Information must be evaluated to determine which groups of people may access it and what the consequences of unauthorized access would be. A high level of confidentiality protection means ensuring that information is not disclosed to unauthorized persons.
Confidentiality is often the overriding protection goal in research and development or in strategic decision-making processes.
Information is a core component of all business processes. It must be ensured that information is available to authorized persons whenever it is needed.
Availability is often the protection goal in the foreground in cycle-timed production or service processes, where every minute of downtime has a direct cost.
Data must be "correct". This means that undesired changes are prevented, whether they are caused by attacks or by material fatigue of storage media, and that legitimate changes remain traceable.
This protection goal is particularly important where "wrong" data can lead to grossly incorrect decisions.
In some cases, these protection goals compete with each other. This can be the case, for example, when high confidentiality requirements impose multi-level authentication processes, so that information can no longer be retrieved "immediately"; confidentiality is then gained at the expense of availability.
In addition to these three main protection goals, there are also so-called extended protection goals, which are not discussed in detail in this article.
The term information security is often incorrectly equated with the term IT security. However, IT security does not go far enough. While IT security deals with the security of information technology and information processing systems, information security considers the totality of all information. This also includes information on data carriers that IT security does not consider, as well as information that is not explicitly recorded anywhere but can only be derived implicitly through analysis.
We can therefore say that IT security is a subset of information security.
In reality, companies are always faced with the challenge of formulating goals while having only limited resources (time, personnel, capital) to achieve them. Management systems are used to plan and control the achievement of goals economically and systematically. They should ensure that the available resources are allocated in the best possible way and that the process is controlled systematically.
The organization must define the goal to be achieved with the management system. The goal must then be operationalized, i.e. made measurable. This is the only way to check whether the desired goals have actually been achieved. This is normally done using so-called KPIs. A KPI within an ISMS could be, for example:
99% of the workforce has been trained in IT security at least once a year
or
Reduce the number of security incidents by 25% over the next 2 years
Once the goal has been operationalized, the available resources can be planned in order to work towards the defined goal (PLAN). After the planning has been completed, the planned measures are implemented (DO). In order to check whether the intended goals have been achieved with the measures used, the actual achievement of goals, measured against the operationalized goals in the form of KPIs, is regularly compared with the plan (CHECK).
If it is determined that the goals have not been achieved, the reason for the deviation must be analyzed and, if necessary, corrective measures derived and a new plan drawn up (ACT). This forms the so-called Deming cycle (PDCA), which is the basis of every management system.
In summary, it is the task of an information security management system to achieve the information security goals defined by the organization through the planning and implementation of measures and to regularly check the achievement of goals. The resources defined for the information security organization are available for this.
The first, fundamental step in introducing an ISMS can be derived directly from the introduction to management systems. The organization must first define its information security objectives. This sounds abstract at first, but can be easily illustrated with the following examples:
Defining the scope is just as important as formulating the information security goals: it must be clear to which area these goals apply. For the sake of simplicity this is often the entire company, but individual processes or areas can also be considered.
In order to achieve the information security goals, the company needs an information security organization. This refers to the people and processes that are intended to ensure that the goals are achieved through the development and implementation of measures. The basis of every information security organization is the appointment of a person responsible for information security.
In Germany, this is usually referred to as the “information security officer”.
The information security officer fulfills an important control function within the company. To avoid conflicts of interest, the information security officer should report directly to the highest level of management.
After the goals, the most important areas and the organization have been clarified, the operational steps can begin.
First, an overview of the existing information must be created. In information security, one usually speaks of so-called "information assets".
Companies have many different information assets; these could be, for example:
Concept / guideline: A concept must be drawn up that shows which measures are to be implemented, why and how.
Measure: Measures that have to be implemented often follow from guidelines.
Audit: The appropriateness and effectiveness of the measures must be verifiable and must also be checked. A measure whose effectiveness cannot be verified does not bring any added value. This must already be taken into account when the concept is being drawn up.
A clearly responsible person must be assigned for each of these three steps. If possible, the audit role should be assigned to a different person than the concept and implementation roles, in the sense of a segregation of duties.
In larger organizations, there is usually a policy pyramid that concretizes the abstract security goals step by step, from the top-level information security policy down to concrete work instructions.
Once the system has been implemented, the risk analysis and the measures must be checked regularly. This is very important for two reasons:
In addition, information security incidents must be continuously recorded and evaluated. Information security incidents are events within the company that violate one of the protection goals, for example the failure of a system that requires high availability, or malware intruding into the company network.
The systematic recording of such incidents supports the next revision of the risk analysis and the measures, and thus the further optimization of the information security organization.
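As an added illustration (not part of the original article), the following Python script shows how the two KPIs named above and a simple incident log can be evaluated together in the CHECK phase. The incident records, the training log and the review date are constructed sample data; the field layout (date, asset, violated protection goal, description) is an assumption made for this example, not a prescribed format.

```python
from collections import Counter
from datetime import date

# Constructed sample incident log (not real records). Each incident is tagged
# with the protection goal it violated, so the log can feed the risk analysis.
INCIDENTS = [
    # (date, asset, violated protection goal, short description)
    (date(2021, 2, 3),  "file server",   "availability",    "RAID controller failure"),
    (date(2021, 5, 19), "workstation",   "integrity",       "malware altered build scripts"),
    (date(2021, 9, 8),  "mail gateway",  "confidentiality", "phishing led to credential theft"),
    (date(2021, 11, 2), "ERP",           "availability",    "storage outage"),
    (date(2022, 1, 14), "laptop",        "confidentiality", "unencrypted device lost"),
    (date(2022, 6, 30), "backup system", "integrity",       "silent data corruption on tape"),
    (date(2023, 3, 11), "web shop",      "availability",    "DDoS"),
    (date(2023, 8, 25), "HR share",      "confidentiality", "misconfigured permissions"),
]

# Constructed training log: employee id -> dates of completed IT security training.
TRAINING = {
    "e001": [date(2023, 1, 10)],
    "e002": [date(2023, 4, 2)],
    "e003": [],                   # never trained
    "e004": [date(2021, 12, 1)],  # stale: more than a year before the review date
    "e005": [date(2023, 9, 15)],
}

# Assumed date of the CHECK review.
REVIEW_DATE = date(2023, 12, 31)

PROTECTION_GOALS = ("confidentiality", "integrity", "availability")


def incidents_per_year(incidents):
    """Count incidents per calendar year; raw input for the reduction KPI."""
    return Counter(d.year for d, *_ in incidents)


def incidents_per_goal(incidents, year=None):
    """Count incidents by violated protection goal, optionally for one year.
    Records with an unknown goal are rejected rather than silently dropped,
    so a typo in the log cannot hide an incident from the evaluation."""
    counts = Counter({g: 0 for g in PROTECTION_GOALS})
    for d, _asset, goal, _desc in incidents:
        if goal not in PROTECTION_GOALS:
            raise ValueError(f"unknown protection goal: {goal!r}")
        if year is None or d.year == year:
            counts[goal] += 1
    return dict(counts)


def incident_reduction_kpi(incidents, base_year, target_year, target_pct=25.0):
    """KPI 'reduce the number of security incidents by 25% over two years'.
    Returns (achieved, reduction_in_percent)."""
    per_year = incidents_per_year(incidents)
    base, current = per_year.get(base_year, 0), per_year.get(target_year, 0)
    if base == 0:
        # Without a baseline the KPI is not measurable; report that explicitly
        # instead of dividing by zero or claiming success.
        return (False, 0.0)
    reduction = (base - current) / base * 100.0
    return (reduction >= target_pct, round(reduction, 1))


def training_coverage_kpi(training, review_date, target_pct=99.0):
    """KPI '99% of the workforce trained at least once a year'.
    A training session only counts if it lies within the 365 days before
    review_date; older sessions and future-dated entries are ignored."""
    trained = 0
    for sessions in training.values():
        if any(0 <= (review_date - s).days <= 365 for s in sessions):
            trained += 1
    coverage = trained / len(training) * 100.0 if training else 0.0
    return (coverage >= target_pct, round(coverage, 1))


if __name__ == "__main__":
    print("incidents per year:", dict(incidents_per_year(INCIDENTS)))
    print("incidents per protection goal:", incidents_per_goal(INCIDENTS))
    print("reduction KPI 2021 -> 2023:", incident_reduction_kpi(INCIDENTS, 2021, 2023))
    print("training coverage KPI:", training_coverage_kpi(TRAINING, REVIEW_DATE))
```

With the sample data the incident KPI is met (four incidents in 2021 against two in 2023, a 50% reduction), while the training KPI is missed (only 3 of 5 employees have a session within the last year). The per-goal breakdown shows which protection goal is violated most often and is the kind of input the next revision of the risk analysis should receive.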
As in other management systems, many standards have already been established worldwide in the area of information security management. A few are presented here and compared in terms of complexity:
BSI IT-Grundschutz ("basic protection") is the framework of the German Federal Office for Information Security (BSI). It defines specific security levels and, depending on the security level, very specific measures to be implemented.
IT-Grundschutz was significantly streamlined in its last revision. While the old version was unattractive for many companies because of its extensive requirements, the new version is intended to be applicable to smaller companies as well.
ISO/IEC 27001 is a worldwide known standard. While BSI IT-Grundschutz prescribes measures in many areas, ISO 27001 is much more flexible: it only requires that the organization carries out a risk analysis and creates the necessary documentation. How the risks are ultimately treated (avoidance, reduction, acceptance or transfer) is not specified by the standard.
ISIS-12 is a framework that was developed by the Bavarian IT Security Cluster and is derived from IT-Grundschutz. Its main addressees are medium-sized cities and municipalities, which are to be gradually introduced to IT-Grundschutz or ISO 27001 through the implementation of ISIS-12.
Microsoft's standard for secure product development (the Security Development Lifecycle, SDL) is limited to the processes of secure application development.
There are also other area-specific information security standards, e.g.:
VdS 10000 is a very lean standard developed by a subsidiary of the German insurance industry. It is intended to give small businesses and SMEs in particular a simple introduction to information security and to cover the most important sub-areas.
PCI DSS is the payment card industry standard that describes the requirements for companies that want to process credit card payments. Its scope is limited to the payment processing process and depends on how payments are handled.