Security Management

• Security Management

https://store.theartofservice.com/the-security-management-toolkit.html

IT risk management - Organization for security management

1 The set up of the organization in charge of risk management is

foreseen as partially fulfilling the requirement to provide the resources

needed to establish, implement, operate, monitor, review, maintain

and improve an ISMS. The main roles inside this organization are:



1 the business and functional managers



1 the Information System Security Officer (ISSO) or Chief information security officer

(CISO)



1 IT Security Practitioners


Information Technology Infrastructure Library - Information security management system

1 The ITIL-process Security Management describes the

structured fitting of information security in the management

organization. ITIL security management is based on the code of

practice for information security management system (ISMS) now

known as ISO/IEC 27002.https://store.theartofservice.com/the-security-management-toolkit.html


1 A basic goal of security management is to ensure adequate information security. The

primary goal of information security, in turn, is to protect information assets against risks,

and thus to maintain their value to the organization. This is commonly expressed in

terms of ensuring their confidentiality, integrity and availability, along with related

properties or goals such as authenticity, accountability, non-repudiation and reliability.



1 Mounting pressure for many organizations to structure their

information security management systems in accordance with ISO/IEC

27001 requires revision of the ITIL v2 security management volume, which culminated in the release of the 2007

edition.


Network security - Security management

1 Security management for networks is different for all kinds of situations. A

home or small office may only require basic security while large

businesses may require high-maintenance and advanced software and hardware to prevent malicious

attacks from hacking and spamming.


Business continuity - Security management

1 In today's global business environment, security must be the top priority in

managing Information Technology. For most organizations, security is mandated

by law, and conformance to those mandates is investigated regularly in the

form of audits. Failure to pass security audits can have financial and

management changing impacts upon an organization.


Security - Security management in organizations

1 In the corporate world, various aspects of security were historically addressed

separately - notably by distinct and often noncommunicating departments for IT security, physical security, and fraud prevention. Today there is a greater

recognition of the interconnected nature of security requirements, an approach

variously known as holistic security, "all hazards" management, and other terms.



1 Inciting factors in the convergence of security disciplines include the development of digital video

surveillance technologies (see Professional video over IP) and the

digitization and networking of physical control systems (see

SCADA)



1 Although the title supply chain is included, this Standard specifies the

requirements for a security management system, including those aspects critical to security assurance

for any organisation or enterprise wishing to management the security of the organisation and its activities


Information security management

1 Information security

management



1 Information security (ISec) describes activities that relate to the protection

of information and information infrastructure assets against the risks

of loss, misuse, disclosure or damage. Information security management (ISM) describes

controls that an organization needs to implement to ensure that it is sensibly managing these risks.



1 The risks to these assets can be calculated by analysis of the following issues:



1 Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets



1 Vulnerabilities. How susceptible your assets

are to attack



1 Impact. The magnitude of the potential loss or the seriousness of the

event.



1 Standards that are available to assist organizations implement the appropriate programmes and

controls to mitigate these risks are for example BS7799/ISO 17799,

Information Technology Infrastructure Library and COBIT.


ITIL security management

1 The ITIL security management process describes the structured

fitting of security in the management organization.



1 ISO/IEC 27001:2005 specifies the requirements for establishing,

implementing, operating, monitoring, reviewing, maintaining and

improving a documented Information Security Management System within

the context of the organization's overall business risks.



1 It specifies requirements for the implementation of security controls

customized to the needs of individual organizations or parts thereof.



1 ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties."



1 A basic concept of security management is the information

security.



1 The primary goal of information security is to guarantee safety of

information. When protecting information it is the value of the

information that must be protected.



1 These values are stipulated by the confidentiality, integrity and availability.



1 The goal of the Security Management is split up in two

parts:



1 The realization of the security requirements defined in the service

level agreement (SLA) and other external requirements which are

specified in underpinning contracts, legislation and possible internal or

external imposed policies.



1 The realization of a basic level of security.



1 This is necessary to guarantee the continuity of the management organization.



1 This is also necessary in order to reach a simplified service-level

management for the information security, as it happens to be easier

to manage a limited number of SLAs than it is to manage a large number

of SLAs.



1 The input of the security management process is formed by the SLAs with the specified security requirements, legislation documents (if applicable) and other (external)

underpinning contracts.



1 These requirements can also act as key performance indicators (KPIs) which can be used for the process

management and for the justification of the results of the security

management process.



1 The output gives justification information to the realization of the SLAs and a report with deviations

from the requirements.



1 The security management process has relations with almost all other ITIL-processes.



1 However, in this particular section the most obvious relations will be the

relations to the service level management process, the incident

management process and the Change Management process.


ITIL security management - The security management process

1 The security management process consists of activities that are carried

out by the security management itself or activities that are controlled

by the security management.



1 Because organizations and their information systems constantly change, the activities within the

security management process must be revised continuously, in order to

stay up-to-date and effective. Security management is a

continuous process and it can be compared to W. Edwards Deming's

Quality Circle (Plan, Do, Check, Act).https://store.theartofservice.com/the-security-management-toolkit.html


1 The inputs are the requirements which are formed by the

clients



1 The activities, results/products and the process are documented. External reports

are written and sent to the clients. The clients are then able to adapt their

requirements based on the information received through the reports. Furthermore, the service provider can adjust their plan or

the implementation based on their findings in order to satisfy all the requirements stated in

the SLA (including new requirements).


