1.4 Information Security Management

Data reference: official CISP materials

Table of contents

  • Fundamentals of Information Security Management
  • Information Security Management System
  • Information Security Management Practices

1. Fundamentals of information security management 

1. Information

  • Information is an asset that, like other critical business assets, is essential to an organization's business and therefore needs to be properly protected.

2. The value of information

  • Enterprises: protecting user information has become a new focus
  • Users: users regard security as one of the important bases for choosing a service
  • Attackers: seemingly inconspicuous data may be of high value to attackers, forcing companies and individuals to pay more attention to information security

3. Management

  • Activities such as planning, organizing, directing, coordinating and controlling applied to a specific object, following certain principles and prescribed procedures and using appropriate methods, in order to accomplish a task and achieve established goals

4. Information security management

  • Information security management is an important part of the organization's management system
  • It constitutes the active part of information security: the coordinated activity of directing and controlling an organization with respect to information security risks
  • Its target objects are the information assets of the organization.

5. The role of information security management

  • Information security management is an important and inherent part of the overall management of the organization, and an important guarantee for the organization to achieve its business goals
  • Information security management is the fusion agent of information security technology, ensuring that various technical measures can play a role
  • Information security management can prevent, deter or reduce the occurrence of information security incidents

6. The value of information security management to the organization

Internally

  • Ability to protect critical information assets and intellectual property to maintain competitive advantage;
  • When the system is attacked, ensure business continuity and minimize losses;
  • Establish an information security audit framework and implement supervision and inspection;
  • Establish a documented information security management specification so that there are "laws" to follow, rules to comply with and evidence to check;

Externally

  • Able to give stakeholders confidence in the organization;
  • Can help define the information security responsibilities of both parties when outsourcing;
  • Can enable the organization to better meet the audit requirements of customers or other organizations;
  • Can make the organization better comply with the requirements of laws and regulations;
  • If it has passed the ISO27001 certification, it can improve the credibility of the organization;
  • Suppliers can be explicitly required to improve the level of information security to ensure information security in data exchange.

2. Information Security Management System

1. What is an Information Security Management System (ISMS)?

  • Part of the organization's overall management system: the system by which the organization establishes information security policies and objectives, and the methods used to achieve those objectives, either as a whole or within a specific scope.
  • Consists of policies, procedures, guidelines and related resources and activities jointly managed by organizations to protect their information assets.
  • Based on the risk assessment and the organization's risk acceptance level, it aims to effectively address and manage risks.
  • A mature set of ISMS standards has formed, represented by ISO/IEC 27001.
  • The information security management standard adopted in China is GB/T 22080, which is equivalent to ISO/IEC 27001.

2. Why do we need an information security management system?

Asymmetry of offense and defense (the "barrel" or weakest-link principle):

  • The level of an organization's information security management depends on the weakest link in management; implementing information security management systematically can effectively avoid such management shortcomings.

3. Factors for the successful construction of information security management system

  • Information security policy, objectives and activities consistent with those objectives;
  • A methodology and framework for information security design, implementation, monitoring, maintenance and improvement consistent with the organizational culture;
  • Visible support and commitment from all levels of management, especially top management;
  • An understanding of the application of information security risk management (see ISO/IEC 27005) to achieve the protection of information assets;
  • Effective information security awareness, training and education programs have made all employees and other relevant parties aware of their information security obligations in information security policies, standards, etc., and motivated them to take corresponding actions;
  • An effective information security incident management process;
  • An effective business continuity management approach;
  • An effective measurement system for evaluating information security management performance, with feedback suggestions for improvement.

4. PDCA process method

A process model commonly used in management science

  • P (Plan): formulate goals and plans and determine how to achieve them. At this stage, risk assessments are carried out, policies and objectives are formulated, implementation plans are drawn up, and so on.
  • D (Do): execute according to the plan and collect data and information. At this stage, objectives and policies are implemented, operations are conducted and the relevant controls are put in place.
  • C (Check): evaluate and inspect the results of implementation and compare them against the plan. At this stage, data is analyzed, performance and risk are assessed, controls are checked, and so on.
  • A (Act): take action based on the results of the check, making adjustments and improvements. At this stage, improvement measures are proposed, and corrective and preventive action plans are developed, implemented and monitored.

