3.4 IT Security Management – Frameworks, Standards & RegulationsInformation is a crucial asset to companies and government agencies, and must therefore beprotected appropriately. Most information today is generated, stored, transported, or processed at least in part using information technology (IT). In the industry and administrations, no one denies thenecessity to adequately protect its IT landscape. In addition, though, information from all other phasesof business processes must be adequately protected. IT security incidents such as the disclosure ormanipulation of information can have wide-ranging, adverse effects to a business or can prevent theorganisation from performing its tasks, resulting in high costs. No one in industry, commerce and administration would any longer dispute the need for adequateprotection of their IT environment. IT security incidents can have far-reaching repercussions thatharm business or interfere with the performance of tasks and thus result in high costs being incurred.
3.4.1 Introduction to Information Security Practical experience has shown that optimising information security management frequently improvesinformation security more effectively and lastingly than investing in security technology. However,measures originally implemented to improve information security can also have a positive effectoutside a security context and can turn out to be profitable.
Investments in information security can inmany cases even contribute to cost savings in the medium term. Positive side-effects that can beexpected from this are higher quality of work, increased customer confidence, optimisation of the ITlandscape and organisational processes as well as the utilisation of synergy effects through betterintegration of information security management in existing structures.An appropriate level of information security depends primarily on systematic procedures and onlysecondarily on the individual technical measures. The following considerations illustrate thishypothesis:· The management level is responsible for ensuring statutory regulations and contracts with third parties are complied with and that important business processes are not disrupted.
· Information security has interfaces with many areas of an institution and affects highly important business processes and tasks. Only the administration/management level can therefore, ensure that information security management is integrated smoothly in existing organisational structures and processes.· Furthermore, the administration/management level is responsible for the efficient deployment of resources. The administration/management level therefore has a high degree of responsibility for informationsecurity. A lack of supervision, an unsuitable information security strategy or wrong decisions canhave far-reaching negative effects because of security incidents as well as missed opportunities andbad investments. 3.4.1.
1 What is information security? The purpose of information security is to protect information of all kinds and from all sources. Thisinformation might be printed on paper, kept on computer systems or stored in the minds of the users.IT security primarily deals with protecting information stored electronically and with its processing.
The classic core principles of information security, namely confidentiality, integrity and availability,form the basis for its protection. Many users also include additional basic values in themexaminations. They can also be very helpful, depending on the corresponding application case.Additional generic terms used in information security include, for example, authenticity, validity,reliability, and non-deniability. As the following examples illustrate, information security is not only threatened by wilful acts such ascomputer viruses, interception of communications or computer theft: · Force majeure (e.g. fires, flooding, storms and earthquakes) can directly affect data media, IT systems or block access to the computer centre.
Documents, IT systems or services are therefore no longer available as required. · After an unsuccessful software update, applications cease to function, or data has been modified without being noticed. · An important business process is delayed because the only staff members familiar with the software application are ill. · Confidential information is inadvertently passed on to unauthorised persons by a staff member because documents or files have not been marked “confidential”. 3.4.1.
2 A choice of words: IT security versus information security The terms “information technology”, “information and communications technology” and “informationand telecommunications technology” are frequently used synonymously. Due to the length of theseterms, various abbreviations have become established and people therefore generally simply refer toIT. Since the electronic processing of information is a part of almost all areas of our lives,distinguishing between whether information is processed using information technology,communications technology or on paper is no longer up-to-date. The term “information security”instead of IT security is therefore more comprehensive and more appropriate. Since, however, theterm “IT security” is still predominantly used in the literature (among other reasons, because it isshorter), it will continue to be used in this publication as well as other publications of ITGrundschutz,although the documents will place more and more emphasis over time on examininginformation security. Effective and efficient management of information security is not only an important issue for large institutions but also for small and medium-sized public agencies and companies as well as for the self-employed. The structure of an appropriate information security management system depends, ofcourse, on the size of the institution.
