This article is intended to provide an overview of information security management systems (ISMS). For this purpose, the term is first explained, then the most important components and the individual steps for introducing an ISMS are presented. Finally, there is an overview of common standards.
Definition of information security
Information security deals with the protection of information. Specifically, information security defines the following protection goals for information:
Confidentiality: For each piece of information it must be assessed which group of people may access it and what the consequences of unauthorized access would be. A high level of confidentiality protection means that it is ensured that the information is not disclosed to unauthorized persons.
Confidentiality is often the overriding protection goal in research and development or in strategic decision-making processes.
Availability: Information is a core component of all business processes. It must be ensured that information is available to authorized persons whenever it is needed.
Availability is often the protection goal in the foreground in production or service processes that run in tight synchronization.
Integrity: Data must be “correct”. This means that undesired changes are prevented, whether they result from attacks or, for example, from material fatigue of the storage medium. Changes must be traceable.
This protection goal must be rated particularly highly if “wrong” data can lead to grossly wrong decisions.
In some cases these protection goals compete with each other. This can be the case, for example, when information cannot be retrieved “immediately” because high confidentiality requirements impose multi-level authentication procedures.
In addition to these three main protection goals there are also so-called extended protection goals, which are not discussed in this article.
The term information security is often incorrectly equated with the term IT security. However, this does not go far enough. While IT security deals with the security of information technology, i.e. of the systems that process information, information security considers the totality of all information. This includes information on data carriers that IT security does not cover at all, and information that is never explicitly recorded but can only be derived implicitly through analysis.
We can therefore say that IT security is a subset of information security.
Definition of management systems
In practice, companies are constantly faced with the challenge of formulating goals while having only limited resources (time, personnel, capital) to achieve them. Management systems are used to plan and control the achievement of objectives in an economically efficient and systematic manner. They are intended to guarantee that the resources available for a goal are allocated in the best possible way and that the process is controlled systematically.
The following requirements must be met for this:
The organization must define the goal which the management system is to achieve. The goal must then be operationalized, i.e. made measurable. This is the only way to check afterwards whether the intended goals have actually been achieved. This is usually done using so-called KPIs. A KPI within an ISMS could be, for example:
- 99% of the workforce has been trained in information security at least once a year
- The number of security incidents is reduced by 25% within the next 2 years
Once the goal has been operationalized, the available resources can be planned in order to work towards the defined goal (PLAN). After planning is completed, the planned measures are implemented (DO). To determine whether the desired goals (measured against the operationalized goals in the form of KPIs) have been achieved with the measures implemented, goal achievement is regularly compared against the plan and checked (CHECK).
If it is found that the goals have not been achieved, the reason for the deviation must be analyzed and corrective measures derived, which feed into a new plan (ACT). This forms the so-called Deming cycle (PDCA), which is the basis of every management system.
In summary, it is the task of an information security management system to achieve the information security goals defined by the organization through the planning and implementation of measures and to regularly check the achievement of goals. The resources defined for the information security organization are available for this.
Basics of an ISMS
Definition of information security goals
The first, fundamental step for the introduction of an ISMS can be derived directly from the introduction to management systems. The organization must first define its information security goals. This sounds abstract at first, but it can be easily illustrated by the following examples:
- The protection of our customer data is extremely important to us, because we can only achieve sustainable business success through the trust of our customers
- Our success is guaranteed by our fair customer conditions. For this it is essential that all of our systems work correctly. Manufacturing errors cannot be tolerated.
- We can only defend our market position as a technology leader in the long term by protecting our business secrets. This has to be one of the main goals of our information security organization.
Just as important as the creation of information security goals is the scoping: it must be clear to which area these goals apply. For the sake of simplicity this is often the entire company, but it is also possible to scope the ISMS to individual processes or areas.
The information security organization
In order to achieve the information security goals, the company needs an information security organization. This refers to the people and processes that are to ensure that the goals are achieved through the development and implementation of measures. The basis of every information security organization is the appointment of a person responsible for information security.
In Germany, this is usually referred to as the “information security officer”.
The information security officer fulfills an important control function within the company. To avoid conflicts of interest, the information security officer should report directly to the highest management level.
The information security policy
Both the information security goals and the main features of the information security organization must be adopted by top management in a policy.
This policy is the basis and at the same time the legitimation for the actions of the information security officer, who must align the security organization with its content.
Inventory of information assets
After the goals, the scope and the organization have been clarified, the operational steps can begin.
First, an overview of the existing information must be created. In information security one traditionally speaks of so-called “information assets”.
Companies have many different information assets, for example these could be:
- Customer databases
- Internal controlling reports
- HR data of the employees
- Production and machine control information
Prepare a risk analysis
After the information assets have been recorded, a risk analysis is carried out for them. The aim of the risk analysis is to make the level of protection appropriate and effective for what is actually being protected. What does that mean in concrete terms?
Let’s say a company has 2 storage rooms. In one room, pallets with office supplies are stored. In the other room there are gold bars. It is immediately clear that the security measures for the room with the gold bars are more important than those for the room with the office supplies. But just because gold bars are stored in one room, it would be uneconomical to equip every room with thick steel doors.
Each information asset is therefore classified according to its protection requirement, and this classification is made separately for each of the three protection goals. It is, so to speak, the “value” of the information for the company with respect to that protection goal, and it always depends on the effect of a violation of the goal.
Unfortunately, it is often difficult for a company to quantify this assessment in relation to information. The risk analysis should ensure that a systematic and correct classification is made for all information.
The second task of risk analysis is to identify the possible attack scenarios and assess how likely they are. Interdisciplinary cooperation is often required for this, because dangers can arise from many sources for information carriers and thus also the information they contain.
Creation of a security concept
The security concept is developed on the basis of the risk analysis and measures are then planned. One often speaks of so-called “controls” here. These can be both technical and organizational measures. The following triad always applies:
Concept / guideline: A concept must be drawn up which shows which measures are to be implemented, why and how.
Measure: The concept results in measures that have to be implemented.
Audit: The appropriateness and effectiveness of the measures must be verifiable and must actually be verified. A measure whose effectiveness cannot be verified adds no value. This must be taken into account when creating the concept.
For each of these 3 steps a clear person responsible must be determined. If possible, the audit role should be assigned to a different person than the concept and implementation roles (segregation of duties).
In larger organizations there is usually a policy pyramid which concretizes the abstract security goals step by step, from the top-level policy down to specific guidelines and work instructions.
Information security management processes
Once the system has been implemented, the risk analysis and the measures must be checked regularly. This is very important for two reasons:
- Especially in the field of IT security, new vulnerabilities are constantly being discovered that were not yet considered in the first risk analysis. It must be examined how these new risks are taken into account and whether additional measures are necessary.
- Many measures, especially organizational ones, first have to prove themselves in practice. If users perceive a measure as too cumbersome, they often try to circumvent it. The measure then cannot develop any effectiveness, the desired risk reduction is not achieved, and the company incurs costs without added value.
In addition, information security incidents must be continuously recorded and evaluated. Information security incidents are events within the company that lead to a violation of the protection goals. This can be, for example, a failure of a system that requires high availability or the intrusion of malware into the company.
The systematic recording of such incidents can support the next revision of the risk analysis and measures to further optimize the information security organization.
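The two passages above, the risk analysis (classification per protection goal, attack scenarios and their likelihood) and the feedback of recorded incidents into the next revision, can be made concrete with a small risk register. The following Python is an added example written for this article, not code from the article's author or from any of the standards named below; the assets, scenarios, incidents, the three-step scale and the treatment thresholds are all constructed assumptions for illustration.

```python
# Added example: a minimal risk register that ties the inventory of information
# assets, the per-goal classification, the threat scenarios and the recorded
# incidents together. All assets, scenarios, incidents, scales and thresholds
# below are constructed for illustration; they are not taken from any standard.
from collections import Counter
from dataclasses import dataclass

GOALS = ("confidentiality", "integrity", "availability")
SCALE = {"low": 1, "medium": 2, "high": 3}          # assumed three-step scale
BUMP = {"low": "medium", "medium": "high", "high": "high"}


@dataclass
class Asset:
    name: str
    protection_need: dict          # goal -> "low" | "medium" | "high"


@dataclass
class Scenario:
    asset: str
    goal: str                      # the protection goal the scenario violates
    description: str
    likelihood: str                # "low" | "medium" | "high"


@dataclass
class Incident:
    asset: str
    goal: str                      # the protection goal that was actually violated
    description: str


def risk_score(asset: Asset, scenario: Scenario) -> int:
    """Impact (value of the asset for the violated goal) times likelihood, 1..9."""
    if scenario.goal not in GOALS:
        raise ValueError(f"unknown protection goal: {scenario.goal}")
    return SCALE[asset.protection_need[scenario.goal]] * SCALE[scenario.likelihood]


def treatment(score: int) -> str:
    """Assumed thresholds mapping a score to a treatment decision."""
    if score >= 6:
        return "reduce, avoid or transfer now"
    if score >= 3:
        return "reduce with a planned measure"
    return "accept and monitor"


def build_register(assets, scenarios):
    """One row per scenario, highest risk first: the input for the security concept."""
    by_name = {a.name: a for a in assets}
    rows = []
    for s in scenarios:
        score = risk_score(by_name[s.asset], s)
        rows.append({"asset": s.asset, "goal": s.goal, "scenario": s.description,
                     "score": score, "treatment": treatment(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def revise_likelihood(scenarios, incidents):
    """Feed recorded incidents into the next revision of the risk analysis:
    a scenario whose (asset, goal) pair has actually materialised is re-rated
    one step more likely, which may change its treatment."""
    seen = Counter((i.asset, i.goal) for i in incidents)
    revised = []
    for s in scenarios:
        if seen[(s.asset, s.goal)]:
            s = Scenario(s.asset, s.goal, s.description, BUMP[s.likelihood])
        revised.append(s)
    return revised


# Constructed sample data (not real company data).
ASSETS = [
    Asset("customer database", {"confidentiality": "high", "integrity": "medium", "availability": "medium"}),
    Asset("machine control data", {"confidentiality": "low", "integrity": "high", "availability": "high"}),
    Asset("controlling reports", {"confidentiality": "medium", "integrity": "medium", "availability": "low"}),
]
SCENARIOS = [
    Scenario("customer database", "confidentiality", "backup copied by insider", "medium"),
    Scenario("customer database", "integrity", "faulty script mass-updates records", "low"),
    Scenario("machine control data", "availability", "ransomware reaches engineering workstation", "low"),
    Scenario("controlling reports", "availability", "file server outage", "medium"),
]
INCIDENTS = [
    Incident("machine control data", "availability", "PLC network unreachable for 2 h after switch failure"),
]

if __name__ == "__main__":
    for row in build_register(ASSETS, revise_likelihood(SCENARIOS, INCIDENTS)):
        print(f"{row['score']}  {row['asset']:<22} {row['goal']:<16} {row['treatment']}")
```

Running the module prints the revised register. The point of the example is the feedback loop: the machine-control availability scenario starts at score 3 (high impact, low likelihood) and is merely planned for; after the recorded outage its likelihood is re-rated to medium, the score rises to 6 and it moves into the same treatment class as the customer-data confidentiality risk. A real register would of course carry owners, due dates and the control that addresses each row.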
Frameworks and Standards
As in other management systems, many standards have already been established around the world in the area of information security management. Some are presented here and compared in terms of complexity:
BSI IT-Grundschutz:
IT-Grundschutz is the framework of the German Federal Office for Information Security (BSI). It defines specific protection levels and, depending on the protection level, very specific measures which are to be implemented.
IT-Grundschutz was noticeably slimmed down in its last revision. While the old version was of no interest to many companies because of its extensive requirements, the new version is intended to be applicable to smaller companies as well.
ISO/IEC 27001 is a standard known worldwide. While IT-Grundschutz prescribes measures in many areas, ISO 27001 is significantly more flexible: it requires the organization to carry out a risk assessment, to decide on the treatment of each risk, and to document this in the required documents (including a risk treatment plan and a statement of which Annex A controls apply and why). How a risk is ultimately treated (avoidance, reduction, acceptance or transfer) is left to the organization.
ISIS-12 is a framework that was developed by the Bavarian security cluster and is derived from IT-Grundschutz. The main addressees are primarily medium-sized cities and municipalities, which are to be gradually introduced to the implementation of basic protection or ISO 27001 through the implementation of ISIS-12.
The Microsoft Security Development Lifecycle (SDL) is a standard from Microsoft for secure product development that is limited to the processes of secure application development.
There are also other, sector-specific information security standards, e.g.:
VdS 10000 is a very slim standard developed by a subsidiary of the German insurance industry. Above all, it is intended to give small and medium-sized enterprises (SMEs) an easy introduction to the topic of information security and to cover the most important sub-areas.
PCI DSS (Payment Card Industry Data Security Standard) is the standard of the credit card industry that describes the requirements for companies that want to process credit card payments. Its scope is limited to the systems involved in processing, storing or transmitting cardholder data; which requirements apply depends on how payments are processed.