One of the best ways to mitigate security incident risk is to have a system. Devising and enforcing policies that you can address systematically is key. After all, it is inadequacies in technologies, people and processes that increase your risk. Examples of these inadequacies include:
- Backdoors and viruses in the tech stack
- The human element and its vulnerability to social engineering
- A lack of governance for vetting new tools for security
To address these shortcomings, organizations can establish a systematic framework plus policies for information security. Together, this is called the Information Security Management System (ISMS).
What is ISMS?
An Information Security Management System (ISMS) is the set of policies and procedures that enables an organization to manage information security systematically. You can define your ISMS policies using an industry-standard framework such as ISO 27001, which provides generic requirements and guidelines.
You can further adjust these guidelines using your organization’s specific InfoSec needs and expectations. Then, you can continually improve by following industry standards and best practices.
Phases in successful InfoSec Management Systems
Here are the key focus areas, or phases, for standardizing your InfoSec systems. Feel free to treat these phases as a sort of maturity model.
The guideline adds a strategic context to the decision-making process of information security policies and investments. The first step is to identify the stakeholders — including internal and external users, partners and consumers — and the issues most relevant to their information security requirements.
The scope also highlights the importance of processes and activities: how interactions between users and systems affect the information security performance of the organization.
Stakeholder commitment, especially among decision makers and top executives, is instrumental to an effective ISMS program. The objectives of the program should be aligned with:
- Business goals
- Customer expectations
- Regulatory compliance requirements
- Evolving cybersecurity landscape (future thinking)
Leadership should be onboarded for commitments including policy approvals, budget allocation, new role and responsibility assignments, partnership agreements and communications with the relevant authorities.
The Planning phase narrows down the pertinent issues and guides decision makers to the associated opportunities and challenges. Organizations plan how to mitigate risks as they integrate and implement new policies into their ISMS framework.
- Evaluate the outcome of every process change and action against known benchmarks. These may include KPIs specified by Service Level Agreements (SLAs) as well as a variety of business- and security-centric KPIs.
- Identify and assign the roles of Risk Owners with defined responsibilities to appropriate experts within your organization.
- Adopt a risk treatment process to ensure all necessary controls are in place. Streamline and automate these controls where applicable.
The ISMS may require you to adopt additional resources, expertise, processes, documentation and tooling. ISO 27001 outlines a set of guidelines to optimize support across all of these domains — focus on the impact of individual choices on your InfoSec performance.
Baseline improvements are attributed to company-wide security education, training and awareness programs, as well as documentation that allows decision makers to track, monitor and improve all areas of the planning and support. The framework discusses in detail the guidelines on creating, updating and improving documentation necessary for information security planning, operations and external communications.
In the Operation phase, you’ll focus on the process of information security, how it is managed, controlled, documented, evaluated and improved using the available planning guidelines and support capabilities.
You’ll need to establish criteria for processes and then implement control actions based on those criteria. The controls focus particularly on mitigating any unintended and adverse consequences of operational changes that may occur during the Operation phase.
Assess this risk periodically. Document any risk treatment activity for future reference — including continual improvement of the ISMS plan.
6. Performance evaluation
ISO 27001 emphasizes continual improvement through monitoring and measurement. Your ISMS policies define a few items in support of this:
- What needs to be measured
- The individuals and teams in charge of monitoring
- The evaluation and analysis itself
When evaluating your performance, you can also look at your historic and industry benchmarks. An internal audit program and management review can help you evaluate the results from different strategic viewpoints and functions.
Performance evaluation outcomes are communicated to decision makers and ISMS program owners. The continual improvement plan is aligned with the framework guidelines by:
- Keeping track of nonconformities.
- Implementing corrective actions.
- Evaluating the performance of the changes.
- Documenting the changes.
- Updating the ISMS policy guide for users.
At this phase, decision makers may specify and prioritize important metrics and KPIs governing information security performance evaluation.
InfoSec best practices
Another standard, ISO/IEC 27002:2022, provides detailed reference best practices in the context of the ISO/IEC 27001:2022 framework: ISO 27002 describes the control actions as generic implementation guidance for the ISO 27001 framework.
These guides are based on well-established industry best practices and can be adapted to meet organization-specific requirements for your own implementation.