ITIL security management - Control

1 The first activity in the security management process is the “Control” sub-process. The Control sub-process organizes and manages the security

management process itself. The Control sub-process defines the

processes, the allocation of responsibility the policy statements and the management framework.



1 The security management framework defines the sub-processes for: the development of security plans, the

implementation of the security plans, the evaluation and how the results of

the evaluations are translated into action plans. Furthermore, the

management framework defines how should be reported to clients.



1 The activities that take place in the Control process are summed up in the following table, which contains

the name of the (sub) activity and a short definition of the activity.



1 Activities Sub-Activities

Descriptions



1 Control Implement policies This process outlines the specific

requirements and rules that have to be met in order to implement

security management. The process ends with policy statement.



1 Setup the security organizationThis process sets up the organizations for information security. For example in

this process the structure the responsibilities are set up. This

process ends with security management framework.



1 Reporting In this process the whole targeting process is

documented in a specific way. This process ends with reports.



1 The meta-modeling technique was used in order to model the activities of the control

sub-process



1 Furthermore, it is noticeable that the first two activities are not linked with an arrow and that there is a black stripe with an arrow

leading to the reporting activity. This means that the two first activities are not sequential. They are unordered activities and after these two activities have taken place the reporting activity will sequentially follow. For a more

extensive explanation of the meta-modeling technique consult the Meta-modeling wiki.



1 CONTROL DOCUMENTS CONTROL is a description of how SECURITY

MANAGEMENT will be organized and how it will be managed.



1 POLICY STATEMENTS POLICY STATEMENTS are documents that outlines specific requirements or

rules that must be met. In the information security realm, policies

are usually point-specific, covering a single area. For example, an

“Acceptable Use” policy would cover the rules and regulations for

appropriate use of the computing facilities.https://store.theartofservice.com/the-security-management-toolkit.html


1 SECURITY MANAGEMENT FRAMEWORK SECURITY

MANAGEMENT FRAMEWORK is an established management framework

to initiate and control the implementation of information

security within your organization and to manage ongoing information

security provision.https://store.theartofservice.com/the-security-management-toolkit.html


1 The meta-data model of the control sub-process is based on a UML class diagram. In figure 2.1.2 is the meta-

data model of the control sub-process.



1 The CONTROL rectangle with a white shadow is an open complex concept.

This means that the CONTROL rectangle consists of a collection of (sub) concepts and these concepts

are expanded in this particular context.


ITIL security management - Plan

1 The Plan sub-process contains activities that in cooperation with the

Service Level Management lead to the (information) Security section in

the SLA.



1 Furthermore, the Plan sub-process contains activities that are related to the underpinning contracts which are

specific for (information) security.



1 In the Plan sub-process the goals formulated in the SLA are specified in

the form of Operational Level Agreements (OLA).



1 These OLA’s can be defined as security plans for a specific internal

organization entity of the service provider.



1 Besides the input of the SLA, the Plan sub-process also works with the policy statements of the service

provider itself.



1 As said earlier these policy statements are defined in the control sub-process.



1 The Operational Level Agreements for information security are set up and implemented based on the ITIL

process.



1 For example if the security management wishes to change the IT

infrastructure in order to achieve maximum security, these changes

will only be done through the Change Management process.



1 The Security Management will deliver the input (Request for change) for this change.



1 PlanCreate Security section for SLAThis process contains activities that

lead to the security agreements paragraph in the service level

agreements.



1 At the end of this process the Security section of the service level agreement is created.



1 Create underpinning Contracts This process contains activities that lead

to UNDERPINNING CONTRACTS.



1 These contracts are specific for security.



1 Create Operational level agreementsThe general formulated goals in

the SLA are specified in operational level agreements.



1 plans for specific organization units.



1 Reporting In this process the whole Create plan process is documented in a specific way.



1 As well as for the Control sub-process the Plan sub-process has been

modeled using the meta-modeling technique.



1 On the right side of figure 2.2.1 the meta-process model of the Plan sub-process is

given.



1 As you can see the Plan sub-process consists of a combination of unordered and ordered (sub)

activities.



1 Furthermore, it is noticeable that the sub-process contains three complex

activities which are all closed activities and one standard activity.



1 Table 2.2.1 consists of concepts that are created or adjusted during the plan sub-

process.



1 PLAN Formulated schemes for the

security agreements.



1 Security section of the security level agreements The security

agreements paragraph in the written agreements between a Service

Provider and the customer(s) that documents agreed Service Levels for

a service.



1 UNDERPINNING CONTRACTS A contract with an external supplier covering delivery of services that

support the IT organisation in their delivery of services.



1 OPERATIONAL LEVEL AGREEMENTSAn internal agreement covering the delivery of services which support

the IT organization in their delivery of services.



1 The two closed concepts are not expanded in this particular

context.



1 The following picture (figure 2.2.1) is the process-data diagram of the Plan sub-process.



1 This picture shows the integration of the two models.



1 The dotted arrows indicate which concepts are created or adjusted in the corresponding activities of the

Plan sub-process.


ITIL security management - Implementation

1 The Implementation sub-process makes sure that all measures, as

specified in the plans, are properly implemented.



1 During the Implementation sub-process no (new) measures are defined nor changed.



1 The definition or change of measures will take place in the Plan sub-process in cooperation with the Change Management Process.



1 The activities that take place in the implementation sub-process are summed up in the following table

(table 2.3.1).



