3.4 IT Security Management – Frameworks, Standards & Regulations
Information is a crucial asset to companies and government agencies, and must therefore be
protected appropriately. Most information today is generated, stored, transported, or processed at least in part using information technology (IT). No one in industry, commerce and administration would any longer dispute the
need to adequately protect their IT environment. In addition, though, information from all other phases
of business processes must be adequately protected. IT security incidents such as the disclosure or
manipulation of information can have far-reaching, adverse effects on a business or can prevent the
organisation from performing its tasks, resulting in high costs.
3.4.1 Introduction to Information Security
Practical experience has shown that optimising information security management frequently improves
information security more effectively and lastingly than investing in security technology. However,
measures originally implemented to improve information security can also have a positive effect
outside a security context and can turn out to be profitable. Investments in information security can in
many cases even contribute to cost savings in the medium term. Positive side-effects that can be
expected from this are higher quality of work, increased customer confidence, optimisation of the IT
landscape and organisational processes as well as the utilisation of synergy effects through better
integration of information security management in existing structures.
An appropriate level of information security depends primarily on systematic procedures and only
secondarily on the individual technical measures. The following considerations illustrate this:
· The management level is responsible for ensuring statutory regulations and contracts with third parties are complied with and that important business processes are not disrupted.
· Information security has interfaces with many areas of an institution and affects highly important business processes and tasks. Only the administration/management level can therefore ensure that information security management is integrated smoothly into existing organisational structures and processes.
· Furthermore, the administration/management level is responsible for the efficient deployment of resources.
The administration/management level therefore has a high degree of responsibility for information
security. A lack of supervision, an unsuitable information security strategy or wrong decisions can
have far-reaching negative effects because of security incidents as well as missed opportunities and
What is information security?
The purpose of information security is to protect information of all kinds and from all sources. This
information might be printed on paper, kept on computer systems or stored in the minds of the users.
IT security primarily deals with protecting information stored electronically and with its processing.
The classic core principles of information security, namely confidentiality, integrity and availability,
form the basis for its protection. Many users also include additional basic values in their
analyses. These can also be very helpful, depending on the application case.
Additional generic terms used in information security include, for example, authenticity, validity,
reliability, and non-deniability.
As the following examples illustrate, information security is not only threatened by wilful acts such as
computer viruses, interception of communications or computer theft:
· Force majeure (e.g. fires, flooding, storms and earthquakes) can directly affect data media, IT systems or block access to the computer centre. Documents, IT systems or services are therefore no longer available as required.
· After an unsuccessful software update, applications cease to function, or data has been modified without being noticed.
· An important business process is delayed because the only staff members familiar with the software application are ill.
· Confidential information is inadvertently passed on to unauthorised persons by a staff member because documents or files have not been marked “confidential”.
A choice of words: IT security versus information security
The terms “information technology”, “information and communications technology” and “information
and telecommunications technology” are frequently used synonymously. Due to the length of these
terms, various abbreviations have become established and people therefore generally simply refer to
IT. Since the electronic processing of information is a part of almost all areas of our lives,
distinguishing between whether information is processed using information technology,
communications technology or on paper is no longer up-to-date. The term “information security”
instead of IT security is therefore more comprehensive and more appropriate. Since, however, the
term “IT security” is still predominantly used in the literature (among other reasons, because it is
shorter), it will continue to be used in this publication as well as in other publications of IT-Grundschutz,
although the documents will place more and more emphasis over time on examining
information security.
Effective and efficient management of information security is not only an important issue for large institutions but also for small and medium-sized public agencies and companies as well as for the self-employed.
The structure of an appropriate information security management system depends, of
course, on the size of the institution. This standard and the very specific recommendations of IT-Grundschutz are there to help any person responsible who wishes to improve information security within their sphere of influence. Throughout the following, we shall continuously provide information on how the recommendations of this standard can be adapted to suit the specific needs at hand whilst considering the size of the institution.
3.4.2 Overview of information security standards
In the area of information security, various standards have been developed in which emphasis is
placed in part on different target groups or subject areas. The use of security standards in companies or
government agencies not only improves the level of security; it also makes it easier for
organisations to agree on which security safeguards must be implemented and in what form. The
following overview points out the basic ideas behind the most important standards.
ISO standards for information security
In the international standards organisations ISO and IEC, it was decided to consolidate the standards
for information security in the 2700x series since the number of standards is constantly increasing.
The most important standards in this case are:
Figure 1: ISO 27.0x standards
· ISO 13335 – The ISO 13335 standard “Management of Information and Communications Technology Security” (formerly “Guidelines on the Management of IT Security”) is a general guide for initiating and implementing the IT security management process. It provides instructions but no solutions for managing IT security. The standard is a fundamental work in this area and is the starting point or reference point for a whole series of documents on IT security management.
· ISO 17799 – The aim of ISO 17799 “Information Technology – Code of Practice for Information Security Management” is to define a framework for IT security management. ISO 17799 is therefore primarily concerned with the steps necessary for developing a fully-functioning IT security management and for integrating this securely in the organisation. The necessary IT security measures are touched on briefly on the one hundred or so pages of the ISO/IEC 17799 standard. The recommendations relate to the management level and contain almost no specific technical information. Their implementation is one of the many options available for fulfilling the requirements of the ISO 27001 standard.
· ISO 27001 – The ISO 27001 “Information Technology – Security Techniques – Information Security Management Systems Requirements Specification” is the first international standard for management of information security that also allows certification. ISO 27001 provides general recommendations on around ten pages for, among other things, the introduction, operation, and improvement of a documented information security management system that also takes the risks into account. The controls from ISO/IEC 27002 are referred to in a normative annex.
