Security management of IT systems
Security management programmes — Management programmes are established, implemented and maintained for achieving objectives and targets, which shall be optimized and then prioritized. Communication — Pertinent security management information shall be communicated to and from relevant employees, contractors and other stakeholders.
Document and data control — All documents, data and information required for this International Standard shall be controlled. Emergency preparedness, response and security recovery — The organization shall establish, implement and maintain appropriate plans and procedures to identify the potential for, and responses to, security incidents and emergency situations, and for preventing and mitigating the likely consequences that can be associated with them.
Associated security threats and risks shall be considered, including potential deterioration mechanisms and their consequences, when setting the frequency for measuring and monitoring the key performance parameters. System evaluation — Security management plans, procedures, and capabilities shall be evaluated through periodic reviews, testing, post-incident reports, lessons learned, performance evaluations, and exercises.
Significant changes must immediately be reflected in the procedures. Control of records - Records shall be established and maintained as necessary to demonstrate conformity to the requirements of its security management system and of this standard, and the results achieved.
Audit — The audits of the security management system shall be carried out at planned intervals. Management reviews shall include assessing opportunities for improvement or changes to the security management system.

Integration with other management systems

The general requirements are ordinarily identified in every management system.
In addition, the table below presents the general requirements of several standards, which also serves as a tool for comparing the SCSMS with other management systems. For an effective response with respect to maintaining the supply chain, such a plan must be customized to fit the company.
A more difficult task is the compilation of an implementation plan that balances the requirements of the standard, the business needs and the certification deadline. There is no single blueprint for implementing ISO that will work for every company, but there are some common steps that will allow you to balance the frequently conflicting requirements and prepare you for a successful certification audit.
The methodology is organized in four phases: 1. Plan, 2. Do, 3. Check, 4. Act. Each phase has between 2 and 8 steps, for a total of 21 steps. In turn, these steps are divided into activities and tasks. The steps need not be performed in strict sequence; for example, the implementation of the management procedure for documented information can be completed before the understanding of the organization. Many processes are iterative because of the need for progressive development throughout the implementation project; communication and training, for example.
By following a structured and effective methodology, an organization can be sure it covers all minimum requirements for the implementation of a management system. Whatever methodology is used, the organization must adapt it to its particular context (requirements, size of the organization, scope, objectives, etc.).

Certification of organizations

The common steps for an organization that wishes to be certified against ISO are:
1. Implementation of the management system: Before being audited, a management system must be in operation for some time. Usually, the minimum time required by the certification bodies is 3 months.
2. Internal audit and review by top management: Before a management system can be certified, it must have had at least one internal audit report and one management review.
3. Selection of the certification body (registrar): Each organization can select the certification body (registrar) of its choice.
4. Pre-assessment audit (optional): An organization can choose to perform a pre-audit to identify any possible gap between its current management system and the requirements of the standard.
5. Stage 1 audit: A conformity review of the design of the management system. The main objective is to verify that the management system is designed to meet the requirements of the standard(s) and the objectives of the organization.
6. Stage 2 audit (on-site visit): The Stage 2 audit objective is to evaluate whether the declared management system conforms to all requirements of the standard, is actually being implemented in the organization and can support the organization in achieving its objectives.
7. Follow-up audit (optional): If the auditee has non-conformities that require an additional audit before being certified, the auditor will perform a follow-up visit (usually one day) to validate only the action plans linked to the non-conformities.
8. Confirmation of registration: If the organization is compliant with the conditions of the standard, the registrar confirms the registration and publishes the certificate.
9. Continual improvement and surveillance audits: Once an organization is registered, surveillance activities are conducted by the certification body to ensure that the management system still complies with the standard.
Whereas certification of organizations is a vital component of the supply chain security field, as it provides evidence that organizations have developed standardized processes based on best practices, certification of professionals serves to demonstrate that a certified professional holds defined competencies based on best practices. It also allows organizations to make informed choices when selecting employees or services, based on the competencies represented by the certification designation.
In practice, it is much easier to implement an ISMS if an organization has already implemented a quality management system based on ISO . For one thing, employees are better qualified to work in such a system.
Secondly, some management techniques are common to both systems. An ISMS uses the same tools as the other systems, such as audits, corrective and preventive actions and management review, but supplements them with techniques specific to information systems.
In addition to compatibility with the standards ISO and , an information security management system maintains consistency with ISO , ISO , and technical safety standards. On the one hand, it provides for faster growth due to enhanced communication; on the other, it forces the implementation of changes, both static and dynamic (organizational structure, processes, management tools).
The basic advantage of ISMS implementation for the majority of organizations consists not in increased data security, but in the enhancement of communication. This is because companies that hold sensitive data, as a rule, already apply security solutions that ensure a certain level of protection, usually a technical one.
Problems relating to information flow, however, are difficult for managers to measure and are therefore neglected. Designing and implementing an ISMS requires an analysis of the communication system and the identification of improvements that shall, at least, ensure its efficient operation, as a result of attending to the continued accessibility and completeness of information. Other critical factors that do not directly stem from the requirements of ISO include, among others, the elimination of redundant information flows and ensuring the currency and reliability of information.
A communication system improved in this way provides employees with higher quality and speed in decision-making, which translates into better functioning of the organization and its growth.
The above-mentioned benefits stemming from increased information security reveal themselves especially in planning future activities. For example, preventing the premature disclosure of information allows development plans to be executed undisturbed. The benefits that an organization achieves from implementing an information security management system depend partly on the phase of its development cycle.
In the inception and youth phases there are problems relating to the addressability of information and the protection of access to it, because where the structure and division of responsibilities have not been fully established, each employee has knowledge of the operations of the entire business, which may pose a threat should they move to a competitor.
On the other hand, the lack of clearly defined ownership of information assets forces central decision-making by the owner, which may delay growth. As the business grows and the amount of information increases, it becomes necessary to design communication channels that ensure employees have access to the data they need. Otherwise, problems will arise relating not only to access but also to the currency of information.
Such a situation creates a risk of erroneous decisions. A stabilized organization should enhance its relatively stable communication system. In this phase, therefore, the cost of producing and accessing information, and its efficiency or value, will be the key factors. Decisions taken on the basis of analysis of such issues may increase the effectiveness of communication and of the entire organization.
Crisis in the organization