1 The table contains the name of the (sub) activity and a short definition of the activity.



1 Implement Classifying and managing of IT applications

Process of formally grouping configuration items by type, e.g.,

software, hardware, documentation, environment, application.



1 Process of formally identifying changes by type e.g., project scope change request, validation change

request, infrastructure change request this process leads to asset

classification and control documents.



1 Implement personnel security Here measures are adopted in order to

give personnel safety and confidence and measures to prevent a

crime/fraud.



1 Implement security management In this process specific security

requirements and/or security rules that must be met are outlined and

documented.



1 Implement access control In this process specific access security

requirements and/or access security rules that must be met are outlined

and documented.



1 Reporting In this process the whole implement as planned process is documented

in a specific way.



1 Table 2.3.1: (Sub) activities and descriptions Implementation sub-process ITIL Security

Management



1 The left side of figure 2.3.1 is the meta-process model of the Implementation phase.



1 The four labels with a black shadow mean that these activities are closed concepts and they are not expanded

in this context.



1 It is also noticeable that there are no arrows connecting these four

activities this means that these activities are unordered and the

reporting will be carried out after the completion of al the four activities.



1 During the implementation phase there are a number of concepts that are created and /or

adjusted.



1 Implementation Accomplished security management according to the security

management plan.



1 Asset classification and control documents A comprehensive

inventory of assets with responsibility assigned to ensure that

effective security protection is maintained.



1 Personnel security Well defined job descriptions for all staff outlining

security roles and responsibilities.



1 Security policies Security policies are documents that outlines specific

security requirements or security rules that must be met.



1 Access control Network management to ensure that only

those with the appropriate responsibility have access to

information in the networks and the protection of the supporting

infrastructure.



1 Table 2.3.2: Concept and definition Implementation sub-process Security

management



1 The concepts created and/or adjusted are modeled using the meta-modeling technique.



1 The right side of figure 2.3.1 is the meta-data model of the implementation sub-process.



1 The implementation documents are an open concept and is expanded upon in this context.



1 It consists of four closed concepts which are not expanded because

they are irrelevant in this particular context.



1 In order to make the relations between the two models clearer the

integration of the two models are illustrated in figure 2.3.1.



1 The dotted arrows running from the activities to the concepts illustrate

which concepts are created/ adjusted in the corresponding activities.



1 Figure 2.3.1: Process-data model

Implementation sub-process


ITIL security management - Evaluation

1 The evaluation of the implementation and the plans is very important.



1 The evaluation is necessary to measure the success of the implementation and the

Security plans.



1 The evaluation is also very important for the clients (and possibly third parties).



1 The results of the Evaluation sub-process are used to maintain the

agreed measures and the implementation itself.



1 Evaluation results can lead to new requirements and so lead to a Request for

Change.



1 The request for change is then defined and it is then send to the Change Management

process.



1 Mainly there are three sorts of evaluation; the Self-assessment; internal audit, and external audit.



1 The self-assessment is mainly carried out in the organization of the processes.



1 The internal audits are carried out by internal IT-auditors and the external audits are carried out by external

independent IT-auditors.



1 Besides, the evaluations already mentioned an evaluation based on

the communicated security incidents will also take place.



1 The most important activities for this evaluation are the security

monitoring of IT-systems; verify if the security legislation and the

implementation of the security plans are complied; trace and react to

undesirable use of the IT-supplies.



1 The activities that take place in the evaluation sub-process are summed

up in the following table (Table 2.4.1).



1 EvaluateSelf-assessment In this process an examination of the

implemented security agreements is done by the organization of the

process itself.



1 The result of this process is SELF ASSESSMENT DOCUMENTS.



1 Internal Audit In this process an examination of the implemented

security agreements is done by an internal EDP auditor.



1 External audit In this process an examination of the implemented

security agreements is done by an external EDP auditor.



1 Evaluation based on security incidents In this process an

examination of the implemented security agreements is done based on security events which is not part

of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the

quality of that service. https://store.theartofservice.com/the-security-management-toolkit.html


1 Reporting In this process the whole Evaluate implementation

process is documented in a specific way.



1 Table 2.4.1: (Sub) activities and descriptions Evaluation sub-process ITIL Security

Management



1 Figure 2.4.1: Process-data model Evaluation sub-process



1 The process-data diagram illustrated in the figure 2.4.1 consists of a meta-

process model and a meta-data model.



1 The Evaluation sub-process was

modeled using the meta-modeling

technique. https://store.theartofservice.com/the-security-management-toolkit.html


1 The dotted arrows running from the meta-process diagram (left) to the meta-data diagram (right) indicate

which concepts are created/ adjusted in the corresponding activities.



1 All of the activities in the evaluation phase are standard

activities.



1 For a short description of the Evaluation phase concepts see Table 2.4.2 where the concepts are listed

and defined.



1 EVALUATIONEvaluated/checked implementation.



1 RESULTSThe outcome of the evaluated

implementation.



1 SELF ASSESSMENT DOCUMENTSResult of the examination of the

security management by the organization of the process itself.



1 INTERNAL AUDIT Result of the examination of the security management by

the internal EDP auditor.



1 EXTERNAL AUDIT Result of the examination of the security management by

the external EDP auditor.



1 SECURITY INCIDENTS DOCUMENTSResults of evaluating security events

which is not part of the standard operation of a service and which

causes, or may cause, an interruption to, or a reduction in, the

quality of that service.



1 Table 2.4.2: Concept and definition evaluation sub-process Security management


ITIL security management - Maintenance

1 It is necessary for the security to be

maintained.



