Security Management https://store.theartofservice.com/the-security-management-toolkit.html.


Security Management

IT risk management - Organization for security management

The set-up of the organization in charge of risk management is foreseen as partially fulfilling the requirement to provide the resources needed to establish, implement, operate, monitor, review, maintain and improve an ISMS. The main roles inside this organization are:

the business and functional managers
the Information System Security Officer (ISSO) or Chief Information Security Officer (CISO)
the IT security practitioners

Information Technology Infrastructure Library - Information security management system

The ITIL process Security Management describes the structured fitting of information security into the management organization. ITIL security management is based on the code of practice for information security management systems (ISMS) now known as ISO/IEC.

A basic goal of security management is to ensure adequate information security. The primary goal of information security, in turn, is to protect information assets against risks, and thus to maintain their value to the organization. This is commonly expressed in terms of ensuring their confidentiality, integrity and availability, along with related properties or goals such as authenticity, accountability, non-repudiation and reliability.

Mounting pressure on many organizations to structure their information security management systems in accordance with ISO/IEC required a revision of the ITIL v2 security management volume, which culminated in the release of the 2007 edition.

Network security - Security management

Security management for networks differs from one situation to another. A home or small office may need only basic security, while a large business may need high-maintenance, advanced software and hardware to prevent malicious attacks such as hacking and spamming.

Business continuity - Security management

In today's global business environment, security must be a top priority in managing information technology. For most organizations security is mandated by law, and conformance with those mandates is checked regularly through audits. Failing a security audit can have financial consequences for an organization and can lead to changes in its management.

Security - Security management in organizations

In the corporate world, various aspects of security were historically addressed separately, notably by distinct and often non-communicating departments for IT security, physical security and fraud prevention. Today there is greater recognition of the interconnected nature of security requirements, an approach variously known as holistic security, "all hazards" management, and other terms.

Inciting factors in the convergence of security disciplines include the development of digital video surveillance technologies (see Professional video over IP) and the digitization and networking of physical control systems (see SCADA).

Although "supply chain" is included in its title, this standard specifies the requirements for a security management system, including those aspects critical to security assurance, for any organisation or enterprise wishing to manage the security of the organisation and its activities.

Information security management

Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes the controls that an organization needs to implement to ensure that it is sensibly managing these risks.

The risks to these assets can be calculated by analysing the following:

Threats to your assets: unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets.
Vulnerabilities: how susceptible your assets are to attack.
Impact: the magnitude of the potential loss or the seriousness of the event.

Standards available to assist organizations in implementing appropriate programmes and controls to mitigate these risks include BS7799/ISO 17799, the Information Technology Infrastructure Library (ITIL) and COBIT.
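The risk calculation described above, worked through as an added example (not code from the presentation or from any standard it names). The page only names the three inputs, threat, vulnerability and impact; the 1..5 scales, the rule for combining threat and vulnerability into a likelihood, the risk bands and the tolerance threshold are assumptions chosen for illustration, and the scenarios are constructed.

```python
"""Qualitative risk calculation over a small asset register.

Added example, not code from the presentation or from any standard it names.
The 1..5 scales, the likelihood rule, the risk bands and the tolerance
threshold are assumptions chosen for illustration; the scenarios are
constructed.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class Scenario:
    asset: str
    threat: str             # unwanted event, deliberate or accidental
    threat_likelihood: int  # 1 (rare) .. 5 (almost certain), assumed scale
    vulnerability: int      # 1 (well protected) .. 5 (trivially exploitable), assumed scale
    impact: int             # 1 (negligible) .. 5 (severe), assumed scale


def _check_scale(value, name: str) -> None:
    """Reject anything outside the assumed 1..5 scale rather than scoring it silently."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer in 1..5, got {value!r}")


def likelihood(s: Scenario) -> int:
    """Combine threat and vulnerability into one 1..5 likelihood.

    Assumed rule: the product (1..25) is scaled back onto 1..5, rounding up,
    so a likely threat against a wide-open asset counts as almost certain
    while a rare threat against a well-protected asset stays at 1.
    """
    _check_scale(s.threat_likelihood, "threat_likelihood")
    _check_scale(s.vulnerability, "vulnerability")
    return ceil(s.threat_likelihood * s.vulnerability / 5)


def risk_score(s: Scenario) -> int:
    """Risk = likelihood x impact, on a 1..25 scale."""
    _check_scale(s.impact, "impact")
    return likelihood(s) * s.impact


def risk_band(score: int) -> str:
    """Map a 1..25 score onto the assumed qualitative bands."""
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def risk_register(scenarios, tolerance: int = 10) -> list:
    """Score every scenario, rank by risk and flag those at or above the
    (assumed) tolerance; those are the ones that need a treatment decision
    (mitigate, transfer, avoid, or accept with a documented sign-off)."""
    rows = []
    for s in scenarios:
        score = risk_score(s)
        rows.append({
            "asset": s.asset,
            "threat": s.threat,
            "likelihood": likelihood(s),
            "impact": s.impact,
            "score": score,
            "band": risk_band(score),
            "needs_treatment": score >= tolerance,
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


# Constructed scenarios for the demonstration.
SAMPLE_SCENARIOS = [
    Scenario("customer database", "SQL injection via the web front end", 4, 4, 5),
    Scenario("customer database", "disk failure without a tested restore", 3, 2, 4),
    Scenario("payroll file share", "ransomware delivered by phishing", 5, 3, 5),
    Scenario("intranet wiki", "defacement by an insider", 2, 3, 2),
]

if __name__ == "__main__":
    for r in risk_register(SAMPLE_SCENARIOS):
        flag = "TREAT" if r["needs_treatment"] else "accept"
        print(f"{r['score']:>2} {r['band']:<8} {flag:<6} {r['asset']}: {r['threat']}")
```

The point of separating likelihood from impact is that the same asset appears twice with very different rankings: the injection scenario is critical because the asset is both exposed and valuable, whereas the disk-failure scenario stays within tolerance because the vulnerability is low even though the impact is high.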

ITIL security management

The ITIL security management process describes the structured fitting of security into the management organization.

ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties.

A basic concept of security management is information security. The primary goal of information security is to protect information; when protecting information it is the value of the information that must be protected. That value is expressed in terms of confidentiality, integrity and availability.

The goal of Security Management is split into two parts:

The realization of the security requirements defined in the service level agreement (SLA) and of other external requirements specified in underpinning contracts, legislation and internally or externally imposed policies.
The realization of a basic level of security. This is necessary to guarantee the continuity of the management organization. It also simplifies service-level management for information security, since it is easier to manage a limited number of SLAs than a large number of them.

The input to the security management process is formed by the SLAs with their specified security requirements, legislation documents (if applicable) and other (external) underpinning contracts. These requirements can also act as key performance indicators (KPIs) for managing the process and for justifying its results. The output is justification information on the realization of the SLAs and a report of deviations from the requirements.

The security management process has relations with almost all other ITIL processes. In this particular section, however, the most obvious relations are those to the Service Level Management, Incident Management and Change Management processes.

ITIL security management - The security management process

The security management process consists of activities that are carried out by security management itself or that are controlled by security management.

Because organizations and their information systems change constantly, the activities within the security management process must be revised continuously in order to stay up to date and effective. Security management is a continuous process and can be compared to W. Edwards Deming's quality cycle (Plan, Do, Check, Act).

The inputs are the requirements formulated by the clients. The activities, results/products and the process are documented. External reports are written and sent to the clients, who are then able to adapt their requirements based on the information received through the reports. Furthermore, the service provider can adjust its plan or its implementation based on its own findings in order to satisfy all the requirements stated in the SLA (including new requirements).

ITIL security management - Control

The first activity in the security management process is the Control sub-process. The Control sub-process organizes and manages the security management process itself: it defines the processes, the allocation of responsibilities, the policy statements and the management framework.

The security management framework defines the sub-processes for the development of security plans, the implementation of the security plans, the evaluation, and how the results of the evaluations are translated into action plans. Furthermore, the management framework defines how results should be reported to clients.

The activities that take place in the Control sub-process are summed up in the following table, which contains the name of the (sub)activity and a short description of it.

Activity: Control. Sub-activities and descriptions:

Implement policies: This process outlines the specific requirements and rules that have to be met in order to implement security management. The process ends with the policy statements.
Set up the security organization: This process sets up the organization for information security; for example, the structure and the responsibilities are defined here. This process ends with the security management framework.
Reporting: In this process the whole Control process is documented in a specific way. This process ends with reports.

The meta-modeling technique was used to model the activities of the Control sub-process. It is noticeable that the first two activities are not linked with an arrow and that there is a black stripe with an arrow leading to the Reporting activity. This means that the first two activities are not sequential: they are unordered activities, and after both have taken place the Reporting activity follows. For a more extensive explanation of the meta-modeling technique, consult the Meta-modeling article.

Control documents:

CONTROL: a description of how SECURITY MANAGEMENT will be organized and how it will be managed.
POLICY STATEMENTS: documents that outline specific requirements or rules that must be met. In the information security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities.
SECURITY MANAGEMENT FRAMEWORK: an established management framework to initiate and control the implementation of information security within your organization and to manage ongoing information security provision.

The meta-data model of the Control sub-process is based on a UML class diagram; the figure shows the meta-data model of the Control sub-process. The CONTROL rectangle with a white shadow is an open complex concept. This means that the CONTROL rectangle consists of a collection of (sub)concepts and that these concepts are expanded in this particular context.

ITIL security management - Plan

The Plan sub-process contains activities that, in cooperation with Service Level Management, lead to the (information) security section in the SLA. Furthermore, the Plan sub-process contains activities related to the underpinning contracts that are specific to (information) security.

In the Plan sub-process the goals formulated in the SLA are specified in the form of Operational Level Agreements (OLAs). These OLAs can be defined as security plans for a specific internal organizational entity of the service provider.

Besides the input of the SLA, the Plan sub-process also works with the policy statements of the service provider itself. As said earlier, these policy statements are defined in the Control sub-process.

The Operational Level Agreements for information security are set up and implemented based on the ITIL process. For example, if security management wishes to change the IT infrastructure in order to achieve maximum security, these changes will only be made through the Change Management process. Security Management delivers the input (the Request for Change) for this change.

Activity: Plan. Sub-activities and descriptions:

Create security section for SLA: This process contains activities that lead to the security agreements paragraph in the service level agreements. At the end of this process the security section of the service level agreement is created.
Create underpinning contracts: This process contains activities that lead to UNDERPINNING CONTRACTS. These contracts are specific to security.
Create operational level agreements: The generally formulated goals in the SLA are specified in operational level agreements, which are security plans for specific organizational units.
Reporting: In this process the whole Create plan process is documented in a specific way.

As for the Control sub-process, the Plan sub-process has been modeled using the meta-modeling technique. On the right side of the figure the meta-process model of the Plan sub-process is given. As can be seen, the Plan sub-process consists of a combination of unordered and ordered (sub)activities. Furthermore, the sub-process contains three complex activities, which are all closed activities, and one standard activity.

The following table consists of the concepts that are created or adjusted during the Plan sub-process.

PLAN: formulated schemes for the security agreements.
Security section of the service level agreements: the security agreements paragraph in the written agreements between a service provider and the customer(s) that document the agreed service levels for a service.
UNDERPINNING CONTRACTS: a contract with an external supplier covering the delivery of services that support the IT organisation in its delivery of services.
OPERATIONAL LEVEL AGREEMENTS: an internal agreement covering the delivery of services that support the IT organization in its delivery of services.

The two closed concepts are not expanded in this particular context. The following picture (figure 2.2.1) is the process-data diagram of the Plan sub-process. This picture shows the integration of the two models. The dotted arrows indicate which concepts are created or adjusted in the corresponding activities of the Plan sub-process.

ITIL security management - Implementation

The Implementation sub-process makes sure that all measures, as specified in the plans, are properly implemented. During the Implementation sub-process no (new) measures are defined or changed; the definition or change of measures takes place in the Plan sub-process in cooperation with the Change Management process.

The activities that take place in the Implementation sub-process are summed up in the following table (table 2.3.1). The table contains the name of the (sub)activity and a short description of it.

Activity: Implement. Sub-activities and descriptions:

Classifying and managing of IT applications: The process of formally grouping configuration items by type (e.g. software, hardware, documentation, environment, application) and of formally identifying changes by type (e.g. project scope change request, validation change request, infrastructure change request). This process leads to the asset classification and control documents.
Implement personnel security: Here measures are adopted in order to give personnel safety and confidence, and measures to prevent crime and fraud.
Implement security management: In this process specific security requirements and/or security rules that must be met are outlined and documented.
Implement access control: In this process specific access security requirements and/or access security rules that must be met are outlined and documented.
Reporting: In this process the whole Implement as planned process is documented in a specific way.

Table 2.3.1: (Sub)activities and descriptions, Implementation sub-process, ITIL Security Management

The left side of the figure is the meta-process model of the Implementation phase. The four labels with a black shadow mean that these activities are closed concepts and are not expanded in this context. It is also noticeable that there are no arrows connecting these four activities: they are unordered, and the reporting is carried out after all four activities have been completed.

During the Implementation phase a number of concepts are created and/or adjusted:

IMPLEMENTATION: accomplished security management according to the security management plan.
Asset classification and control documents: a comprehensive inventory of assets with responsibility assigned, to ensure that effective security protection is maintained.
Personnel security: well-defined job descriptions for all staff outlining security roles and responsibilities.
Security policies: documents that outline specific security requirements or security rules that must be met.
Access control: network management to ensure that only those with the appropriate responsibility have access to information in the networks, and the protection of the supporting infrastructure.

Table 2.3.2: Concepts and definitions, Implementation sub-process, Security Management

The concepts created and/or adjusted are modeled using the meta-modeling technique. The right side of the figure is the meta-data model of the Implementation sub-process. The implementation documents are an open concept and are expanded upon in this context. It consists of four closed concepts, which are not expanded because they are irrelevant in this particular context. In order to make the relations between the two models clearer, the integration of the two models is illustrated in the figure. The dotted arrows running from the activities to the concepts illustrate which concepts are created/adjusted in the corresponding activities.

Figure 2.3.1: Process-data model, Implementation sub-process

ITIL security management - Evaluation

The evaluation of the implementation and the plans is very important. The evaluation is necessary to measure the success of the implementation and of the security plans. The evaluation is also very important for the clients (and possibly third parties). The results of the Evaluation sub-process are used to maintain the agreed measures and the implementation itself. Evaluation results can lead to new requirements and so to a Request for Change, which is then defined and sent to the Change Management process.

Mainly there are three sorts of evaluation: self-assessment, internal audit and external audit. The self-assessment is mainly carried out within the organization of the processes. Internal audits are carried out by internal IT auditors; external audits are carried out by external, independent IT auditors.

Besides the evaluations already mentioned, an evaluation based on the reported security incidents also takes place. The most important activities for this evaluation are: security monitoring of the IT systems; verifying that security legislation is complied with and that the security plans have been implemented; and tracing and reacting to undesirable use of the IT resources.
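Two passages of this section describe the same mechanism from different ends: the SLA security requirements serve as KPIs and the process's output is a report of deviations from them (the inputs and outputs described under ITIL security management above), and the Evaluation sub-process checks the implemented agreements against incidents and monitoring results. The following is an added example of such a check, not code from the presentation or from ITIL. The requirement names, targets and sources, the incident records and the monitoring readings are all constructed for the demonstration.

```python
"""Checking measured security KPIs against the agreed security requirements
and producing the deviation report that goes back to the client.

Added example, not code from the presentation or from ITIL. The requirement
names, targets, sources, incident records and monitoring readings are
constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Requirement:
    kpi: str        # name of the measured indicator
    operator: str   # "<=" or ">=": the direction in which the target must hold
    target: float
    source: str     # SLA security section, underpinning contract or legislation


# Constructed security section of an SLA plus externally imposed requirements.
REQUIREMENTS = [
    Requirement("critical_patch_days", "<=", 14, "SLA"),
    Requirement("mfa_coverage_pct", ">=", 99.0, "SLA"),
    Requirement("p1_incidents_per_quarter", "<=", 2, "SLA"),
    Requirement("p1_mean_resolution_hours", "<=", 8.0, "underpinning contract"),
    Requirement("log_retention_days", ">=", 365, "legislation"),
    Requirement("restore_test_age_days", "<=", 90, "SLA"),
]

# Constructed incident records for one quarter (ISO 8601 timestamps).
INCIDENTS = [
    {"id": "INC-1", "priority": "P1", "opened": "2012-01-09T08:00", "resolved": "2012-01-09T14:30"},
    {"id": "INC-2", "priority": "P2", "opened": "2012-01-20T10:00", "resolved": "2012-01-22T10:00"},
    {"id": "INC-3", "priority": "P1", "opened": "2012-02-14T22:00", "resolved": "2012-02-15T12:00"},
    {"id": "INC-4", "priority": "P1", "opened": "2012-03-03T09:00", "resolved": "2012-03-03T11:00"},
]

# Constructed readings from monitoring; restore_test_age_days is deliberately absent.
MEASUREMENTS = {
    "critical_patch_days": 21,
    "mfa_coverage_pct": 99.4,
    "log_retention_days": 365,
}


def _hours_between(opened: str, resolved: str) -> float:
    delta = datetime.fromisoformat(resolved) - datetime.fromisoformat(opened)
    return delta.total_seconds() / 3600


def incident_kpis(incidents) -> dict:
    """Derive the incident-related KPIs from the incident records."""
    p1 = [i for i in incidents if i["priority"] == "P1"]
    kpis = {"p1_incidents_per_quarter": len(p1)}
    if p1:  # the mean of no incidents is undefined, so leave that KPI unmeasured
        kpis["p1_mean_resolution_hours"] = mean(
            _hours_between(i["opened"], i["resolved"]) for i in p1)
    return kpis


def _holds(operator: str, measured: float, target: float) -> bool:
    if operator == "<=":
        return measured <= target
    if operator == ">=":
        return measured >= target
    raise ValueError(f"unsupported operator {operator!r}")


def evaluate(requirements, measurements) -> list:
    """Compare each requirement with its measurement. A requirement with no
    measurement counts as not met: an unmeasured control cannot be justified
    to the client, so the report fails closed rather than silently passing."""
    results = []
    for req in requirements:
        measured = measurements.get(req.kpi)
        met = measured is not None and _holds(req.operator, measured, req.target)
        results.append({
            "kpi": req.kpi, "operator": req.operator, "target": req.target,
            "source": req.source, "measured": measured, "met": met,
        })
    return results


def deviation_report(results) -> list:
    """One line per requirement that is not met; empty when all are met."""
    lines = []
    for r in results:
        if r["met"]:
            continue
        required = f"required {r['operator']} {r['target']:g} ({r['source']})"
        if r["measured"] is None:
            lines.append(f"{r['kpi']}: no measurement available, {required}")
        else:
            lines.append(f"{r['kpi']}: measured {r['measured']:g}, {required}")
    return lines


def quarterly_evaluation() -> list:
    """Run the whole check over the constructed data."""
    measurements = {**MEASUREMENTS, **incident_kpis(INCIDENTS)}
    return evaluate(REQUIREMENTS, measurements)


if __name__ == "__main__":
    report = deviation_report(quarterly_evaluation())
    print("\n".join(report) if report else "all security requirements met")
```

Each deviation line carries the source of the requirement, because that decides what the evaluation result feeds: a missed SLA target is material for a Request for Change to the SLA or OLA, while a missed legislative requirement is not negotiable with the client at all. The unmeasured restore-test KPI is reported as a deviation on purpose; a requirement nobody measures is the one most likely to be discovered by an auditor first.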

The activities that take place in the Evaluation sub-process are summed up in the following table (Table 2.4.1).

Activity: Evaluate. Sub-activities and descriptions:

Self-assessment: In this process an examination of the implemented security agreements is done by the organization of the process itself. The result of this process is the SELF ASSESSMENT DOCUMENTS.
Internal audit: In this process an examination of the implemented security agreements is done by an internal EDP auditor.
External audit: In this process an examination of the implemented security agreements is done by an external EDP auditor.
Evaluation based on security incidents: In this process an examination of the implemented security agreements is done based on security incidents, i.e. events that are not part of the standard operation of a service and that cause, or may cause, an interruption to, or a reduction in, the quality of that service.
Reporting: In this process the whole Evaluate implementation process is documented in a specific way.

Table 2.4.1: (Sub)activities and descriptions, Evaluation sub-process, ITIL Security Management

Figure 2.4.1: Process-data model, Evaluation sub-process

The process-data diagram illustrated in the figure consists of a meta-process model and a meta-data model. The Evaluation sub-process was modeled using the meta-modeling technique. The dotted arrows running from the meta-process diagram (left) to the meta-data diagram (right) indicate which concepts are created/adjusted in the corresponding activities. All of the activities in the Evaluation phase are standard activities.

For a short description of the Evaluation phase concepts see the following table, where the concepts are listed and defined.

EVALUATION: evaluated/checked implementation.
RESULTS: the outcome of the evaluated implementation.
SELF ASSESSMENT DOCUMENTS: result of the examination of the security management by the organization of the process itself.
INTERNAL AUDIT: result of the examination of the security management by the internal EDP auditor.
EXTERNAL AUDIT: result of the examination of the security management by the external EDP auditor.
SECURITY INCIDENTS DOCUMENTS: results of evaluating security incidents, i.e. events that are not part of the standard operation of a service and that cause, or may cause, an interruption to, or a reduction in, the quality of that service.

Table 2.4.2: Concepts and definitions, Evaluation sub-process, Security Management

ITIL security management - Maintenance

It is necessary for the security to be maintained. Because of changes in the IT infrastructure and changes in the organization itself, security risks are bound to change over time. The maintenance of the security concerns both the maintenance of the security section of the service level agreements and the more detailed security plans. The maintenance is based on the results of the Evaluation sub-process and insight into the changing risks.

These activities will only produce proposals. The proposals serve as inputs for the Plan sub-process and will go through the whole cycle, or the proposals can be taken into the maintenance of the service level agreements. In both cases the proposals could lead to activities in the action plan. The actual changes will be carried out by the Change Management process. For more information about the Change Management process, consult the Change Management Wiki.

The activities that take place in the maintain sub-process are summed up in the following table (Table 2.5.1).

Request for change to SLA and/or OLA: Request for a change to the SLA and/or OLA is formulated.

Reporting: In this process the whole maintain implemented security policies process is documented in a specific way.

Table 2.5.1: (Sub) activities and descriptions, Maintenance sub-process, ITIL Security Management

The figure below is the process-data diagram of the implementation sub-process. This picture shows the integration of the meta-process model (left) and the meta-data model (right).

Figure 2.5.1: Process-data model, Maintenance sub-process

The maintenance sub-process starts with the maintenance of the service level agreements and the maintenance of the operational level agreements. After these activities take place (in no particular order), if there is a request for a change, the request for change activity takes place; after the request for change activity is concluded, the reporting activity starts. If there is no request for a change, the reporting activity starts directly after the first two activities. The concepts in the meta-data model are created or adjusted during the maintenance phase.

MAINTENANCE DOCUMENTS: Agreements kept in proper condition.

MAINTAINED SERVICE LEVEL AGREEMENTS: Service Level Agreements (security paragraph) kept in proper condition.

REQUEST FOR CHANGE: Form, or screen, used to record details of a request for a change to the SLA/OLA.

Table 2.5.2: Concept and definition, Plan sub-process, Security management

ITIL security management - Complete process-data model

The following picture shows the complete process-data model of the Security Management process. This means that the complete meta-process model, the complete meta-data model and the integrations of the two models of the Security Management process are shown.

Figure 2.6.1: Process-data model, Security Management process

ITIL security management - Relations with other ITIL processes

The Security Management process, as stated in the introduction, has relations with almost all other ITIL processes, among them:

IT Customer Relationship Management

IT Service Continuity Management

Within these processes there are a couple of activities concerning security that have to take place. However, Security Management will give indications to the process concerned on how these (security-specific) activities should be structured.

ITIL security management - Example

The use of internal in an organization has a lot of security risks. So if an organization chooses to use as a means of communication, it is essential that the organization implements a well thought out security plan and policies. In this example the ITIL Security Management approach is used to implement policies in an organization.

First, the Security Management team is formed and the guidelines for how the process should be carried out are formulated and made clear to all employees and providers concerned. These actions are carried out in the Control phase of the Security Management process.

The next step in the process of implementing policies is planning. In the Plan phase of the process the policies are formulated. Besides the policies that are already written in the Service Level Agreements, the policies that are specific to the security are formulated and added to the service level agreements. At the end of this phase the entire plan is formulated and is ready to be implemented.

The following phase in the process is the actual implementation of the policies. The implementation is done according to the plan which was formulated in the preceding phase (Plan phase).

After the actual implementation the policies will be evaluated. In order to evaluate the implemented policies the organization will perform:

The last phase is the maintenance phase. In the maintenance phase the implemented policies are maintained. The organization now knows which policies are properly implemented and properly followed, which policies need more work in order to help the security plan of the organization, and whether there are new policies that have to be implemented. At the end of this process the Requests for change are formulated (if needed) and the policies are properly maintained.

In order for the organization to keep its security plan up to date, the organization will have to perform the security management process continuously. There is no end to this process; an organization can always improve its security.

Security management

Security management is the identification of an organization's assets (including information assets), followed by the development, documentation, and implementation of policies and procedures for protecting these assets.

An organisation uses such security management procedures as information classification, risk assessment, and risk analysis to identify threats, categorise assets, and rate system vulnerabilities so that it can implement effective controls.

Security management - Loss prevention

Loss prevention focuses on what your critical assets are and how you are going to protect them. A key component of loss prevention is assessing the potential threats to the successful achievement of the goal. This must include the potential opportunities that further the objective (why take the risk unless there's an upside?). Balance probability and impact, then determine and implement measures to minimize or eliminate those threats.

Security management - Security risk management

Management of security risks applies the principles of risk management to the management of security threats. It consists of identifying threats (or risk causes), assessing the effectiveness of existing controls to face those threats, determining the risks' consequence(s), prioritising the risks by rating the likelihood and impact, classifying the type of risk, and selecting an appropriate risk option or risk response.

Security management - External

Strategic: like competition and customer demand

Operational: regulation, suppliers, contracts

Compliance: new regulatory or legal requirements are introduced, or existing ones are changed, exposing the organisation to a non-compliance risk if measures are not taken to ensure compliance

Security management - Internal

Hazard: safety and security; employees and equipment

Compliance: actual or potential changes in the organisation's systems, processes, suppliers, etc. may create exposure to a legal or regulatory non-compliance.

Security management - Risk avoidance

The first choice to be considered. The possibility of eliminating the existence of criminal opportunity, or avoiding the creation of such an opportunity, is always the best solution, provided that no additional considerations or factors are created as a result of this action that would create a greater risk. As an example, removing all the cash from a retail outlet would eliminate the opportunity for stealing the cash, but it would also eliminate the ability to conduct business.

Security management - Risk reduction

When avoiding or eliminating the criminal opportunity conflicts with the ability to conduct business, the next step is the reduction of the opportunity and potential loss to the lowest level consistent with the function of the business. In the example above, the application of risk reduction might result in the business keeping only enough cash on hand for one day's operation.

Security management - Risk spreading

Assets that remain exposed after the application of reduction and avoidance are the subjects of risk spreading. This is the concept that limits loss or potential losses by exposing the perpetrator to the probability of detection and apprehension prior to the consummation of the crime, through the application of perimeter lighting, barred windows and intrusion detection systems. The idea here is to reduce the time available to steal assets and escape without apprehension.

Security management - Risk transfer

Transferring risks to other alternatives when those risks have not been reduced to acceptable levels. The two primary methods of accomplishing risk transfer are to insure the assets or to raise prices to cover the loss in the event of a criminal act. Generally speaking, when the first three steps have been properly applied, the cost of transferring risks is much lower.

Security management - Risk acceptance

All remaining risks must simply be assumed by the business as a risk of doing business. Included with these accepted losses are deductibles which have been made part of the insurance coverage.

Security management - Access control

Locks, simple or sophisticated, such as biometric authentication and keycard locks

Security management - Physical security

Security guards (armed or unarmed) with wireless communication devices (e.g., two-way radio)

Federal Information Security Management Act of 2002

The Federal Information Security Management Act of 2002 ("FISMA", 44 U.S.C

FISMA has brought attention within the federal government to cybersecurity and explicitly emphasized a "risk-based policy for cost-effective security." FISMA requires agency program officials, chief information officers, and inspectors general (IGs) to conduct annual reviews of the agency's information security program and report the results to the Office of Management and Budget (OMB).

Federal Information Security Management Act of 2002 - Purpose of the act

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.

According to FISMA, the term information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability.

Federal Information Security Management Act of 2002 - Implementation of FISMA

In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems.

Information Security Automation Program (ISAP)

National Vulnerability Database (NVD): the U.S. government content repository for ISAP and SCAP. NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).

Federal Information Security Management Act of 2002 - Compliance framework defined by FISMA and supporting standards

FISMA defines a framework for managing information security that must be followed for all information systems used or operated by a U.S. federal government agency in the executive or legislative branches, or by a contractor or other organization on behalf of a federal agency in those branches. This framework is further defined by the standards and guidelines developed by NIST.

Federal Information Security Management Act of 2002 - Inventory of information systems

FISMA requires that agencies have in place an information systems inventory.

Federal Information Security Management Act of 2002 - Categorize information and information systems according to risk level

All information and information systems should be categorized based on the objectives of providing appropriate levels of information security according to a range of risk levels.

The first mandatory security standard required by the FISMA legislation, FIPS 199 Standards for Security Categorization of Federal Information and Information Systems, provides the definitions of security categories. The guidelines are provided by NIST SP Guide for Mapping Types of Information and Information Systems to Security Categories.

The overall FIPS 199 system categorization is the high water mark for the impact rating of any of the criteria for information types resident in a system. For example, if one information type in the system has a rating of Low for confidentiality, integrity, and availability, and another type has a rating of Low for confidentiality and availability but a rating of Moderate for integrity, then the entire system has a FIPS 199 categorization of Moderate.
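The high water mark rule just described, carried through in code as an added example (this is not code from the page, from NIST, or from FIPS 199 itself). The impact ordering Low < Moderate < High and the rule that the system takes the highest rating found across all information types and all three objectives are as the text states; the information type names and ratings are constructed sample data, and the SC notation rendered by format_sc is the form FIPS 199 uses to write a categorization. An unrecognised rating string raises rather than silently defaulting to Low, since an unrated type would otherwise pull a system's category down.

```python
"""FIPS 199 security categorization by the high water mark rule.

Added example, not from the page. The ordering LOW < MODERATE < HIGH and the
high-water-mark rule follow FIPS 199; the information types and ratings used
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable

IMPACT_ORDER = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type resident in the system, rated per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def rating(self, objective: str) -> str:
        # Normalise case and refuse unknown levels instead of defaulting to LOW.
        level = getattr(self, objective).upper()
        if level not in IMPACT_ORDER:
            raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
        return level


def high_water_mark(levels: Iterable[str]) -> str:
    """Return the highest impact level among `levels` (LOW < MODERATE < HIGH)."""
    levels = list(levels)
    if not levels:
        raise ValueError("at least one impact level is required")
    return max(levels, key=lambda lvl: IMPACT_ORDER[lvl])


def categorize_system(info_types: Iterable[InformationType]) -> dict:
    """Compute per-objective high water marks and the overall system category.

    Returns a dict keyed by 'confidentiality', 'integrity', 'availability'
    and 'overall'. Each objective takes the highest rating any information
    type holds for it; 'overall' is the highest of those three.
    """
    info_types = list(info_types)
    per_objective = {
        obj: high_water_mark(t.rating(obj) for t in info_types) for obj in OBJECTIVES
    }
    per_objective["overall"] = high_water_mark(per_objective[o] for o in OBJECTIVES)
    return per_objective


def format_sc(category: dict) -> str:
    """Render the FIPS 199 SC notation, e.g. SC = {(confidentiality, LOW), ...}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


# Constructed sample data reproducing the page's worked example: one type rated
# Low/Low/Low and another Low/Moderate/Low, so the system as a whole is Moderate.
PAGE_EXAMPLE = [
    InformationType("public web content", "LOW", "LOW", "LOW"),
    InformationType("service configuration data", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    result = categorize_system(PAGE_EXAMPLE)
    print(format_sc(result))
    print("overall FIPS 199 categorization:", result["overall"])
```

The per-objective marks are kept alongside the overall value because the overall category is what drives the choice of control baseline in the following steps, while the per-objective breakdown is what an assessor wants to see when questioning why a system landed at Moderate.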

Federal Information Security Management Act of 2002 - Security controls

Federal information systems must meet the minimum security requirements. These requirements are defined in the second mandatory security standard required by the FISMA legislation, FIPS 200 Minimum Security Requirements for Federal Information and Information Systems.

Organizations must meet the minimum security requirements by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication, Recommended Security Controls for Federal Information Systems.

Agencies have flexibility in applying the baseline security controls in accordance with the tailoring guidance provided in that Special Publication. This allows agencies to adjust the security controls to more closely fit their mission requirements and operational environments.

The controls selected or planned must be documented in the System Security Plan.

Federal Information Security Management Act of 2002 - Risk assessment

The combination of FIPS 200 and the NIST Special Publication requires a foundational level of security for all federal information and information systems.

A risk assessment starts by identifying potential threats and vulnerabilities and mapping implemented controls to individual vulnerabilities.

NIST also initiated the Information Security Automation Program (ISAP) and Security Content Automation Protocol (SCAP) that support and complement the approach for achieving consistent, cost-effective security control assessments.

Federal Information Security Management Act of 2002 - System security plan

Agencies should develop policy on the system security planning process. NIST SP introduces the concept of a System Security Plan. System security plans are living documents that require periodic review, modification, and plans of action and milestones for implementing security controls. Procedures should be in place outlining who reviews the plans, keeps the plan current, and follows up on planned security controls.

The System Security Plan is the major input to the security certification and accreditation process for the system.

Federal Information Security Management Act of 2002 - Certification and accreditation

Once the system documentation and risk assessment have been completed, the system's controls must be reviewed and certified to be functioning appropriately. Based on the results of the review, the information system is accredited. The certification and accreditation process is defined in NIST SP Guide for the Security Certification and Accreditation of Federal Information Systems (see also NIST SP Guide for Applying the Risk Management Framework to Federal Information Systems).

Security accreditation is the official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations, agency assets, or individuals based on the implementation of an agreed-upon set of security controls.

The information and supporting evidence needed for security accreditation is developed during a detailed security review of an information system, typically referred to as security certification.

Federal Information Security Management Act of 2002 - Continuous monitoring

All accredited systems are required to monitor a selected set of security controls, and the system documentation is updated to reflect changes and modifications to the system. Large changes to the security profile of the system should trigger an updated risk assessment, and controls that are significantly modified may need to be re-certified.

Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.

Federal Information Security Management Act of 2002 - Critique

Security experts Bruce Brody, a former federal chief information security officer, and Alan Paller, director of research for the SANS Institute, have described FISMA as a well-intentioned but fundamentally flawed tool, and argued that the compliance and reporting methodology mandated by FISMA measures security planning rather than measuring information security.

Information security management system

An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks. The idioms arose primarily out of BS

The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

Information security management system - ISMS description

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or Deming cycle, approach:

The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.

The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.

ISO/IEC 27001:2005 is a risk-based information security standard, which means that organizations need to have a risk management process in place. The risk management process fits into the PDCA model given above. However, the latest standard, ISO/IEC 27001:2013, does not use this cycle.

Another competing ISMS is the Information Security Forum's Standard of Good Practice (SOGP). It is more best-practice-based, as it comes from ISF's industry experiences.

Some other best known ISMSs include the Common Criteria (CC) international standard and the IT Security Evaluation Criteria (ITSEC).

Some nations use their own ISMS, e.g., the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of the USA, the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) of the USA, the Trusted Computer System Evaluation Criteria (TCSEC) of the USA, the IT Baseline Protection Manual (ITBPM) of Germany, the ISMS of Japan, the ISMS of Korea, and the Information Security Check Service (ISCS) of Korea.

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, Risk IT, dedicated to information security.

The table below illustrates the certification structure comparison of some best known ISMSs:

                            | BS 7799                                                           | Common Criteria (CC)                                                              | IT Security Evaluation Criteria (ITSEC)
----------------------------|-------------------------------------------------------------------|-----------------------------------------------------------------------------------|----------------------------------------------------------------------------------
Operation Area              | England                                                           | About 25 countries                                                                | European countries
Difference of Process       | Emphasis on managerial security                                   | Emphasis on technical security                                                    | Emphasis on managerial security
Specification Control Point | Provide best code of practice for information security management | Provide common set of requirements for the security functionality of IT products | Provide common set of requirements for the security functionality of IT products
Evaluation Method           | Use the PDCA model cycle                                          | Follow each certification evaluation procedure                                    | Follow Commission of the European Communities

The remaining rows of the table (structure and management process of each standard) survive here only as fragments: Security domains; Security controls - 3 Parts; Security functional requirements; 6- Prepare a statement of applicability; 1- PP/ST introduction; 7- TOE summary specification.

There are a number of initiatives focused on the governance and organizational issues of securing information systems, bearing in mind that it is a business and organizational problem, not only a technical problem:

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 that recognized the importance of information security to the economic and national security interests of the United States.

The Governing for Enterprise Security Implementation Guide of the Carnegie Mellon University Software Engineering Institute CERT is designed to help business leaders implement an effective program to govern information technology (IT) and information security.

A Capability Maturity Model (CMM) for system security engineering was standardized in ISO/IEC

ISM3 is a standard for security management (how to achieve the organization's mission despite errors, attacks and accidents with a given budget).

Information security management system - Need for an ISMS

Security experts say and statistics confirm that:

information technology security administrators should expect to devote approximately one-third of their time to addressing technical aspects. The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;

security depends on people more than on technology;

employees are a far greater threat to information security than outsiders;

security is like a chain: it is only as strong as its weakest link;

the degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;

security is not a status or a snapshot, but a running process.

These facts inevitably lead to the conclusion that security administration is a management issue, and not a purely technical issue.

The establishment, maintenance and continuous update of an ISMS provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks. Critical factors of an ISMS:

Confidentiality: protecting information from unauthorized parties.

Integrity: protecting information from modification by unauthorized users.

Availability: making the information available to authorized users.

A company will be capable of successfully addressing information confidentiality, integrity and availability requirements, which in turn have implications:

In doing so, information security management will enable implementing the desirable qualitative characteristics of the services offered by the organization (i.e

Large organizations, or organizations such as banks and financial institutes, telecommunication operators, hospitals and health institutes, and public or governmental bodies, have many reasons for addressing information security very seriously. Legal and regulatory requirements which aim at protecting sensitive or personal data, as well as general public security requirements, impel them to devote the utmost attention and priority to information security risks.

Under these circumstances the development and implementation of a separate and independent management process, namely an Information Security Management System, is the one and only alternative.

Information security management system - Critical success factors for ISMS

have the continuous, unshakeable and visible support and commitment of the organization's top management;

be an integral part of the overall management of the organization, related to and reflecting the organization's approach to risk management, the control objectives and controls, and the degree of assurance required;

have security objectives and activities based on business objectives and requirements and led by business management;

undertake only necessary tasks and avoid over-control and waste of valuable resources;

fully comply with the organization's philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables them to do it in control and demonstrate their fulfilled accountabilities;

be based on continuous training and awareness of staff and avoid the use of disciplinary measures and "police" or "military" practices;

Information security management system - Dynamic issues in ISMS

There are three main problems which lead to uncertainty in information security management systems (ISMS):

Dynamically changing security requirements of an organization

Rapid technological development raises new security concerns for organizations. The existing security measures and requirements become obsolete as new vulnerabilities arise with the development in technology. To overcome this issue, the ISMS should organize and manage dynamically changing requirements and keep the system up to date.

Externality is an economic concept for the effects borne by a party that is not directly involved in a transaction.

Obsolete evaluation of security concerns

The evaluations of security concerns used in an ISMS become obsolete as the technology progresses and new threats and vulnerabilities arise.

ITIL - Information security management system

A basic goal of security management is to ensure adequate information security.

Security systems - Security management in organizations

Inciting factors in the convergence of security disciplines include the development of digital video surveillance technologies (see professional video over IP) and the digitization and networking of physical control systems (see SCADA). (Sources: "Taming the Two-Headed Beast", CSOonline, September 2002; "Security 2.0", CSOonline, April 2005.) Greater interdisciplinary cooperation is further evidenced by the February 2005 creation of the Alliance for Enterprise Security Risk Management, a joint venture including leading associations in security (ASIS International), information security (ISSA, the Information Systems Security Association), and IT audit (ISACA, the Information Systems Audit and Control Association).

Fraud Squad - NHS Counter Fraud and Security Management Service

The NHS Counter Fraud and Security Management Service is an independent division of the NHS Business Services Authority and has responsibility for all policy and operational matters relating to the prevention, detection and investigation of fraud and corruption and the management of security in the National Health Service. (Source: NHS Counter Fraud and Security Management Service.)

* NHS Counter Fraud Service established in September
* NHS Security Management Service was established in 2003 to form the NHS Counter Fraud and Security Management Service.

Its objectives are:

* To reduce fraud to an absolute minimum and hold it permanently at that level, releasing resources for better patient care and services.
* To deliver an environment for those who use or work in the NHS which is properly secure, so that the highest possible standard of clinical care can be made available to patients.

Federal Information Security Management Act of 2002

The 'Federal Information Security Management Act of 2002' ('FISMA') is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002.

OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with the act (FY 2005 Report to Congress on Implementation of the Federal Information Security Management Act of 2002). In FY 2008, federal agencies spent $6.2 billion securing the government's total information technology investment of approximately $68 billion, or about 9.2 percent of the total information technology portfolio (FY 2008 Report to Congress on Implementation of the Federal Information Security Management Act of 2002).

Federal Information Security Management Act of 2002 - Purpose of the act

FISMA assigns specific responsibilities to federal agencies, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce information technology security risks to an acceptable level.

Federal Information Security Management Act of 2002 - Implementation of FISMA

In accordance with FISMA, NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets, excluding national security systems.

* Information Security Automation Program (ISAP)
* National Vulnerability Database (NVD) – the U.S. government content repository for ISAP and the Security Content Automation Protocol (SCAP). NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g., FISMA).

Federal Information Security Management Act of 2002 - Inventory of information systems

The identification of information systems in an inventory under this subsection shall include an identification of the interfaces between each such system and all other systems or networks, including those not operated by or under the control of the agency.

Information Security Management Certified Professional

'Information Security Management Certified Professional' ('ISMCP') is a designation awarded by INFINIDOX.

Relevant information security background, both theoretical and practical, is required to pass the ISMCP examination.

* Security administration
* Communication systems security
* Applications security

Candidates are recommended to have a minimum of 5 years of experience in one or more of the six topic areas that the exam covers.

FCAPS - Security management

Security management is the process of controlling access to assets in the network. Data security is achieved mainly with authentication and encryption. Authorization is configured with operating system (OS) and database management system (DBMS) access control settings.

Security management functions include managing network authentication, authorization, and auditing, such that both internal and external users have access only to appropriate network resources.
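The three FCAPS security-management functions named above (authentication, authorization, auditing) fit together in one decision path, shown here as an added example that is not part of the FCAPS text or any network-management product. The user accounts, resource names, zones and permission table are constructed sample data; the "internal"/"external" zone check models the requirement that external users reach only resources meant to be reachable from outside, and every decision, allowed or denied, lands in an audit log.

```python
"""Added example: authentication, authorization and auditing for network
resources, modelled after the FCAPS security-management description.
All accounts, resources and policy entries are constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the user store never holds clear-text or unsalted hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    zone: str               # "internal" (on the LAN) or "external" (from the internet)
    roles: FrozenSet[str]
    salt: bytes
    pw_hash: bytes


def make_user(name: str, zone: str, roles, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, zone, frozenset(roles), salt, _hash_password(password, salt))


# Constructed sample accounts (hypothetical names and passwords).
USERS: Dict[str, User] = {
    "alice": make_user("alice", "internal", {"netadmin"}, "correct horse"),
    "bob": make_user("bob", "external", {"contractor"}, "battery staple"),
}

# Constructed policy: from which zones a resource may be reached at all,
# and which (role, action) pairs are permitted on it.
RESOURCE_ZONES = {
    "core-switch-01": {"internal"},
    "vpn-gateway": {"internal", "external"},
    "wiki": {"internal", "external"},
}
PERMISSIONS = {
    ("netadmin", "configure"): {"core-switch-01", "vpn-gateway"},
    ("netadmin", "read"): {"core-switch-01", "vpn-gateway", "wiki"},
    ("contractor", "read"): {"wiki"},
}

# Audit trail: every decision, allowed or denied, is recorded. In a real
# deployment this would be shipped to an append-only log server.
AUDIT_LOG: List[dict] = []

# Dummy credential so that unknown account names cost the same time as real ones.
_DUMMY = make_user("-", "external", set(), secrets.token_hex(16))


def authenticate(name: str, password: str) -> Optional[User]:
    """Return the User if the password verifies, else None."""
    user = USERS.get(name, _DUMMY)
    ok = hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)
    return user if ok and user is not _DUMMY else None


def authorize(user: User, action: str, resource: str) -> Tuple[bool, str]:
    """Zone check first (is the resource reachable from where the user is?),
    then role check (does any of the user's roles permit this action on it?)."""
    if user.zone not in RESOURCE_ZONES.get(resource, set()):
        return False, "zone"
    if not any(resource in PERMISSIONS.get((role, action), set()) for role in user.roles):
        return False, "role"
    return True, "ok"


def access(name: str, password: str, action: str, resource: str) -> Tuple[bool, str]:
    """The full flow: authenticate, authorize, and audit the outcome."""
    user = authenticate(name, password)
    if user is None:
        AUDIT_LOG.append({"user": name, "action": action, "resource": resource,
                          "outcome": "denied", "reason": "auth"})
        return False, "auth"
    allowed, reason = authorize(user, action, resource)
    AUDIT_LOG.append({"user": name, "action": action, "resource": resource,
                      "outcome": "allowed" if allowed else "denied", "reason": reason})
    return allowed, reason


def denied_events() -> List[dict]:
    """What a security-operations review looks at: failed or blocked attempts."""
    return [e for e in AUDIT_LOG if e["outcome"] == "denied"]


if __name__ == "__main__":
    print(access("alice", "correct horse", "configure", "core-switch-01"))  # (True, 'ok')
    print(access("bob", "battery staple", "read", "wiki"))                  # (True, 'ok')
    print(access("bob", "battery staple", "read", "core-switch-01"))        # (False, 'zone')
    print(access("bob", "battery staple", "configure", "wiki"))             # (False, 'role')
    print(access("mallory", "guess", "read", "wiki"))                        # (False, 'auth')
    for event in denied_events():
        print(event)
```

The order of checks matters for what the audit log reveals: an external user asking for an internal-only device is refused on the zone rule before any role lookup, so the log shows whether a denial came from where the request originated or from what the account was permitted to do, which is the distinction an analyst needs when deciding whether a denied event is a misconfiguration or a probe.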

Total Security Management

'Total Security Management' ('TSM') is the business practice of developing and implementing comprehensive risk management and security practices for a firm's entire value chain.

TSM encourages companies to manage security initiatives as investments with a measurable return and seeks to transform security from a net cost to a net benefit.

Total Security Management - Formulation

The concept of Total Security Management was first introduced in the book Securing Global Transportation Networks: A Total Security Management Approach, published by McGraw Hill in 2006.

According to Dr

The TSM approach built upon scholarly research on the issue that stressed the importance of security as a key component of the supply chain.

Total Security Management - Relation to Total Quality Management

The TSM name borrows from the management concept Total Quality Management (TQM), an approach made famous by the work of W. Edwards Deming.

I suspect that there are many professionals in the transportation industry today who may not endorse security management as a core business function that can create value.

Total Security Management - Companies employing TSM

A company using the TSM methodology is meant to be able to establish a framework of focus points, metrics and feedback loops in order to elevate risk management from a non-core objective to an essential business function.

Securing Global Transportation Networks details case studies of many large companies that benefited from the implementation of aspects of the TSM approach, including FedEx, Home Depot, Hutchison Port Holdings, Maersk, Procter & Gamble, and Target, amongst others. (McGraw Hill, Book Release, October 2006, accessed 5/5/10.)

Total Security Management - Criticism

"There are some useful ideas in the book, but the overall program may be too ambitious for many corporations to realistically consider," writes Ross Johnson in a 2007 Security Management review. (Ross Johnson, Security Management: Book Review, October 2007, accessed 5/5/10.)

Total Security Management - Other developments

In January 2010, the ISO standard ISO/PAS (Specification for security management systems for the supply chain) was updated to include an explicit reference to the Plan-Do-Check-Act model of quality management popularized by Deming. (Continuity Compliance, "ISO – What's The Buzz About?", October 2009, accessed 5/5/10.)
