ITQMS Information Security Management Process V1.2
DATE VER DESCRIPTION OF CHANGES
MM/DD/YY 1.0 Baseline

EDITED BY: Name, Title, Date
APPROVED BY: Name, Title, Date

REFERENCE DOCUMENTS
➢ ITIL® Service Design Guidance Publication (ITIL® is a registered trade mark of AXELOS Limited)

PURPOSE & SCOPE
➢ The purpose of information security management is to align IT security with business security and ensure that the confidentiality, integrity, and availability of the organization's assets, information, data, and services always matches the agreed-upon needs of the business.
GUIDANCE & TIPS: Information security management ensures that the security aspects related to services are appropriately managed and controlled in line with the business needs.
➢ The scope of information security management includes end-to-end business processes, business requirements (current and future), information security requirements, legal and regulatory requirements, and business and IT operational risks.
GUIDANCE & TIPS: The scope of information security management usually includes the entire organization and will depend on a business impact analysis and risk assessment.

BUSINESS VALUE
➢ Fulfill legal and regulatory requirements
➢ Protect organizational assets
➢ Information security awareness

DEFINITIONS & ABBREVIATIONS
ITEM: DESCRIPTION
Availability: Information is accessible and usable upon demand by those who are authorized
CBP: Critical Business Processes
CMDB: Configuration Management Database
CMS: Configuration Management System
Confidentiality: Information is available only to those who are authorized
CSIR: Continual Service Improvement Register or CSI register records all identified service improvement opportunities. Each opportunity should be categorized and prioritized. Improvements can be categorized by improvement effort (size) as small, medium, or large, or by how quickly it can be achieved: short term, medium term, or long term.
Information: The term information includes data stores, databases, and meta data and takes into account all channels used to communicate information
ISMS: Information Security Management System
Integrity: Information is accurate and complete
ITSM: Information Technology Service Management
Likelihood: Possibility of a threat exploiting a vulnerability
MR: Management Review
Confidential
Copyright © 2013 by IT Quality Management Solutions (PVT) LTD. All rights reserved. No part of this publication may be reproduced, stored in any
retrieval system, or transmitted in any form or by any means, electronic or otherwise, without written permission.
CODE:ISM_P1
RISKS
INTERFACES
9. Senior management should allocate resources and budget to implement the policy.
10. Information security manager should communicate the policies throughout the organization.
11. Information security manager should enforce adherence to all security policies and procedures.
12. Information security manager should periodically review and update the policy.
GUIDANCE & TIPS: Security policies should be revised periodically and updated based on the changing business needs, information security best practices, legal and regulatory requirements, emerging technology, security incidents, and IT strategy.

Define Risk Assessment Methodology
13. Information security manager should identify a risk assessment methodology that is suited to the organization.
14. Risk assessment methodology should include guidelines to:
a.) Identify and prioritize Critical Business Processes (CBPs), which are essential to running a business and are the most profitable
b.) Identify and classify assets that support CBPs
c.) Identify sources of potential threats and threat actions
d.) Identify system vulnerabilities that could be exploited by a potential threat
e.) Determine likelihood rating
f.) Analyze the impact
g.) Assess the level of risk based on likelihood, threat, vulnerability, impact, and existing controls
h.) Establish the criteria for accepting risks
i.) Identify control recommendations
j.) Define reporting and escalation methodologies
GUIDANCE & TIPS: You may start with step (a) or (b); starting with step (a) will ensure that CBPs and all supporting assets are identified and protected. Step (b) (assets) includes the risk of failing to protect a critical business process and requires expertise and detailed analysis of each asset. Therefore, it is preferable to analyze the business processes and then identify and protect the assets that support the business processes.

Perform Risk Assessment
15. Information security manager should conduct a risk assessment in order to identify the likelihood that a disaster or other serious service disruption may actually occur.
GUIDANCE & TIPS: Risk assessment is the assessment of the risks that may give rise to security violation. Risk management is concerned with identifying appropriate, cost-justifiable countermeasures to combat those risks.
16. Information security manager should identify and prioritize CBPs.
GUIDANCE & TIPS: Processes essential to running a business that are also the most profitable are known as CBPs. Information about CBPs is typically available in the BIA report. Information security manager should work with the IT service continuity manager to identify and prioritize CBPs.
17. Information security manager should identify the IT services that are essential to support CBPs.
18. Information security manager should identify and document the assets supporting essential IT services.
19. Information security manager should assign ownership for each asset (if ownership is not already assigned).
20. Information security manager should determine the level of protection required for each asset.
21. Information security manager should identify threats (in terms of physical, personal, operational) and vulnerabilities (in terms of confidentiality, availability, integrity) that affect the asset.
GUIDANCE & TIPS: Threats include fire, power failure, flood, terrorist attack, human error, virus or malicious software, industrial actions, etc.
22. Information security manager should assess the probability of a threat exploiting a vulnerability (likely, possible, unlikely).
23. Information security manager should identify the impact of losses (critical, marginal, or negligible).
24. Information security manager should then estimate the level of risk (high, moderate, or low).
GUIDANCE & TIPS: Risk matrix example (rows: probability; columns: impact):

