Information Security Management
Definition
"The practice of protecting the information needed by the organization to conduct its business."
Organizations must:
- Develop and manage information security policies and plans
- Mitigate information security risks
- Exercise and test security plans
- Embed information security across the service value system
Key principle: Security responsibility extends across the entire organization, not isolated to security teams alone. ITIL v5 emphasizes integrating protections throughout all value chain activities and management practices.
The CIA Triad and Beyond
| Principle | Definition |
|---|---|
| Confidentiality | Prevention of information being disclosed to unauthorized entities |
| Integrity | Assurance that information is accurate and can only be modified by authorized personnel |
| Availability | Ensuring information can be used when needed |
| Authentication | Verification that a characteristic or attribute which appears or is claimed to be true is in fact true |
| Non-repudiation | Providing undeniable proof that an alleged event happened, or an alleged action was performed |
Processes
Information Security Planning and Implementation
- Analyze organization's strategy and context
- Define and agree the information security policies
- Conduct information security risk assessment
- Define and agree information security controls and plans
- Communicate policies and implement controls
Information Security Controls Tests and Exercises
- Plan tests and exercises
- Prepare tests and exercises
- Perform tests and exercises
- Review tests and exercises
Information Security Incident Management
- Detect and assign
- Triage and analyse
- Contain and recover
Information Security Assessment and Review
- Identify changes to business, technology, or threat environment
- Identify missing controls
- Assess control effectiveness
- Create assessment report
Key Terms
Threat: "any potential event that could have a negative impact on an asset."
Threat actor: "any person or organization that poses a threat."
Vulnerability: "any weakness in an asset or control that could be exploited by a threat."
Recommendations for Practice Success
- Make information security everyone's responsibility, not just the security team's
- Work closely with customers and partners to align security expectations
- Assess risks and tailor policies to the organization's specific context and risk appetite
- Automate anomaly detection and build resilience into systems and processes
Key Metrics
| Metric | What it measures |
|---|---|
| Products/services with documented security requirements (%) | Coverage of security requirements |
| Products/services with security plans (%) | Planning maturity |
| Timely updates of security plans | Responsiveness to change |
| Security risks analysed and evaluated | Thoroughness of risk assessment |
| Security risks mitigated to acceptable levels | Effectiveness of risk treatment |
| Security plans tested | Testing coverage |
| Improvement actions from plan testing | Learning from exercises |
| Governing body discussion of security | Executive attention and oversight |
| Value streams with defined security steps | Integration of security in workflows |
| Practices with security in process flows/roles | Embedding security across the organization |
Key Roles
- Chief Information Security Officer (CISO): Sets security strategy and policy at the organizational level
- Information security manager: Coordinates day-to-day security operations and risk management
Software Tools
- Security Information and Event Management (SIEM) tools
- Workflow management and collaboration tools
- Monitoring and event management tools
- Analysis and reporting tools
- Work planning and prioritization tools
- Knowledge management tools
- Survey tools
- Orchestration systems