Step-guide for ISMS implementation

Dec 12, 2013

An Information Security Management System (ISMS) can be critical for an enterprise; here is how to build one.

Today every organisation's business is automated, digitised and online, and the confidentiality, integrity and availability of its data is a key concern. Verizon's 2010 Data Breach Investigations Report (DBIR) shows that malware and hacking are the top two threats leading to data breaches, contributing 38 per cent and 40 per cent respectively to the total. This further reinforces the inherent but necessary risk of automation and digitisation. While there is no silver bullet for systems security, a healthy and continually improved security management system can go a long way towards mitigating those risks.

ISMS (Information Security Management System) is the globally accepted term for the design and implementation of information security controls within an enterprise. For an ISMS to succeed within an organisation, three key phases need to be considered: design, implementation, and maintenance.

The design phase of an ISMS can make or break the overall implementation. However, if organisations keep a few simple factors in mind, they will be well placed to succeed. Key considerations in ISMS design are as follows:

  • Set business objectives: Security controls must be designed to support overall business objectives, and an upfront clarification of these across the business is vital;
  • Identify information assets (such as electronic documents, hardware, software, paper, people, etc.): The next step is to identify the key information assets that support business processes. These will be prioritised for protection;
  • Secure organisational commitment: If the ISMS is to work, the overall project's objectives need to be understood and endorsed throughout the organisation. Cross-functional organisational participation and, most important, management engagement are paramount to implementation success. ISMS design documentation must also finally be approved and endorsed by senior management and the appropriate stakeholders in the organisation;
  • Develop an asset-based risk assessment and risk treatment plan: By prioritising information assets and correlating them against potential threats, an idea of perceived risk can be developed, which supports the development of an effective risk management strategy;
  • Consider compliance requirements (legal/statutory/regulatory) and contractual agreements: External factors outside the business environment must be translated into the implementation design. Compliance requirements such as SOX (Sarbanes-Oxley) Section 404, HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard), GLBA (Gramm-Leach-Bliley Act) and the DPA (Data Protection Act), among others, are quite common these days and can be very hard to assimilate if they are not factored into the early stages of ISMS design;
  • Engage third parties/partners: Entities that are involved in business processes need to be advised, monitored and controlled. Too often, security control implementation is delayed because third parties are unaware of what is expected of them.

A further word of caution here: organisations also need to ensure that the effort and cost involved in designing and implementing information security controls is commensurate with the value of the information asset being protected. Otherwise the risk of failure increases.

Implementing an ISMS is a tougher challenge. Implementation requires organisations to move from theory to practice and (perhaps more importantly) to bridge the gap between flexibility and control. Best practices are not always the easiest practices, and organisations often face significant challenges, for example when trying to implement security controls on legacy systems and unsupported platforms.

The question then is how to balance achieving business objectives with maintaining business continuity. Organisations also need to develop a security exception process that evaluates the residual risk of not implementing a security control, and that also proposes alternative (compensating) controls to reduce this risk to an acceptable level. This can only be done if the risk strategy was properly assessed in the design phase.

The most common pitfalls of ISMS implementation can be summarised as follows:

  • Lack of management support: Senior management support is of paramount importance for a successful ISMS implementation. Without it, the project is generally doomed to failure;
  • Organisational disengagement: Implementing an ISMS is not an IT manager's job, but rather the responsibility of the organisation as a whole;
  • Non-prioritisation of tasks and milestones: Prioritising tasks is a best practice in any large undertaking, and an ISMS is no different. An organisation should focus on the low-hanging fruit to ensure continuous focus and interest in the project, but should also keep the end goal in mind, or key milestones may be missed;
  • Lack of status checks: It is essential to develop key security metrics and measure them regularly to ensure ongoing improvement;
  • Unclear project management tenets: Best-practice project management tools will help ensure project success;
  • Disconnect from business processes: Project leads must always remember that information security is meant to help, not hinder, the functioning of the business it is trying to protect. Security controls should support the realisation of business objectives, but in a secure and protected manner.

Last but not least, all the hard work done by an organisation is meaningless if the ISMS is not maintained. Organisations should establish an ISMS governance team as part of their information security organisation structure. The team can ensure that the potential impact of any change to the business environment, IT infrastructure or compliance landscape is considered against the organisation's security posture. In that way, the ISMS can be reassessed and, if needed, updated to support the business's new goals.

The implementation of effective security management controls has a fundamental role to play in today's business world. By following these simple steps, organisations can simplify ISMS implementation and secure their future.

The author is a Principal Consultant-Professional Services with Verizon Business.