1 Because of changes in the IT-infrastructure and changes in the

organization itself security risks are bound to change over time.



1 The maintenance of the security concerns both the maintenance of the security section of the service level agreements and the more

detailed security plans.



1 The maintenance is based on the results of the Evaluation sub-process

and insight in the changing risks.



1 These activities will only produce proposals.



1 The proposals serve as inputs for the plan sub-process and will go through the whole cycle or the proposals can be taken in the maintenance of the

service level agreements.



1 In both cases the proposals could lead

to activities in the action plan.



1 The actual changes will be carried by the Change Management process.



1 For more information about the Change Management Process consult the Change

Management Wiki.



1 The activities that take place in the maintain sub-process are summed up in the following table (Table 2.5.1).



1 Request for change to SLA and/or OLARequest for a change to the SLA and/or OLA is

formulated.



1 Reporting In this process the whole maintain implemented

security policies process is documented in a specific way.



1 Table 2.5.1: (Sub) activities and descriptions Maintenance sub-process ITIL Security

Management



1 Figure 2.5.1 is the process-data

diagram of the implementation sub-

process. https://store.theartofservice.com/the-security-management-toolkit.html


1 This picture shows the integration of the meta-process model (left) and

the meta-data model (right).



1 Figure 2.5.1: Process-data model Maintenance

sub-process



1 The maintenance sub-process starts with the maintenance of the service

level agreements and the maintenance of the operational level

agreements.



1 After these activities take place (in no particular order) and there is a

request for a change the request for change activity will take place and

after the request for change activity is concluded the reporting activity

starts.



1 If there is no request for a change then the reporting activity will start directly after the first two activities.



1 The concepts in the meta-data model are created/ adjusted during the maintenance

phase.



1 MAINTENANCE DOCUMENTS

Agreements kept in proper condition.



1 MAINTAINED SERVICE LEVEL AGREEMENTS Service Level

Agreements(security paragraph) kept in proper condition.



1 REQUEST FOR CHANGE Form, or screen, used to record details of a

request for a change to the SLA/OLA.



1 Table 2.5.2: Concept and definition Plan sub-

process Security management


ITIL security management - Complete process-data model

1 The following picture shows the complete process-data model of the Security Management process. This

means that the complete meta-process model and the complete

meta-data model and the integrations of the two models of the

Security Management process are shown.https://store.theartofservice.com/the-security-management-toolkit.html

ITIL security management - Complete process-data model

1 Figure 2.6.1: Process-data model

Security Management

processhttps://store.theartofservice.com/the-security-management-toolkit.html

ITIL security management - Relations with other ITIL processes

1 The security Management Process, as stated in the introduction, has

relations with almost all other ITIL-processes.



1 IT Customer Relationship Management



1 IT Service Continuity Management



1 Within these processes there are a couple of activities concerning

security that have to take place.



1 However, the Security Management will give indications to the

concerning process on how these (security specific) activities should be

structured.


ITIL security management - Example

1 The use of internal e-mail in an organization has a lot of security

risks. So if an organization chooses to use e-mail as a means of

communication, it is highly needed that the organization implements a

well thought e-mail security plan/policies. In this example the ITIL

security Management approach is used to implement e-mail policies in

an organization.https://store.theartofservice.com/the-security-management-toolkit.html


1 First of the Security management team is formed and the guidelines, of

how the process should be carried out, are formulated and made clear

to all employees and provider concerned. These actions are carried

out in the Control phase of the Security Management process.



1 The next step in to process to implement e-mail policies is the Planning. In the Plan

phase of the process the policies are formulated. Besides the policies that are

already written in the Service Level Agreements the policies that are specific for

the e-mail security are formulated and added to the service level agreements. At

the end of this phase the entire plan is formulated and is ready to be implemented.



1 The following phase in the process is the actual implementation of the e-mail policies. The implementation is

done according to the plan which was formulated in the preceding

phase (Plan phase).



1 After the actual implementation the e-mail policies will be evaluated. In order to evaluate the implemented

policies the organization will perform;



1 The last phase is the maintenance phase. In the maintenance phase the

implemented e-mail policies are maintained. The organization now knows which policies are properly

implemented and are properly followed and, which policies need

more work in order to help the security plan of the organization and, if there are new policies that have to be implemented. At the end of this process the Request for change are

formulated (if needed) and the e-mail policies are properly maintained.



1 In order for the organization to keep its security plan up-to-date the

organization will have to perform the security management process

continuously. There is no end to this process an organization can always

better its security.


Security management

1 Security management is the identification of an organization's

assets (including information assets), followed by the development,

documentation, and implementation of policies and procedures for

protecting these assets.


Security management

1 An organisation uses such security management procedures as

information classification, risk assessment, and risk analysis to

identify threats, categorise assets, and rate system vulnerabilities so that they can implement effective

controls.


Security management - Loss prevention

1 Loss prevention focuses on what your critical assets are and how you are going to protect them. A key component to loss prevention is

assessing the potential threats to the successful achievement of the goal. This

must include the potential opportunities that further the object (why take the risk unless there's an upside?) Balance probability and impact determine and implement measures

to minimize or eliminate those threats.


Security management - Security risk management

1 Management of security risks applies the principles of risk management to the

management of security threats. It consists of identifying threats (or risk causes), assessing the effectiveness of existing

controls to face those threats, determining the risks' consequence(s), prioritising the risks by rating the likelihood and impact,

classifying the type of risk and selecting and appropriate risk option or risk response.