5. Documentation and file control

System file classification

  • Level 1 documents: issued by senior management; applicable to all members of the organization as well as related external third-party institutions and personnel.
  • Level 2 documents: signed and issued by the organization's management representative; establish the internal "law" of the organization based on the goals set by the organization's macro strategy.
  • Level 3 documents: manuals, guides and work instructions that employees need for specific implementation. Issued to and implemented by specific positions and roles, ensuring that members can perform tasks according to the documents and produce sufficient records.
  • Level 4 documents: forms, logs, audit reports and other records that support document execution by recording and controlling information. They ensure the validity and traceability of document execution.

Document control

  • Establishment of documents, approval and release of documents, review and update of documents, preservation of documents, invalidation of documents

Records management

The role of records

  • Records are not only evidence for auditing the execution of the information security management system, but also important evidence for the organization to establish effective accountability and event tracking

Records requirements

  • The information security management system should take into account any relevant legal, regulatory and contractual obligations; records need to be kept legible, easily identifiable and retrievable. 

6. The PDCA process method phase work defined in 27001 

7. Planning and establishment

Organizational context

  • The basis for establishing an information security management system
  • Understand the organization's internal (people, management, process, etc.) and external (partners, suppliers, outsourcers, etc.) issues with regard to information security
  • Determine the ISMS management scope : clearly define the ISMS management scope, and determine which departments, processes, systems and data will be included in the ISMS management scope. Also, determine which aspects are not applicable to ISMS.
  • Establish, implement, operate, maintain and continuously improve an ISMS that complies with international standards

Leadership

  • Management commitment is one of the key success factors in establishing an information security management system
  • Based on the overall management of the organization, it requires the participation of the entire organization
  • The information security policy is determined and documented by the organization's top management and clearly describes the roles, responsibilities and authorities within the organization

Plan

  • Plans are based on risk assessment : Before developing a plan, it is critical to conduct a comprehensive risk assessment. By identifying and assessing the risks faced by the organization, the security needs of critical information assets and systems can be determined, along with the required controls and improvement plans
  • The plan must align with the organization's security goals : The plan must align with the organization's security goals and strategy. Based on the results of the risk assessment, develop specific plans and goals to meet the organization's security needs. These goals should be measurable and consistent with the information security policy.
  • Phased improvement: the planning process should be based on phased improvements. Gradually implementing and improving the information security management system lets the organization steadily raise its information security capability and effectiveness, while keeping the program continuous and consistent to support continual improvement and adherence to international standard requirements.

Support

  • Access to resource support : The successful implementation of the plan requires appropriate resource support. This includes resources in terms of funding, technical facilities, personnel and training. Ensure that sufficient resource support is obtained according to the needs of the plan to ensure the effective implementation of the plan.
  • Awareness and training for all staff: the successful implementation of the plan depends on the active participation and support of all members of the organization. Organizing awareness and implementation training for all employees strengthens their understanding of the information security management system and improves their security awareness and behavior, ensuring that the plan is implemented effectively.

8. Implementation and operation, monitoring and review, maintenance and improvement 

Implementation and Operation

  • Perform a risk assessment to determine the information security risks to the identified information assets, decide how to treat those risks, and derive the information security requirements
  • Controls provide an appropriate, proportionate level of security
  • The selected controls are documented in the Statement of Applicability (SoA)

Monitoring and review

  • Maintain and improve the ISMS by monitoring and evaluating performance against organizational policies and objectives

Maintenance and Improvement

  • Non-conformity and corrective actions : During the monitoring and review process, non-compliance with information security requirements may be discovered. When a nonconformity occurs, appropriate corrective action shall be taken immediately to eliminate the nonconformity and prevent recurrence. Corrective actions should be based on a root cause analysis so that the root cause of the problem is addressed, not just the symptoms.
  • Continuous Improvement : Continuous improvement is a key element of an ISMS. The goal of continuous improvement is to improve the effectiveness, efficiency and adaptability of the information security management system by continuously looking for opportunities.