· ISO 27002 – The goal of ISO 27002 (previously ISO 17799:2005), “Information technology – Code of practice for information security management”, is to define a framework for information security management. ISO 27002 is therefore mainly concerned with the steps necessary to establish a functioning security management system and anchor it in the organisation. The necessary security safeguards are only described briefly in the approximately 100 pages of the ISO standard ISO/IEC 27002. The recommendations are primarily intended for the management level and do not contain much specific technical information for this reason. The implementation of the security recommendations in ISO 27002 is one of many ways to fulfil the requirements of ISO Standard 27001.
· ISO 27005 – This ISO Standard “Information security risk management” contains general recommendations for risk management for information security. Among other items, it supports the implementation of the requirements from ISO/IEC 27001. In this case, though, no specific method for risk management is prescribed. ISO/IEC 27005 replaces the previous standard ISO 13335-2. This standard, ISO 13335 “Management of information and communications technology security, Part 2: Techniques for information security risk management”, provided guidelines for the management of information security.
· ISO 27006 – ISO Standard 27006 “Information technology – Security techniques – Requirements for the accreditation of bodies providing certification of information security management systems” specifies requirements for the accrediting of certification bodies for ISMS and handles specific details of the ISMS certification process.
· Other standards in the ISO 2700x series – The ISO 2700x series of standards will probably be made up of ISO standards 27000–27019 and 27030–27044 in the long term. All standards in this series handle different aspects of security management and are based on the requirements in ISO 27001. The other standards should contribute to improved understanding and the practical application of ISO 27001. They handle, for example, the practical implementation of ISO 27001, i.e. the measurability of risks or methods for risk management.
IT-Grundschutz Catalogues
The BSI’s best-known publication on information security, the IT-Grundschutz Manual, not only describes the management of information security in great detail but also describes information security safeguards from the areas of technology, organisation, personnel and infrastructure in detail. The IT-Grundschutz Catalogues have a modular structure and contain modules for typical processes, applications and IT components. In addition to recommending information security measures for each
subject, they also describe the most important threats against which an institution should protect
itself. The user can therefore focus on the modules that are relevant to their area. The modules
of the IT-Grundschutz Catalogues are updated and extended regularly and also take into account the
latest technical developments.
BSI series of standards for information security: the issue of IS Management
· 100-1: Information security management systems (ISMS)
The present standard defines the general requirements of an ISMS. It is fully compatible
with the ISO 27001 standard and also takes the recommendations of the ISO 27001 and
27002 standards into consideration. It provides readers with an easy-to-understand and
systematic instruction manual, irrespective of which method they want to use to implement the requirements.
The BSI renders the content of these ISO standards in its own BSI standard so that it can
describe some issues in greater detail and thus portray the content with a more didactical
approach. Furthermore, the structure has been designed to be compatible with the IT-Grundschutz
procedure. The standardised headers used in the documents mentioned above
make it very easy for readers to get their bearings.
· 100-2: IT-Grundschutz Methodology
The IT-Grundschutz Methodology explains in a step-by-step fashion how a management
system for information security can be developed and operated in practice. The functions of
the information security management system and the organisational structure for information security are very important issues here. The IT-Grundschutz Methodology goes into great detail on how a policy for information security can be developed in practice, how appropriate information security safeguards can be selected and what should be watched out for when implementing the information security policy. It also answers in detail the question of how to maintain and improve information security during routine operation.
IT-Grundschutz in conjunction with BSI Standard 100-2 therefore interprets the very general
requirements of the previously mentioned ISO 27000, 27001, and 27002 standards and
provides users with practical help in the form of numerous tips, background knowledge,
information and examples. The IT-Grundschutz Catalogues not only explain what should be
done but also provide very specific information on how this can be implemented (also on a
technical level). Proceeding in accordance with IT-Grundschutz is therefore a proven and
efficient manner of fulfilling all the requirements of the above-mentioned ISO standards.
· 100-3: Risk analysis on the basis of IT-Grundschutz
The BSI has worked out a methodology for risk analysis on the basis of IT-Grundschutz.
This approach can be used when companies or public agencies are already working
successfully with IT-Grundschutz and would like to add an additional security analysis to
the IT-Grundschutz analysis as seamlessly as possible.
· 100-4: Emergency management
BSI Standard 100-4 explains a method for establishing and maintaining an agency-wide or
company-wide emergency management system. The method described here is based on the
IT-Grundschutz Methodology described in BSI Standard 100-2 and complements it well.
3.4.3 Open Questions
Question 1: Why are Information Security Management Systems becoming an
integral part of Information Technology?
Answer: The increase in cyber-attacks, cyber warfare, corporate espionage and hacktivism has raised strong concern over the implementation of IT governance. Here are five benefits of implementing an ISMS in an organisation:
a. It helps you coordinate all your security efforts (both electronic and physical) coherently, consistently and cost-effectively.
b. It provides you with a systematic approach to managing risks and enables you to make informed decisions on security investments.
c. It gives you credibility with staff, clients and partner organisations, and demonstrates due diligence.
d. It encompasses people, processes and IT systems, recognising that information security involves all three, and thereby creates better work practices that support business goals.
e. It can be formally assessed and certified against ISO 27001, bringing additional benefits such as demonstrable credentials, customer assurance and competitive advantage.
Question 2: Briefly explain how other frameworks, i.e. COBIT
and ITIL, differ from ISO 27.0x.
Answer: The following comparison contrasts the three frameworks.
COBIT                                 ITIL                                  ISO 27.0x
Mapping IT processes                  Mapping IT service level management   Information security framework
4 Processes & 34 Domains
Information system audit              Manage service level                  Compliance to security board
Accounting firm, IT consulting firm   IT consulting firm                    IT consultant firm, security firm, network consultants