Today, every organization’s business is automated, digitized and online, leading to data confidentiality, integrity and availability emerging as key concerns. According to Verizon’s 2010 Data Breach Investigation Report, malware and hacking are the top two threats, contributing to 38% and 40% respectively of the data breaches. While there is no ‘silver bullet’ for systems security, a healthy and continually improving information security management system (ISMS) can go a long way in mitigating risks. For an ISMS to be successful within any organization, three key phases ought to be considered—design, implementation, and maintenance.
Important parameters for ISMS design
The ISMS design phase is extremely crucial as it can make or break the overall implementation. Key considerations while designing the ISMS include:
- Setting business objectives – Security controls must be designed to support the ISMS’ business objectives and an upfront clarification of these – across the business – is vital.
- Identifying information assets (such as electronic documents, hardware, software, paper and people) – Key information assets that support business processes should be prioritised for protection in the ISMS.
- Securing organizational commitment – For an ISMS implementation to be successful, the project’s objectives need to be understood and endorsed throughout the organization. Cross-functional organizational participation and management engagement is important.
- Developing an asset-based risk assessment and treatment plan – By prioritising information assets and correlating against potential threats, an idea of the perceived risks can be developed during the ISMS design process.
- Considering compliance requirements (legal/statutory/regulatory) and contractual agreements – External factors must be translated into the ISMS implementation’s design. Compliance requirements such as SOX (Sarbanes-Oxley) 404, HIPAA (Health Insurance Portability and Accountability Act), PCI DSS (Payment Card Industry Data Security Standard), GLBA (Gramm-Leach-Bliley Act), and DPA (Data Protection Act) are common these days and could become impossible to assimilate if not factored into the early stages of ISMS design.
- Engaging third parties/partners – Entities involved in business processes need to be advised, monitored and controlled as part of ISMS design and implementation stages. Too often, security control implementation can be delayed thanks to third party ignorance.
Organizations also need to ensure that the efforts and costs involved in designing and implementing information security controls are commensurate with the value of the asset being protected. If not, the risk of ISMS failure increases.
Drawbacks during ISMS implementation
Implementing ISMS is a tougher challenge than design, as it requires organizations to move from theory to practice and (perhaps more importantly) bridge the gap between flexibility and control. Best practices are not always the easiest practices, and organizations often face significant ISMS implementation challenges – for instance, when trying to implement security controls on legacy systems and unsupported platforms.
The question then is how to achieve the business objectives while maintaining business continuity during ISMS implementation. Organizations also need to develop a security exception process that evaluates the residual risk of not implementing a security control and also suggests alternative controls to reduce it to an acceptable level. This can only be done if the risk strategy has been properly assessed in the ISMS design phase.
The most common pitfalls of ISMS implementation can be summarized as follows:
- Lack of management support – Senior management support is of paramount importance for successful ISMS implementation.
- Organizational disengagement – Implementing ISMS is not just an information technology (IT) manager’s job, but the responsibility of the entire organization.
- Non-prioritization of tasks and milestones – Prioritizing tasks is a best practice while undertaking any big project and ISMS is no different. An organization must focus on the ‘low hanging fruits’ to ensure continuous focus and interest in the project, but must also keep the end goal in mind.
- Lack of status checks – It is essential to develop key security metrics and measure them regularly to ensure ongoing improvement.
- Unclear project management tenets – Best practice project management tools will help ensure ISMS project success.
- Disconnect from business processes – Project leads must ensure that the information security controls help, and do not hinder the functioning of the business they are trying to protect.
ISMS governance team
All the hard work done by an organization is meaningless if the ISMS is not maintained. An ISMS governance team can ensure that the potential impact of any changes to the business environment, IT infrastructure, and compliance landscape are considered against the organization’s security stature. Thus, the ISMS can be reassessed and if needed, updated, to support business goals. Sticking to the basics and following a few simple steps would help an organization streamline its ISMS implementation process.
About the author: Ashish Thapar (CISSP, CISM, CISA, GCFA) is the principal consultant for professional services at Verizon Business. He has diverse experience in the field of information security which spans design, implementation and management of an enterprise’s information security management system.