ISM - Lesson1
INFORMATION SECURITY MANAGEMENT
Information security management is an organization's approach to
ensuring the availability, confidentiality and integrity of its
Information Technology (IT) assets and to safeguarding or defending
them against various cyberattacks.
AVAILABILITY
Information security management deals with the availability of data
by implementing procedures, processes and protocols that ensure
significant information is accessible to authorized users at any time.
Typical activities include hardware maintenance and repairs,
installing patches and upgrades, and well-designed incident response
and disaster recovery processes that avoid or prevent data loss in
the event of a cyberattack.
“It’s definitely obvious that an organization wouldn’t want their
information, in any form, to be exposed or to go public in a manner
that would harm the entirety of their processes.”
CONFIDENTIALITY
In terms of usage and importance, confidentiality and privacy carry
the same sense. When preserving the confidentiality of information,
one important factor is ensuring that only users who have been
granted access can read or modify the data. As such, information
security teams are obliged to assess the associated risks and to
ensure that appropriate privacy controls are in place.
“Best practices and unique platforms in connection to data
confidentiality are reviewed periodically to calibrate and
continuously monitor whether the employees or users are compliant.”
INTEGRITY
Information security management deals with data integrity through
control implementations that validate and confirm the consistency and
accuracy of stored data throughout its life cycle. For information to
be considered secure, the information security teams must be able to
store it properly so that it cannot be modified or deleted beyond the
access rights of the appropriate users.
“All organizations generate and collate massive and essential
information, but is this information accurately reported and even
stored properly? Somewhere between the lines are validation teams
that ensure the completeness and accuracy of the data; it is now in
the hands of the Information Security (InfoSec) Teams to store it
accordingly.”
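The integrity paragraph above describes a control that validates stored data has not been changed outside the access rights of the appropriate users. The following Python script is an added example (not part of the lesson material) of one such control: each record is sealed with an HMAC-SHA256 tag under a key held by the InfoSec team, and an audit pass reports any record whose content no longer matches its tag. The key, record layout and function names are assumptions made for this example.

```python
import hmac
import hashlib
import json

# Hypothetical integrity key (constructed for this example). In a real
# deployment it comes from a key-management system, never from source code.
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the record's canonical form."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Return True only if the stored data still matches its tag.

    compare_digest is used so the check does not leak, through timing,
    how many bytes of a forged tag happened to match.
    """
    expected = hmac.new(key, canonical_bytes(sealed["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def audit_store(store: list, key: bytes = INTEGRITY_KEY) -> list:
    """Integrity audit over a whole data store: ids of records that fail verification."""
    return [sealed["data"]["id"] for sealed in store if not verify_record(sealed, key)]


if __name__ == "__main__":
    # Constructed sample data store
    store = [
        seal_record({"id": 1, "account": "alice", "balance": 100}),
        seal_record({"id": 2, "account": "bob", "balance": 250}),
    ]
    print("clean audit:", audit_store(store))       # []
    # Simulate a modification that bypassed the normal access path
    store[1]["data"]["balance"] = 9999
    print("after tampering:", audit_store(store))   # [2]
```

The tag only detects modification; it does not prevent it. A detective control like this is normally paired with the preventive controls (access rights, backups for corrective restoration) discussed later in the lesson.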
PILLARS OF INFORMATION
SECURITY MANAGEMENT
Nowadays, companies store huge amounts of information, which has
increased the threat of cyberattacks and data theft and, in turn,
driven important developments in the field of information security
management.
A. INFORMATION SECURITY
CONTROLS
WHAT DOES SECURITY CONTROL MEAN?
Security controls in Information Security Management (ISM) are
safeguards, also called countermeasures, implemented in an
organization to minimize, detect, avoid and/or counteract various
information security risks such as data alteration or theft, breaches
of information systems, and unauthorized use or access.
FORMS OF SECURITY CONTROL
Preventive – This form of security control is intended to counteract
incidents of cybersecurity breaches before they occur.
Detective – A detective security control is designed to locate
targeted or unusual cybersecurity activity. Once successful or even
potential breaches have been detected, the cybersecurity
professionals must be notified of the incidents.
Corrective – Often in an organization, some security controls are
planned to be corrective in nature. After an incident has occurred,
corrective measures are put in place to reduce data loss or damage to
the system, the business network or, more broadly, the respective
databases, and to immediately restore significant and critical
processes and systems. They are a quick move to restore the security
protocols and controls, showing resilience in the face of incidents.
TYPES OF SECURITY CONTROLS
1. Physical Controls
2. Access Controls
3. Procedural Controls
4. Technical Controls
5. Compliance Controls
PHYSICAL CONTROLS
This type of security control involves safeguards/countermeasures
within a facility, intended to prevent or strongly discourage
unsanctioned/unofficial/illegal access to critical information assets.
Typical examples include motion or thermal alarm systems, guards,
remote and facial identity scanners, locks, or even the presence of
closed-circuit surveillance cameras.
ACCESS CONTROLS
These controls ensure that users are who they claim to be, and that
they consistently hold the appropriate entitlements to specific data.
Well-known examples are passwords and security questions.
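The access-control description above bundles two checks: verifying that users are who they claim to be (authentication) and that they hold the right entitlements to specific data (authorization). The Python script below is an added example, not part of the lesson, showing both in the order they apply. The user directory, the access-control list and the function names are assumptions constructed for the example; passwords are stored as salted PBKDF2 hashes rather than in plaintext.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000


def make_password_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a password as (salt, PBKDF2-HMAC-SHA256 hash) so a leaked record is not directly usable."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def authenticate(users: dict, username: str, password: str) -> bool:
    """Verification step: is the caller who they claim to be?"""
    record = users.get(username)
    if record is None:
        # Do a dummy computation so unknown and known usernames take similar time.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison so a wrong guess leaks nothing through timing.
    return hmac.compare_digest(candidate, record["hash"])


def authorize(acl: dict, username: str, resource: str, action: str) -> bool:
    """Entitlement step: may this authenticated user perform this action on this data?"""
    return action in acl.get(resource, {}).get(username, set())


def access(users: dict, acl: dict, username: str, password: str, resource: str, action: str) -> str:
    """Full access-control decision: authenticate first, then authorize; deny by default."""
    if not authenticate(users, username, password):
        return "denied: authentication failed"
    if not authorize(acl, username, resource, action):
        return "denied: not entitled"
    return "granted"


# Constructed sample user directory and access-control list (hypothetical data).
USERS = {
    "alice": make_password_record("correct horse battery staple", salt=b"A" * 16),
    "bob": make_password_record("hunter2", salt=b"B" * 16),
}
ACL = {
    "payroll.csv": {"alice": {"read", "write"}, "bob": {"read"}},
}

if __name__ == "__main__":
    print(access(USERS, ACL, "alice", "correct horse battery staple", "payroll.csv", "write"))  # granted
    print(access(USERS, ACL, "bob", "hunter2", "payroll.csv", "write"))                         # denied: not entitled
    print(access(USERS, ACL, "bob", "wrong", "payroll.csv", "read"))                            # denied: authentication failed
```

Denying by default when a resource or user is absent from the ACL is the important design choice: a missing entitlement is treated the same as an explicit refusal, so an incomplete policy never grants access by accident.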
PROCEDURAL CONTROLS
These controls are set to maintain a computer system through
validation procedures, using user manuals and standard operating
procedures (SOPs).