Operations and maintenance: security management

 

Security management arises in response to the need for information security. Its main objective is to ensure the security of information. Security means not being vulnerable to known risks and avoiding unknown risks as far as possible.

1.1 Goals

The goal of security management is to protect the value of information, which depends on confidentiality, integrity and availability.

Confidentiality: protecting information from unauthorized access and use.

Integrity: the accuracy, completeness and timeliness of the information.

Availability: information can be accessed at any predetermined time.

Objective 1: to meet the security needs of the service level agreement.

Objective 2: to provide a basic level of security that is independent of external requirements.

The goal of security management is to ensure that effective information security measures are carried out at all three levels: strategic, tactical and operational.

Security management activities

 

2 Activities

2.1 Control

The control activity is the first sub-process of the security management process; it mainly concerns the organization and management of the process, including the information security management framework. The framework describes the following sub-processes: developing the security plan, implementing the security plan, evaluating the implementation, and incorporating the evaluation results into the annual security plan (improvement plan).

This activity defines the sub-processes, security functions, roles and responsibilities. It also describes the organizational structure, the reporting arrangements and the control structure (who instructs whom, who does what, and how implementation status is reported).

2.2 Plan

The plan sub-process includes drawing up the security section of the service level agreement in consultation with Service Level Management, as well as the security-related activities in the supporting contracts. Service level agreement targets are generally defined in broad terms; these goals need to be further refined and specified in the Operational Level Agreements.

2.3 Implementation

The implementation sub-process is responsible for implementing all the security measures in the plan.

Access control:

        Implementation of the access and access control policy.

        Maintenance of user access rights to networks, network application services, computer systems and applications.

        Maintenance of network security barriers (firewalls, dial-up services, bridges and routers).

        Implementation of identification and authentication measures for computer systems, workstations and computers connected to the network.

2.4 Evaluation

An independent assessment of the results of implementing the planned measures is very important. The results of the evaluation sub-process can be used to update the security measures agreed in consultation with the customer, and also to improve their implementation.

Forms of assessment:

        Self-assessment: carried out mainly by the line organization of the processes.

        Internal audit: carried out by internal IT auditors.

        External audit: carried out by external IT auditors.

        Assessments are also carried out when security incidents occur, including:

          Verifying compliance with security policies and the implementation of security plans.

          Performing security audits of IT systems.

          Identifying incorrect use of IT resources and responding appropriately.

          Undertaking other IT security audits.

2.5 Maintenance

         Maintenance is based on the results of the evaluation sub-process and on the results of assessing changes in risk.

2.6 Reporting

         Reporting is the output of the other sub-processes. It lets customers understand the security issues.

Origin blog.csdn.net/q947448283/article/details/90292450