9. Information security management system control type

Preventive control

  • Preventive controls aim to avoid errors or minimize future corrective activity; they are proactive assurance measures taken to prevent the loss of funds, time or other resources.

Detective control

  • Detective controls are established to discover security problems that may occur during a process

Corrective control

  • Corrective controls cannot prevent a security incident from happening, but provide a systematic way to detect when a security incident has occurred and to correct its impact.

10. Information security management control measures

Each control measure is described using the following structure

Control measures

  • A statement defining specific control measures to meet control objectives.

Implementation guide

  • Provide more detailed information to support the implementation of control measures and to meet control objectives. Certain elements of this guidance may not be applicable in all situations and may not meet an organization's specific control requirements.

Other information

  • Provides further information that needs to be considered, such as legal considerations and references to other standards. This item is omitted if no other information is available.

Examples of Control Measures

Control class

  • Information security policy: management direction for information security

Control objectives

  • Provide management guidance and support information security in accordance with business requirements and relevant laws and regulations.

Control measures

  • Information security policy
  • The information security policy shall be approved by management, published and communicated to all employees and relevant external parties.

Implementation guide

  • The organization shall define at the highest level an "information security policy" that is approved by management and describes the organization's approach to managing its information security objectives

Other information

3. Information Security Management Practices

1. Internal structure of security control measures

2. Information Security Policy 

Control objectives

  • The organization's security policy provides management guidance and supports information security in accordance with business requirements and relevant laws and regulations

Control measures

Information Security Policy

  • The information security policy shall be approved by management, issued and communicated to all employees and external interested parties

Information Security Policy Review

  • The information security policy should be reviewed at planned intervals or when significant changes occur to ensure its continuing suitability, adequacy and effectiveness

3. Information Security Organization

Internal organization

Control objectives

  • Establish a management framework to initiate and control the implementation and operation of information security within the organization

Control measures

  • Information security roles and responsibilities, segregation of duties, contact with authorities, contact with special interest groups, information security in project management

Mobile devices and teleworking

Control objective: ensure the security of teleworking and the use of mobile devices

Control measures

  • Mobile device policy: managing the risks introduced by mobile devices
  • Teleworking: secure information access, processing and storage at remote work sites

4. Human resource security

Prior to employment

  • Control objective: to ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered
  • Control measures: screening, terms and conditions of employment

During employment

  • Control objective: to ensure that employees and contractors are aware of and fulfill their information security responsibilities
  • Control Measures: Management Responsibilities, Awareness Education and Training, Disciplinary Actions

Termination and change of employment

  • Control objective: to protect the organization's interests by making changes or terminations of employment part of the organizational process
  • Control measures: termination or change of employment responsibilities

5. Asset management

Responsibility for assets

  • Control objective: identify organizational assets and define appropriate protection responsibilities
  • Control measures: inventory of assets, ownership of assets, acceptable use of assets, return of assets

Information classification

  • Control objective: to ensure that information receives an appropriate level of protection
  • Controls: classification guidelines, labelling of information, handling of assets

Media handling

  • Control objective: prevent unauthorized disclosure, modification, movement or destruction of information stored on media
  • Controls: Removable media management, media disposal, physical media transfers

6. Access control 

Business Requirements for Access Control

  • Control objective: Restrict access to information and information processing facilities.
  • Controls: access control policy, access to networks and network services

User Access Management

  • Control Objective: To ensure that authorized users have access to systems and services and to prevent unauthorized access
  • Control measures: user registration and de-registration, user access provisioning, management of privileged access rights, management of users' secret authentication information, review of user access rights, removal or adjustment of access rights

User Responsibilities

  • Control objective: make users accountable for safeguarding their authentication information.
  • Control: Use of secret authentication information

System and Application Access Control

  • Control Objective: Prevent unauthorized access to systems and applications
  • Controls: information access restriction, secure log-on procedures, password management system, use of privileged utility programs, access control to program source code

7. Cryptography

Control objectives:

  • The confidentiality, authenticity and/or integrity of information is protected by cryptographic means.

