Information Security Management and Security Reporting

Wolfgang Hommel (Leibniz Supercomputing Centre, Germany)
Copyright: © 2015 | Pages: 12
DOI: 10.4018/978-1-4666-5888-2.ch426

Chapter Preview

The basic goal of ISM is to ensure security properties – such as the confidentiality, integrity, and availability – for an organization’s assets, i.e., any material or immaterial goods that are of value to the specific organization. IT assets typically include data, such as a customer database, software-based services like a web server, and hardware, e.g., the physical web server machine. Whereas any specific security measure, such as a network firewall, only has a limited scope – i.e., it protects only selected security properties of a subset of all assets – ISM takes a holistic approach and typically covers IS on an organization-wide scale (Whitman & Mattord, 2010).

Given the current state of the art in ISM, we basically need to consider three complementary building blocks:

1. ISM takes a risk-driven approach. In practice, perfect security can never be achieved. Because of the large number of assets, one needs to prioritize the measures to be taken so that the best possible security level is reached within the given personnel, time, and budget constraints (Roper, 1999).

2. ISM provides a large pool of security measures to choose from. Security measures can be categorized as either technical or organizational, and, with respect to their relationship to security incidents, as preventive, detective, or reactive.

3. ISM applies the principle of continuous improvement. Only a limited number of deliberately chosen security measures can be implemented within a given period. These measures must then be analyzed for effectiveness, refined, and eventually complemented by additional measures (Cazemier, 2010).

Key Terms in this Chapter

Information Security Management System (ISMS): An overall framework of policies, processes, guidelines, and resources for information security based on a risk-driven approach and the continuous improvement paradigm.

Risk Management: A process that includes activities for the identification, estimation, evaluation, and treatment of risks.

Information Security: The preservation of information properties such as confidentiality, integrity, and availability.

Security Report: A document presenting security metrics that have been chosen for a specific target audience.

Security Metric: A quantification of selected security properties that is derived from objective security measurements.

ISO/IEC 27000: A series of international standards for information security management systems (ISMS). ISO/IEC 27001, which specifies ISMS requirements, is the best-known standard in this series.

Security Key Performance Indicator (SKPI): A chosen security metric of particular importance, which can, for example, be used in contracts between IT service providers and customers.
