An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks (source: http://www.sourcesecurity.com/news/articles/co-4108-ga.8554.html). The idioms arose primarily out of BS 7799. The governing principle behind an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.

== ISMS description ==

As with all management processes, an ISMS must remain effective and efficient in the long term, adapting to changes in the internal organization and external environment. ISO/IEC 27001:2005 therefore incorporated the "Plan-Do-Check-Act" (PDCA), or ''Deming'' cycle, approach:

* The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls.
* The Do phase involves implementing and operating the controls.
* The Check phase objective is to review and evaluate the performance (efficiency and effectiveness) of the ISMS.
* In the Act phase, changes are made where necessary to bring the ISMS back to peak performance.

ISO/IEC 27001:2005 is a risk-based information security standard, which means that organizations need to have a risk management process in place. The risk management process fits into the PDCA model given above. However, the latest standard, ISO/IEC 27001:2013, no longer emphasises the Deming cycle. The ISMS user is free to use any management process (improvement) approach, such as PDCA or Six Sigma's DMAIC.

Another competing ISMS is the Information Security Forum's ''Standard of Good Practice'' (SOGP). It is more best-practice-based, as it comes from ISF's industry experience.

Some of the best-known ISMSs for computer security certification are the Common Criteria (CC) international standard and its predecessors, the Information Technology Security Evaluation Criteria (ITSEC) and the Trusted Computer System Evaluation Criteria (TCSEC). Some nations publish and use their own ISMS standards, e.g. the Department of Defense (DoD) Information Technology Security Certification and Accreditation Process (DITSCAP) of the USA, the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) of the USA, the German IT baseline protection, the ISMS of Japan, the ISMS of Korea and the Information Security Check Service (ISCS) of Korea.

Other frameworks such as COBIT and ITIL touch on security issues, but are mainly geared toward creating a governance framework for information and IT more generally. COBIT has a companion framework, ''Risk IT'', dedicated to information security.

The table below provides a certification structure comparison of some of the best-known ISMSs:

There are a number of initiatives focused on the governance and organizational issues of securing information systems, bearing in mind that it is a business and organizational problem, not only a technical problem:

* The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 that recognized the importance of information security to the economic and national security interests of the United States (NIST: FISMA Overview). The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
* The Governing for Enterprise Security Implementation Guide (CERT: Governing for Enterprise Security Implementation Guide) of the Carnegie Mellon University Software Engineering Institute CERT is designed to help business leaders implement an effective program to govern information technology (IT) and information security.
* A Capability Maturity Model (CMM) for system security engineering was standardized in ISO/IEC 21827.
* The Information Security Management Maturity Model (known as ISM-cubed or ISM3) is another form of ISMS. ISM3 builds on standards such as ISO 20000, ISO 9001, CMM, ISO/IEC 27001, and general information governance and security concepts. ISM3 can be used as a template for an ISO 9001-compliant ISMS. While ISO/IEC 27001 is controls-based, ISM3 is process-based and includes process metrics. ISM3 is a standard for security management (how to achieve the organization's mission despite errors, attacks and accidents with a given budget). The difference between ISM3 and ISO/IEC 21827 is that ISM3 is focused on management, ISO/IEC 21827 on engineering.