SWS2 Securing Information Systems
#Securing Information Systems
ISMS
- ISO/IEC 27000 family
- NIST Risk Management Framework
- BSI 2000 family
- An ISMS is a systematic approach to managing information so that it remains secure. (It is not an application.)
- It includes people, processes and IT systems by applying risk management processes.
- Information security risk is managed and kept at an acceptable level by designing, implementing and maintaining a coherent set of security controls.
- Our focus: security controls
Security Controls
- are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
- Controls are characterized (and sometimes grouped) by various attributes, for example type, information security property, function, and category.
- Information Security Properties: Which characteristics of information does the control help to preserve (Confidentiality, Integrity, Availability)?
- Category: What is concerned (people, physical objects, technology, other (organisational))?
- Function: The function within the ISMS (identify, protect, detect, respond, recover)
ISMS Functions
- Identify
- Protect
- Detect
- Respond
- Recover
Type of Controls
Preventive Controls
prevent an incident from occurring. (authentication, firewall)
Detective Controls
identify and characterize an incident in progress. (IDS, burglar alarm)
Corrective Controls
limit the extent of damage after an incident occurs. (backup system, redundant systems)
- An ISMS uses a high level of abstraction
- very little guidance on the technical implementation of security controls
- specific controls exist for certain industries
- Controls might be specified/identified at different levels of granularity