Security management - External

1 Strategic: like competition and

customer demand



1 Operational: Regulation, suppliers, contracts



1 Compliance: new regulatory or legal requirements are introduced, or

existing ones are changed, exposing the organisation to a non-compliance

risk if measures are not taken to ensure compliance


Security management - Internal

1 Hazard: Safety and security; employees and equipment


Security management - Internal

1 Compliance: Actual or potential changes in the organisation's

systems, processes, suppliers, etc. may create exposure to a legal or

regulatory non-compliance.


Security management - Risk avoidance

1 The first choice to be considered. The possibility of eliminating the existence of

criminal opportunity or avoiding the creation of such an opportunity is always the best

solution, when additional considerations or factors are not created as a result of this

action that would create a greater risk. As an example, removing all the cash from a retail outlet would eliminate the opportunity for

stealing the cash–but it would also eliminate the ability to conduct business.


Security management - Risk reduction

1 When avoiding or eliminating the criminal opportunity conflicts with the ability to conduct business, the

next step is the reduction of the opportunity and potential loss to the

lowest level consistent with the function of the business. In the

example above, the application of risk reduction might result in the

business keeping only enough cash on hand for one day’s operation.https://store.theartofservice.com/the-security-management-toolkit.html

Security management - Risk spreading

1 Assets that remain exposed after the application of reduction and

avoidance are the subjects of risk spreading. This is the concept that

limits loss or potential losses by exposing the perpetrator to the

probability of detection and apprehension prior to the

consummation of the crime through the application of perimeter lighting,

barred windows and intrusion detection systems. The idea here is to reduce the time available to steal

assets and escape without apprehension.


Security management - Risk transfer

1 Transferring risks to other alternatives when those risks have

not been reduced to acceptable levels. The two primary methods of accomplishing risk transfer are to insure the assets or raise prices to

cover the loss in the event of a criminal act. Generally speaking,

when the first three steps have been properly applied, the cost of

transferring risks are much lower.https://store.theartofservice.com/the-security-management-toolkit.html

Security management - Risk acceptance

1 All remaining risks must simply be assumed by the business as a risk of doing business. Included with these

accepted losses are deductibles which have been made as part of the

insurance coverage.


Security management - Access control

1 Locks, simple or sophisticated, such as biometric authentication and keycard locks


Security management - Physical security

1 Security guards (armed or unarmed) with wireless communication devices (e.g., two-

way radio)


Federal Information Security Management Act of 2002

1 Federal Information Security Management Act of

2002



1 The Federal Information Security Management

Act of 2002 ("FISMA", 44 U.S.C



1 FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires

agency program officials, chief information officers, and inspectors

general (IGs) to conduct annual reviews of the agency’s information security program

and report the results to Office of Management and Budget (OMB)


Federal Information Security Management Act of 2002 - Purpose of the act

1 FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the

head of each agency to implement policies and procedures to cost-effectively

reduce information technology security risks to an acceptable level.



1 According to FISMA, the term information security means protecting information and information systems from

unauthorized access, use, disclosure, disruption, modification, or

destruction in order to provide integrity, confidentiality and

availability.https://store.theartofservice.com/the-security-management-toolkit.html

Federal Information Security Management Act of 2002 - Implementation of FISMA

1 In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods

and techniques for providing adequate information security for all

agency operations and assets, excluding national security systems



1 Information Security Automation Program

(ISAP)



1 National Vulnerability Database (NVD) – the U.S. government content repository for ISAP and SCAP. NVD is the U.S. government repository of

standards based vulnerability management data. This data enables

automation of vulnerability management, security

measurement, and compliance (e.g., FISMA)https://store.theartofservice.com/the-security-management-toolkit.html

Federal Information Security Management Act of 2002 - Compliance framework defined by FISMA and supporting standards

1 FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other

organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines

developed by National Institute of Standards and Technology|NIST.The 2002 Federal Information

Security Management Act (FISMA)


Federal Information Security Management Act of 2002 - Inventory of information systems

1 FISMA requires that agencies have in place an information systems

inventory


Federal Information Security Management Act of 2002 - Categorize information and information systems according to risk level

1 All information and information systems should be categorized based

on the objectives of providing appropriate levels of information

security according to a range of risk levels



1 The first mandatory security standard required by the FISMA

legislation, FIPS 199 Standards for Security Categorization of Federal

Information and Information Systems provides the definitions of security

categories. The guidelines are provided by NIST SP 800-60 Guide for

Mapping Types of Information and Information Systems to Security

Categories.https://store.theartofservice.com/the-security-management-toolkit.html


1 The overall FIPS 199 system categorization is the high water mark

for the impact rating of any of the criteria for information types resident

in a system. For example, if one information type in the system has a

rating of Low for confidentiality, integrity, and availability, and

another type has a rating of Low for confidentiality and availability but a rating of Moderate for integrity, then

the entire system has a FIPS 199 categorization of Moderate.


Federal Information Security Management Act of 2002 - Security controls

1 Federal information systems must meet the minimum security

requirements. These requirements are defined in the second mandatory

security standard required by the FISMA legislation, FIPS 200 Minimum

Security Requirements for Federal Information and Information

Systems.https://store.theartofservice.com/the-security-management-toolkit.html


1 Organizations must meet the minimum security requirements by selecting the appropriate security

controls and assurance requirements as described in NIST Special

Publication 800-53, Recommended Security Controls for Federal

Information Systems



1 Agencies have flexibility in applying the baseline security controls in

accordance with the tailoring guidance provided in Special

Publication 800-53. This allows agencies to adjust the security controls to more closely fit their

mission requirements and operational environments.



