
CODE: ISM_P1
INFORMATION SECURITY MANAGEMENT PROCEDURE
Page: 1 / 8

MODIFICATION HISTORY

DATE | VER | DESCRIPTION OF CHANGES
MM/DD/YY | 1.0 | Baseline

EDITED BY | APPROVED BY
Name | Name
Title | Title
Date | Date

PURPOSE & SCOPE

➢ The purpose of information security management is to align IT security with business security and ensure that the confidentiality, integrity, and availability of the organization's assets, information, data, and services always matches the agreed-upon needs of the business.
GUIDANCE & TIPS: Information security management ensures that the security aspects related to services are appropriately managed and controlled in line with the business needs.
➢ The scope of information security management includes end-to-end business processes, business requirements (current and future), information security requirements, legal and regulatory requirements, and business and IT operational risks.
GUIDANCE & TIPS: The scope of information security management usually includes the entire organization and will depend on a business impact analysis and risk assessment.

BUSINESS VALUE

➢ Fulfill legal and regulatory requirements
➢ Protect organizational assets
➢ Information security awareness
➢ Minimize losses from security incidents

REFERENCE DOCUMENTS

➢ ITIL® Service Design Guidance Publication (ITIL® is a registered trade mark of AXELOS Limited)

DEFINITIONS & ABBREVIATIONS

ITEM | DESCRIPTION
Availability | Information is accessible and usable upon demand by those who are authorized
CBP | Critical Business Processes
CMDB | Configuration Management Database
CMS | Configuration Management System
Confidentiality | Information is available only to those who are authorized
CSIR | Continual Service Improvement Register or CSI register: records all identified service improvement opportunities. Each opportunity should be categorized and prioritized. Improvements can be categorized by improvement effort (size) as small, medium, or large, or by how quickly they can be achieved (short term, medium term, or long term).
Information | The term information includes data stores, databases, and meta data and takes into account all channels used to communicate information
ISMS | Information Security Management System
Integrity | Information is accurate and complete
ITSM | Information Technology Service Management
Likelihood | Possibility of a threat exploiting a vulnerability
MR | Management Review
Confidential
Copyright © 2013 by IT Quality Management Solutions (PVT) LTD. All rights reserved. No part of this publication may be reproduced, stored in any
retrieval system, or transmitted in any form or by any means, electronic or otherwise, without written permission.

DEFINITIONS & ABBREVIATIONS (continued)

ITEM | DESCRIPTION
Security Incident | A security breach resulting in a security violation of the information systems of the organization
SMIS | Security Management Information System
SLA | Service Level Agreement
Threat | An event that causes damage or disruption to information systems or services
Vulnerability | Weaknesses in security that could be exploited by threats

TRIGGERS

➢ New or changed organization policies
➢ New or changed business needs
➢ Service or component security breaches
➢ New or changed corporate risk management guidelines
➢ New or changed regulations
➢ External or internal information security audit findings

PROCESS INPUTS & OUTPUTS

PROCESS INPUTS:
➢ Business Strategy
➢ Business Requirements
➢ IT Strategy
➢ Legal and Regulatory Requirements
➢ Asset Registry

PROCESS OUTPUTS:
➢ Information Security Policy
➢ Information Security Sub-Policies
➢ SMIS
➢ Risk Assessment Methodology
➢ Risk Assessment Report
➢ Security Controls List
➢ Risk Treatment Plan
➢ Risk Controls Deployed
➢ Training and Awareness Plan
➢ Training Records
➢ CSIR
➢ Audit Report
➢ Security Incident Log/Database
➢ Incident Report
➢ Information Security Audits and Audit Reports

ROLES & RESPONSIBILITIES

ROLE: Information Security Manager
RESPONSIBILITIES:
- Define and enforce information security policy, sub-policies, and procedures.
- Conduct risk assessment.
- Prepare and implement risk treatment (mitigation) plan.
- Ensure that information security is integrated with business security.
- Assist with the business impact analysis.
- Monitor and manage all security breaches.
- Participate in security reviews arising from security breaches and initiate remedial actions.
- Monitor and manage security incidents.
- Attend change advisory board meetings.
- Implement information security awareness and training programs.
- Ensure that the confidentiality, integrity, and availability of services are maintained at the levels agreed upon in the SLA.

KEY PERFORMANCE INDICATORS (KPIS)


OBJECTIVE | KPI
Effectiveness | Percentage increase/decrease in security incidents/breaches
Compliance | Percentage increase/decrease in the number of non-conformances of the information security policies (audit related)
Effectiveness | Percentage increase in SLA conformance (related to information security)
Effectiveness | Number of improvements (security related) planned and implemented
Effectiveness | Increase in awareness of information security within the organization (survey)

CRITICAL SUCCESS FACTORS

➢ Information security manager/Process owner
➢ Management and business commitment to information security management
➢ Effective information security awareness and training within the organization

RISKS

➢ Lack of commitment from senior management
➢ Lack of commitment from business owners
➢ Lack of information security awareness in the organization
➢ Lack of funding and resources allocated to information security management
➢ Focus on technical aspects rather than business needs

INTERFACES

➢ Service Level Management (SLM): Assists in determining business and information security requirements.
➢ Access management: Ensures that authorized users are granted access to services and that unauthorized users are prevented from accessing services.
➢ Change management: Information security management assists with the change impact assessment.
➢ Incident and problem management: Information security management assists in the resolution of security-related incidents.
➢ IT Service Continuity Management (ITSCM): Collaborates on the Business Impact Analysis (BIA) and risk assessment.

PROCEDURE FLOWCHART

[Flowchart figure; not reproduced in this text version]

PROCEDURE DESCRIPTION

Define Information Security Policy

1. Information security manager should define the information security policy by taking into consideration the following:
   a.) Business objectives and requirements
   b.) Legal and regulatory requirements
   c.) Corporate governance requirements
   d.) IT strategy and plans
   e.) Audit and risk requirements
   f.) Information security best practices
2. Information security manager should define the information security policies, and for each policy statement, the following should be addressed:
   a.) Objective
   b.) Policy statement
   c.) Reason
   d.) Related processes
   e.) Benefits
   f.) Owner
   g.) Policy effective date
3. The information security policy should establish a sense of direction and principles for actions with regard to information security.
4. The information security policy should describe management's attitude toward information security.
5. The information security policy should describe the organization's Information Security Management System (ISMS).
GUIDANCE & TIPS: In order to manage security effectively and efficiently, an ISMS must be established, managed, and controlled.
GUIDANCE & TIPS: The information security policy will drive the organization's ISMS.
6. Information security manager should develop information security sub-policies.
7. The following sub-policies should be developed:
   a.) Access control policy
   b.) Password policy
   c.) Email and internet policy
   d.) Information classification policy
   e.) Remote access policy
   f.) Procurement policy
   g.) Audit policy
8. Senior management should approve the information security policy and sub-policies.


9. Senior management should allocate resources and budget to implement the policy.
10. Information security manager should communicate the policies throughout the organization.
11. Information security manager should enforce adherence to all security policies and procedures.
12. Information security manager should periodically review and update the policy.
GUIDANCE & TIPS: Security policies should be revised periodically and updated based on the changing business needs, information security best practices, legal and regulatory requirements, emerging technology, security incidents, and IT strategy.

Define Risk Assessment Methodology

13. Information security manager should identify a risk assessment methodology that is suited to the organization.
14. Risk assessment methodology should include guidelines to:
   a.) Identify and prioritize Critical Business Processes (CBPs), which are essential to running a business and are the most profitable
   b.) Identify and classify assets that support CBPs
   c.) Identify sources of potential threats and threat actions
   d.) Identify system vulnerabilities that could be exploited by a potential threat
   e.) Determine likelihood rating
   f.) Analyze the impact
   g.) Assess the level of risk based on likelihood, threat, vulnerability, impact, and existing controls
   h.) Establish the criteria for accepting risks
   i.) Identify control recommendations
   j.) Define reporting and escalation methodologies
GUIDANCE & TIPS: You may start with step (a) or (b); starting with step (a) will ensure that CBPs and all supporting assets are identified and protected. Step (b) (assets) includes the risk of failing to protect a critical business process and requires expertise and detailed analysis of each asset. Therefore, it is preferable to analyze the business processes and then identify and protect the assets that support the business processes.

Perform Risk Assessment

15. Information security manager should conduct a risk assessment in order to identify the likelihood that a disaster or other serious service disruption may actually occur.
GUIDANCE & TIPS: Risk assessment is the assessment of the risks that may give rise to security violation. Risk management is concerned with identifying appropriate, cost-justifiable countermeasures to combat those risks.
16. Information security manager should identify and prioritize CBPs.
GUIDANCE & TIPS: Processes essential to running a business that are also the most profitable are known as CBPs. Information about CBPs is typically available in the BIA report. Information security manager should work with the IT service continuity manager to identify and prioritize CBPs.
17. Information security manager should identify the IT services that are essential to support CBPs.
18. Information security manager should identify and document the assets supporting essential IT services.
19. Information security manager should assign ownership for each asset (if ownership is not already assigned).
20. Information security manager should determine the level of protection required for each asset.
21. Information security manager should identify threats (in terms of physical, personal, operational) and vulnerabilities (in terms of confidentiality, availability, integrity) that affect the asset.
GUIDANCE & TIPS: Threats include fire, power failure, flood, terrorist attack, human error, virus or malicious software, industrial actions, etc.
22. Information security manager should assess the probability of a threat exploiting a vulnerability (likely, possible, unlikely).

23. Information security manager should identify the impact of losses (critical, marginal, or negligible).
24. Information security manager should then estimate the level of risk (high, moderate, or low).
GUIDANCE & TIPS: Risk matrix example (rows: probability; columns: impact):

Impact/Probability | Critical | Marginal | Negligible
Certain | High | High | Moderate
Likely | High | High | Moderate
Possible | High | Moderate | Low
Unlikely | Moderate | Low | Low

25. Information security manager should determine whether the risks are acceptable and if a risk requires treatment.
GUIDANCE & TIPS: Business owners, IT managers, and information security experts should work together to determine the controls.
26. Information security manager should then complete a risk assessment report.
27. A risk assessment report should contain the following:
   a.) Assets
      • Asset name
      • Asset category
      • Asset owner
   b.) Risk assessment
      • Risk analysis (threats and vulnerabilities)
      • Business impact
      • Likelihood
      • Risk evaluation
   c.) Risk treatment (controls)
      • Risk appetite
      • Risk mitigation
      • Controls
   d.) Residual Risk
GUIDANCE & TIPS: Residual risk is the portion of the risk (exposure to danger or loss) that remains after a risk assessment has been conducted and controls have been implemented.
28. Information security manager should review and revise information security policies based on the risk assessment report.

Prepare Risk Treatment Plan

29. Information security manager should prepare a list of controls to be deployed.
GUIDANCE & TIPS: Business owners, IT managers, and information security experts should work together to determine the controls.
30. Controls may target the following domains:
   a.) Physical security
   b.) Personal security
   c.) Operational security
   d.) Computer crime
   e.) Information security
   f.) Network security
   g.) Organizational structure
   h.) Human resources security
   i.) Access control
   j.) Backup and restore strategy
   k.) Software development and testing
   l.) IT infrastructure planning (availability, capacity, service, continuity)
31. Controls may be related to one or more of the following security services:
   a.) Availability
   b.) Confidentiality
   c.) Integrity
   d.) Authentication
   e.) Non-repudiation
   f.) Access control
32. Security services can make use of one or more of the following security mechanisms:
   a.) Preventive measures: Used to prevent a security incident from occurring
   b.) Reductive measures: Taken in advance to reduce the impact in case of a security incident or breach
   c.) Detective measures: If a security incident occurs, it is important to detect it as soon as possible
   d.) Repressive measures: Taken to counteract the repetition of security incidents
   e.) Corrective measures: Repairing the situation after the incident
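The risk estimation of steps 21 through 27 and the step 24 matrix, worked through in code as an added example that is not part of the procedure: the matrix lookup gives the inherent risk level, an assumed acceptance criterion (a risk-appetite threshold standing in for the step 14h criteria) decides whether treatment is required, an assumed one-step-per-control model gives the residual risk, and the output is one row per asset in the shape of the step 27 report. Asset names, threats, ratings and control names are constructed for illustration.

```python
from dataclasses import dataclass, field
# Risk matrix from step 24: RISK_MATRIX[probability][impact] -> risk level.
RISK_MATRIX = {
    "certain":  {"critical": "high", "marginal": "high", "negligible": "moderate"},
    "likely":   {"critical": "high", "marginal": "high", "negligible": "moderate"},
    "possible": {"critical": "high", "marginal": "moderate", "negligible": "low"},
    "unlikely": {"critical": "moderate", "marginal": "low", "negligible": "low"},
}
PROBABILITY_ORDER = ["unlikely", "possible", "likely", "certain"]  # step 22 scale
IMPACT_ORDER = ["negligible", "marginal", "critical"]              # step 23 scale
LEVEL_ORDER = ["low", "moderate", "high"]                          # step 24 scale

@dataclass
class Risk:
    """Report row (step 27): asset, threat/vulnerability (step 21), probability (22), impact (23)."""
    asset: str
    threat: str
    vulnerability: str   # confidentiality / integrity / availability
    probability: str
    impact: str
    controls: list = field(default_factory=list)  # (name, "probability" | "impact")

def risk_level(probability, impact):
    """Step 24: estimate the level of risk from the matrix."""
    return RISK_MATRIX[probability][impact]

def residual_level(risk):
    """Residual risk after controls. Assumed model, not stated by the
    procedure: each control lowers the factor it targets by one step."""
    p, i = risk.probability, risk.impact
    for _, reduces in risk.controls:
        if reduces == "probability":
            p = PROBABILITY_ORDER[max(PROBABILITY_ORDER.index(p) - 1, 0)]
        else:
            i = IMPACT_ORDER[max(IMPACT_ORDER.index(i) - 1, 0)]
    return risk_level(p, i)

def requires_treatment(level, risk_appetite="low"):
    """Step 25 with an assumed acceptance criterion (step 14h): only risks
    at or below the organization's risk appetite are accepted as they are."""
    return LEVEL_ORDER.index(level) > LEVEL_ORDER.index(risk_appetite)

def assess(risks, risk_appetite="low"):
    """Steps 24-27: evaluate every risk and return the report rows."""
    rows = []
    for r in risks:
        inherent, residual = risk_level(r.probability, r.impact), residual_level(r)
        rows.append({"asset": r.asset, "threat": r.threat, "inherent": inherent,
                     "treat": requires_treatment(inherent, risk_appetite), "residual": residual,
                     "accepted": not requires_treatment(residual, risk_appetite)})
    return rows

# Constructed sample (illustrative only): assets of an order-processing CBP, step 21 threats.
SAMPLE_RISKS = [
    Risk("Order database server", "power failure", "availability", "possible", "critical",
         [("UPS and generator", "probability"), ("Tested restore", "impact")]),
    Risk("Customer records", "malicious software", "confidentiality", "likely", "critical",
         [("Endpoint anti-malware", "probability")]),
    Risk("Internal wiki", "human error", "integrity", "possible", "negligible"),
]
```

Running `assess(SAMPLE_RISKS)` shows the second asset still rated high after its single control, which is the case step 25 flags for further treatment.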


GUIDANCE & TIPS: Security mechanisms are implemented using policies, procedures, and technical tools.
33. Information security manager should then prepare the risk treatment plan based on the identified security controls.
34. A risk treatment plan should include:
   a.) Goals and objectives
   b.) Scope
   c.) Audience
   d.) Asset details
   e.) Risks
   f.) Existing controls
   g.) Controls to be implemented
   h.) Actions to be taken
   i.) Roles and responsibilities
35. Senior management should approve the risk treatment plan.

Implement Security Controls

36. Information security manager should implement (enforce) the security controls identified in the risk treatment plan and information security policies.
GUIDANCE & TIPS: Security controls should support and enforce information security and minimize all recognized and identified threats.

Prepare Training & Awareness Plan

37. Information security manager should develop a training and awareness plan.
38. Information security manager should ensure that there is sufficient training and awareness on information security policies and controls across the organization.
39. Information security manager should maintain training records.

Monitor & Improve

40. Information security manager should measure the effectiveness of the security policies and controls.
41. Information security manager should perform periodic internal audits to check compliance with the security policies and procedures.
GUIDANCE & TIPS: Internal audits and external audits are conducted on a regular basis to ensure compliance with the information security policies, in order to identify gaps and make improvements to the ISMS.
42. Information security manager should identify and implement improvements and should ensure that each improvement achieves its goals.
43. Information security manager should assess, review, and report security risks and threats on a periodic basis.
44. Information security manager should record all information relevant to information security management in the SMIS.
45. This includes information related to:
   a.) Information security policies
   b.) Security reports and information
   c.) Security controls
   d.) Security risks and responses
46. Information security manager should ensure that the SMIS provides relevant information in order to support the information security management process.

Security Incident Management

47. Information security manager should ensure that policies related to security incident management are defined in the overall information security policy.
48. Security incidents can be related to physical security, personal security, operational security, or computer crime.
49. The security incident handling team should monitor and manage all security breaches and incidents.
50. The security incident handling team should:
   a.) Promptly detect security related incidents and security breaches
   b.) Record all incidents in a centralized incident log/database
   c.) Evaluate, classify, and prioritize security incidents
   d.) Escalate incidents to specialized technical teams or suppliers (if required)
   e.) Ensure that security incidents are evaluated, their root causes identified, and preventive actions taken
   f.) Measure the effectiveness of the controls

   g.) Report security incident statuses and trends to management and stakeholders
