Difference between revisions 579049172 and 579054359 on enwiki

[[File:Risk Management Elements.jpg|thumb|Plan-Do-Check-Act Cycle]]
[[File:Isms framework.jpg|thumb|ENISA: Risk Management and ISMS activities]]
An '''information security management system'''<ref>{{cite web|title=Security management system’s usability key to easy adoption|url=http://www.sourcesecurity.com/news/articles/co-4108-ga.8554.html|publisher=sourcesecurity.com|accessdate=22 August 2013}}</ref> (ISMS) is a set of policies concerned with [[information securi
* The '''Check''' phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
* In the '''Act''' phase, changes are made where necessary to bring the ISMS back to peak performance.

[[ISO/IEC 27001:2005]] is a risk-based information security standard, which means that organizations need to have a risk management process in place. Figure 2 illustrates how the risk management process fits into the [[PDCA]] model given above.<ref>{{cite journal|last=Humphreys|first=Edward|title=Information security management system standards|journal=Datenschutz und Datensicherheit - DuD|date=8 March 2011|year=2011|volume=35|issue=1|pages=7–11|doi=10.1007/s11623-011-0004-3}}</ref>

However, the latest standard, [[ISO/IEC 27001:2013]], does not use this cycle.

Another competing ISMS is [[Information Security Forum]]'s ''[[Standard of Good Practice]]'' (SOGP). It is more [[best practice]]-based, as it draws on the ISF's industry experience.

Some other well-known ISMSs include the Common Criteria (CC) international standard and the Trusted Computer System Evaluation Criteria (TCSEC).<ref name=isms>{{cite journal|last=Jo|first=Heasuk|coauthors=Kim, Seungjoo; Won, Dongho|title=Advanced Information Security Management Evaluation System|journal=KSII Transactions on Internet and Information Systems|date=1 January 2011|year=2011|volume=5|issue=6|pages=1192–1213|doi=10.3837/tiis.2011.06.006}}</ref>

Some nations use their own ISMS, e.g., the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of the USA, the Defense Information Assurance Certification and Accreditation Process (DIACAP) of the USA, the IT Baseline Protection Manual (ITBPM) of Germany, the ISMS of Japan, the Trusted Computer System Evaluation Criteria (TCSEC) of the USA, the ISMS of Korea, and the Information Security Check Service (ISCS) of Korea.<ref name=isms/>

Other frameworks such as [[COBIT]] and [[ITIL]] touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, ''[[Risk IT]]'', dedicated to information security.

There are a number of initiatives focused on the governance and organizational issues of securing information systems, bearing in mind that this is a business and organizational problem, not only a technical one:
* [[Federal Information Security Management Act of 2002]] is a [[United States federal law]] enacted in 2002 that recognized the importance of [[information security]] to the economic and national security interests of the United States.<ref name="nist_overview">[http://csrc.nist.gov/groups/SMA/fisma/overview.html NIST: FISMA Overview]</ref> The act requires each [[Government agency#Government agencies in the United States|federal agency]] to develop, document, and implement an agency-wide program to provide [[information security]] for the information and [[information systems]] that support the operations and assets of the agency, including those provided or managed by another agency, [[Government contractor|contractor]], or other source.<ref name="nist_overview"/><ref name=Vacca>{{cite book
|last= Caballero
|first=Albert.
|authormask=
|authorlink=
|coauthors=
|firstn= |lastn=
|authorn-link=
|editor=
|editorn-last=Vacca
|editorn-first=John
|editor-link=
|editorn-link=
|others=
|title=Computer and Information Security Handbook
|trans_title=
|url=
|archiveurl=
|archivedate=
agement is to implement the appropriate measures in order to eliminate or minimize the impact that various security-related [[threat (computer)|threats]] and [[vulnerability (computing)|vulnerabilities]] might have on an organization. In doing so, information security management enables the organization to deliver the desirable qualitative characteristics of the services it offers (i.e. availability of services, preservation of data confidentiality and integrity, etc.).<ref name=ENISAFULL/>
By preventing and minimizing the impact of security incidents, an ISMS ensures business continuity, maintains customer confidence, protects business investments and opportunities, and reduces damage to the business.<ref>{{cite journal|last=Ma|first=Qingxiong|coauthors=Schmidt, Mark B.; Pearson, Michael|title=An integrated framework for information security management|journal=Review of Business|year=2009|volume=30|issue=1|pages=58–69|url=http://www.stjohns.edu/reviewofbusiness|accessdate=26 October 2013}}</ref>

Large organizations, and organizations such as banks and financial institutions, telecommunication operators, hospitals and health institutions, and public or governmental bodies, have many reasons for taking information security very seriously. Legal and regulatory requirements aimed at protecting sensitive or personal data, as well as general public security requirements, impel them to devote the utmost attention and priority to information security risks.<ref name=ENISAFULL/>

* [[WARP (information security)]]
* [[TRAC (ISMS)]]

== Notes and references ==
<references/>


[[Category:Data security]]