Information Security Management essay

Information security management


Information security management (ISM) is concerned with the rules, regulations and policies that govern the security of an organization's information. The governing principle is that an institution, organization or firm establishes rules, procedures, systems and processes to manage the risks in its handling and dissemination of information, and to ensure that the information within reach of its employees is kept safe and secure.

Information security management must, however, be adaptable and flexible. ISM changes with time, and the unit that manages it has to be receptive to change in both the internal system and the external environment. The first stage of ISM is planning. Here the ISM is designed and the prevailing and anticipated risks that might affect the system are assessed. After the assessment, the controls appropriate to each identified risk are selected. The planning stage is very important because it determines the continuity of the organization's operations: it is the stage at which the risks are identified and the countermeasures that can prevent them are chosen. It is also in the planning stage that an organization can research how other organizations have controlled information fraud. Such research gives the organization insight into the risks it should anticipate, so that it can plan effectively for any challenging situation ahead of it (Gregory, 2007).

The next stage after planning is the doing (pilot) stage. The organization's operations are ongoing, and the proposed information security management system is now implemented, at first as a pilot. If some of the proposed measures do not work, they are changed. If the system works and protects the organization's information flow, it is documented as the organization's policy and regulation. It is, however, very important that when acting on the ISM the management keeps a plan B in case the technology changes, so that it can adapt swiftly.

After the implementation stage comes the check stage, in which the management body monitors and evaluates the effectiveness of the whole process. The aim is to obtain a full report on the progress of the process and to determine whether it is working for the good of the organization. If it is not, another plan is put in place; if the result is favourable, the process continues to be used as company policy.

The final stage of information security management is the act stage, in which changes are made where necessary. A process that is seen not to be effective is done away with. A process that works but is seen to be weak is critically evaluated and strengthened to fit the organization's operations. Processes that have worked well are stipulated as the company policy that governs its operations. These four stages are therefore the most crucial stages of information security management in an organization (Standards Australia International, et al., 1999).

Information Security framework

A framework is an enclosing or supporting structure; it serves as a guide or support to a policy or structure. A security framework is all about the measures taken to minimize information security risks in an organization. The security controls in a framework can be classified by the point at which they act relative to the risk event: preventive, detective or corrective. Preventive controls act before the event: they stop the risk from materializing in the first place, so that it never has a negative impact on the firm. The framework must also be responsive and alert, so that a risk that slips past prevention is seen in good time and stopped before it has an immense negative impact on the firm; that is the role of the detective level.

The detective level raises an alarm or alert that something is happening or about to happen in a given place. When the alarm is raised, the necessary measures are taken to counter the situation. This level concerns a risk that is in progress and needs immediate intervention by the appropriate people. If the risk is not detected in good time and the event happens, corrective controls are applied to repair the damage and prevent it from happening again (Phillips, 2009).

A security framework designed to protect a company can be categorized into three layers: the service layer, the identity (customer) layer and the network layer. The service layer is the host's application service and is mainly focused on customer service. It ensures that the information the host holds on a client is not exposed to anyone other than that client. It helps to create a customer-friendly environment and makes the customer feel comfortable.

The identity layer is the support structure used by third parties. It is the service that customers can access wherever they are, through a personal computer or a mobile phone, over the internet or by a direct connection. This service protects the identity of the customers and mediates the interaction between the end user (the customer) and the network operator. The customer has a secret login credential, such as a PIN or password, that they use to access the information that concerns them.

The network layer deals with the execution of the services and their management: it is the actual interaction between service delivery and the operator. The network is managed to determine who should access what information, and it sets the criteria by which information is accessed (Deswarte, et al., 2004).

The security framework can also be approached from a perspective where the solution is based on the activities taking place in the organization. This is about the operator being able to manage or control each layer within the overall framework.

Finally, in the security framework process there are security considerations that verify that the person who wants to access information is genuine. These include the access procedure, in which an alert is raised that a person wants to access some information. This is followed by authentication, in which the user keys in a number or a password to prove that they are actually who they claim to be. The authorization stage follows: the operator approves access to the information once satisfied that the identified user is genuine and is permitted to see it. The analytic stage is the final one: the operator constantly monitors the customer's operations and keeps a record of every transaction. This improves the customer's relations with the operator (Fry, 2009).
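The four steps just described (access request, authentication, authorization and analytics) map directly onto code. The following Python is an added example, not code from the page or from Fry (2009); the user names, roles, passwords and the record-ownership rule are constructed for illustration. Passwords are stored only as salted PBKDF2 hashes and compared in constant time, a customer may read only their own records while an operator may read any, failed logins are counted so that the account locks after five bad attempts, and every stage writes an entry to an in-memory audit log that plays the role of the operator's transaction record.

```python
"""Access pipeline: request -> authenticate -> authorize -> audit.

Added example. User names, roles, passwords and the ownership rule are
constructed for illustration and are not taken from the page.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000   # cost factor; raise it in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class User:
    name: str
    role: str                 # "customer" or "operator" (assumed roles)
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0


def authorize(user: User, action: str, record_owner: str) -> bool:
    """Ownership rule: a customer may read only their own records, an operator any."""
    if action != "read":
        return False
    if user.role == "operator":
        return True
    return user.role == "customer" and record_owner == user.name


@dataclass
class AccessControl:
    users: Dict[str, User]
    audit_log: List[dict] = field(default_factory=list)
    max_failed: int = 5       # lock the account after this many bad passwords

    def _log(self, **event) -> None:
        event["ts"] = time.time()
        self.audit_log.append(event)

    def authenticate(self, username: str, password: str) -> Optional[User]:
        user = self.users.get(username)
        if user is None:
            # Hash anyway so response time does not reveal whether the name exists.
            hash_password(password, b"\x00" * 16)
            self._log(stage="authenticate", user=username, result="unknown-user")
            return None
        if user.failed_attempts >= self.max_failed:
            self._log(stage="authenticate", user=username, result="locked")
            return None
        _, candidate = hash_password(password, user.salt)
        if hmac.compare_digest(candidate, user.pw_hash):   # constant-time compare
            user.failed_attempts = 0
            self._log(stage="authenticate", user=username, result="ok")
            return user
        user.failed_attempts += 1
        self._log(stage="authenticate", user=username, result="bad-password")
        return None

    def access(self, username: str, password: str, action: str, record_owner: str) -> bool:
        """Run the full pipeline; every stage leaves an audit record."""
        self._log(stage="request", user=username, action=action, owner=record_owner)
        user = self.authenticate(username, password)
        if user is None:
            return False
        allowed = authorize(user, action, record_owner)
        self._log(stage="authorize", user=username, action=action,
                  owner=record_owner, result="allowed" if allowed else "denied")
        return allowed


def build_demo() -> AccessControl:
    """Constructed user store for the example."""
    users = {}
    for name, role, pw in [("alice", "customer", "correct horse"),
                           ("bob", "customer", "battery staple"),
                           ("op1", "operator", "operator-pass")]:
        salt, digest = hash_password(pw)
        users[name] = User(name, role, salt, digest)
    return AccessControl(users)


if __name__ == "__main__":
    ac = build_demo()
    print(ac.access("alice", "correct horse", "read", "alice"))  # True
    print(ac.access("alice", "correct horse", "read", "bob"))    # False: not her record
    print(ac.access("op1", "operator-pass", "read", "bob"))      # True: operator
    for entry in ac.audit_log:
        print(entry)
```

Every decision, including each failure, is logged before the function returns, so the analytic stage has a complete trail to work from. The lockout and the dummy hash for unknown users are the caveats a practitioner would add to the page's description: without them the authentication step leaks which usernames exist and allows unlimited password guessing.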

Information security standards

Information security standards are stipulated by the International Organization for Standardization (ISO), which was established in 1947. ISO is a non-governmental body; it works with other standards bodies, including the International Electrotechnical Commission (IEC), with which it publishes the joint ISO/IEC standards, and with telecommunication organizations, to come up with accepted standards in the information security sector.

A number of reference standards have been issued by this body. One of them is the code of practice for information security management (ISO/IEC 17799, later renumbered ISO/IEC 27002). It was developed to help organizations manage their security issues effectively and to act as a guideline for the everyday operation of the organization's security system. The guidance is comprehensive and covers every sector of the organization's operation, from human resources all the way to the information technology desk. These guidelines protect the confidentiality and integrity of an organization's information (Calder, 2006).

Another standard is ISO/IEC 27001:2005 on information security management systems. It stipulates the requirements for establishing, implementing, operating, monitoring, maintaining and improving a documented information security management system, and it applies to all types of companies and organizations.

The Evaluation Criteria for Information Technology Security (the Common Criteria, ISO/IEC 15408) is another standard that has been issued. It consists of three parts: the introduction and general model, the security functional requirements and the security assurance requirements. It is used to certify the security functionality of IT products and the assurance they provide, and it covers both hardware and software (Calder, 2009).

ISO/IEC 13335 is another standard recognized in information security. It deals with the management of information and communications technology security: it specifies the concepts and models of ICT security management, the techniques for managing IT security, and management guidance on network security. All these standards act as guidelines that regulate security systems in the information security management sector.

Regulatory compliance

Apart from the standards that guide the use of security systems, there are also laws and regulations that govern how the systems are used. These regulations are specific to an industry or sector: every industry has its own regulatory requirements, depending on the kind of service it offers.

One of the business regulations enacted in the US is the Public Company Accounting Reform and Investor Protection Act of 2002, better known as the Sarbanes-Oxley Act. It was passed to protect investors from inaccurate and unreliable financial information. The act holds companies accountable for the accuracy of the financial information they report, which in turn requires controls over who can alter the systems and records from which that information is produced.

Another regulatory requirement concerns an organization's internal control system. It ensures that the organization's operations are computerized and that a record of what has been bought or sold is kept. Employees then have no grounds to deny having carried out a transaction, because the internal control system records the time of the transaction and the person who performed it; in security terms, the record provides non-repudiation. Internal control deals with assessing risks, the control environment, and monitoring the transactions and communications made (Whitman, 2010).

The Health Insurance Portability and Accountability Act (HIPAA) is one of the regulatory measures taken in the health sector. The act clearly defines standards for healthcare information and for the security measures that must be taken to protect it. All patient information and hospital transactions are protected and must be kept confidential from unauthorized persons.

The Federal Information Security Management Act (FISMA) is another of the regulations. It requires that the information handled by federal agencies be protected and that the agencies develop programs that provide information security. It requires each agency to periodically assess the risk to its information systems and to develop policies that reduce that risk.

Disaster recovery

Disaster recovery involves the procedures and policies put in place to respond to a disaster that has occurred in an organization or company. The main reason for recovery after a disaster is to maintain the continuity of the organization's operations, so that employees are not disrupted in the event of a scandal or disaster.

The information technology department is crucial to an organization's everyday operation; it ensures that the whole organization runs smoothly and securely. When there is a crisis in the company concerning information fraud or a breach of security, it destabilizes the whole system: employees no longer feel that their transactions with clients are safe, and clients lose their trust in the organization.

It is therefore very important that an organization is prepared to recover from any disaster, which means investing time in it. The IT specialists should always have a backup plan with which to restore the organization's systems. A disaster recovery system is vital for the smooth operation of the organization: it ensures continuity and consistency despite a crisis and gives employees confidence in their IT system.
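As an added example of the backup plan this paragraph calls for (not code from the page or from any of its sources), the following Python makes a file-level backup with a SHA-256 manifest, verifies the backup against that manifest, and refuses to restore when any file fails verification. The directory layout, the file contents and the simulated corruption in demo() are constructed for illustration; the manifest file name is an assumption.

```python
"""Backup with an integrity manifest and a verified restore.

Added example; the directory layout and file contents below are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List

MANIFEST = "MANIFEST.json"   # assumed name for the manifest file


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: str, backup_dir: str) -> Dict[str, str]:
    """Copy every file under src into backup_dir and record the copy's SHA-256."""
    manifest = {}
    for root, _, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src).replace(os.sep, "/")
            dest = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            shutil.copy2(full, dest)
            manifest[rel] = sha256_file(dest)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir: str) -> List[str]:
    """Return the relative paths that are missing or no longer match the manifest."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    bad = []
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path) or sha256_file(path) != expected:
            bad.append(rel)
    return sorted(bad)


def restore_backup(backup_dir: str, dest: str) -> bool:
    """Restore only if every file verifies; a corrupt restore is worse than none."""
    if verify_backup(backup_dir):
        return False
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    for rel in manifest:
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), target)
    return True


def demo() -> dict:
    """Constructed scenario: back up two files, damage one copy, check detection."""
    work = tempfile.mkdtemp()
    src, bak, rst = [os.path.join(work, d) for d in ("live", "backup", "restored")]
    os.makedirs(os.path.join(src, "db"))
    with open(os.path.join(src, "db", "customers.csv"), "w") as f:
        f.write("id,name\n1,alice\n2,bob\n")
    with open(os.path.join(src, "config.ini"), "w") as f:
        f.write("[service]\nport=8443\n")
    make_backup(src, bak)
    clean = verify_backup(bak)                       # expected: []
    restored_ok = restore_backup(bak, rst)           # expected: True
    # Simulate bit-rot or tampering in the backup copy.
    with open(os.path.join(bak, "db", "customers.csv"), "a") as f:
        f.write("3,mallory\n")
    damaged = verify_backup(bak)                     # expected: ["db/customers.csv"]
    restore_after_damage = restore_backup(bak, rst)  # expected: False
    shutil.rmtree(work)
    return {"clean": clean, "restored_ok": restored_ok,
            "damaged": damaged, "restore_after_damage": restore_after_damage}


if __name__ == "__main__":
    print(demo())
```

The manifest is written next to the backup here for simplicity; in practice it should be stored separately or signed, since whoever can alter the backup files could otherwise rewrite the manifest to match. A restore exercise like demo() belongs on a regular schedule: a backup that has never been restored is not yet a recovery plan.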


For information security to succeed in an organization, all members of the organization must be involved. Everyone should take a keen interest in protecting the organization's information and assets. It is only by working together as a team that an organization can develop an effective information security management system.
