Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. By extension, ISM includes information risk management, a process which involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This of course requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.
Risk management and mitigation
Managing information security in essence means managing and mitigating the various threats and vulnerabilities to assets, while at the same time balancing the management effort expended on potential threats and vulnerabilities by gauging the probability of them actually occurring. A meteorite crashing into a server room is certainly a threat, for example, but an information security officer will likely put little effort into preparing for such a threat.
After appropriate asset identification and valuation has occurred, risk management and mitigation of those assets involves the analysis of the following issues:
- Threats: Unwanted events that could cause the deliberate or accidental loss, damage, or misuse of information assets
- Vulnerabilities: How susceptible information assets and associated controls are to exploitation by one or more threats
- Impact and likelihood: The magnitude of potential damage to information assets from threats and vulnerabilities and how serious of a risk they pose to the assets; cost–benefit analysis may also be part of the impact assessment or separate from it
- Mitigation: The proposed method(s) for minimizing the impact and likelihood of potential threats and vulnerabilities
Once a threat and/or vulnerability has been identified and assessed as having sufficient impact/likelihood to information assets, a mitigation plan can be enacted. The mitigation method chosen largely depends on which of the seven information technology (IT) domains the threat and/or vulnerability resides in. The threat of user apathy toward security policies (the user domain) will require a much different mitigation plan than one used to limit the threat of unauthorized probing and scanning of a network (the LAN-to-WAN domain).