the terms, conditions, and targets of their contracts while trying to increase the value for money obtained from suppliers and the services they provide.

All supplier management process activity should be driven by a supplier strategy and policy from service strategy. The supplier strategy, sometimes called the sourcing strategy, defines the service provider’s plan for how it will leverage the contribution of suppliers in the achievement of the overall service strategy. Some organizations might adopt a strategy that dictates the use of suppliers only in very specific and limited circumstances, while other organizations might choose to make extensive use of suppliers in IT service provision. In Figure 15.3, you can see the engagement of the process with the contracts manager and the various supplier managers in the organization.

Diagram shows the relation between subcontracted suppliers, suppliers, and service provider elements such as supplier management process owner, contracts manager, and supplier managers.

Figure 15.3 Supplier management roles and interfaces

Copyright © AXELOS Limited 2010. All rights reserved. Material is reproduced under license from AXELOS.

You can also see the interaction with finance and purchasing and the legal department, all of which are important when engaging with third parties outside of the main organization.

You can see the management of the services provided by or supported by the suppliers and their subcontracted partners.

Supplier Management Process, Methods, and Techniques

The process should be subject to the corporate supplier management policy, but an IT supplier strategy should be developed to manage the specific requirements for IT service delivery. Figure 15.4 shows the main activities of the supplier management process.

Image described by surrounding text.

Figure 15.4 Supplier management process

Copyright © AXELOS Limited 2010. All rights reserved. Material is reproduced under license from AXELOS.

Once the requirements for suppliers have been defined as part of the overall approach to the delivery of a service, the supplier management process needs to evaluate the appropriate suppliers and ensure that the contracts are fit for purpose and use. It is important to establish relationships with new suppliers and ensure that there are the appropriate measures and management in place to monitor supplier performance. All contracts should have references to renewal and termination, which should be included in regular reviews of the contract.

All information, reports, and measures should be stored in the supplier and contract management information system (SCMIS).

It is important for the supplier management process to understand the importance of the suppliers to the organization. This requires that the suppliers are categorized according to their value and importance and according to the risk of the supplier not performing as contracted and the impact to the organization if that happens. There are four layers of categorization:

Strategic For significant “partnering” relationships that involve senior managers sharing confidential strategic information to facilitate long-term plans. These relationships would normally be managed and owned at a senior management level within the service provider organization and would involve regular and frequent contact and performance reviews.

Tactical For relationships involving significant commercial activity and business interaction. These relationships would normally be managed by middle management and would involve regular contact and performance reviews, often including an ongoing improvement program.

Operational For suppliers of operational products or services. These relationships would normally be managed by junior operational management and would involve infrequent but regular contact and performance reviews.

Commodity For suppliers providing low-value and/or readily available products and services, which could be alternatively sourced relatively easily.

Supplier Management Triggers, Inputs, and Outputs

We will now review the triggers, inputs, and outputs of supplier management.

Triggers

There are many events that could trigger supplier management activity:

  • New or changed corporate governance guidelines
  • New or changed business and IT strategies, policies, and plans
  • New or changed business needs and new or changed services
  • New or changed requirements within agreements, such as service level requirements, service level agreements, operational level agreements, and contracts
  • Review and revision of designs and strategies
  • Periodic activities such as reviewing, revising, and reporting, including review and revision of supplier management policies, reports, and plans
  • Requests from other areas, particularly SLM and information security management, for assistance with supplier issues
  • Requirements for new contracts, contract renewal, or contract termination
  • Recategorization of suppliers and/or contracts

Inputs

There are numerous inputs to the supplier management process:

  • Business information
  • Supplier and contracts strategy
  • Supplier plans and strategies
  • Supplier contracts, agreements, and targets
  • Supplier and contract performance information
  • IT information
  • Performance issues
  • Financial information
  • Service information
  • The configuration management system (CMS)

Outputs

The outputs of supplier management are used within all other parts of the process, by many other processes, and by other parts of the organization.

The information provided by supplier management is as follows:

  • The supplier and contract management information system (SCMIS)
  • Supplier and contract performance information and reports
  • Supplier and contract review meeting minutes
  • Supplier service improvement plans (SIPs)
  • Supplier survey reports

Supplier Management Interfaces

The following list includes the key interfaces that supplier management has with other processes:

Service Level Management Supplier management provides assistance with determining targets, requirements, and responsibilities for suppliers. SLM assists supplier management in the investigation of SLA and SLR breaches caused by poor supplier performance. SLM also provides invaluable input into the supplier management review process.

Change Management Contractual documents should be managed through change control.

Information Security Management Information security management relies on supplier management for the management of suppliers and their access to services and systems as well as their responsibilities with regard to conformance to the service provider’s ISM policies and requirements.

Financial Management for IT Services This process provides adequate funds to finance supplier management requirements and contracts and provides financial advice and guidance on purchase and procurement matters.

Service Portfolio Management This process looks to supplier management input to ensure that all supporting services and their details and relationships are accurately reflected within the service portfolio.

IT Service Continuity Management This process works with supplier management with regard to the management of continuity service suppliers.

Information Management

The information required by supplier management should be stored in the supplier and contract management information system (SCMIS).

All information relating to suppliers and contracts as well as all information relating to the operation of the supporting services provided by suppliers should be held in the system. Information relating to these supporting services should also be contained within the service portfolio, together with information on their relationships to all other services and components. This information should be integrated and maintained in alignment with all other IT management information systems, particularly the service portfolio and the CMS.

Supplier Management Critical Success Factors and KPIs

The following list includes some sample critical success factors for supplier management.