1 The controls selected or planned must be documented in the System Security Plan.


Federal Information Security Management Act of 2002 - Risk assessment

1 The combination of FIPS 200 and NIST Special Publication 800-53 requires a foundational level of

security for all federal information and information systems



1 A risk assessment starts by identifying potential threat

(computer)|threats and vulnerability (computing)|vulnerabilities and mapping implemented security

control|controls to individual vulnerabilities



1 NIST also initiated the Information Security Automation Program (ISAP)

and Security Content Automation Protocol (SCAP) that support and

complement the approach for achieving consistent, cost-effective

security control assessments.


Federal Information Security Management Act of 2002 - System security plan

1 Agencies should develop policy on the system security planning

process. NIST SP-800-18 introduces the concept of a System Security

Plan. System security plans are living documents that require periodic

review, modification, and plans of action and milestones for

implementing security controls. Procedures should be in place

outlining who reviews the plans, keeps the plan current, and follows

up on planned security controls.


Federal Information Security Management Act of 2002 - System security plan

1 The System security plan is the major input to the security

certification and accreditation process for the system


Federal Information Security Management Act of 2002 - Certification and accreditation

1 Once the system documentation and risk assessment has been completed,

the system's controls must be reviewed and certified to be

functioning appropriately. Based on the results of the review, the

information system is accredited. The certification and accreditation

process is defined in NIST SP 800-37 Guide for the Security Certification

and Accreditation of Federal Information Systems.NIST SP 800-37

Guide for Applying the Risk Management Framework to Federal

Information Systems



1 Security accreditation is the official management decision given by a senior agency official to authorize

operation of an information system and to explicitly accept the risk to

agency operations, agency assets, or individuals based on the

implementation of an agreed-upon set of security controls



1 The information and supporting evidence needed for security

accreditation is developed during a detailed security review of an

information system, typically referred to as security certification


Federal Information Security Management Act of 2002 - Continuous monitoring

1 All accredited systems are required to monitor a selected set of security

controls and the system documentation is updated to reflect

changes and modifications to the system. Large changes to the

security profile of the system should trigger an updated risk assessment, and controls that are significantly

modified may need to be re-certified.https://store.theartofservice.com/the-security-management-toolkit.html

Federal Information Security Management Act of 2002 - Continuous monitoring

1 Continuous monitoring activities include configuration management and control of information system

components, security impact analyses of changes to the system,

ongoing assessment of security controls, and status reporting


Federal Information Security Management Act of 2002 - Critique

1 Security experts Bruce Brody, a former federal chief information security officer, and Alan Paller, director of research for the SANS

Institute – have described FISMA as a well-intentioned but fundamentally

flawed tool, and argued that the compliance and reporting

methodology mandated by FISMA measures security planning rather

than measuring information securityhttps://store.theartofservice.com/the-security-management-toolkit.html

Information security management system

1 An information security management system (ISMS) is a set of policies

concerned with information security management or IT related risks. The

idioms arose primarily out of BS 7799.


Information security management system

1 The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information

security risk.


Information security management system - ISMS description

1 As with all management processes, an ISMS must remain effective and

efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or

Deming cycle, approach:



1 The Plan phase is about designing the ISMS, assessing information

security risks and selecting appropriate controls.



1 The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the

ISMS.



1 ISO/IEC 27001:2005 is a risk based information security standard, which

means that organizations need to have a risk management process in place. The risk management process

fits into the PDCA model given above.



1 However, the latest standard, ISO/IEC 27001:2013, does not use this cycle.



1 Another competing ISMS is Information Security Forum's

Standard of Good Practice (SOGP). It is more best practice-based as it

comes from ISF's industry experiences.



1 Some other best known ISMSs include Common Criteria (CC) international standard and IT

Security Evaluation Criteria (ITSEC)



1 Some nations use their own ISMS, e.g., Department of Defense(DoD) Information

Technology Security Certification and Accreditation Process (DITSCAP) of USA,

Department of Defense Information Assurance Certification and Accreditation Process(DIACAP) of USA, Trusted Computer System Evaluation Criteria (TCSEC) of USA, IT Baseline Protection

Manual (ITBPM) of Germany, ISMS of Japan, ISMS of Korea, Information Security Check

Service (ISCS) of Korea.



1 Other frameworks such as COBIT and ITIL touch on security issues, but are

mainly geared toward creating a governance framework for

information and IT more generally. COBIT has a companion framework

Risk IT dedicated to Information security.



1 Below table illustrate the certification structure comparison of some best known

ISMSs:



1 BS 7799 Common Criteria(CC) IT Security

Evaluation Criteria(ITSEC)



1 Operation AreaEngland About 25 Countries European

Countries



1 - 11 Security domains



1 - 133 Security controls - 3 Parts



1 - 11 Security functional requirements



1 6- Prepare a statement of applicability 1- PP/ST

introduction



1 7- TOE summary specification



1 Difference of Process Emphasis on managerial security Emphasis on

technical securityEmphasis on managerial security



1 Specification Control Point Provide best code of practice for information

security management Provide common set of requirements for the security functionality of IT productsProvide common set of requirements

for the security functionality of IT products



1 Evaluation Method Use the PDAC model cycle Follow each certification

evaluation procedure Follow commission of European

communities



1 There are a number of initiatives focused to the governance and

organizational issues of securing information systems having in mind that it is business and organizational

problem, not only a technical problem:



1 Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 that recognized the importance of

information security to the economic and national security interests of the

United States



1 Governing for Enterprise Security Implementation Guide of the

Carnegie Mellon University Software Engineering Institute CERT is

designed to help business leaders implement an effective program to govern information technology (IT)

and information security.



