Information security management - definition & overview

Information security management describes the set of policies and procedural controls that IT and business organizations implement to secure their informational assets against threats and vulnerabilities. Many organizations develop a formal, documented process for managing InfoSec, called an information security management system, or ISMS.

Nearly all organizations possess information that they would not want to be shared or publicized. Whether these data are maintained in digital or physical format, the discipline of information security management is critical to protecting the data from unauthorized access or theft.

Consider whether your organization owns and would like to protect the following types of information assets:

Strategic documentation - Businesses and IT organizations develop and document long-term strategic and short-term tactical objectives that establish their goals and vision for the future. These valuable internal documents contain secrets and insight that competitors may want to access.

Products/service information - Critical information about products and services, including those offered by the business and IT, should be protected through information security management. This includes the source code for an in-house developed application, as well as any data or information products that are sold to customers. If your business sells a digital product, you will need information security to ensure that hackers cannot steal your product and distribute it without your consent or knowledge.

Intellectual property/patents - If your company generates intellectual property, including developing software, you may require information security controls to protect it. Your competitors may want to steal your source code and use it to reverse engineer a product to compete with yours. Some countries do not enforce copyright or intellectual property laws, so you may have no recourse if this is allowed to happen.

Proprietary knowledge/trade secrets - Every organization generates proprietary knowledge throughout doing business. For IT organizations, that knowledge may be stored in an internal knowledge base that is accessible to IT operators and support staff. Trade secrets are the unique insights and understanding that give your business a competitive advantage. If you wouldn't share them openly with your competition, you should secure trade secrets and proprietary knowledge using information security management controls.

Ongoing project documentation - Ongoing project documentation consists of the documented details of products or services that are in the process of being launched. If your competitors find out what you're up to, they may attempt to release a competing product or feature more quickly than anticipated and could even benchmark it against your new product to lock you out of the marketplace.

Employee data - Human resource departments collect and retain data about your employees, including performance reviews, employment history, salaries and other information. These records could contain confidential information that a cyber attacker might use to blackmail your employees. A competitor organization could use this data to identify targets before attempting to poach your employees.

All of these examples are listed in addition to confidentially submitted customer data, where a failure to protect the data against theft would constitute a breach of trust, and in some cases, a lack of conformity with information security standards or legislation.

Information security at the organizational level is centered around the triad of confidentiality, integrity and availability (CIA). Information security controls are put in place to ensure the CIA of protected information. InfoSec specialists and SecOps teams must understand each newly implemented control in terms of how it promotes the CIA triad for a protected data class.

Confidentiality - When it comes to InfoSec, confidentiality and privacy are essentially the same thing. Preserving the confidentiality of information means ensuring that only authorized persons can access or modify the data. Information security management teams may classify or categorize data based on the perceived risk and anticipated impact that would result if the data were compromised. Additional privacy controls can be implemented for higher-risk data.

Integrity - Information security management deals with data integrity by implementing controls that ensure the consistency and accuracy of stored data throughout its entire life cycle. For data to be considered secure, the IT organization must ensure that it is properly stored and cannot be modified or deleted without the appropriate permissions. Measures such as version control, user access controls and check-sums can be implemented to help maintain data integrity.

Availability - Information security management deals with data availability by implementing processes and procedures that ensure important information is available to authorized users when needed. Typical activities include hardware maintenance and repairs, installing patches and upgrades, and implementing incident response and disaster recovery processes to prevent data loss in the event of a cyber attack.

Organizations that wish to reduce or eliminate instances of unauthorized access to sensitive data can implement a structured risk management process to identify potential information security risks and identify strategies for mitigating them. Each organization must develop an individualized approach to information security, as individual companies have different methodologies and requirements for collecting, storing, using and transmitting data. An organization can begin its risk management initiative by:

1. Identifying informational assets within the business that need to be protected. This often includes things such as the identity of customers, specific data collected about customers such as health data or payment card information, intellectual assets and internal communications or documents.
   
