Information Security Management – it seems more complicated than it is

By Jacques A. Cazemier

Introduction

There is a difference between the management effort to keep information security up to standard and information security management. The first is aimed at keeping information processing adequately secured; the latter uses ISO 27001 and is aimed at auditors. In this article the practice of managing information security is explained, both for the business side of the organization and for IT. It is shown that, by using existing processes and information, there is no need to extend the organization for the information security management system. To make it easier to relate to practices and processes in IT, ITIL is used to provide context. This article is based on my book, Information Security Management with ITIL V3 (ISBN 978-90-8753-552-0), and on experiences since then.

Throughout my practice I have followed the line 'not more security than necessary', for two very simple reasons: it is less expensive and it is easier for the organization. More security than needed is counterproductive: people in organizations invent shortcuts and cheat to circumvent the rules, which creates a practice of trying to be smarter than the security people. The thinking implied in asking how much security is actually needed makes it possible to focus on the real risks. The worst that can happen to any organization is implementing security for the benefit of security.

The problem

For information security management, ISO 27001 describes the management system: the Information Security Management System or ISMS. The first question organizations ask themselves is invariably: are we using ISO 27001 and are we getting a certificate for that? However, the first question should be: we are going to manage our efforts to maintain secure information processing, but do we need an ISMS?
The management system described in the international standard resembles the management systems defined for quality (in ISO 9000) and environmental control (in ISO 14000). Evidently, with one of those management systems in place, it is easier to implement the next. The use of those standards seems to be a goal in itself. It pushes organizations into implementing a management system even when that is not needed.

The management systems tend to regard the organization as a whole. That is encouraged by certification, because certain management system functions are provided by parts of the organization that are not subject to the certification. Those parts will have to be brought into the certification, or their functions will have to be duplicated. Furthermore, new developments like outsourcing or services in the cloud will have a profound influence on information security management. When major parts of information processing are outside the organization, it becomes more difficult to close the management system.

The solution

The importance of managing information security lies in maintaining the protection of information and information processing while organizations, processes, technology and people are changing.
In the ITIL book on Information Security (Version 2), security management is described as a series of actions and activities instead of a complete process. The reason for that was twofold: to make it as easy as possible (no organization likes to implement a new process or dedicate a part of the organization to this) and to prevent double bookkeeping. In every ISMS there are three major parts visible:

• Evaluation, to determine whether information security is up to speed;
• Correction, where improvements in both directions should be possible: make security heavier when it looks too light, and make it lighter when security limits processes;
• Registration, to have a history, to learn from the past and to perform trend analysis to predict the future. Furthermore, it shows management what the results of information security are.

These three activities form the most important parts of the Plan, Do, Check, Act cycle that is favored in ISO management systems. When one of the parts is missing, management of information security is no longer possible.

In the standards, and especially in the best practices, the management system is described with more steps than the three above. That is understandable, because those documents are used in very different types of organizations. During the development of ISO, ITIL, COBIT and even SABSA, theoretical completeness is achieved. In reality, the world is a bit different. Unfortunately, all those steps are often regarded as mandatory. That leads to inflexible situations, ultimately preventing organizations from adapting to changing circumstances, while that flexibility was what management of information security was all about.

By using existing processes there is no need for a separate information security organization. Every security incident can be reported through the Service Desk and handled through Incident Management.
In the Code of Practice for Information Security (ISO 27002), incident handling has a separate chapter, for which the ITIL process can be used. If there is a need for modification of security functionality, that can be managed through Change Management and kept accounted for by Configuration Management. The implementation of Continuous Service Improvement (ITIL CSI) requires evaluation, registration of defects and improvement of the processes. Therefore, the use of existing ITIL practices and processes for information security management is supported.

It is often overlooked that management has the power to decide what controls to implement and what management activities to employ. Even the ISO standard recognizes this; it is visible in the Statement of Applicability of controls, which has to be endorsed by management. In spite of the details given in the ISO standards, it is the management decision on the implementation details of the information security management system that should be used as the reference. By using existing processes and focusing on the three major activities, it is easier to implement information security management than it seems from the ISO standard.
Jacques A. Cazemier is Principal Consultant on the subjects of Information Security Management and Business Continuity Management at Verdonck, Klooster and Associates BV in The Netherlands. VKA is one of the leading consultancy firms on organization and IT in The Netherlands. Jacques is one of the authors of the ITIL Information Security Management book (V1 and V2) and of the book on Information Security Management and ITIL V3. [email protected]