Security Management and Operations
Relationship with ISMS
Information Security Management System (ISMS) is defined in the ISO/IEC 27000 set of standards. The ISO/IEC 27001 standard sets out a certifiable and measurable standard against which an organization can evaluate its information security management program. An ISMS covers a set of processes following the life cycle of “Plan-Do-Check-Act” (known as the “PDCA cycle”). ISO/IEC 27002 provides a set of best practice controls that can be used to build up an ISMS.
The word “management” means the act or skill of planning, leading, controlling and making decisions in order to achieve targeted goals. Likewise, security management is about controlling and making decisions on security matters. In practice, however, many organizations and security personnel are constantly firefighting problems and incidents. Instead of controlling security matters, they are being “controlled” by the fuss of their daily chores.
Examples – Security Governance
There are many ways of raising IT security policy awareness. Examples include:
“If you can’t measure it, you can’t manage it.” -- Peter Drucker, the management guru
Similarly, security can be better managed if a set of metrics can be developed and adopted for measurement.
“...it is not the strongest of the species that survives, nor the most intelligent; it is the one that is the most adaptable to change.” -- Charles Darwin
Change management comes in many forms [5].
Case Study – Incident Management [7]
At the University of Oviedo, there are 30,000 people across four campuses: Oviedo, Gijón, Avilés and Mieres. Incident management is performed at two action levels: institution level and education centre level. At institution level is the User Care Centre (UCC). It sorts out IT problems for the academic and administrative communities as a whole. There is an automated IT incident management tool (XPERTA), as well as an institutional website for support. At education centre level, which can be a specific faculty, the service provides lecturers and students with assistance for incidents arising from teaching-related activities.
The purpose of incident management is to
Incident management can include the following activities:
In addition to implementing the process, periodic incident management training should be provided to operations personnel.
Security Device Management
Security devices include routers, firewalls, Intrusion Detection System (IDS), Intrusion Protection System (IPS) and other devices which are deployed as security measures to protect against security threats. Security device management refers to monitoring and maintaining these security devices. Patches and updates are critical to keep the security devices current against the latest threats. Where applicable, security ruleset and signature updates should also be applied so that the devices can detect and prevent new threats.
In addition to the established security devices, leading security vendors are launching new security devices and modules aimed at detecting zero-day cyber threats and malware attacks.
Separation of Duties [9]
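The paragraphs above make two maintenance points: device firmware must be patched, and signature or ruleset feeds must be kept current. The following script, added here as an illustration and not taken from the newsletter or any vendor, turns those two points into a routine currency check over a constructed device inventory. The baseline versions, device names, dates and per-device-class age limits are all hypothetical; in practice the baseline would come from the vendor's release notes and the inventory from the device management console.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed baseline (hypothetical values, not vendor data): the firmware
# version each device class should be on, and how many days a signature or
# ruleset feed may lag before the device is considered out of currency.
# Routers here have no signature feed, so no age limit applies to them.
BASELINE = {
    "firewall": {"firmware": "9.1.4", "ruleset_max_age_days": 7},
    "ids":      {"firmware": "4.2.0", "ruleset_max_age_days": 1},
    "ips":      {"firmware": "4.2.0", "ruleset_max_age_days": 1},
    "router":   {"firmware": "16.9.3", "ruleset_max_age_days": None},
}


@dataclass
class Device:
    name: str
    kind: str                              # key into BASELINE
    firmware: str                          # dotted version string
    last_signature_update: Optional[date]  # None if no update recorded


def version_tuple(version: str):
    """Compare dotted versions numerically, so 9.1.10 > 9.1.4."""
    return tuple(int(part) for part in version.split("."))


def review_device(dev: Device, today: date) -> List[str]:
    """Return a list of findings for one device; empty list means current."""
    findings = []
    base = BASELINE[dev.kind]

    if version_tuple(dev.firmware) < version_tuple(base["firmware"]):
        findings.append(f"firmware {dev.firmware} behind baseline {base['firmware']}")

    max_age = base["ruleset_max_age_days"]
    if max_age is not None:  # only classes that consume a signature feed
        if dev.last_signature_update is None:
            findings.append("no signature update recorded")
        else:
            age_days = (today - dev.last_signature_update).days
            if age_days > max_age:
                findings.append(f"signatures {age_days} days old (limit {max_age})")
    return findings


def review_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Map each out-of-currency device name to its findings."""
    report = {}
    for dev in devices:
        findings = review_device(dev, today)
        if findings:
            report[dev.name] = findings
    return report


# Constructed sample inventory and review date (not real devices).
TODAY = date(2015, 3, 2)
DEVICES = [
    Device("fw-edge-1", "firewall", "9.1.4", date(2015, 2, 27)),   # current
    Device("fw-dmz-1", "firewall", "9.0.2", date(2015, 2, 20)),    # old firmware, stale rules
    Device("ids-core-1", "ids", "4.2.0", date(2015, 3, 1)),        # current
    Device("ips-dmz-1", "ips", "4.1.7", None),                     # old firmware, no signatures
    Device("rtr-wan-1", "router", "16.9.3", None),                 # current, no feed expected
]

if __name__ == "__main__":
    for name, findings in review_inventory(DEVICES, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run daily from the operations schedule, the report gives the device management team a short, actionable list instead of a manual walk through every console; the separate age limits per device class reflect that an IDS/IPS signature feed goes stale far faster than a firewall ruleset.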
Segregation of duties is critical to effective internal control; it reduces the risk of both erroneous and inappropriate actions.
Specific examples of segregation of duties are as follows:
Segregation of duties is a deterrent to fraud because it requires collusion with another person to perpetrate a fraudulent act.
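Segregation of duties is only effective if someone actually checks that no single identity has accumulated both halves of an incompatible pair, whether directly or through several roles. The script below is an added example, not from the newsletter or from the UCLA reference it cites; the role names, permission names and conflict pairs are constructed to illustrate the idea. It implements both a detective check (report existing conflicts across a user-role assignment) and a preventive check (refuse a role grant that would create one), mirroring the preventive/detective split in the cited title.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role model (hypothetical names, not from the newsletter).
# Each role grants a set of duties; users may hold several roles.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk":           {"create_vendor", "enter_invoice"},
    "ap_manager":         {"approve_payment"},
    "developer":          {"commit_code"},
    "release_engineer":   {"deploy_production"},
    "firewall_requester": {"request_firewall_change"},
    "firewall_approver":  {"approve_firewall_change"},
    "auditor":            {"read_audit_log"},
}

# Pairs of duties that one person must not hold together: holding both
# lets a single individual both initiate and approve the same action.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"commit_code", "deploy_production"}),
    frozenset({"request_firewall_change", "approve_firewall_change"}),
}


def effective_permissions(roles) -> Set[str]:
    """Union of the duties granted by all of a user's roles."""
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(user_roles: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Detective control: users whose combined roles cover a conflict pair."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= perms)
        if hits:
            report[user] = hits
    return report


def safe_to_grant(user_roles: Dict[str, Set[str]], user: str, new_role: str) -> bool:
    """Preventive control: True only if adding new_role creates no conflict."""
    roles = set(user_roles.get(user, set())) | {new_role}
    perms = effective_permissions(roles)
    return not any(pair <= perms for pair in CONFLICTS)


# Constructed sample assignment (not real staff).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk", "ap_manager"},                     # can create vendor and approve payment
    "bob":   {"developer"},
    "carol": {"firewall_requester", "firewall_approver"},    # requests and approves own changes
    "dave":  {"developer", "auditor"},                       # read-only audit role is compatible
}

if __name__ == "__main__":
    for user, pairs in sod_violations(USER_ROLES).items():
        print(f"{user}: {pairs}")
    print("grant bob release_engineer:", safe_to_grant(USER_ROLES, "bob", "release_engineer"))
    print("grant bob auditor:", safe_to_grant(USER_ROLES, "bob", "auditor"))
```

The detective report suits a periodic access review; the preventive function belongs in the provisioning workflow, where it blocks the grant before the conflict exists. Because the check works on effective permissions rather than role names, a conflict hidden across two innocuous-looking roles is still caught.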
- [1] We are actually referring to information security management. For simplicity's sake, the term “security management” is used throughout this newsletter.
- [2] A set of best practice guidance for IT Service Management. ITIL is owned by the Office of Government Commerce in the UK. It consists of a series of publications giving guidance on the provision of quality IT services, and on the processes and facilities needed to support them. Please refer to http://www.itil.co.uk for more information.
- [3] ITIL v3 defines 5 core components: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.
- [4] "Taking the First Step with PDCA", 2 February 2009.
- [5] "Case Study – Advanced Approval Workflow", 26 August 2014.
- [6] "JOnline: Log Management: A Pragmatic Approach to PCI DSS", ISACA, by Prakhar Srivastava and Tarun Verma.
- [7] "Information Technology Incident Management: A Case Study of the University of Oviedo and the Faculty of Teacher Training and Education", July 2012.
- [8] "Key Elements of a Threat and Vulnerability Management Program", by John P. Pironti, 2006.
- [9] "Segregation of Duties (Preventive & Detective)", UCLA Corporate Financial Services.