2. Identifying potential threats, vulnerabilities and impacts with respect to each asset.
   • A threat is the "what" of a security risk. It could be a malware attack or a wave of phishing e-mails.
   • A vulnerability is the "how" of a security risk. We want to identify the possible attack vectors and ask how each identified threat could manifest itself within our environment.
   • An impact is what happens when the threat is realized. Some threats might have low impacts and others might have very high impacts on the business.
3. Evaluate the overall risk associated with each threat based on the business's vulnerability to the threat and the potential impact. For example, you may decide that while phishing attacks are relatively common, the potential impact would probably be small, but that in the less likely event of a deliberate hack attempt, the impact would be large.
   
4. Once you have identified and quantified all of the known risks, the next step is determining what to do about it. There are several methods for dealing with risk in information security:
   • Avoidance - Sometimes risk can be avoided by changing business activities to eliminate the source of the vulnerability.
   • Acceptance - Some risks are not very likely and even if they manifested would not cause significant harm to the business. In these cases, we may be able to simply accept the risk.
   • Control - Move forward with the business activities, but implement controls to either lessen the potential impact of the threat or reduce the probability of the threat being realized.
   • Transfer - In some cases, your organization may be able to transfer risk to someone else and avoid responsibility. For example, if your organization processes health insurance claims, you would be responsible for maintaining the security of all that patient data. If you were to outsource the process, however, you could also outsource the responsibility for information security and limit the risk to your business.
     
5. Design and implement any security processes or controls that you have identified as necessary to limit the overall information security risk to a manageable level.
   
6. Continue to monitor information security within your organization and adjust your information security strategy as needed to address the most current threats and vulnerabilities that impact your organization.

For some organizations, information security management is more than a requirement for protecting sensitive internal documents and customer information. Depending on your industry vertical, information security management might be a legal requirement to safeguard sensitive information that you collect from customers.

For example, organizations that collect personalized medical or health care records in the United States are required to follow the privacy and security guidelines of the Health Insurance Portability and Accountability Act (HIPAA). Organizations that process credit card payments are responsible for compliance with the Payment Card Industry Data Security Standard (PCI DDS). Organizations that collect personalized information from customers in Europe are covered by the European General Data Protection Regulation (GDPR) and could face thousands or millions of dollars in fines for non-compliance.

Effective security monitoring and response are crucial aspects of your information security management program. Sumo Logic's cloud analytics platform makes it easy for IT organizations to gather the latest threat intelligence, configure real-time threat alerts and automate incident response in increasingly large and disparate cloud hybrid environments with scattered data assets. Effective security monitoring protects against data breaches while reducing audit costs and promoting compliance with internal and external security and privacy standards. Learn more about how Sumo Logic can help with compliance monitoring.

What does an information security manager do?

An information security manager oversees the security of an organization's information systems and data. Their primary role involves developing, implementing and maintaining the organization's information security policies and procedures to ensure data confidentiality, integrity and availability.

What are the key components of a solid information security management system?

• Risk assessment to identify potential threats and vulnerabilities

• Security policy outlining the organization's approach to information security

• Security controls to implement and enforce security measures

• Security incident response plan to address security breaches promptly

• Data protection measures to safeguard sensitive information and personal data

• Security awareness training to educate employees on security best practices.

• Compliance with relevant regulations

• Continuous monitoring and update of security measures

• Information security risk management to assess and mitigate risks effectively

• Incident reporting and escalation procedures to handle security incidents efficiently

What are the differences between data protection and data security in the context of information security management?

While data protection focuses on protecting personal and sensitive information and ensuring compliance with data privacy regulations, data security addresses the overall protection of data assets within an organization, including sensitive data and intellectual property, financial information and operational data. Both data protection and data security are essential components of a comprehensive information security management strategy to mitigate risks and safeguard valuable data assets effectively.