2.2 Information Security Management Systems (ISMS)
2.2.1 Information Security Management Systems
There is no canonical definition of Information Security Management Systems (ISMS). The world was introduced to the formal concept of ISMS during the 1990s with the development and introduction of the British Standard BS-7799 [91], which was later incorporated in the ISO 27000 series. Eloff defines an Information Security Management System as a management system used for establishing and maintaining a secure information environment [33]. Information Security Management Systems incorporate the typical “Plan-Do-Check-Act” (PDCA) cycle proposed by Deming [92, 93]. The main tasks in the “Plan” phase are to design the ISMS, assess information security risks and select appropriate controls. The selected security controls are then implemented in the “Do” phase. The “Check” phase reviews and evaluates the performance (efficiency and effectiveness) of the ISMS. In the “Act” phase, remedial actions are taken and security lessons are documented. This data can be fed back into the risk assessment process in the “Plan” phase, ultimately leading to the improvement of the ISMS.
2.2.2 Information Security Management Systems framework
ENISA outlines the ISMS framework as shown in Figure 2.1. The development of an ISMS framework includes six steps: definition of a security policy, definition of the ISMS scope, risk assessment (as part of risk management), risk management, selection of appropriate controls, and the statement of applicability [9]. This is consistent with the requirements in the ISO 27000 series [34, 42].
The definition of a security policy and the scope of the ISMS are higher-level management strategies. In healthcare, regulations and policies have been proposed in different countries, such as the Health Insurance Portability and Accountability Act (HIPAA) [94] in the US, the Data Protection Act [95] in the UK and the Personal Information Protection Act [96] in China. Risk management is the process that “transforms” the security standards, the guidelines of the security policy, and the targets and objectives of the ISMS into specific plans for implementing controls and mechanisms that aim to minimise threats and vulnerabilities. Security risk management (SRM) is a continuous process to prioritise information system security risks and to implement and monitor security controls (i.e., countermeasures, safeguards) [13, 36]. It synthesises the strategies, policies, activities, procedures, and people used to manage security risk, and is expected to result in a system of controls that collectively protect information systems security [34, 42].
[Figure 2.1 (image not reproduced): the six steps of the ISMS framework. Step 1 Definition of Security Policy (output: Policy Document); Step 2 Definition of ISMS Scope (output: Scope of the ISMS); Step 3 Risk Assessment (input: Threats, Impacts, Vulnerabilities; output: Use of assessed Risks); Step 4 Risk Management (input: Risk Management Strategy; output: Identified weaknesses for Assets); Step 5 Selection of Controls (input: Additional Controls; output: Strength of Controls and Implementation); Step 6 Statement of Applicability (output: Statement of Applicability Document).]
Figure 2.1: Information Security Management Systems (ISMS) Framework [9]
Appropriate controls are then selected and mapped to the identified risks. The controls come mainly from existing sets of controls or mechanisms contained in information security standards (e.g. ISO 27001) and guidelines, or from a combination or adaptation of proposed controls to the specific organisational requirements. Section 2.2.3 reviews these controls.
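As an added worked example (not part of the thesis or of ENISA's material), the six steps above carried through on a small constructed hospital risk register: the policy fixes a risk appetite, the scope filters assets, risks are scored and treated, controls are selected from a catalogue, and a statement of applicability lists every control as applicable or excluded. All control identifiers, assets and scores are constructed placeholders, not ISO 27001 controls.

```python
from dataclasses import dataclass

# Step 1 and 2 outputs (constructed): the policy fixes a risk appetite, the scope bounds the ISMS.
RISK_APPETITE = 6  # likelihood x impact above this value must be treated
ISMS_SCOPE = {"EHR database", "Radiology workstation"}
# Constructed control catalogue: hypothetical ids, each mapped to the threats it addresses.
CONTROLS = {
    "C-01": ("Role-based access control", {"unauthorised access"}),
    "C-02": ("Encrypted off-site backups", {"ransomware", "hardware failure"}),
    "C-03": ("Patch management", {"ransomware", "unauthorised access"}),
    "C-04": ("Visitor badge procedure", {"physical intrusion"}),
}

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    def score(self) -> int:
        return self.likelihood * self.impact

def assess_risks(risks):
    """Step 3: score only assets inside the ISMS scope, highest risk first."""
    return sorted((r for r in risks if r.asset in ISMS_SCOPE),
                  key=lambda r: r.score(), reverse=True)

def manage_risks(assessed, appetite=RISK_APPETITE):
    """Step 4: risks above the appetite are treated, the rest are accepted."""
    treat = [r for r in assessed if r.score() > appetite]
    return treat, [r for r in assessed if r.score() <= appetite]

def select_controls(treat):
    """Step 5: map every treated risk to the catalogue controls covering its threat."""
    selected = {}
    for r in treat:
        for cid, (_, threats) in CONTROLS.items():
            if r.threat in threats:
                selected.setdefault(cid, set()).add(f"{r.asset}/{r.threat}")
    return selected

def statement_of_applicability(selected):
    """Step 6: every catalogue control is listed as applicable or excluded, with justification."""
    return {cid: (name, "applicable", "; ".join(sorted(selected[cid]))) if cid in selected
            else (name, "not applicable", "no treated risk maps to this control")
            for cid, (name, _) in CONTROLS.items()}

RISKS = [  # constructed input examples: threats, impacts and vulnerabilities
    Risk("EHR database", "ransomware", "unpatched server", 4, 5),
    Risk("EHR database", "unauthorised access", "shared accounts", 3, 4),
    Risk("Radiology workstation", "hardware failure", "no backup", 2, 2),
    Risk("Cafeteria POS", "physical intrusion", "no badge check", 3, 3),
]
```

Running `statement_of_applicability(select_controls(manage_risks(assess_risks(RISKS))[0]))` shows the out-of-scope asset dropped at step 3, the low-scoring workstation risk accepted at step 4, and the badge control excluded with a justification at step 6.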
2.2.3 Security standards and guidelines
There have been a number of initiatives contributing to ISMS. Several private and government organisations have developed standards and guidelines to ensure that an adequate level of security is achieved and best practices are adopted in an organisation, such as ISO27001, BS7799, CMMI [97], FISCAM [55], GB/T22239 [98], ITIL [99], Common Criteria [100], SecUML [101] and COBIT [102]. Security standards provide a detailed level of mandatory controls to support the enforcement of information security policies. Security guidelines consist of recommended controls and best practices that support security standards or serve as a reference when no applicable standard is available. The following sections introduce some example standards and guidelines.
The Federal Information System Controls Audit Manual (FISCAM) provides best practices on security control techniques and audit procedures [55]. It is consistent with the Federal Information Security Management Act (FISMA) [103] and has incorporated NIST standards such as NIST SP 800-53 [104] and NIST SP 800-100 [105]. FISMA defines a framework for managing information security that must be followed for all information systems operated by a U.S. federal government agency. FISCAM can be used as the basis for a FISMA evaluation and provides different levels of security requirements for evaluating general security controls. FISCAM includes general control categories such as security management, access controls, configuration management, segregation of duties and contingency planning. For each of those general control areas, it identifies several critical elements that are essential security requirements for establishing adequate security controls.
In the Chinese standard GB/T22239 (Information security technology - Baseline for classified protection of information system), there are four classified security levels to ensure information security [98]. Baseline security requirements are provided for each level:
• The first level requires the ISMS to protect the system from malicious attacks from individual or small scale threats with few resources; to resist the general natural disasters or other harms caused to critical resources; and to recover at least part of the functions after the system is compromised or damaged.
• The second level requires the ISMS to protect the system from malicious attacks from small organisations or small scale threats with few resources; to resist the general natural disasters or other harms caused to critical resources; to detect important security vulnerabilities and security events; and to recover at least part of the functions after the system is compromised or damaged.
• The third level requires the ISMS to protect the system from malicious attacks launched by organised groups or threats with abundant resources by following unified security strategy; to resist severe natural disasters or other harms caused to critical resources; to detect important security vulnerabilities and security events; and to recover most of the functions after the system is compromised or damaged.
• The fourth level requires the ISMS to protect the system from malicious attacks launched by state-level threats or from hostile organisations by following unified security strategy; to resist severe natural disasters or other harms caused to critical resources; to detect important security vulnerabilities and security events; and to recover almost all the functions after the system is compromised or damaged.
Organisations are required to comply with GB/T22239 by achieving a certain security level. For example, the guidance on information security level protection for the health industry issued by the Ministry of Health of the People’s Republic of China requires that health information systems and related units be self-examined in accordance with GB/T22239. In particular, a tertiary (highest-level) hospital needs to achieve at least the third level of GB/T22239 [106].
2.2.4 Strengths and weaknesses of security standards/guidelines
Organisations can potentially benefit from standards/guidelines in two ways [107, 108].
The first is to ensure the development of a strong, consistent and structured strategy to protect information security. Security standards/guidelines provide best practices and recommend security requirements that the organisation needs to meet, and they are a good starting point for shaping an information security management strategy [107, 109]. The second is to demonstrate to staff, customers and trading partners that the organisation has taken security seriously by following international best practices. Gomes introduced ISO 27002 for implementing four security controls (Asset Management, Physical and Environmental Security, Communications & Operations Management, Access Control) in the data centre infrastructure of Hospital S. Sebastiao in Portugal [110]. The application of this framework was reported to be successful, justified by the successful accomplishment of those four security controls [110]. Wiander analysed the implementation experiences of four organisations that had implemented ISO/IEC 17799 (2005). The results suggest that the standard served the needs of the enterprises and that its intended usage correlated well with the organisations’ practice [111].
Siponen criticised the basis of the security standards/guidelines. He argues that many are based only on personal observation and are not universally valid [112]. The standards/guidelines are validated by appealing to common practice and authority only, which is not a sound basis for international use [113]. However, information security standards/guidelines can serve as an information security management library for practitioners [113]. Practitioners would benefit from in-depth practical experiences and lessons learned on how the objectives of security standards/guidelines are met in organisations where they are applied [113].
2.2.5 Security requirement modelling
Security standards provide security requirements that are based on best practices. As mentioned, some organisations adopt security requirements from security standards directly. As an alternative, organisations can model their own security requirements by using security requirement modelling methods such as Common Criteria (CC) [114] and SecUML [101, 115]. The Common Criteria (CC) is an international standard (ISO/IEC 15408). It allows security experts to elicit security requirements and specify security attributes of their own products. SecUML [101, 115] is a modelling language that defines an abstract syntax for annotating UML diagrams with information relevant to access control. Its meta-model consists of data types such as users, roles, objects, operations and permissions, and was found to ease the expression of access control requirements during analysis and design [101].
2.2.6 ISMS and incident learning
As mentioned, ISMS incorporate the typical “Plan-Do-Check-Act” (PDCA) cycle. Incident learning is viewed as a resource that can be used to improve procedures and policies and to implement new controls [5], which involves every step of the ISMS. However, incident learning is not given much attention in the research literature [5]. An exploratory case study conducted in a large global financial services organisation shows that the practice of incident response frequently does not result in improvements to strategic security processes such as policy development and risk assessment. The key learning notes are not effectively fed back into security processes, management structure, policies, procedures and risk assessment [6]. There is a gap between learning from security incidents and the ISMS: the learning is not translated into improvements of the ISMS. Section 2.3 examines incident learning from the perspective of the security incident management lifecycle.