Tuesday, January 01, 2008

Information Security

Why is information security needed?

Organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Causes of damage such as malicious code, computer hacking, and denial of service attacks have become more common, more ambitious, and increasingly sophisticated.

Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. Information security management requires, as a minimum, participation by all employees in the organization. It may also require participation from shareholders, suppliers, third parties, customers or other external parties. Specialist advice from outside organizations may also be needed.


Information Security Management System

An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and systems. ISO/IEC 27001:2005 is the latest international standard against which an organization is measured when implementing an ISMS. The overall approach to information security, and the integration of the different security initiatives, need to be managed in order for each element to be most effective. That's where an Information Security Management System comes in - it allows you to coordinate your security efforts effectively.

The key concept of an information security management system (ISMS) is that an organization maintains and improves, with equal attention, the confidentiality, integrity, and availability of the information assets it has to protect.
Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes;
Integrity: The property of safeguarding the accuracy and completeness of assets;
Availability: The property of being accessible and usable upon demand by an authorized entity.


ISO/IEC 27001:2005

ISO/IEC 27001:2005 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.
ISO/IEC 27001:2005 covers the following topics:

1) Security policy
2) Organization of information security
3) Asset management
4) Human Resource Security
5) Physical and Environmental Security
6) Communication and Operations Management
7) Access Control
8) Information Systems Acquisition, Development and Maintenance
9) Information Security Incident Management
10) Business Continuity Management
11) Compliance

Critical success factors in ISMS Implementation

Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:

a) Information security policy, objectives, and activities that reflect business objectives;
b) An approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture;
c) Visible support and commitment from all levels of management;
d) A good understanding of the information security requirements, risk assessment, and risk management;
e) Effective marketing of information security to all managers, employees, and other parties to achieve awareness;
f) Distribution of guidance on information security policy and standards to all managers, employees and other parties;
g) Provision to fund information security management activities;
h) Providing appropriate awareness, training, and education;
i) Establishing an effective information security incident management process;
j) Implementation of a measurement system that is used to evaluate performance in information security management and to feed back suggestions for improvement.

Saturday, December 29, 2007

Continual Improvement vs. Continuous Improvement Dilemma.......

This issue has received wide discussion on many fronts. Both terms are commonly used. There are substantial differences between continual and continuous.

Some explanations found via a Google search:
=========================================================================
“Continuous” refers to a single, uninterrupted, non-stop event. “Continual”, on the other hand, refers to a series of finite events. Continuous improvement has often been cited as one of the goals of a Quality Management System; however, in the real world, it is not possible to continuously improve anything or any process. Improvement comes about through observation, measurement, and analysis, all discrete, finite processes. That is why section 8.5.1 of ISO 9001 is entitled “Continual Improvement”.
=========================================================================
The concept of "continual" improvement is the term that Deming always used in reference to the general processes of improvement. He never used the term "continuous improvement". He often objected when people associated him with continuous improvement. Continual improvement is broader in scope than continuous improvement. Continuous improvement is a subset of continual improvement. Continual improvement also includes room for *discontinuous* improvements (improvements that are not like in kind to what came before - another term for this might be innovative or radical improvements such as are sought after in most reengineering efforts, or in the lean manufacturing movement). Continuous improvements are linear, incremental improvements to an existing process (Kaizen). Continual improvement includes this, as well as discontinuous/innovative improvement. In other words, continual improvement speaks to the PROCESS of improvement (always and forever (continually) ongoing, in all of its forms and in all areas) rather than the NATURE of the improvements (continuous vs discontinuous).
Thinking of continual improvement vs. continuous improvement serves to highlight the importance of developing learning disciplines on a much deeper level than most organizations seem interested in considering. If continual improvement is to be attained, the organization will be, by definition, a learning organization.
=========================================================================

Thursday, December 27, 2007

Some important Certification Standards

ISO 9001:2000 - Quality Management System - General

ISO 14001:2004 - Environmental Management System

OHSAS 18001 - Occupational Health & Safety Management System

ISO / IEC 27001 - Information Security Management System

ISO / TS 16949 - Quality Management System for Automotive

ISO 22000 - Food Safety Management System

AS 9100 - Quality Management System for Aerospace

ISO 13485 - Quality Management System for Medical Devices

TL 9000 - Quality Management System for Telecommunication

SA 8000 - Social Accountability System

Tuesday, December 25, 2007

Understand the meanings of Certification, Registration and Accreditation

“Certification” refers to the issuing of written assurance (the certificate) by an independent external body that it has audited a management system and verified that it conforms to the requirements specified in the standard.

“Registration” means that the auditing body then records the certification in its client register. So, the organization’s management system has been both certified and registered.

Therefore, in the ISO 9001:2000 or ISO 14001:2004 context, the difference between the two terms is not significant and both are acceptable for general use. “Certification” is the term most widely used worldwide, although registration is often preferred in North America, and the two are used interchangeably.

On the contrary, using “accreditation” as an interchangeable alternative for certification or registration is a mistake, because it means something different.

“Accreditation” means the evaluation and periodic review of the competence of certifying bodies, auditors or training bodies. To see ISO's World Wide Directory of Accreditation Bodies, visit http://www.praxiom.com/accrediters.htm

Accreditation and Certification Mechanism in General

In the ISO 9001:2000 or ISO 14001:2004 context, accreditation refers to the formal recognition by a specialized body – an accreditation body – that a certification body is competent to carry out ISO 9001:2000 or ISO 14001:2004 certification in specified business sectors.

In simple terms, accreditation is like certification of the certification body. Certificates issued by accredited certification bodies may be perceived on the market as having increased credibility.

Wednesday, December 05, 2007

Operating Principle of ISO's Management System Standards


Plan – Do – Check – Act

The Plan – Do – Check – Act (PDCA) cycle is the operating principle of ISO's management system standards.

Plan – establish objectives and make plans (analyze your organization's situation, establish your overall objectives and set your interim targets, and develop plans to achieve them).

Do – implement your plans (do what you planned to do).

Check – measure your results (measure/monitor how far your actual achievements meet your planned objectives).

Act – correct and improve your plans and how you put them into practice (correct and learn from your mistakes to improve your plans in order to achieve better results next time).