This standard and the very specific recommendations of IT-Grundschutz are there to help any person responsible who wishes to improve information security within their sphere of influence. Throughout the following, we shall continuously provide information on how the recommendations of this standard can be adapted to suit the specific needs at hand whilst considering the size of the institution. 3.4.2 Overview of information security standardsIn the area of information security, various standards have been developed in which emphasis isplaced in part on other target groups or subject areas. The use of security standards in companies orgovernment agencies not only improve the level of security, their use also makes it easier fororganisations to agree on which security safeguards must be implemented in what form.
Thefollowing overview points out the basic ideas behind the most important standards.3.4.2.1 ISO standards for information security In the international standards organisations ISO and IEC, it was decided to consolidate the standardsfor information security in the 2700x series since the number of standards is constantly increasing.
The most important standards in this case are: Figure1: ISO 27.0x Standards 1 · ISO 13335 – The ISO 13335 standard “Management of Information and Communications Technology Security” (formerly “Guidelines on the Management of IT Security”) is a general guide for initiating and implementing the IT security management process. It provides instructions but no solutions for managing IT security. The standard is a fundamental work in this area and is the starting point or reference point for a whole series of documents on IT security management. · ISO 17799 – The aim of ISO 17799 “Information Technology – Code of Practice for Information Security Management” is to define a framework for IT security management. ISO 17799 is therefore primarily concerned with the steps necessary for developing a fully-functioning IT security management and for integrating this securely in the organisation. The necessary IT security measures are touched on briefly on the one hundred or so pages of the ISO/IEC 17799 standard.
The recommendations relate to the management level and contain almost no specific technical information. Their implementation is one of the many options available for fulfilling the requirements of the ISO 27001 standard. · ISO 27001 – The ISO 27001 “Information Technology – Security Techniques – Information Security Management Systems Requirements Specification” is the first international standard for management of information security that also allows certification. ISO 27001 provides general recommendations on around ten pages for, among other things, the introduction, operation, and improvement of a documented information security management system that also takes the risks into account. The controls from ISO/IEC 27002 are referred to in a normative annex. · ISO 27002 – The goal of ISO 27002 (previously ISO 17799:2005), “Information technology – Code of practice for information security management”, is to define a framework for information security management. ISO 27002 is therefore mainly concerned with the steps necessary to establish a functioning security management system and anchor it in the organisation. The necessary security safeguards are only described briefly in the approximately 100 pages of the ISO standard ISO/IEC 27002.
The recommendations are primarily intended for the management level and do not contain much specific technical information for this reason. The implementation of the security recommendations in ISO 27002 is one of many ways to fulfil the requirements of ISO Standard 27001. · ISO 27005 – This ISO Standard “Information security risk management” contains general recommendations for risk management for information security. Among other items, it supports the implementation of the requirements from ISO/IEC 27001. In this case, though, no specific method for risk management is prescribed. ISO/IEC 27005 replaces the previous standard ISO 13335-2. This standard, ISO 13335 “Management of information and communications technology security, Part 2: Techniques for information security risk management”, provided guidelines for the management of information security.
· ISO 27006 – ISO Standard 27006 “Information technology – Security techniques – Requirements for the accreditation of bodies providing certification of information security management systems” specifies requirements for the accrediting of certification bodies for ISMS and handles specific details of the ISMS certification process. · Other standards in the ISO 2700 x Series – The ISO 2700x series of standards will probably be made up of ISO standards 27000–27019 and 27030–27044 in the long term. all standards in this series handle different aspects of security management and are based on the requirements in ISO 27001. The other standards should contribute to improved understanding and the practical application of ISO 27001.
They handle, for example, the practical implementation of ISO 27001, i.e. with the measurability of risks or with methods for risk management. 3.4.2.