Probability / Impact   Critical   Marginal   Negligible
Certain                High       High       Moderate
Likely                 High       High       Moderate
Possible               High       Moderate   Low
Unlikely               Moderate   Low        Low

25. Information security manager should determine whether the risks are acceptable and if a risk requires treatment.
GUIDANCE & TIPS: Business owners, IT managers, and information security experts should work together to determine the controls.
26. Information security manager should then complete a risk assessment report.
27. A risk assessment report should contain the following:
a.) Assets
• Asset name
• Asset category
• Asset owner
b.) Risk assessment
• Risk analysis (threats and vulnerabilities)
• Business impact
• Likelihood
• Risk evaluation
c.) Risk treatment (controls)
• Risk appetite
• Risk mitigation
• Controls
d.) Residual risk
GUIDANCE & TIPS: Residual risk is the portion of the risk (exposure to danger or loss) that remains after a risk assessment has been conducted and controls have been implemented.
28. Information security manager should review and revise information security policies based on the risk assessment report.

Prepare Risk Treatment Plan
29. Information security manager should prepare a list of controls to be deployed.
GUIDANCE & TIPS: Business owners, IT managers, and information security experts should work together to determine the controls.
30. Controls may target the following domains:
a.) Physical security
b.) Personal security
c.) Operational security
d.) Computer crime
e.) Information security
f.) Network security
g.) Organizational structure
h.) Human resources security
i.) Access control
j.) Backup and restore strategy
k.) Software development and testing
l.) IT infrastructure planning (availability, capacity, service continuity)
31. Controls may be related to one or more of the following security services:
a.) Availability
b.) Confidentiality
c.) Integrity
d.) Authentication
e.) Non-repudiation
f.) Access control
32. Security services can make use of one or more of the following security mechanisms:
a.) Preventive measures: Used to prevent a security incident from occurring
b.) Reductive measures: Taken in advance to reduce the impact in case of a security incident or breach
c.) Detective measures: If a security incident occurs, it is important to detect it as soon as possible
d.) Repressive measures: Taken to counteract the repetition of security incidents
e.) Corrective measures: Repairing the situation after the incident
GUIDANCE & TIPS: Security mechanisms are implemented using policies, procedures, and technical tools.
33. Information security manager should then prepare the risk treatment plan based on the identified security controls.
34. A risk treatment plan should include:
a.) Goals and objectives
b.) Scope
c.) Audience
d.) Asset details
e.) Risks
f.) Existing controls
g.) Controls to be implemented
h.) Actions to be taken
i.) Roles and responsibilities
35. Senior management should approve the risk treatment plan.

Implement Security Controls
36. Information security manager should implement (enforce) the security controls identified in the risk treatment plan and information security policies.
GUIDANCE & TIPS: Security controls should support and enforce information security and minimize all recognized and identified threats.

Prepare Training & Awareness Plan
37. Information security manager should develop a training and awareness plan.
38. Information security manager should ensure that there is sufficient training and awareness on information security policies and controls across the organization.
39. Information security manager should maintain training records.

Monitor & Improve
40. Information security manager should measure the effectiveness of the security policies and controls.
41. Information security manager should perform periodic internal audits to check compliance with the security policies and procedures.
GUIDANCE & TIPS: Internal audits and external audits are conducted on a regular basis to ensure compliance with the information security policies, in order to identify gaps and make improvements to the ISMS.
42. Information security manager should identify and implement improvements and should ensure that each improvement achieves its goals.
43. Information security manager should assess, review, and report security risks and threats on a periodic basis.
44. Information security manager should record all information relevant to information security management in the SMIS.
45. This includes information related to:
a.) Information security policies
b.) Security reports and information
c.) Security controls
d.) Security risks and responses
46. Information security manager should ensure that the SMIS provides relevant information in order to support the information security management process.

Security Incident Management
47. Information security manager should ensure that policies related to security incident management are defined in the overall information security policy.
48. Security incidents can be related to physical security, personal security, operational security, or computer crime.
49. The security incident handling team should monitor and manage all security breaches and incidents.
50. The security incident handling team should:
a.) Promptly detect security-related incidents and security breaches
b.) Record all incidents in a centralized incident log/database
c.) Evaluate, classify, and prioritize security incidents
d.) Escalate incidents to specialized technical teams or suppliers (if required)
e.) Ensure that security incidents are evaluated, their root causes identified, and preventive actions taken
f.) Measure the effectiveness of the controls