by The Open University
Information security management is the process by which the value of each of an organisation's information assets is assessed and, if appropriate, protected on an ongoing basis. The information an organisation holds will be stored, used and transmitted using various media, some of which will be tangible (paper, for example) and some intangible (such as the ideas in employees' minds). Preserving the value of information is mainly a question of protecting the media in which it is contained.
Building an information security management system (as we present it in this unit) is achieved through the systematic assessment of the systems, technologies and media used for information assets, the appraisal of the costs of security breaches, and the development and deployment of countermeasures to threats. Put simply, information security management recognises the most vulnerable spots in an organisation and builds armour-plating to protect them.
The diversity of the media used for an organisation's information assets is just one of the difficulties to be overcome in building an information security management system. Among other difficulties are the following.
Effective information security measures often run counter to the mission of an organisation. For instance, the safest way to secure a computer and the information on it is to allow no access to it at all!
The requirement to respect the needs of the users of the organisation's information, so that they can continue to do their jobs properly.
We can deduce that no single solution can address all possible security concerns. The only strategy is to engineer a fit-for-purpose solution that achieves a suitable balance between risks and protection against them.
As with all management systems, the engineering of a fit-for-purpose information security management system is achieved through hard work. Part of the hard work is, of course, an understanding of the technologies involved; we provide the necessary details in this unit. Other major tasks are identifying the needs of the different stakeholders and ensuring coverage of every procedure and policy that involves the development, transformation or dissemination of sensitive information.
Thus, information security management is a development activity analogous to the development of software, and we shall present it in this way throughout this unit.
Click on Reading 1 to read the section from the introduction to the British Standard on Information Security Management entitled ‘What is information security?’.
How is information security characterised in the Standard?
How is information security achieved, according to the Standard?
The original standard on information security management that was developed by the British Standards Institute (BSi) was British Standard BS 7799-1:1999. This was revised as International Standard ISO/IEC 17799:2000(E), and then readopted in the UK as British Standard BS 7799-1:2000 (and is also referred to as BS ISO/IEC 17799:2000). Subsequently a second standard, BS 7799-2:2002, was developed (based on an earlier standard, BS 7799-2:1999, brought out to accompany BS 7799-1:1999), creating the current two-part British Standard on information security management. We shall refer to these two documents collectively as the British Standard on Information Security Management, or as the Standard for short. Individually, we shall refer to BS 7799-1:2000 as Part 1 of the Standard and BS 7799-2:2002 as Part 2 of the Standard. Both parts of the Standard are accessible from British Standards Online. It is a section from the Introduction to Part 1 of the Standard (BS 7799-1:2000) that you are asked to read here.
When reading the extract, try not to be put off by its dry and formal style and language.
Information security is characterised as the preservation of the confidentiality, integrity and availability of information.
According to the Standard, information security is achieved by choosing and implementing a set of controls (these could be policies, practices, procedures, organisational structures or software functions) to ensure that the information security objectives of the organisation are met.
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).