The company may face a crisis due to external or internal causes. Crises resulting from external causes can be distinguished, in terms of their range, as industry, national or international crises.
An industry crisis may be caused, inter alia, by changes in consumer preferences, the emergence of new technologies, or regulations. It is transmitted directly to companies with a narrow range of products.
A properly functioning system for collecting information about markets and changes in technology can allow the company to react in advance to the symptoms of a crisis. A national crisis may result from political, economic or environmental causes. The impact of this type of crisis can be reduced through sound financial management in the enterprise, as well as an efficient financial information monitoring system.
An international crisis affects the company in the same way as a national crisis, but its causes may lie outside the country in which the organization operates. An internal crisis is associated with the processes of business development.
It occurs when the former methods of business management cease to function properly. Based on L. Greiner's model, crises of leadership, autonomy, control and bureaucracy can be distinguished [3]. Another common cause of internal crises in companies is failures resulting from insufficient competence of top management, improper use of methods and techniques, and underdeveloped internal communication.
The occurrence of an internal crisis can be accelerated or intensified by a crisis in the organization's environment. Efficient communication allows information to be spread, activities to be coordinated, conflicts to be resolved and decisions to be made. Factors that increase an organization's vulnerability to crisis threats include some pathologies of the information system, for example: differences in the staff's perception of the facts, distortion of information, lack of understanding of transmitted information, differences in language (professional vocabulary, idioms), over-interpretation, too much information, disturbances in communication (noise), lack of confidence, and excessive filtering of information [2].
These pathologies can cause: improper information gathering, incorrectly performed analyses, decision-making based on incomplete data, misunderstanding of the financial and strategic position of the company, and failure to detect early signals of a crisis. The ISMS tools mentioned earlier (audits, corrective and preventive actions, management review) also help to counter these pathologies; however, the different manner and additional purposes of using these tools in this context should be noted.

Management review. A management review is a regular meeting of executives dedicated to the functioning of the system.
The main reviews are held several times a year, but short meetings may take place even several times a month. Reviews allow information to be gathered and compared, and entail discussion between representatives of the organizational units. In this way each participant gains a better understanding of the company's situation. Management review promotes the understanding of relations between different parts of the organization.
Understanding those relations enables managers to detect problems more accurately.

Corrective actions. The aim of corrective actions is the removal of the causes of non-compliance and incidents. These actions are taken based on information about identified non-compliance. The information security manager is responsible for the proper conduct of these actions, while employees, according to their competencies, are responsible for removing the causes.
Preventive actions. Preventive actions serve to detect and remove potential causes that could lead to non-compliance or incidents. Carrying them out requires the involvement of all employees in order to identify potential problems. The procedure for running these actions is the same as for corrective actions. Identifying the causes allows further causes of problems to be found and the organization and its environment to be better understood. Moreover, removing the causes means that no adverse effects will occur.
Preventive actions are more difficult to implement, but they are more efficient (no losses are incurred).

Incident management. The goal of incident management is the detection of undesired events and a quick response to them.
In addition, it provides information for corrective action. Identifying and reporting incidents is the responsibility of every employee. This tool increases workers' awareness of and sensitivity to the problems occurring in the company and its environment.

Risk assessment. Risk assessment is the periodic review of risk factors and the identification of new factors.
A general assessment is usually done once a year. In addition, a number of minor assessments are carried out during the year. Conducting a risk assessment immediately after identifying changes in risk factors provides the information necessary to take preventive action and update risk treatment plans.

Risk treatment plans. A risk treatment plan is a set of instructions to be followed in the event that a risk factor materializes. The organization should draw up plans on the basis of risk assessments, audit reports and information from outside. Simulations are a valuable source of plans.