What is an Information Security Management System?
- 27th Feb, 2019
- 15:24 PM
An Information Security Management System (ISMS) is the set of policies, processes and controls through which an organization governs the confidentiality, integrity and availability of its information assets. Many organizations align their systems with, and are certified against, the ISMS standard (ISO/IEC 27001). Most of these frameworks rely on technology to secure the information systems, but every measure in an ISMS serves the same purpose: improving cyber security and protecting the organization's data from unauthorized access and malicious attack. Attackers are often especially interested in information about products and services that have not yet been released to the public through the proper channels, so such information must remain strictly confidential until it is ready for release. Threats to information security can cause damage ranging from very small losses to extremely large ones, and organizations today struggle to identify the real threats to their systems and to find measures that counter them. Understanding these threats is easier when they are organized into threat classification models. This document aims to classify information into levels that restrict access to a defined group of individuals, to identify the threats that could lead to an attack on the information in the system and examine their effects, and to develop an information security plan prior to the release of the new product. These aims were pursued through a review of the existing literature on Information Security Management Systems.
In essence, it was found that every organization needs to adopt an information security management system that adequately protects the integrity of the data in its systems, together with measures that ensure employees abide by their code of conduct and help keep the organization's information secure.
A manager responsible for an organization's confidential information should take into account the degree of control required over the information, the nature of the business and the security risks in its environment. This allows the manager to put reliable, high-quality management in place for the resources entrusted to him. He must ensure a quick and effective response to IT security incidents and manage them professionally. He must conduct technical vulnerability assessments of the IT processes, identify their weaknesses, recommend controls for any risks found and ensure those controls are implemented. The manager should also build and maintain an effective working relationship with the security team. To keep his team under control he should provide high-quality security guidance documentation and training and, most importantly, lead by example. (Laslo Tot, 2015)
An information management system comprises the people, procedures and technologies used to direct and manage the activities of an organization. Each organization should build its own system to suit its objectives and goals. Consequently, the people entrusted with maintaining this information are also tested on their ability to keep it within the organization until the right time for it to be released to the public domain. Depending on the culture and values of the organization, the system will reflect different disciplines.
Threats to information security have causes ranging from the behaviour and conduct of employees to attacks by hackers.
Even though each organization builds its own system, management systems share many common elements and are built around an improvement cycle. One widely used cycle is the "Plan-Do-Check-Act" (PDCA) cycle that Deming taught in Japan (Deming, 1950). It guides the organization in planning what needs to be implemented and how best to go about it, putting the required controls in place, monitoring progress, and improving the system by taking preventive and corrective action and identifying areas for improvement. Studies of management systems have identified several common components: strategy, planning, execution and operation, performance evaluation, improvement, and management review. (Amarachi A.A, 2013)
The idea here is to ensure that information is safe and always in the right hands. This is achieved by implementing an information classification scheme that labels the organization's information as confidential, restricted, private or public. In this case, the information is still at the private stage, so the organization must be very strict about who handles the information and how they handle it. Classification is based on an assessment of value: the higher the value of the information (that is, the greater the consequences of someone gaining access to its content), the higher the classification and the stronger the security measures. Information classified as confidential receives the strongest security measures, followed by restricted, then private and finally public. (Yildirim, 2007)
This document presents a near-comprehensive review of management systems for information security, drawing on material provided by various researchers in the field of ISMS. It also reports on vulnerabilities and the countermeasures that should be put in place, and develops an information security plan prior to the release of the new product to the market.
Classification of information
Information is classified according to the level of risk associated with accessing it: information whose exposure poses a high risk is grouped separately from information whose exposure poses little risk. The classes are as follows:
- Private: Private information is further divided according to its degree of sensitivity. The sub-classes are:
- Confidential: information that carries the highest risk when accessed by unauthorized users.
- Restricted: information with a medium confidentiality level.
- Internal use: information with a low confidentiality level, whose exposure carries the lowest risk to the security of the organization.
- Public: information that anyone can see without posing a risk to the organization. It is freely available and mostly advertises the goods and services the organization offers, its contact details and its location. (Daniel Jardim Pardini, 2017)
For this organization, the product development information is very valuable now and will remain so in the future, so it must be protected well. It is classified as confidential and must be kept secret from competitors, and from the public on social media, until the product is ready to be released.
A major threat to the confidentiality of the product development information was the conduct of the previous manager of Awesome Media Communication Limited, Paul Smith. Further threats may come from the activities of hackers. All of these threats affect the product, because information gathered by competitors or spread through social media can be used to the organization's disadvantage. (Mouna Jouini, 2014)
The proposed model:
Most information classification schemes in organizations are limited to two classes, private and public, which basically restricts which individuals may access the information. This is easy to implement in small organizations, where security threats are relatively stable and manageable. For larger organizations, however, it is a real challenge that can affect their reputation. It is therefore necessary to identify the possible sources of information leakage from within and to put the necessary controls in place to curb it.
Classifying the information in the system helps the organization to identify likely sources of threats, since every group of data has a specific group of people responsible for accessing, handling and storing it. It also helps the manager to put a less vulnerable system in place.
Since data access is the central issue here, our proposed information classification model is called the Thorough-verify model. Its main idea is to enforce regulated access to the organization's information and assets. The model dictates not only who may access an asset, but also where they may access it from and the medium through which they access it.
The model seeks to implement this using the following steps:
1) Determine the elements of the business information. These include customer details, employee details, business plans, banking records and marketing plans. Identifying them helps the organization in the following ways.
• Customer information - allows the organization to monitor customer behaviour, preferences and trends, so that it keeps meeting their demands and does not lose them to competitors.
• Employee details - allow the organization to monitor the conduct of its employees: where an employee is, what the employee is doing and whether the organization's information is safe in that context. Security measures are also easier to enforce, since employees must present their credentials to log in to the company's asset areas, which helps to minimize unauthorized access to the organization's assets.
• Business plan - lets the organization perform its activities in a structured way, assess its performance, strategize to achieve more and curb unfair competition from rivals.
• Banking records - must be stored safely, with minimal and thoroughly verified access, so that the records remain secure.
• Marketing plans - help the organization to strategize properly, building on its strengths and exploiting the weaknesses of competitors. (Afshin Rezakhani, 2011)
To perform at its best, the business needs a properly channelled flow of information through the system. Essential assets must always remain protected, and a properly defined procedure must be used to access them at all times; this defines the security requirements of each asset. For the business to operate, it clearly needs capital, proper management of its resources and a disciplined staff.
2) Assess the threats and risks of each element - The organization is at very high risk when confidential information is accessed by unauthorized individuals or parties, chiefly competitors and customers. Competitors can use the information to establish unfair competition, while customers may develop a negative attitude and avoid the organization's goods and services, especially if the leaked information is negative or exploits their ignorance.
For internal information that is less sensitive, the organization does not suffer a great loss when it is accessed in an uncontrolled way. The safest information to circulate is public information, which poses no threat to the organization when the public accesses it. Hackers also attempt to access the data of specific organizations maliciously; some do it for fun, while others have specific goals. This is addressed by building a proper cyber security programme with firewalls, access controls and other security measures in place.
3) Assess the value of the information to the organization and to other parties - Here the organization assesses the value of the information released to different parties inside and outside the organization. Essential and confidential information must under no circumstances be allowed to reach the public domain. On the other hand, public information that gives the organization an advantage in the market, such as advertisements, should be allowed to circulate freely.
In most cases the organization should be careful to describe what goods and services it offers, but not how it produces them, since competitors may copy the method of operation and use it to the organization's disadvantage. Losing confidential information to the public can be very costly. For this organization, information about the development progress and process of the mobile application is still highly confidential, and the organization should invest seriously in keeping it secret. If competitors learn of it prematurely, they may rush to implement the idea and steal the intellectual property involved in the whole process. Likewise, if social media learns of it prematurely, the product will no longer be a surprise to the target customers, and because social media lacks accurate information, the product may be misrepresented, giving a negative picture of a good idea that is yet to be implemented. (Joobin Choobinech, 2007)
4) Determine the classification system appropriate for the organization - Information about the new process under way is still vital, and is therefore classified as confidential. All security measures should be in place to ensure that not even a hint of information about the product leaks to the public. Other information that should be kept private and confidential includes customer details, employee details and the operating methods used to achieve the desired outcome; this keeps all entities within the organization undisturbed and content. On the other hand, information such as advertisements and marketing for finished products should be made public so that all interested parties who may want to consume the goods and services are kept informed.
5) Assign a security classification to each piece of information based on:
• Threat level and risk - information is classified according to the risk involved in losing it: giving the company a bad name, the information being used against the company or used to its disadvantage. Measures should be established to minimize the threat and risk when data leaks, by ensuring that data and other assets are always in the right hands and handled properly. Very sensitive material should not be handled carelessly by anyone, however authorized, in areas where there is a high probability of exposure.
• Value of the information - the cost incurred when the data is lost, that is, the damage the loss causes in terms of resources. The more valuable the information, the stronger the security measures assigned to it should be, so that information the organization has invested heavily in is not lost easily and fewer resources are spent trying to recover it. As the saying goes, prevention is better than cure.
• Criticality of the information - how recoverable the data is once it is lost, which raises the question of the integrity of the data afterwards. Measures should be put in place to preserve the integrity of the data and to ensure it can be recovered in a good state, for example by deploying firewalls and data backup and recovery systems. (Mouna Jouini, 2014)
• Review and re-classify the information on a regular basis - this ensures proper maintenance of the data in the system. A policy should require the system to be rechecked and the information reclassified periodically, because the status of information changes over time: an element classified as confidential today may become public tomorrow. During such revisions the information security team must take care that data is not leaked in the process.
• Classification according to the potential harm to national security from unauthorized disclosure - Under this scheme information is classified by its effect on national security. Information likely to compromise the security of the country, or to expose its security details, is classified as top secret; for this organization, any information likely to compromise its stability falls into this category. Below top secret is secret, which is less dangerous than top secret. Next is confidential, which must be kept safe and secret but is not as sensitive as the preceding levels. Last is unclassified information, which is informal and poses no threat to national security. (Joobin Choobinech, 2007)
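The who / where / which-channel rule of the Thorough-verify model, the ordered classes from the classification section, and the periodic re-classification check from step 5, written out as an added Python example. This is not code from the original document or from any product: the four level names follow the document's classes, while the group names, network labels, device states, the 90-day review interval and every sample asset and user below are assumptions made for illustration.

```python
"""Classification-based access decisions for the Thorough-verify model.

Added example, not code from the document or from any product. The four
levels follow the document's classes (public < internal use < restricted <
confidential). Group names, network labels, device states, the 90-day
review interval and all sample assets and users are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import IntEnum


class Level(IntEnum):
    """Ordered: a higher value means a stronger protection requirement."""
    PUBLIC = 0
    INTERNAL = 1
    RESTRICTED = 2
    CONFIDENTIAL = 3


@dataclass(frozen=True)
class Asset:
    name: str
    level: Level
    owner_group: str          # the group responsible for this class of data
    last_reviewed: date       # when the label was last confirmed
    review_interval_days: int = 90


@dataclass(frozen=True)
class Request:
    subject: str
    clearance: Level          # highest level the subject is cleared to read (WHO)
    groups: frozenset         # groups the subject belongs to (WHO)
    network: str              # "corporate", "vpn" or "public" (WHERE)
    device: str               # "managed" or "personal" (WHICH channel)


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


TRUSTED_NETWORKS = {"corporate", "vpn"}   # assumed: only networks allowed for confidential data


def review_overdue(asset: Asset, today: date) -> bool:
    """Step 'review and re-classify regularly': is the label older than its interval?"""
    return today > asset.last_reviewed + timedelta(days=asset.review_interval_days)


def decide(asset: Asset, req: Request, today: date) -> Decision:
    """Deny by default. Every failed check is recorded so the audit trail
    explains the outcome instead of a bare 'denied'."""
    if asset.level == Level.PUBLIC:
        return Decision(True, ["public asset, no access gate"])
    reasons = []
    # WHO: the subject's clearance must be at least the asset's level ...
    if req.clearance < asset.level:
        reasons.append(f"clearance {req.clearance.name} below {asset.level.name}")
    # ... and for restricted/confidential data the subject must be in the owning group.
    if asset.level >= Level.RESTRICTED and asset.owner_group not in req.groups:
        reasons.append(f"not a member of owner group {asset.owner_group!r}")
    # WHERE: confidential data may only be reached from a trusted network.
    if asset.level == Level.CONFIDENTIAL and req.network not in TRUSTED_NETWORKS:
        reasons.append(f"network {req.network!r} not trusted for confidential data")
    # WHICH channel: restricted and above require a managed device.
    if asset.level >= Level.RESTRICTED and req.device != "managed":
        reasons.append("unmanaged device")
    # Stale label: never downgrade automatically; fail closed until the owner re-reviews.
    if review_overdue(asset, today):
        reasons.append("classification review overdue")
    return Decision(not reasons, reasons or ["all checks passed"])


# Constructed sample data (not from the page).
TODAY = date(2019, 2, 27)
ROADMAP = Asset("mobile-app-roadmap", Level.CONFIDENTIAL, "product-dev", date(2019, 2, 1))
DIRECTORY = Asset("staff-directory", Level.INTERNAL, "hr", date(2019, 1, 15))
BROCHURE = Asset("product-brochure", Level.PUBLIC, "marketing", date(2018, 6, 1))

ENGINEER_AT_OFFICE = Request("engineer", Level.CONFIDENTIAL, frozenset({"product-dev"}), "corporate", "managed")
ENGINEER_AT_CAFE = Request("engineer", Level.CONFIDENTIAL, frozenset({"product-dev"}), "public", "personal")
FORMER_STAFF = Request("former-manager", Level.PUBLIC, frozenset(), "public", "personal")

if __name__ == "__main__":
    cases = [(ROADMAP, ENGINEER_AT_OFFICE), (ROADMAP, ENGINEER_AT_CAFE),
             (ROADMAP, FORMER_STAFF), (DIRECTORY, ENGINEER_AT_CAFE), (BROCHURE, FORMER_STAFF)]
    for asset, req in cases:
        d = decide(asset, req, TODAY)
        verdict = "ALLOW" if d.allowed else "DENY "
        print(f"{verdict} {req.subject:<15} -> {asset.name:<20} {'; '.join(d.reasons)}")
```

Two design choices matter here. The decision is deny-by-default and collects every failed check rather than stopping at the first, so the same engineer is allowed to read the confidential roadmap from a managed device on the corporate network but is refused from a personal device on public Wi-Fi, with both reasons logged. A label whose review date has lapsed is never silently downgraded; the asset keeps its current protection and access fails closed until the owning group re-classifies it.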
It can be seen that the proposed model enforces step-by-step verification and authentication of system users before they are allowed to access the organization's information. The model addresses the risks and threats involved in using and accessing the data by ensuring that every loophole that could lead to data loss is blocked. This leads to the overall conclusion that the model is acceptable and well suited to Awesome Media Comm. Ltd, based in Perth, Western Australia.
References
Afshin Rezakhani, A. H. (2011). Standardization of all Information Security Management Systems. International Journal of Computer Applications, Vol. 18, No. 8, 4-8.
Amarachi A.A, O. S. (2013). Information Security Management System: Emerging Issues and Prospect. IOSR Journal of Computer Engineering (IOSR-JCE), Volume 12, Issue 3, 96-102.
Daniel Jardim Pardini, A. M. (2017). Cyber Security Governance and Management for Smart Grids in Brazilian Energy Utilities. Journal of Information Systems and Technology Management (JISTEM USP), Vol. 14, No. 3, 385-400.
Joobin Choobinech, G. D. (2007). Management of Information Security: Challenges and Research Directions. Communications of the Association for Information Systems, Vol. 20, Article 57, 958-971.
Laslo Tot, G. G. (2015). Introducing the Information Security Management System in Cloud Computing Environment. Acta Polytechnica Hungarica, Vol. 2, No. 3, 147-166.
Mouna Jouini, L. B. (2014). Classification of security threats in information systems. 5th International Conference on Ambient Systems, Networks and Technologies (ANT-2014) (pp. 489-496). Tunis: Elsevier.
Yildirim, E. Y. (2007). The Importance of Risk Management in Information Security. International Journal of Advances in Electronics and Computer Science, Vol. 4, Issue 1, 18-21.