Service Management Blog

Introduction to Information Security Management

Stephen Watts
Matthew Tracy
4 minute read
Stephen Watts, Matthew Tracy
image_pdfimage_print

What is Information Security Management?

Technology allows businesses to foster collaboration, communication, and sharing across the globe. We live in a time where working from home for large corporations is becoming the norm. Many rewards come from this: happier employees, decreased office space costs, and increased productivity. Innovation in communication is changing the very way we do business.

Unfortunately, as we have made it easier to share and collaborate, we have opened ourselves to a dark side of these new freedoms.  With so many points of connection, we have to find the balance between easy communication and protecting our information.  We must implement policies, procedures, strategies, and best practices to overcome and not fall prey to online threats.  This is where Information Security Management comes in to play.

BMC Helix - The Future of Service and Operations Management

BMC Helix is the first and only end-to-end service and operations platform that’s integrated with 360-degree intelligence. Built for the cloud, this reimagined service and operations experience is unrivaled, giving you:

  • BMC Helix ITSM optimized for ITIL® 4
  • Enterprise-wide service including IT, HR, Facilities, and Procurement
  • An omni-channel experience across Slack, Chatbot, Skype, and more
  • Automation with conversational bots and RPA bots
  • More than 7,500 IT organizations trust BMC ITSM solutions. See why and learn more about BMC Helix ›

In short, information security management is the controls an organization implements to protect the confidentiality of itself and employees, availability and stability of services, and integrity of data and assets used to run the business. As more data passes between individuals and information security management becomes critically important, we’ll explore more about information security management, allowing us to collaborate freely across the web.

Assessment of Risks

One initial component of information security management is risk assessment. This step is integral as it serves as a starting point to determine what is and is not a threat, what needs to be protected, and what the costs benefits analysis is of protecting your information.

This is also where you analyze the best way to collaborate for your organization. There are many ways for companies to collaborate with tools making collaboration easy. The landscape is filled with tools from multiple vendors, but all are not created equally and may not be compatible with security procedures your current partners have in place. Evaluating technologies and security requires time and effort along with a solid strategy and understanding of the company’s needs and goals.

Using the Information Technology Infrastructure Library (ITIL) can make this easier by providing you with a baseline from which to build.  Industry standards and best practices can make it easier for you to evaluate your threats along with the likelihood and impact of those threats.

Threats

As the first part of an information security management assessment, you should look at potential threats. Properly understanding this can save you time and money in implementation in case threats become a reality.

Understanding your industry is key and policies and procedures common to your industry are a great place to start when evaluating your company. This is because finding ITIL-type policies for your industry allows you to zero in on potential issues. If you are having trouble finding industry-specific policies and procedures, general ITIL documents are a great place to start.

If you’re asking, “What are general threats to the wellbeing of my information?” you’re asking the right question.  While there are brute force attacks that can impact the outside an organization, the primary vector for attack will be through phishing and social engineering.  In fact, phishing and social engineering can lead to other types of attacks like downloading malware, viruses, or just giving out important user names, passwords, or other proprietary information to the wrong individual.

Once you understand the types of threats you need to understand how those threats can affect stakeholders if the information is stolen.  You must understand what the cost is for sending blueprints to the wrong person or if a member of the human resources department accidentally gave out the user name and password to the employee records database. Once you know this, you can evaluate the impact and likelihood of threats to your data and systems.

Impact and Likelihood

What can’t be overstated when assessing threats is figuring out what the likelihood and impact of a threat would be. This is extremely important as we look ahead to mitigation. Without knowing a probability of threats, we can’t properly plan for future mitigation or even determine if mitigation is needed.

As an example, let’s pretend that you have decided to use a common set of development tools to tie into a social media platform. Just by announcing that you will be integrating with a specific social media platform, outsiders can easily assume that you will use common API calls that are the industry standard. In this particular situation, you may decide to implement a minimal plan with no mitigation if the knowledge is made common.

On the flip side, you may use proprietary processes and technologies, the disclosure of which could cost you a competitive edge. Imagine creating a new product with custom-designed circuit boards, chips, or processes. Protecting that information, getting NDAs, and training employees to understand how to deal with phishing and social engineering attacks are key steps in creating information security management policies and procedures.

Remember to take your time on each part of your evaluation of the likelihood of an incident and analyze the impact so that you can have the proper mitigation strategy in place.

Mitigation

Information security management is figuring out how to mitigate data issues when they occur. You will want to stop the exposure, see how long the exposure has occurred, make sure the threat can’t happen again and determine what needs to be done to counteract the lost information, if necessary. All the remediation and notification steps that go into that are part of the mitigation plan.

Documenting mitigation policies and procedures allow you to run test scenarios on what may happen if a data breach occurs. This benchmarking allows you to plan and improve response times against ever-changing threats. ITIL best practices can be used as a starting point here. Auditing, training, and penetration testing are all ways to find out where vulnerabilities exist. Once these tests have identified your weaknesses, you can move to resolve the issue, or you may determine that it’s not something worth securing.

This is why you have to understand the impact and likelihood of any breach scenarios and where company policies for information security management must be implemented across the board. Your mitigation steps should also become a company-wide endeavor, meaning that IT has to reach out to stakeholders to better understand and help them evaluate proper ways to secure information.

When it comes to information security management, IT is moving away from the days of just making sure the network and the servers are working to a team of active defenders securing the company from intrusion by malicious users.

Proper information security management is a cornerstone ensuring that companies’ proprietary information stays proprietary while allowing companies to perform day-to-day business actions. The topic is complex, and this article provides just the tip of what is needed to understand how to navigate in this ever-changing world of information security.

Free Trial: BMC Helix ITSM

Take a free personalized demo of BMC Helix, the future of IT Service Management software
Free Trial › Learn More ›

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

See an error or have a suggestion? Please let us know by emailing blogs@bmc.com.

About the author

Stephen Watts

Stephen Watts

Stephen Watts (Birmingham, AL) has worked at the intersection of IT and marketing for BMC Software since 2012.

Stephen contributes to a variety of publications including CIO.com, Search Engine Journal, ITSM.Tools, IT Chronicles, DZone, and CompTIA.

About the author

Matthew Tracy

Matthew Tracy

Matthew Tracy is on the Board of Directors for Alabama Veteran and is a Business Analyst at Vulcan Materials Company. Matt is an IoT expert with extensive experience working in IT service desks for financial and healthcare industries. Matt managed line-of-sight communications, computers, and electronic equipment during his Afghanistan deployment.