B-Cognizance

IIITA's E-Magazine

Indian Institute of Information Technology - Allahabad

E-Secure Article 2


By

Rehan Khan

MSCLIS (2008-10)

Indian Institute of Information Technology, Allahabad


'ISMS' is a term that is being used widely in today's business circles. What does it stand for and how does it benefit a company? Given the importance of data and information, it is necessary to put in place a mechanism to secure the two.

ISMS stands for Information Security Management System and refers to the processes, policies, objectives, rules and framework in place to protect the company's information. It also renders the company's systems and assets foolproof, thereby guarding them against theft and external threats.

ISMS has been put to generous use after the Enron debacle. Data and information theft can take place with the connivance of disgruntled employees of an organization, who may shift their allegiance to the company's rivals as a result.

The features of ISMS are as follows:

1. Establishment of Information Security

2. Management Commitment

3. Internal ISMS Audits

4. Management Review

5. Maintaining ISMS

The first and foremost requirement before establishing an ISMS is to familiarise oneself with the management's business objectives and design an information security policy accordingly. This is because no security policy can succeed unless it is in line with the business objectives of the company. Therefore, a detailed study of the company is required. Then the various security policies, procedures and mechanisms must be put in place. A security mechanism involving a huge outlay to protect an asset of much lower value is not advisable, because it is better to accept the risk in such a case. Going by the cost-benefit principle, the cost involved in arranging protection should not be more than the loss incurred by taking the risk.

The second thing is to obtain the approval of the top management and thus enlist its support. It is the most difficult part of the exercise since such approval will not be forthcoming easily. Information security does not give you instant benefits. Also, the benefits are intangible. After the approval is obtained, a commitment is needed from the management to initiate the remaining steps that are required to be taken. Post-approval, a lot more has to be done in terms of internal audits, study of the various assets, maintenance of asset register, threat profiling, etc.

Thirdly, the assets of the company are to be identified and classified. This helps in identifying the main assets of the company and the components of each asset which need to be protected. This is followed by threat profiling, which is a compilation of the various threats faced by the asset and the probability of loss associated with the asset in question. This helps in designing an appropriate control mechanism in respect of the said asset.
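The two steps above, the cost-benefit principle and the asset register with its threat profile, are easier to see as a small model. The following Python is an added example written for this article, not code from the author or from any ISMS standard; it assumes the usual annual loss expectancy formula (asset value x exposure factor x annual rate of occurrence) as the measure of "probability of loss", and the asset values, threat probabilities and control costs it uses are constructed sample figures.

```python
"""Risk-based control selection for an ISMS asset register (added example).

Models the procedure described in the article: identify and classify assets,
profile the threats against each one, and apply the cost-benefit principle so
that a control is recommended only when the loss it prevents exceeds its cost.
All figures below are constructed sample values, not data from the article.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    annual_rate: float       # expected occurrences per year (ARO)
    exposure_factor: float   # fraction of the asset's value lost per occurrence


@dataclass
class Control:
    name: str
    annual_cost: float       # yearly outlay to run the control
    risk_reduction: float    # fraction of expected loss the control removes (0..1)


@dataclass
class Asset:
    name: str
    classification: str      # e.g. "confidential", "internal", "public"
    value: float             # replacement / business value of the asset
    threats: list = field(default_factory=list)


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = asset value * exposure factor * annual rate of occurrence."""
    return asset.value * threat.exposure_factor * threat.annual_rate


def asset_exposure(asset: Asset) -> float:
    """Total expected yearly loss across every threat profiled for the asset."""
    return sum(annual_loss_expectancy(asset, t) for t in asset.threats)


def evaluate_control(asset: Asset, control: Control):
    """Cost-benefit check: return (net benefit, decision).

    A control whose yearly cost exceeds the loss it avoids is not advisable;
    the article's advice in that case is to accept the risk instead.
    """
    avoided_loss = asset_exposure(asset) * control.risk_reduction
    net_benefit = avoided_loss - control.annual_cost
    decision = "implement" if net_benefit > 0 else "accept risk"
    return net_benefit, decision


def build_register(assets, candidate_controls):
    """Produce the review table the security team places before management.

    candidate_controls maps an asset name to the control proposed for it.
    """
    register = {}
    for asset in assets:
        control = candidate_controls[asset.name]
        net, decision = evaluate_control(asset, control)
        register[asset.name] = {
            "classification": asset.classification,
            "exposure": asset_exposure(asset),
            "control": control.name,
            "net_benefit": net,
            "decision": decision,
        }
    return register


# Constructed sample register: a high-value database and a low-value brochure.
SAMPLE_ASSETS = [
    Asset("customer-db", "confidential", 500_000.0, [
        Threat("insider data theft", annual_rate=0.2, exposure_factor=0.6),
        Threat("malware infection", annual_rate=1.0, exposure_factor=0.1),
    ]),
    Asset("marketing-brochure", "public", 2_000.0, [
        Threat("website defacement", annual_rate=2.0, exposure_factor=1.0),
    ]),
]

# Hypothetical controls with constructed costs (not real product pricing).
SAMPLE_CONTROLS = {
    "customer-db": Control("data loss prevention", annual_cost=40_000.0, risk_reduction=0.5),
    "marketing-brochure": Control("web application firewall", annual_cost=10_000.0, risk_reduction=0.9),
}

if __name__ == "__main__":
    for name, row in build_register(SAMPLE_ASSETS, SAMPLE_CONTROLS).items():
        print(f"{name:20} exposure={row['exposure']:>10.2f}  "
              f"{row['control']:26} net={row['net_benefit']:>10.2f}  -> {row['decision']}")
```

Run as-is it prints one row per asset: the customer database carries an expected loss of 110,000 a year, so a 40,000 control that halves that loss is worth implementing, while the brochure's 4,000 exposure does not justify a 10,000 control and the risk is accepted. Swapping in the company's own asset values and threat probabilities turns the same table into the document placed before top management in the next step.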

After an internal audit, the whole plan is placed before the top management, which is also apprised of the steps taken for the protection of the various assets depending upon their exposure to threats and their vulnerabilities. This also gives the information security team the go-ahead in respect of the rules, which must then be strictly adhered to and followed without being questioned.

The responsibility of the management, and also of the information security team, does not end once the ISMS has been implemented. The two should monitor compliance and implementation. They should also ascertain whether the purpose, viz. ensuring the safety of the information, is being served. The system should minimize the various threats and align itself with the business objectives. It should be able to address the company's goals, and the review should establish whether it has reduced exposure to risk or threats. If yes, then steps are to be taken to ensure that the system is sustained; if no, corrective measures are to be initiated.

PS: The author has also published the above article on his blog on www.merinews.com as a citizen journalist.

Ensuring Information Security