Tuesday, January 01, 2008

Information Security

Why is information security needed?

Organizations and their information systems and networks are faced with security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire or flood. Causes of damage such as malicious code, computer hacking, and denial of service attacks have become more common, more ambitious, and increasingly sophisticated.

Many information systems have not been designed to be secure. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. Information security management requires, as a minimum, participation by all employees in the organization. It may also require participation from shareholders, suppliers, third parties, customers or other external parties. Specialist advice from outside organizations may also be needed.


Information Security Management System

Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and systems. ISO/IEC 27001:2005 is the latest International Standard an organization must be measured against to implement a successful ISMS. The overall approach to Information Security, and integration of different security initiatives need to be managed in order for each element to be most effective. That's where an Information Security Management System comes in - it allows you to coordinate your security efforts effectively.

The key concept of an information security management system (ISMS) is that an organization maintains and improves, with equal attention to each, the confidentiality, integrity, and availability of the information assets it is responsible for protecting.
Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes;
Integrity: The property of safeguarding the accuracy and completeness of assets;
Availability: The property of being accessible and usable upon demand by an authorized entity.


ISO/IEC 27001:2005

ISO/IEC 27001:2005 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected.
ISO/IEC 27001:2005 covers the following topics:

1) Security policy
2) Organization of information security
3) Asset management
4) Human Resource Security
5) Physical and Environmental Security
6) Communication and Operations Management
7) Access Control
8) Information Systems Acquisition, Development and Maintenance
9) Information Security Incident Management
10) Business Continuity Management
11) Compliance

Critical success factors in ISMS Implementation

Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:

a) Information security policy, objectives, and activities that reflect business objectives;
b) An approach and framework to implementing, maintaining, monitoring, and improving information security that is consistent with the organizational culture;
c) Visible support and commitment from all levels of management;
d) A good understanding of the information security requirements, risk assessment, and risk management;
e) Effective marketing of information security to all managers, employees, and other parties to achieve awareness;
f) Distribution of guidance on information security policy and standards to all managers, employees and other parties;
g) Provision to fund information security management activities;
h) Providing appropriate awareness, training, and education;
i) Establishing an effective information security incident management process;
j) Implementation of a measurement system that is used to evaluate performance in information security management and to feed back suggestions for improvement.

3 comments:

Unknown said...

I absolutely adore reading your blog posts, the variety of writing is smashing. This blog as usual was educational, I have had to bookmark your site and subscribe to your feed in ifeed. Your theme looks lovely. Thanks for sharing.
iso 9000

ISO Consultant said...

Very good post. I was really searching for this topic, as I wanted to understand this topic completely, and it is also very rare on the internet, which is why it was very difficult to understand.
ISO/IEC 27001:2013 Documents