Control measures:

  • Policy on the use of cryptographic controls
  • Key management

8. Physical and environmental security

Secure areas

  • Control objective: to prevent unauthorized physical access to, damage to and interference with the organization's premises and information processing facilities.
  • Controls: physical security perimeter, physical entry controls, securing offices, rooms and facilities, protecting against external and environmental threats, working in secure areas, delivery and loading areas

Equipment security

  • Control objective: to prevent loss, damage, theft or compromise of assets and interruption to the organization's operations
  • Control measures: equipment siting and protection, supporting utilities, equipment maintenance
  • Removal of assets, …

9. Operations security

Operating Procedures and Responsibilities

  • Control objective: To ensure the correct and safe operation of information processing facilities
  • Controls: documented operating procedures, change management, capacity management, separation of development, testing and operational environments

Malicious code prevention

  • Control objective: to protect information and information processing facilities from malicious code
  • Controls: controls against malicious code

Backup

  • Control Objective: Prevent Data Loss
  • Control measures: Information backup 

Logging and Monitoring

  • Control objective: Record events and generate evidence.
  • Controls: event logging, protection of log information, administrator and operator logs, clock synchronization

Control of operational software

  • Control objective: ensure the integrity of operational systems
  • Control: installation of software on operational systems

Technical Vulnerability Management

  • Control objective: prevent the exploitation of technical vulnerabilities.
  • Controls: management of technical vulnerabilities, restrictions on software installation

Information Systems Audit Considerations

  • Control objective: Minimize the impact of audit behavior on the business system
  • Controls: Information System Audit Controls 

10. Communications security

Network Security Management

  • Control Objective: To ensure the security of information and supporting infrastructure in the network
  • Control measures: network controls, security of network services, segregation in networks

Information transfer

  • Control objective: to maintain the security of information transferred within the organization and with any external entity.
  • Controls: information transfer policies and procedures, agreements on information transfer, electronic messaging, confidentiality or non-disclosure agreements

11. Information system acquisition, development and maintenance

Security Requirements for Information Systems

  • Control objective: ensure that information security is an integral part of the information system life cycle. This also includes the requirements for information systems that provide services over public networks
  • Controls: information security requirements analysis and specification, securing application services on public networks, protecting application services transactions

Security during development and support

  • Control objective: To ensure the design and implementation of information security in the life cycle of information system development.
  • Control measures: secure development policy, system change control procedures, technical review of applications after operating platform changes, restrictions on changes to software packages, secure system engineering principles, ...

Test Data

  • Control Objective: Ensure data used for testing is protected
  • Controls: Protection of test data

12. Supplier relationships

Information Security in Supplier Relationships

  • Control Objective: Ensure that organizational assets accessible to suppliers are protected
  • Controls: information security policy for supplier relationships, addressing security within supplier agreements, information and communication technology supply chain

Supplier Service Delivery Management

  • Control objective: Maintain information security and service delivery at agreed levels in accordance with supply agreements
  • Controls: Monitoring and review of supplier services, supplier service change management 

13. Information security incident management

Management of information security incidents and improvements

Control objective: to ensure a consistent and effective approach to managing information security incidents, including communication of security events and weaknesses.

Control measures:

  • Responsibilities and procedures
  • Reporting information security events
  • Reporting information security weaknesses
  • Assessment of and decision on information security events
  • Response to information security incidents
  • Learning from information security incidents
  • Collection of evidence

14. Business continuity management

Information security continuity

  • Control objective: information security continuity should be embedded in the organization's business continuity management.
  • Control measures: planning information security continuity, implementing information security continuity, verifying, reviewing and evaluating information security continuity

Redundancy

  • Control objective: to ensure the availability of information processing facilities.
  • Control: availability of information processing facilities

15. Compliance

Compliance with legal and contractual requirements

  • Control objective: to avoid breaches of any legal, statutory, regulatory or contractual obligations and of any security requirements
  • Controls: identification of applicable legal and contractual requirements, intellectual property rights, protection of records, privacy and protection of personally identifiable information, regulation of cryptographic controls

Information security reviews

  • Control objective: to ensure that information security is implemented and operated in accordance with the organization's policies and procedures.
  • Controls: independent review of information security, compliance with security policies and standards, technical compliance review

Origin blog.csdn.net/weixin_43263566/article/details/132006203