Information Security Management
What is Information Security Management?
Business organizations today create, aggregate and store massive amounts of information from their customers, including behavioral analytics, usage data, personal information, credit cards and payment data, health care information and more. The increase in enterprise data collection over the past decade, along with the increasing threat of cyber attacks and data breaches, has led to significant developments in the field of Information Security Management for IT organizations.
Information security management describes the set of policies and procedural controls that IT and business organizations implement to secure their informational assets against threats and vulnerabilities. Responsibility for information security may be assigned to a Chief Security Officer, Chief Technical Officer, or to an IT Operations manager whose team includes IT operators and security analysts. Many organizations develop a formal, documented process for managing InfoSec - often called an Information Security Management System, or ISMS.
What is an Informational Asset?
If your organization does not collect identifying or personal information from customers, you may wonder whether it is necessary for you to adopt information security management processes to protect your data. Unsurprisingly, nearly all organizations possess information that they would not want shared or publicized. Whether these data are maintained in digital or physical format, the discipline of Information Security Management is critical to protecting the data from unauthorized access or theft.
Consider whether your organization owns and would like to protect the following types of information assets:
Strategic Documentation - Businesses and IT organizations develop and document long-term strategic and short-term tactical objectives that establish their goals and vision for the future. These valuable internal documents contain secrets and insight that competitors may want to access.
Products/Service Information - Critical information about products and services, including those offered by the business and by IT, should be protected through information security management. This includes the source code for in-house developed applications, as well as any data or informational products that are sold to customers. If your business sells a digital product, you will need information security to ensure that hackers cannot steal your product and distribute it without your consent or knowledge.
Intellectual Property/Patents - If your company generates intellectual property, including developing software, you may require information security controls to protect it. Your competitors may want to steal your source code and use it to reverse engineer a product to compete with yours. Some countries do not enforce copyright or intellectual property laws, so you may have no recourse if this is allowed to happen.
Proprietary Knowledge/Trade Secrets - Every organization generates proprietary knowledge throughout the course of doing business. For IT organizations, that knowledge may be stored in an internal knowledge base that is accessible to IT operators and support staff. Trade secrets are the unique insights and understanding that give your business a competitive advantage. If you wouldn't share them openly with your competition, you should secure trade secrets and proprietary knowledge using information security management controls.
Ongoing Project Documentation - Ongoing project documentation consists of the documented details of products or services that are in the process of being launched. If your competitors find out what you're up to, they may attempt to release a competing product or feature more quickly than anticipated and could even benchmark it against your new product in an effort to lock you out of the marketplace.
Employee Data - Human resource departments collect and retain data about your employees, including performance reviews, employment history, salaries and other information. These records could contain confidential information that a cyber attacker might use to blackmail your employees. A competitor organization could use this data to identify targets before attempting to poach your employees.
All of these examples are listed in addition to confidentially submitted customer data, where a failure to protect the data against theft would constitute a breach of trust, and in some cases, a lack of conformity with information security standards or legislation.
Three Objectives of Information Security Management
Information security at the organizational level is centered around the CIA triad of Confidentiality, Integrity and Availability. Information security controls are put in place to ensure the confidentiality, integrity and availability of protected information. InfoSec specialists and SecOps teams must understand each newly implemented control in terms of how it promotes the CIA triad for a protected data class.
Confidentiality - When it comes to InfoSec, confidentiality and privacy are essentially the same thing. Preserving the confidentiality of information means ensuring that only authorized persons can access or modify the data. Information security management teams may classify or categorize data based on the perceived risk and the anticipated impact that would result if the data were compromised. Additional privacy controls can be implemented for higher-risk data.
Integrity - Information security management deals with data integrity by implementing controls that ensure the consistency and accuracy of stored data throughout its entire life cycle. For data to be considered secure, the IT organization must ensure that it is properly stored and cannot be modified or deleted without the appropriate permissions. Measures such as version control, user access controls and checksums can be implemented to help maintain data integrity.
Availability - Information security management deals with data availability by implementing processes and procedures that ensure important information is available to authorized users when needed. Typical activities include hardware maintenance and repairs, installing patches and upgrades, and implementing incident response and disaster recovery processes to prevent data loss in the event of a cyber attack.
Information Security Management Standards and Compliance
For some organizations, information security management is more than a requirement for protecting sensitive internal documents and customer information. Depending on your industry vertical, information security management might be a legal requirement to safeguard sensitive information that you collect from customers.
Organizations that collect personalized medical or health care records in the United States are required to follow the privacy and security guidelines of the Health Insurance Portability and Accountability Act (HIPAA). Organizations that process credit card payments are responsible for compliance with the Payment Card Industry Data Security Standard (PCI DSS). Organizations that collect personalized information from customers in Europe are covered by the European General Data Protection Regulation (GDPR) and could face thousands or millions of dollars in fines for non-compliance.
Sumo Logic Supports IT Security Management and Compliance Initiatives
Effective security monitoring and response are crucial aspects of your information security management program. Sumo Logic's cloud analytics platform makes it easy for IT organizations to gather the latest threat intelligence, configure real-time threat alerts and automate incident response in increasingly large and disparate hybrid cloud environments with scattered data assets. Effective security monitoring protects against data breaches while reducing audit costs and promoting compliance with internal and external security and privacy standards.