1 A Capability Maturity Model (CMM) for system security engineering was

standardized in ISO/IEC 21827.



1 ISM3 is a standard for security management (how to achieve the organizations mission despite of

errors, attacks and accidents with a given budget)


Information security management system - Need for an ISMS

1 Security experts say and statistics confirm that:



1 information technology security administrators should expect to

devote approximately one-third of their time addressing technical

aspects. The remaining two-thirds should be spent developing policies and procedures, performing security

reviews and analyzing risk, addressing contingency planning and

promoting security awareness;https://store.theartofservice.com/the-security-management-toolkit.html


1 security depends on people more than on

technology;



1 employees are a far greater threat to information security

than outsiders;



1 security is like a chain. It is only as strong as its

weakest link;



1 the degree of security depends on three factors: the risk you are willing

to take, the functionality of the system and the costs you are

prepared to pay;



1 security is not a status or a snapshot, but a

running process.



1 These facts inevitably lead to the conclusion that security

administration is a management issue, and not a purely technical

issue.



1 The establishment, maintenance and continuous update of an ISMS

provide a strong indication that a company is using a systematic approach for the identification,

assessment and management of information security risks. Critical

factors of ISMS:



1 Confidentiality: Protecting

information from unauthorized

parties.https://store.theartofservice.com/the-security-management-toolkit.html


1 Integrity: Protecting information from modification

by unauthorized users.



1 Availability: Making the information

available to authorized users.



1 A company will be capable of successfully addressing information

confidentiality, integrity and availability requirements which in

turn have implications:



1 In doing so, information security management will enable

implementing the desirable qualitative characteristics of the

services offered by the organization (i.e



1 Large organizations or organizations such as banks and financial institutes,

telecommunication operators, hospital and health institutes and public or governmental

bodies have many reasons for addressing information security very seriously. Legal and

regulatory requirements which aim at protecting sensitive or personal data as well

as general public security requirements impel them to devote the utmost attention and

priority to information security risks.https://store.theartofservice.com/the-security-management-toolkit.html


1 Under these circumstances the development and implementation of

a separate and independent management process namely an

Information Security Management System is the one and only

alternative.


Information security management system - Critical success factors for ISMS

1 have the continuous, unshakeable and visible support and commitment

of the organization’s top management;



1 be an integral part of the overall management of the organization

related to and reflecting the organization’s approach to risk

management, the control objectives and controls and the degree of

assurance required;



1 have security objectives and activities be based on business

objectives and requirements and led by business management;



1 undertake only necessary tasks and avoiding over-control and waste of valuable resources;



1 fully comply with the organization philosophy and mindset by providing a system that instead of preventing

people from doing what they are employed to do, it will enable them to do it in control and demonstrate

their fulfilled accountabilities;



1 be based on continuous training and awareness of staff and avoid the use of disciplinary measures and “police”

or “military” practices;


Information security management system - Dynamic issues in ISMS

1 There are three main problems which lead to uncertainty in information

security management systems (ISMS):



1 Dynamically changing security requirements of an

organization



1 Rapid technological development raises new security concerns for

organizations. The existing security measures and requirements become obsolete as new vulnerabilities arise with the development in technology.

To overcome this issue, the ISMS should organize and manage

dynamically changing requirements and keep the system up-to-date.



1 Externality is an economic concept for the effects borne by the party that is not directly involved in a

transaction



1 Obsolete evaluation of security concerns



1 The evaluations of security concerns used in ISMS become obsolete as the

technology progresses and new threats and vulnerabilities arise


ITIL - Information security management system

1 A basic goal of security management is to ensure adequate information security


Security systems - Security management in organizations

1 Inciting factors in the convergence of security disciplines include the development of digital video surveillance technologies (see

Professional video over IP) and the digitization and networking of physical control systems (see SCADA).[

http://www.csoonline.com/read/090402/beast.html Taming the Two-Headed Beast], CSOonline, September 2002[

http://www.csoonline.com/read/041505/constellation.html Security 2.0], CSOonline, April 2005 Greater interdisciplinary cooperation is further evidenced by the February 2005 creation of the Alliance for

Enterprise Security Risk Management, a joint venture including leading associations in security (ASIS International|ASIS),

information security (Information Systems Security Association|ISSA, the Information Systems Security Association), and IT audit (ISACA, the Information Systems Audit and Control Association).


Fraud Squad - NHS Counter Fraud and Security Management Service

1 The National Health Service|NHS Counter Fraud and Security Management Service is an

independent Division of the NHS Business Services Authority and has responsibility for all policy and operational matters relating to

the prevention, detection and investigation of fraud and corruption and the management of

security in the National Health Service.[http://www.cfsms.nhs.uk/ NHS Counter Fraud and Security Management Service (accessed

20/152/06)]https://store.theartofservice.com/the-security-management-toolkit.html


1 * NHS Counter Fraud Service established in September 1998



1 * NHS Security Management Service was established in 2003 to form the

NHS Counter Fraud and Security Management Service.