  • Critical success factor: “Business protected from poor supplier performance or disruption.”
    • KPI: Increase in the number of suppliers meeting the targets within the contract
    • KPI: Reduction in the number of breaches of contractual targets
  • Critical success factor: “Supporting services and their targets align with business needs and targets.”
    • KPI: Increase in the number of service and contractual reviews held with suppliers
    • KPI: Increase in the number of supplier and contractual targets aligned with SLA and SLR targets
  • Critical success factor: “Availability of services is not compromised by supplier performance.”
    • KPI: Reduction in the number of service breaches caused by suppliers
    • KPI: Reduction in the number of threatened service breaches caused by suppliers

Supplier Management Challenges and Risks

We’ll begin by looking at the key challenges for the process.

Challenges

Supplier management faces many challenges, which could include the following examples:

  • Continually changing business and IT needs and managing significant changes in parallel with delivering existing services
  • Working with an imposed contract that’s not ideal, a contract that has poor targets or terms and conditions, or a contract with a poor or nonexistent definition of service or supplier performance targets, including those that have punitive penalty charges for early exit
  • Legacy issues, especially with services recently outsourced
  • Insufficient expertise retained within the organization
  • Disputes over charges
  • Interference by either party in the running of the other’s operation
  • Being caught in a daily firefighting mode, losing the proactive approach
  • Poor communication, such as not interacting often enough or quickly enough or not focusing on the right issues, including personality conflicts and/or cultural conflicts
  • One party using the contract to the detriment of the other party, resulting in win-lose changes rather than joint win-win changes
  • Losing the strategic perspective, focusing solely on operational issues

Risks

The major areas of risk associated with supplier management are as follows:

  • Lack of commitment from the business and senior management to the supplier management process and procedures
  • Lack of appropriate information on future business and IT policies, plans, and strategies
  • Lack of resources and/or budget for the supplier management process
  • Legacy of badly written and agreed contracts that do not underpin or support business needs or SLA and SLR targets
  • Supplier personnel or organizational culture that’s not aligned to that of the service provider or the business
  • Lack of clarity and integration by supplier with service management processes, policies, and procedures of the service provider
  • Poor corporate financial processes, such as procurement and purchasing, that do not support good supplier management

Summary

This chapter explored the next two processes in the service design stage, information security management and supplier management. It covered the purpose and objectives for the processes and their scope.

We looked at the value of the processes. Then we reviewed the policies for each process and the activities, methods, and techniques.

Last, we reviewed triggers, inputs, outputs, and interfaces for each process and the information management associated with it. We also considered the critical success factors and key performance indicators, challenges, and risks for the processes.

We examined how each of these processes supports the other and the importance of these processes to the business and the IT service provider.

Exam Essentials

Understand the purpose and objectives of information security management and supplier management. It is important for you to be able to explain the purpose and objectives of the information security management and supplier management processes.

Information security management is concerned with the protection of information and data according to the security requirements of the business.

Supplier management should ensure that value for money is obtained from all contractual relationships with external organizations.

Understand the approach to security management. Plan, implement, evaluate, maintain, and control—ensure that you can explain how each of these stages supports the approach to the management of information security.

Understand the process of information security management. Ensure that you are able to explain the various steps of the process and their relationship to the information security management system.

Explain and differentiate between the different stages of supplier management. Understand the importance of contract negotiation and the implementation of the supplier policy.

Understand the critical success factors and key performance indicators for the processes. Measurement of the processes is an important part of understanding their success. You should be familiar with the CSFs and KPIs for both information security management and supplier management.

Review Questions

You can find the answers to the review questions in the appendix.

  1. Which of the following are responsibilities of information security management?

    1. Defining the protection required for systems and data
    2. Undertaking risk assessments
    3. Producing the information security policy
    4. Implementing security measures to new systems during service transition

    A. 1 and 2 only
    B. All of the above
    C. 1, 2, and 3
    D. 2, 3, and 4

  2. Where does information security management keep information about security?

    A. SMIS
    B. IMSS
    C. KEDB
    D. ISDB

  3. Which of the following are responsibilities of supplier management?

    1. Negotiating with internal suppliers
    2. Negotiating with external suppliers
    3. Monitoring delivery against the contract
    4. Ensuring value for money

    A. 1 and 2 only
    B. All of the above
    C. 1, 2, and 3
    D. 2, 3, and 4

  4. Which of the following are categories of suppliers described in ITIL?

    1. Strategic
    2. Operational
    3. Trusted
    4. Commodity

    A. 1 and 2 only
    B. All of the above
    C. 1, 2, and 4
    D. 2, 3, and 4

  5. Which of these is the key purpose of the information security management process?

    A. Create and maintain an information security policy
    B. Deliver guidance to the operational processes on security issues
    C. Support supplier management in maintaining security concerns in contracts
    D. Manage the information security management information system

  6. To demonstrate their priority, suppliers are categorized according to which factors?

    A. Risk and importance / value and impact
    B. Cost and importance / risk and value
    C. Risk and impact / value and importance
    D. Value and cost / risk and probability

  7. Which of these statements is/are correct?

    1. Plan is a key part of the approach to information security management.
    2. Maintain is a key part of the approach to information security management.

    A. Statement 1 only
    B. Statement 2 only
    C. Both statements
    D. Neither statement

  8. True or False? Supplier management has a significant relationship with service level management.

    A. True
    B. False

  9. Which of these statements is incorrect about supplier management?

    A. Third-party contracts should contain information about operational level agreements with customers.
    B. Contracts with external third parties should contain information about renewal.
    C. Contracts with external third parties should contain information about penalties and financial benefits.
    D. Third-party contracts should contain information about security requirements for delivery of services.

  10. Which of these statements is/are correct?

    1. Information about supplier policies is held in the SCMIS.
    2. Supplier contracts are held in the SCMIS.

    A. Statement 1 only
    B. Statement 2 only
    C. Both statements
    D. Neither statement