Following the NIST Framework for Improving Critical Infrastructure Cybersecurity, managing the security of information hinges on five security management capabilities:

1. Identify: what information needs to be protected and where it is located
2. Protect: that information
3. Detect: information attacks and other incidents
4. Respond: to information attacks and other incidents, especially successful attacks
5. Recover: from the incident, returning back to normal operations

The information security management community has begun referring to these capabilities as information resilience: The ability of an organization to continue to provide an acceptable level of performance throughout all phases of the management chain, particularly respond and recover.

 

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

The Objective of Information Security Management is to Manage Information Risk

• Cyber Fraud
• Business Email Compromise
• Information Theft
• Ransomware
• Denial of Service Attack
• Regulatory compliance
• Disaster

Information Risk Impacts Business Risk

• Loss of Money
• Loss of Brand Value
• Loss of Competitive Advantage

Information Risk Measures

• Thirty percent (30%) of cybercrime victims are smaller organizations
• Sixty percent (60%) of these victims are out of business within 6 months
• Eighty percent (80%) of these breaches are preventable with basic security management

Managing information risk means ensuring four things

1. The confidentiality and privacy of sensitive information
2. The integrity of information and data
3. The availability of critical information
4. The authenticity of communications

The Context of Information Security Management

Information security management augments insurance and other forms of risk transfer. It also takes place in the legal context of commercial reasonableness.

 

Contributed by Citadel Information Group
© Copyright 2017. Citadel Information Group. All Rights Reserved.

 

Information Security Success Strategies — The Critical Seven

The following seven critical success strategies are vital in implementing a successful formal risk-driven Information Security Management Program.

1. Put someone in-charge. Establish leadership. Information Security Manager / Chief Information Security Officer.
   1. C-Suite and Board Governance
   2. Independent Perspective from CIO or Technology Director
   3. Supported by Cross-Functional Leadership Team
   4. Supported with Subject-Matter Expertise
2. Implement formal risk-driven information security policies and standards.
3. Identify, document and control sensitive information.
4. Train and educate personnel. Change culture.
5. Manage 3rd-party security.
6. Manage IT Infrastructure from an “information security point of view” in accordance with standards at least as strong as SecureTheVillage’s Code of Basic Information Security Management Practices.
7. Be prepared. Incident response. Business continuity planning.

Distrust and Caution Are the Parents of Security … Benjamin Franklin

The secret of success lies in managing risk, not avoiding it. … Merryle Rukeyser, Financial Journalist / Educator

The number one thing at the Board level and CEO level is to take cybersecurity as seriously as you take business operations and financial operations. It’s not good enough to go to your CIO and say “are we good to go.” You’ve got to be able to ask questions and understand the answers. … Major Gen Brett Williams, U.S. Air Force (Ret) … This Week with George Stephanopoulos, December 2014

Information security is a team sport. … Citadel Information Group

 

Contributed by Citadel Information Group