Which of the following is the most important activity for an information security manager when it comes to regulatory issues?


Objective: Information Security Management aims to ensure the confidentiality, integrity and availability of an organization's information, data and IT services. ITIL Security Management usually forms part of an organizational approach to security management which has a wider scope than the IT Service Provider.

Part of: Service Design

Process Owner: Information Security Manager

Process Description

ITIL V3 treats Information Security Management as part of the Service Design core volume, resulting in a better integration of this process into the Service Lifecycle (the previous ITIL version provided guidance on Security Management in a separate book).


The process has been updated to account for new information security concerns.

ITIL does not provide a detailed explanation of all aspects of Information Security Management, as there are dedicated and more detailed standards available (see, for example, ISO 27001). Rather, ITIL highlights the most important activities and assists in identifying interfaces with other Service Management processes.

Following the introduction of Design Coordination in ITIL 2011, the information flows have been adapted. The process overview of ITIL Security Management shows the key information flows (see fig. 1).

ITIL 4 refers to 'Information Security Management' as a general management practice.

Sub-Processes

These are the Information Security Management sub-processes and their process objectives:

Design of Security Controls

  • Process Objective: To design appropriate technical and organizational measures in order to ensure the confidentiality, integrity, security and availability of an organization's assets, information, data and services.

Security Testing

  • Process Objective: To make sure that all security mechanisms are subject to regular testing.

Management of Security Incidents

  • Process Objective: To detect and fight attacks and intrusions, and to minimize the damage incurred by security breaches.

Security Review

  • Process Objective: To review if security measures and procedures are still in line with risk perceptions from the business side, and to verify if those measures and procedures are regularly maintained and tested.

Definitions

The following ITIL terms and acronyms (information objects) are used in the Security Management process to represent process outputs and inputs:

Availability/ ITSCM/ Security Testing Schedule

Event Filtering and Correlation Rules

  • Rules and criteria used to determine if an Event is significant and to decide upon an appropriate response. Event Filtering and Correlation Rules are typically used by Event Monitoring systems. Some of those rules are defined during the Service Design stage, for example to ensure that Events are triggered when the required service availability is endangered.
  • Note: The output "Event Filtering and Correlation Rules" has been added in ITIL 2011, to emphasize that (some) Event filtering and correlation rules should be designed by Information Security Management to support the detection of security issues.
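The definition above separates two decisions: whether an Event is significant at all (filtering) and what response a pattern of significant Events warrants (correlation). The following is an added illustration, not code from the ITIL guidance or from IT Process Maps, of how a small rule set designed by Information Security Management might encode both. The service names, thresholds, event kinds and the sample event stream are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable


@dataclass
class Event:
    """One monitoring event; every field holds constructed sample data."""
    ts: datetime
    source: str          # host or component that emitted the event
    kind: str            # e.g. "heartbeat", "auth_failure", "service_down"
    severity: str        # "debug", "info", "warning" or "critical"
    attrs: dict = field(default_factory=dict)


@dataclass
class Response:
    rule: str
    action: str
    detail: str


# Filtering rules: an event matching any predicate is NOT significant and is
# discarded before correlation (the noise-reduction half of the definition).
FILTER_RULES: list[tuple[str, Callable[[Event], bool]]] = [
    ("drop-heartbeat", lambda e: e.kind == "heartbeat"),
    ("drop-debug", lambda e: e.severity == "debug"),
]

# Services with a required availability target agreed in Service Design (assumed names).
PROTECTED_SERVICES = {"payment-api", "identity-provider"}


def is_significant(event: Event) -> bool:
    return not any(pred(event) for _, pred in FILTER_RULES)


class Correlator:
    """Applies correlation rules over a sliding time window of significant events."""

    def __init__(self, window: timedelta = timedelta(seconds=60), fail_threshold: int = 5):
        self.window = window
        self.fail_threshold = fail_threshold
        self._auth_failures: dict[str, list[datetime]] = {}
        self._alerted: set[str] = set()

    def process(self, event: Event) -> list[Response]:
        responses: list[Response] = []

        # Rule 1 (security): repeated authentication failures for one account
        # inside the window are escalated once as a Security Alert.
        if event.kind == "auth_failure":
            account = event.attrs.get("account", "?")
            hits = self._auth_failures.setdefault(account, [])
            hits.append(event.ts)
            hits[:] = [t for t in hits if event.ts - t <= self.window]
            if len(hits) >= self.fail_threshold and account not in self._alerted:
                self._alerted.add(account)
                responses.append(Response(
                    "auth-failure-burst", "raise_security_alert",
                    f"{len(hits)} failed logins for {account} within {self.window.seconds}s"))

        # Rule 2 (availability): an outage of a protected service opens a major
        # incident; an outage of anything else is only recorded.
        if event.kind == "service_down":
            service = event.attrs.get("service", "?")
            if service in PROTECTED_SERVICES:
                responses.append(Response("protected-service-down", "open_major_incident",
                                          f"{service} unavailable"))
            else:
                responses.append(Response("service-down", "record_event", f"{service} unavailable"))

        # Rule 3: a critical event no specific rule handled still reaches an operator.
        if event.severity == "critical" and not responses:
            responses.append(Response("critical-catch-all", "notify_operator",
                                      f"{event.kind} from {event.source}"))

        return responses


def run(events: list[Event]) -> list[Response]:
    """Filter first, then correlate in time order; return every response decided on."""
    correlator = Correlator()
    out: list[Response] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_significant(ev):
            out.extend(correlator.process(ev))
    return out


def sample_events() -> list[Event]:
    """Constructed event stream, not real monitoring data."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    evs = [Event(t0 + timedelta(seconds=10 * i), "web-01", "heartbeat", "info") for i in range(6)]
    evs += [Event(t0 + timedelta(seconds=5 * i), "vpn-gw", "auth_failure", "warning",
                  {"account": "alice"}) for i in range(6)]
    evs.append(Event(t0 + timedelta(seconds=7), "app-02", "gc_pause", "debug"))
    evs.append(Event(t0 + timedelta(seconds=40), "monitor", "service_down", "critical",
                     {"service": "payment-api"}))
    evs.append(Event(t0 + timedelta(seconds=45), "monitor", "service_down", "warning",
                     {"service": "wiki"}))
    evs.append(Event(t0 + timedelta(seconds=50), "db-01", "disk_failure", "critical"))
    return evs


if __name__ == "__main__":
    for r in run(sample_events()):
        print(f"{r.rule:25} {r.action:22} {r.detail}")
```

Running the module prints four decisions: a Security Alert on the fifth failed login for the constructed account, a major incident for the protected service outage, a plain record for the non-protected outage, and an operator notification for the unhandled critical event. Heartbeats and debug events never reach the correlator, which is the point of keeping filtering as a separate, first step.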

Information Security Policy

  • The Information Security Management Policy describes and communicates the organization's approach to managing information security. It includes references to more specific Underpinning Information Security Policies which, for example, set binding rules for the use of systems and information.

Information Security Report

  • The Information Security Report provides other Service Management processes and IT Management with information related to Information Security issues.

Security Advisories

  • A list of known security vulnerabilities compiled from input by third-party product suppliers. The list contains instructions for preventive measures and for the handling of security breaches once they occur.

Security Alert

  • A warning produced by Information Security Management, typically released when outbreaks of security threats are foreseeable or already under way. The aim is to make sure that users and IT staff are able to identify any attacks and take appropriate precautions.

Security Management Information System (SMIS)

  • A virtual repository of all Information Security Management data, usually stored in multiple physical locations.

Test Report

  • A Test Report provides a summary of testing and assessment activities. A Test Report is created for example during Release tests in the Service Transition stage or during tests carried out by Availability, IT Service Continuity or Information Security Management.

Underpinning Information Security Policy

  • Underpinning Information Security Policies are specific policies complementing the main Information Security Policy by setting binding rules for the use of systems and information as well as for the use and delivery of services, with the aim of improving information security.

KPIs

  • Key Performance Indicators (KPIs) for Information Security Management

Roles | Responsibilities

Information Security Manager - Process Owner

  • The Information Security Manager is responsible for ensuring the confidentiality, integrity and availability of an organization's assets, information, data and IT services. The Information Security Manager is usually involved in an organizational approach to Security Management which has a wider scope than the IT service provider and includes the handling of paper, building access, phone calls etc. for the entire organization.

Remarks

[1] A: Accountable according to the RACI Model: Those who are ultimately accountable for the correct and thorough completion of the Information Security Management process.

[2] R: Responsible according to the RACI Model: Those who do the work to achieve a task within ITIL Security Management.

[3] see → Role descriptions ...

Notes

By: Stefan Kempter, IT Process Maps.

Information security management encompasses many areas -- from perimeter protection and encryption to application security and disaster recovery. IT security is made more challenging by compliance regulations, such as HIPAA, PCI DSS, Sarbanes-Oxley and global standards, such as GDPR.

This is where IT security frameworks and standards can be helpful. Knowledge of regulations, standards and frameworks is essential for all infosec and cybersecurity professionals. Compliance with these frameworks and standards is important from an audit perspective, too.

To help manage the process, let's look at what IT security standards, regulations and frameworks are, as well as a few of the more popular options to choose from and how they are used.

What are IT security standards and regulations?

Standards are like a recipe; they list out steps that must be performed. A well-managed IT organization must comply with requirements set forth in a standard.

Regulations, in contrast, have a legal binding impact. The way they describe how something should be performed indicates government and public support for the rules and processes set forth in the regulation. Failure to comply with IT-focused regulations can result in financial penalties and litigation.

What is an IT security framework?

An IT security framework is a series of documented processes that define policies and procedures around the implementation and ongoing management of information security controls. These frameworks are a blueprint for managing risk and reducing vulnerabilities.

Information security professionals use frameworks to define and prioritize the tasks required to manage enterprise security. Frameworks are also used to help prepare for compliance and other IT audits. Therefore, the framework must support specific requirements defined in the standard or regulation.

Organizations can customize frameworks to solve specific information security problems, such as industry-specific requirements or different regulatory compliance goals. Frameworks also come in varying degrees of complexity and scale. Today's frameworks often overlap, so it's important to select a framework that effectively supports operational, compliance and audit requirements.

Why are frameworks important?

Frameworks provide a starting point for establishing processes, policies and administrative activities for information security management.

Security requirements often overlap, which results in "crosswalks" that can be used to demonstrate compliance with different regulatory standards. For example, ISO 27002 defines information security policy in Section 5; Control Objectives for Information and Related Technology (COBIT) defines it in the "Align, Plan and Organize" section; the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework defines it as "Internal Environment;" HIPAA defines it as "Assigned Security Responsibility;" and PCI DSS defines it in the "Maintain an Information Security Policy" section.

Using a common framework, such as ISO 27002, an organization can establish crosswalks to demonstrate compliance with multiple regulations, including HIPAA, Sarbanes-Oxley, PCI DSS and Gramm-Leach-Bliley.

How to choose an IT security framework

The choice to use a particular IT security framework can be driven by multiple factors. The type of industry or compliance requirements could be deciding factors. Publicly traded companies, for example, may wish to use COBIT to comply with Sarbanes-Oxley, while the healthcare sector may consider HITRUST. The ISO 27000 Series of information security frameworks, on the other hand, is applicable in public and private sectors.

While ISO standards are often time-consuming to implement, they are helpful when an organization needs to demonstrate its information security capabilities via ISO 27000 certification. While NIST Special Publication (SP) 800-53 is the standard required by U.S. federal agencies, it can be used by any organization to build a technology-specific information security plan.

These frameworks help security professionals organize and manage an information security program. The only bad choice among these frameworks is not choosing any of them.

Examples of IT security standards and frameworks

1. ISO 27000 Series

The ISO 27000 Series was developed by the International Organization for Standardization. It is a flexible information security framework that can be applied to all types and sizes of organizations.

The two primary standards -- ISO 27001 and 27002 -- establish the requirements and procedures for creating an information security management system (ISMS). Having an ISMS is an important audit and compliance activity. ISO 27000 consists of an overview and vocabulary and defines ISMS program requirements. ISO 27002 specifies the code of practice for developing ISMS controls.

Compliance with ISO 27000 Series standards is established through audit and certification processes, typically provided by third-party organizations approved by ISO and other accredited agencies.

The ISO 27000 Series has 60 standards covering a broad spectrum of information security issues, for example:

  • ISO 27018 addresses cloud computing.
  • ISO 27031 provides guidance on IT disaster recovery programs and related activities.
  • ISO 27037 addresses the collection and protection of digital evidence.
  • ISO 27040 addresses storage security.
  • ISO 27799 defines information security in healthcare, which is useful for companies that require HIPAA compliance.

There are many IT security frameworks and standards for organizations to choose from.

2. NIST SP 800-53

NIST has developed an extensive library of IT standards, many of which focus on information security. First published in 1990, the NIST SP 800 Series addresses virtually every aspect of information security, with an increasing focus on cloud security.

NIST SP 800-53 is the information security benchmark for U.S. government agencies and is widely used in the private sector. SP 800-53 has helped spur the development of information security frameworks, including the NIST Cybersecurity Framework (CSF).

3. NIST SP 800-171

NIST SP 800-171 has gained popularity due to requirements set by the U.S. Department of Defense regarding contractor compliance with security frameworks. Government contractors are a frequent target for cyber attacks due to their proximity to federal information systems. Government manufacturers and subcontractors must have an IT security framework to bid on federal and state business opportunities.

Controls included in the NIST SP 800-171 framework are directly related to NIST SP 800-53 but are less detailed and more generalized. It's possible to build a crosswalk between the two standards if an organization must show compliance with NIST SP 800-53, using NIST SP 800-171 as the base. This creates flexibility for smaller organizations -- they can show compliance as they grow using the additional controls included in NIST SP 800-53.

4. NIST CSF

The NIST Framework for Improving Critical Infrastructure Cybersecurity, or NIST CSF, was developed under Executive Order 13636, released in February 2013. It was developed to address U.S. critical infrastructure, including energy production, water supplies, food supplies, communications, healthcare delivery and transportation. These industries must maintain a high level of preparedness, as they have all been targeted by nation-state actors due to their importance.

Unlike other NIST frameworks, NIST CSF focuses on risk analysis and risk management. Security controls in the framework are based on the five phases of risk management: identify, protect, detect, respond and recover. Like all IT security programs, these phases require the support of senior management. NIST CSF can be used by both public and private sectors.

5. NIST SP 1800 Series

The NIST SP 1800 Series is a set of guides that complement the NIST SP 800 Series of standards and frameworks. The SP 1800 Series of publications offers information on how to implement and apply standards-based cybersecurity technologies in real-world applications.

The SP 1800 Series publications provide the following:

  • examples of specific situations and capabilities;
  • experience-based, how-to approaches using multiple products to achieve the desired result;
  • modular guidance on implementation of capabilities for organizations of all sizes; and
  • specifications of required components and installation, configuration and integration information so organizations can easily replicate the process themselves.

6. COBIT

COBIT was developed in the mid-1990s by ISACA, an independent organization of IT governance professionals. ISACA offers the well-known Certified Information Systems Auditor and Certified Information Security Manager certifications.

COBIT originally focused on reducing IT risks. COBIT 5, released in 2012, included new technology and business trends to help organizations balance IT and business goals. The current version is COBIT 2019. It's the most used framework to achieve Sarbanes-Oxley compliance. Numerous publications and professional certifications address COBIT requirements.

7. CIS Controls

The Center for Internet Security (CIS) Critical Security Controls, Version 8 -- formerly the SANS Top 20 -- lists technical security and operational controls that can be applied to any environment. It does not address risk analysis or risk management like NIST CSF; rather, it is solely focused on reducing risk and increasing resilience for technical infrastructures.

Controls include the following:

  • Inventory and Control of Enterprise Assets
  • Data Protection
  • Audit Log Management
  • Malware Defenses
  • Penetration Testing

CIS Controls link with existing risk management frameworks to help remediate identified risks. They're useful resources for IT departments lacking technical information security experience.

8. HITRUST Common Security Framework

The HITRUST Common Security Framework includes risk analysis and risk management frameworks, along with operational requirements. The framework has 14 different control categories and can be applied to almost any organization, including healthcare.

HITRUST is a massive undertaking for any organization due to the heavy weight given to documentation and processes. As a result, many organizations end up scoping smaller areas of focus for HITRUST. The costs of obtaining and maintaining HITRUST certification add to the level of effort required to adopt this framework. The certification is audited by a third party, which adds a level of validity.

9. GDPR

GDPR is a framework of security requirements that global organizations must implement to protect the security and privacy of EU citizens' personal information. GDPR requirements include controls for restricting unauthorized access to stored data and access control measures, such as least privilege, role-based access and multifactor authentication.

10. COSO

COSO is a joint initiative of five professional organizations. Its 2013 framework covers internal controls, and its 2017 framework covers risk management.

A guidance paper, "Managing Cyber Risk in a Digital Age," offers advice on how to prepare and respond to enterprise cyber threats. It aligns with the COSO Enterprise Risk Management Framework.