2 IT-Grundschutz Catalogues The BSI’s best-known publication on information security is the IT-Grundschutz Manual not only describes management of information security in great detail but also describes information security safeguards from the areas of technology, organisation, personnel and infrastructure in detail. The IT-Grundschutz Catalogues have a modular structure and contain modules for typical processes, applications and IT components. In addition to recommending information security measures for eachsubject, they also describe the most important threats from which an institution should protect itselfagainst. The user can therefore focus on the modules that are of relevance to their area. The modulesof the IT-Grundschutz Catalogue are updated and extended regularly and also take into account thelatest technical developments. BSI series of standards for information security: the issue of IS Management · 100-1: Information security management systems (ISMS)The present standard defines the general requirements of an ISMS. It is fully compatiblewith the ISO 27001 standard and also takes the recommendations of the ISO 27001 and27002 standards into consideration. It provides readers with an easy to understand andsystematic instruction manual irrespective of which method they want to use to implement the requirements.
The BSI renders the content of these ISO standards in its own BSI standard so that it candescribe some issues in greater detail and thus portray the content with a more didacticalapproach. Furthermore, the structure has been designed to be compatible with the ITGrundschutzprocedure. The standardised headers used in the documents mentioned abovemake it very easy for readers to get their bearings.
· 100-2 : IT-Grundschutz MethodologyThe IT-Grundschutz Methodology explains in a step-by-step fashion how a managementsystem for information security can be developed and operated in practice. The functions ofthe information security management system and the organisational structure for information security are very important issues here. The IT-Grundschutz Methodology goes into great detail on how an policy for information security can be developed in practice, how appropriate information security safeguards can be selected and what should be watched out for when implementing the policy of information security. It also in detail answers the question of how to maintain and improve information security during routine operation.
IT-Grundschutz in conjunction with BSI Standard 100-2 therefore interprets the very generalrequirements of the previously mentioned ISO 27000, 27001, and 27002 standards andprovides users with practical help in the form of numerous tips, background knowledge,information and examples. The IT-Grundschutz Catalogues not only explain what should bedone but also provide very specific information on how this can be implemented (also on atechnical level). Proceeding in accordance with IT Grundschutz is therefore a proven andefficient manner of fulfilling all the requirements of the above-mentioned ISO standards. · 100-3: Risk analysis on the basis of IT-GrundschutzThe BSI has worked out a methodology for risk analysis on the basis of IT-Grundschutz.This approach can be used when companies or public agencies are already workingsuccessfully with IT-Grundschutz and would like to add an additional security analysis tothe IT-Grundschutz analysis as seamlessly as possible. · 100-4: Emergency managementBSI Standard 100-4 explains a method for establishing and maintaining an agency-wide orcompany-wide emergency management system. The method described here is based on theIT-Grundschutz Methodology described in BSI Standard 100-2 and complements them well.
3.4.3 Open Questions Question 1: Why Information Security Management Systems is becomingintegral part of Information Technology? Answer: Since, with the increase of cyber-attacks, cyber warfare, corporate espionage & Hacktivism this has raised a strong concern over implementation of IT governance.
Here are five benefits of implementing ISMS in an organisation: a. It helps you coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively. b. It provides you with a systematic approach to managing risks and enables you to make informed decisions on security investments. c. It gives you credibility with staff, clients and partner organisations, and demonstrates due diligence. d.
It encompasses people, processes and IT systems, in recognition that information security which thereby creates better work practices that support business goals. e. It can be formally assessed and certified against ISO 27001, bringing additional benefits such as demonstrable credentials, customer assurance and competitive advantage.
Question 2: Briefly explain, how other frameworks i.e. COBIT& ITIL differs from ISO 27.0x? Answer: AREA COBIT ITIL ISO27001 Function Mapping IT Processes Mapping IT service level management Information Security Framework Process Architecture 4 Processes & 34 Domains 9 Processes 10 Domain Issuer ISACA OGC ISO Implementation Information System Audit Manage Service Level Compliance to security Board Consultants Accounting Firm, IT consulting firm IT Consulting firm IT consultant firm, Security Firm, Network consultants.
