Difference between revisions 579059955 and 579060466 on enwiki

[[File:Risk Management Elements.jpg|thumb|Plan-Do-Check-Act Cycle]]
[[File:Isms framework.jpg|thumb|ENISA: Risk Management and ISMS activities]]

An '''information security management system'''<ref>{{cite web|title=Security management system’s usability key to easy adoption|url=http://www.sourcesecurity.com/news/articles/co-4108-ga.8554.html|publisher=sourcesecurity.com|accessdate=22 August 2013}}</ref> (ISMS) is a set of policies concerned with [[information securi(contracted; show full)

Another competing ISMS is the [[Information Security Forum]]'s ''[[Standard of Good Practice]]'' (SOGP). It is more [[best practice]]-based, as it draws on the ISF's industry experience.<br />
Some other best-known ISMSs include the [[Common Criteria]] (CC) international standard and the IT Security Evaluation Criteria (ITSEC).<ref name=isms>{{cite journal|last=Jo|first=Heasuk|coauthors=Kim, Seungjoo; Won, Dongho|title=Advanced Information Security Management Evaluation System|journal=KSII Transactions on Internet and Information Systems|date=1 January 2011|year=2011|volume=5|issue=6|pages=1192–1213|doi=10.3837/tiis.2011.06.006}}</ref><br />

(contracted; show full)
* be based on continuous training and awareness of staff, and avoid the use of disciplinary measures and “police” or “military” practices;
* be a never-ending process;

== Dynamic issues in ISMS ==
There are three main problems which lead to uncertainty in information security management systems (ISMS):<ref name=dynamic>{{cite journal|last=Abbas|first=Haider|coauthors=Magnusson, Christer; Yngstrom, Louise; Hemani, Ahmed|title=Addressing dynamic issues in information security management|journal=Information Management & Computer Security|date=1 January 2011|year=2011|volume=19|issue=1|pages=5–24|doi=10.1108/09685221111115836|accessdate=26 October 2013}}</ref>

* '''Dynamically changing security requirements of an organization''' Rapid technological development raises new security concerns for organizations. Existing security measures and requirements become obsolete as new vulnerabilities arise with technological development. To overcome this issue, the ISMS should organize and manage dynamically changing requirements and keep the system up to date.<ref name=dynamic/>
* '''Externalities caused by a security system''' An externality is an economic concept for the effects borne by a party that is not directly involved in a transaction. Externalities can be positive or negative. The ISMS deployed in an organization may also cause externalities for other interacting systems. Externalities caused by the ISMS are uncertain and cannot be predetermined before the ISMS is deployed. The internalization of externalities caused by the ISMS is needed in order to benefit the internalizing organization and its interacting partners by protecting them from vulnerable ISMS behaviors.<ref name=dynamic/>
* '''Obsolete evaluation of security concerns''' The evaluations of security concerns used in an ISMS become obsolete as technology progresses and new threats and vulnerabilities arise. Continuous security evaluation of organizational products, services, methods and technology is essential for maintaining an effective ISMS. Security concerns that have already been evaluated need to be re-evaluated. A continuous security evaluation mechanism for the ISMS within the organization is a critical need in order to achieve information security objectives. The re-evaluation process is tied to the dynamic security requirement management process discussed above.<ref name=dynamic/>

== See also ==
{{Portal|Computer security}}
* [[Asset (computing)]]
* [[Attack (computing)]]
* [[CERT Coordination Center|CERT]]
* [[COBIT]]
* [[ENISA]]
* [[Enterprise architecture]]
* [[FISMA]]
* [[Information security management]]
* [[IT governance]]
* [[ITIL]]
* [[IT risk]]
* [[ISO 9001]]
* [[ISO/IEC 27001]]
* [[ISO/IEC 27002]]
* [[ISO/IEC 27004]]
* [[ISO/IEC 27005]]
* [[NIST]]
* [[PDCA]]
* [[Security control]]
* [[Security information and event management]]
* [[Threat (computer)]]
* [[Vulnerability (computing)]]
* [[WARP (information security)]]
* [[TRAC (ISMS)]]

== Notes and references ==
<references/>

[[Category:Data security]]

All content in the above text box is licensed under the Creative Commons Attribution-ShareAlike license Version 4 and was originally sourced from https://en.wikipedia.org/w/index.php?diff=prev&oldid=579060466.