1 * To reduce fraud to an absolute minimum and hold it permanently at

that level, releasing resources for better patient care and services



1 * With the delivery of an environment for those who use or work in the NHS which is properly secure so that the highest possible standard of clinical

care can be made available to patients.



1 The 'Federal Information Security Management Act of 2002' ('FISMA', , et seq.) is a United States federal law enacted in 2002 as Title III of the E-

Government Act of 2002 (, )



1 OMB uses this data to assist in its oversight responsibilities and to prepare this annual report

to Congress on agency compliance with the act.FY 2005 Report to Congress on Implementation of The

Federal Information Security Management Act of 2002 In FY 2008, federal agencies spent $6.2

billion securing the government’s total information technology investment of approximately $68

billion or about 9.2 percent of the total information technology portfolio.FY 2008 Report to Congress on Implementation of The Federal Information

Security Management Act of 2002



1 FISMA assigns specific responsibilities to Government agency#Government agencies in

the United States|federal agencies, the National Institute of Standards and Technology

(NIST) and the Office of Management and Budget (OMB) in order to strengthen

information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology

security risks to an acceptable level.https://store.theartofservice.com/the-security-management-toolkit.html


1 In accordance with FISMA, National Institute of Standards and

Technology|NIST is responsible for developing standards, guidelines,

and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding

national security systemshttps://store.theartofservice.com/the-security-management-toolkit.html


1 * Information Security Automation

Program (ISAP)



1 * National Vulnerability Database (NVD) – the U.S. government content

repository for ISAP and Security Content Automation Protocol|SCAP.

NVD is the U.S. government repository of standards based

vulnerability management data. This data enables automation of

vulnerability management, security measurement, and compliance (e.g.,

FISMA)https://store.theartofservice.com/the-security-management-toolkit.html

Federal Information Security Management Act of 2002 - Inventory of information systems

1 The identification of information systems in an inventory under this

subsection shall include an identification of the interfaces

between each such system and all other systems or networks, including those not operated by or under the

control of the agency


Information Security Management Certified Professional

1 'Information Security Management Certified Professional (ISMCP) ' is a designation awarded by INFINIDOX.



1 Relevant information security background, both theoretical and practical, is required to pass the

ISMCP http://www.infinidox.com/?a=ismcp examination.



1 * Security administration



1 * Communication systems security



1 * Applications security



1 Candidates are recommended to have a minimum of 5 years of

experience in one or more of the six topic areas that the exam covers.


FCAPS - Security management

1 Security management is the process of controlling access to assets in the

network. Data security can be achieved mainly with authentication and encryption. Authorization to it

configured with Operating system|OS and Database management system|

DBMS access control settings.


FCAPS - Security management

1 Security management functions include managing network

authentication, authorization, and auditing, such that both internal and external users only have access to

appropriate network resources


Total Security Management

1 'Total Security Management' ('TSM') is the business practice of

developing and implementing comprehensive risk management and security practices for a firm’s

entire value chain


Total Security Management

1 TSM encourages companies to manage security initiatives as

investments with a measurable return and seeks to transform

security from a net cost to a net benefit


Total Security Management - Formulation

1 The concept of Total Security Management was first introduced in

the book Securing Global Transportation Networks: A Total Security Management Approach, published by McGraw Hill in 2006



1 According to Dr



1 The TSM approach built upon scholarly research on the issue that stressed the importance of security as a key component of the supply

chain


Total Security Management - Relation to Total Quality Management

1 The TSM name borrows from the management concept Total Quality Management (TQM), an approach made famous by the work of W


Total Security Management - Relation to Total Quality Management

1 I suspect that there are many professionals in the transportation

industry today who may not endorse security management as a core

business function that can create value


Total Security Management - Companies employing TSM

1 A company using the TSM methodology is meant to be able to

establish a framework of focus points, metrics and feedback loops in

order to elevate risk management from a non-core objective to an

essential business function


Total Security Management - Companies employing TSM

1 Securing Global Transportation Networks details case studies of many large companies that benefited from the

implementation of aspects of the TSM approach, including FedEx, Home Depot, Hutchison Port Holdings, Maersk, Procter Gamble, and Target Corporation|Target,

amongst others.McGraw Hill, Book Release, October 2006, http://www.manhattan-

institute.org/securing_networks/, 5/5/10


Total Security Management - Criticism

1 There are some useful ideas in the book, but the overall program may be too ambitious for many corporations to realistically consider,”

writes Ross Johnson in a 2007 Security Management review.Ross Johnson, Security Management: Book Review, October 2007,

http://www.securitymanagement.com/article/securing-global-transportation-networks-

total-security-management-approach, 5/5/10


Total Security Management - Other developments

1 33-9089, 2009, http://www.sec.gov/rules/final/2009/33-9089.pdf,

5/5/10 In January 2010, ISO 28000 (ISO/PAS 28000 – Specification for security management systems for the supply chain) was updated to include an

explicit reference to the Plan-Do-Check-Act model of quality management popularized by

Deming.Continuity Compliance, ISO 28002 – What’s The Buzz About?, October 2009,

http://www.continuitycompliance.org/information/organizational-resiliency/iso-28002-whats-the-buzz-

about/, 5/5/10


For More Information, Visit:

• https://store.theartofservice.com/the-security-management-toolkit.html

The Art of Servicehttps://store.theartofservice.com






Documents

Security Management