Information security is an important aspect of business and technology. It involves the prevention of information security threats, which may come from a number of sources, including insider threats, external threats, internal threats and even the misappropriation of information by businesses and other organizations. This article focuses on one aspect of information security management: the identification and planning of strategic goals and objectives.
Information security management refers to the set of processes and policies that organizations use to protect their information assets from security threats and liabilities. Responsibility for information security can be assigned to an individual, to a group, or to a committee. The responsibilities and duties may include the development and implementation of controls, the maintenance of controls, or the training of personnel involved in information security management.
A business or organization's information security management system is not complete without a full set of risk management activities. One such activity is the identification and assessment of the level of risk associated with the organization's information assets. The level of risk should then be compared to the objectives of the organization. The results of this comparison may be used to determine the amount of funding required to mitigate the risk, as well as the manner in which the risks may best be mitigated.
In some cases organizations may not wish to apply information security management controls to certain information assets. For example, there may be customer data that is confidential or protected. In such cases it is not necessary to apply controls to the assets directly.
Instead, organizations store customer data in remote locations, with off-site storage service providers or on third-party network servers. Such off-site storage providers are responsible for data security, including backup and recovery. Information security managers apply the appropriate level of controls to the off-site stored data to ensure that it is kept secure at all times.
There are multiple threats to information security in organizations today, including intrusions from the outside, attacks by internal sources and employee negligence. Because these threats do not always directly affect the employees of an organization, information security management systems do not always apply the appropriate controls; often they address only external threats, those that originate from outside the organization. However, intrusions from the outside may involve improper security clearance procedures, including lax access to sensitive information and an unwillingness to comply with reasonable safeguards.
While the level of threat may not directly affect the employees of an organization, the information assets they store are also a significant asset. These information assets may include sensitive and classified information, such as financial records. Employees may use the information in a manner that compromises their safety and privacy. Organizations may require information security management systems to apply controls to protect information assets. They may also need to protect their information assets from employees who misuse them or from other unauthorized users. Information security management systems may require information assets to be backed up on a regular basis so that they can be retrieved if needed.
Information security management also requires that organizations maintain confidentiality controls. Confidentiality controls prevent employees and executives from releasing information that is not relevant to the organization. Organization-wide information security management plans may include policies and procedures for handling confidential information securely. Organizations also need to develop and implement rules for the transfer of confidential information to authorized personnel. Information security policies and procedures also need to cover third-party information security liabilities.
To be effective, information security management must address all of these issues. Organizations may apply the strategies and techniques that they have developed in relation to their own needs. Organizations may also hire consultants to assist them in implementing information security policies and procedures. Finally, organizations may require information security management systems to perform risk assessment. The goal of a risk assessment is to identify where vulnerabilities may arise and how to mitigate them.