In today’s data- and information-heavy age, it’s critical to secure your organization's valuable content, such as videos, documents, customer data, and account information. Information security management safeguards that content, protecting it from third parties while ensuring the right people have access. An information security management system (ISMS) keeps your content secure and prepares you to respond if a breach does happen.
You need to follow certain standards and protocols when implementing an ISMS, and these standards can help streamline creating a system. If your organization doesn't yet have an ISMS, read on to find out what's involved in creating one and what you need to put one into place.
Information security management refers to the approach your company takes to maintain the CIA triad of information security:
- Confidentiality: Private content needs to be kept private, away from third parties who might try to sell it or otherwise use it for personal gain — passwords, encryption, and user controls are ways to maintain the confidentiality of your content
- Integrity: If a third party does access your content, you need to be sure they can't change it or alter it beyond recognition; ensuring your content's confidentiality helps protect its integrity, as does being able to revert to previous versions if you suspect something has been tampered with
- Availability: Your content needs to be accessible to the people who use it, so ensuring availability is another important part of the CIA triad; maintain availability by creating backups of content and making sure users have the correct permissions assigned to them
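The integrity bullet above says you should be able to detect that content was altered and revert to a previous version. The following Python example, added here and not part of the original article or of any Box product, shows the mechanism behind that: a ledger of committed revisions, each fingerprinted with SHA-256 at commit time and kept apart from the working copy, so that an out-of-band change to the working copy is detected and the last trusted content restored. The document name and the CSV content are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Revision:
    """One committed revision of a document and its SHA-256 fingerprint."""
    number: int
    content: bytes
    sha256: str


@dataclass
class IntegrityLedger:
    """Trusted record of every committed revision, kept apart from the working copy.

    Fingerprints are recorded at commit time, so a later change made to the
    working copy without going through commit() no longer matches the ledger.
    """
    name: str
    revisions: list = field(default_factory=list)

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def commit(self, content: bytes) -> Revision:
        rev = Revision(len(self.revisions) + 1, content, self.fingerprint(content))
        self.revisions.append(rev)
        return rev

    def latest(self) -> Revision:
        return self.revisions[-1]

    def verify(self, working_copy: bytes) -> bool:
        """True when the working copy still matches the latest committed fingerprint."""
        return self.fingerprint(working_copy) == self.latest().sha256

    def restore(self, working_copy: bytes):
        """Return (tampered, trusted_content).

        If the working copy is intact it is returned unchanged; otherwise the
        last committed content is returned so the caller can roll back.
        """
        if self.verify(working_copy):
            return False, working_copy
        return True, self.latest().content


def demo():
    """Constructed scenario: two legitimate commits, then an out-of-band edit."""
    ledger = IntegrityLedger("customer-list.csv")   # assumed document name
    ledger.commit(b"id,name\n1,Alice\n")
    ledger.commit(b"id,name\n1,Alice\n2,Bob\n")
    # The working copy is altered without a commit, e.g. by an intruder or a bug.
    altered_copy = b"id,name\n1,Alice\n2,Mallory\n"
    return ledger.restore(altered_copy)


if __name__ == "__main__":
    tampered, content = demo()
    print("tampered:", tampered)
    print(content.decode())
```

The point of the design is separation: the ledger (the "previous versions") must live somewhere the party who can alter the working copy cannot also rewrite, otherwise the fingerprints can be updated along with the content and the check proves nothing.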
What does ISMS stand for?
ISMS stands for information security management system. An ISMS includes the policies and procedures your organization puts into place to safeguard the CIA triad, reduce risk, and keep your business operating if a breach happens. How narrow or comprehensive an ISMS is depends on the type and amount of data you need to protect. Generally speaking, an ISMS is built on six pillars:
1. Strategic planning
Your business needs a solid strategy to minimize risk and protect its content. A strategic plan is part of ensuring the strength of the CIA triad.
2. Governance, risk, and compliance
This pillar ensures that your information security processes match your organization's goals. It also lets you keep up with compliance and guidelines that might change regularly while reducing risk.
3. Security controls
Security controls might be at the heart of your company's ISMS. Controls are measures you put into place to reduce risks such as unauthorized access or theft. They can be preventive, meaning they stop incidents from occurring; corrective, meaning they fix issues; or detective, meaning they spot incidents or issues in progress or that have already happened.
4. Third-party risk management
Third-party risk management gives you some control over the actions of others that might impact your content or company as a whole. For example, a third-party software company could increase your risk of a data breach, or the actions of a vendor you work with could affect your company's reputation.
5. Security program management
Your company's security program is all of the policies, activities, processes, and projects that go into the ISMS. The goal of the program should be to maintain the CIA triad.
6. Audit management
Audit management allows your organization to perform audits quickly and easily. With an audit management program in place, you can rapidly detect risks and adequately respond to threats.
The International Organization for Standardization (ISO) publishes a standard, ISO 27001, that outlines the requirements for an ISMS. When your organization follows ISO 27001, you can ensure your content's security, including employee information, intellectual property, third-party content, and financial information. ISO 27001 is the only standard of its kind that's internationally recognized and certifiable. Your company might consider becoming ISO 27001 certified to demonstrate that you have an effective ISMS in place.
ISO 27001 outlines the controls and management systems a company needs to be certified. There are over 100 controls listed in the standard, each of which is designed to help your company detect, manage, and treat risk. The controls are divided into 14 groups and 35 categories. An earlier version of the standard required the controls for certification, but the updated version removes the requirement.
Some of the controls include:
- Supplier relationships
- Physical and environmental security
- Operational security
- Information security policies
The management system clauses in the standard are meant to help your company implement an ISMS, maintain it, and improve it.
Why is an ISMS important?
Imagine what would happen if an unauthorized third party got access to your company's content. If a hacker gets ahold of your customer list or information, they can steal your clients' identities or sell that information to another party. If an unauthorized user finds your company's plans for its next big product, they could steal those plans and build the product before you do or sell the plans to the highest bidder.
Data breaches and content theft can harm individuals or the company as a whole. Information theft can also hurt your company's reputation. If your content is altered, it could affect the quality of the service or products you offer, also damaging your reputation.
An ISMS aims to prevent or stop unauthorized access, protect your content's integrity, and ensure that the right people have access to it. Your company needs an ISMS to minimize risks and keep one step ahead of potential hackers and thieves. Depending on your company's industry, an ISMS might be required to comply with regulations.
Who is involved in information security management?
Information security management should be a company-wide project. Success with an ISMS requires buy-in from executives, human resources, the IT team, the finance department, and the customer service team. Your company's culture should stress the importance of information security and focus on handling your content securely. Here's what that might look like across departments:
Executive and C-suite level
At the executive level, there should be at least one individual, such as a chief security or chief technology officer, responsible for overseeing the ISMS and making sure the system meets standards and complies with applicable regulations. The executive should communicate with other C-suite team members to stress the importance of the ISMS and encourage compliance.
Human resources
The HR department plays a significant role in communicating expectations to employees and new hires. Information security should be part of the training and onboarding process for new employees so they understand the importance of various rules and know what is expected of them. For example, HR can stress not bringing confidential content home or installing unapproved software onto company devices.
Information technology
The IT department creates the policies and safeguards that serve as the backbone of the company's ISMS. The department can also monitor employee behavior, detect unusual activity, and intervene when someone tries to install an unauthorized product on company hardware. IT can block certain sites or prohibit certain downloads to help protect a company's content.
Finance
The finance department handles a lot of confidential information, from your company's bank account information to customers' private data. It needs to understand the processes and policies in place to keep that content secure. This department also likely has to ensure that it follows regulations to protect financial data and minimize fraud.
Customer service
Your company's customer service team is the first department customers interact with when they have a concern or if a breach does happen. They need to be kept up to date on your ISMS so they can respond to concerns or issues rapidly. Having an informed and competent customer service department can protect your company's reputation or build it back up after a data breach or security issue.
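The security controls pillar above distinguishes preventive, detective, and corrective controls, and the IT department paragraph describes monitoring for unusual activity and unauthorized software installs. The Python example below, added here and not code from the original article or from Box, shows what the first two control types look like in practice: an allowlist decision an endpoint agent would enforce before an install (preventive), and detection logic run over endpoint log lines that flags unapproved installs and activity outside business hours (detective). The log format, the sample lines, the approved-software list, and the business-hours window are all constructed assumptions for this example.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from any real system). Assumed format:
# "<ISO timestamp> host=<name> user=<name> event=<type> detail=<text>"
SAMPLE_LOG = """\
2024-03-04T09:12:01 host=wks-17 user=alice event=install detail=approved-vpn-client
2024-03-04T13:40:22 host=wks-22 user=bob event=install detail=bittorrent-client
2024-03-04T23:58:09 host=wks-22 user=bob event=login detail=interactive
2024-03-05T02:15:43 host=srv-fin-01 user=carol event=download detail=customer-export.csv
2024-03-05T10:03:30 host=wks-05 user=dave event=install detail=approved-vpn-client
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) detail=(?P<detail>.*)$"
)

# Preventive control: only software on this (assumed) allowlist may be installed.
APPROVED_SOFTWARE = {"approved-vpn-client", "office-suite"}
# Assumed policy: interactive logins and bulk downloads are expected 08:00-18:59.
BUSINESS_HOURS = range(8, 19)
SENSITIVE_EVENTS = {"login", "download"}


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_permitted_install(software):
    """Preventive control: the decision an endpoint agent enforces before installing."""
    return software in APPROVED_SOFTWARE


def detect(log_text):
    """Detective control: return (rule, user, host, timestamp) findings from the log."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # malformed lines are skipped rather than crashing the monitor
        if rec["event"] == "install" and not is_permitted_install(rec["detail"]):
            findings.append(("unapproved_install", rec["user"], rec["host"],
                             rec["ts"].isoformat()))
        if rec["event"] in SENSITIVE_EVENTS and rec["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours_activity", rec["user"], rec["host"],
                             rec["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for rule, user, host, ts in detect(SAMPLE_LOG):
        print(f"{ts} {rule}: user={user} host={host}")
```

A corrective control would be whatever the findings feed into, such as opening a ticket or removing the unapproved package; the detection output is deliberately a plain list so it can be handed to that step. Note that the after-hours rule is a heuristic and will produce false positives for legitimate shift work, which is why findings should be reviewed rather than acted on automatically.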
Information security management across industries
If your company has content that it wants to protect, an ISMS is a must-have, no matter what industry you are in. Although vital for all businesses, an ISMS is particularly critical for industries with compliance regulations and reporting requirements. For example, healthcare content that pertains to patients needs to follow the Health Insurance Portability and Accountability Act (HIPAA). Companies in the financial industry need to protect their content following the Payment Card Industry Data Security Standard or requirements from the Financial Industry Regulatory Authority (FINRA).
What is the Federal Information Security Management Act?
The Federal Information Security Management Act (FISMA) was first passed in 2002 and was updated in 2014. FISMA is a risk management framework that protects government information by outlining standards and regulations. Initially, the act applied only to federal agencies, but its scope has since expanded and now covers state agencies and private companies that have contracts with the government.
The act created a method to reduce data security risks for the government while also improving the cost-effectiveness of information security. To comply with FISMA, federal agencies and other qualified agencies or companies need to develop information security management programs. The programs need documentation and an implementation plan. Additionally, the act requires an annual review of an agency's or company's information security program. The review results get sent to the Office of Management and Budget (OMB), which produces annual reports for Congress.
An update, the Federal Information Security Modernization Act of 2014 or FISMA 2014, solidifies the Department of Homeland Security (DHS) role in implementing security policies. DHS also oversees compliance and works with the OMB to develop security policies.
Under FISMA 2014, the DHS can offer technical and operational assistance to Executive Branch civilian agencies at their request. If agencies request it, the act allows them to use DHS technology on their networks. The updated act also requires major information security incidents and data breaches to be reported to Congress. Incidents should be reported both when they happen and annually.
Federal and state agencies or private companies that work with the government can take several steps to ensure compliance with FISMA. The steps include:
1. Choosing baseline controls
All federal information security management systems need to meet certain requirements, which can be established with baseline controls and vary based on the ISMS and the agency.
2. Categorizing risk
Agencies need to determine the level of risk present and decide how to establish their ISMS to provide the most appropriate security level.
3. Documenting controls
Agencies need to keep an inventory of all their controls and document how the ISMS and networks interact.
4. Refining controls
A risk assessment allows an agency to refine controls and determine if the controls in place meet its security needs.
5. Conducting security reviews
Agencies need to conduct a security review annually, especially if they want to be certified or maintain certification.
6. Monitoring controls
Regular security control monitoring ensures controls are adequate and allows agencies to respond to incidents quickly. If agencies make a change, they need to document the change.
What are information security policies?
Information security policies are the procedures and rules an organization creates to ensure all content meets IT security management requirements. The policies should also ensure all users who have access to a company's content know the rules and regulations.
The goals of an information security policy usually include:
- Creating and documenting security measures
- Controlling user access to content
- Safeguarding the organization's reputation
- Ensuring compliance with regulations and laws
- Protecting confidential content and data, including customer information
- Creating a method of response in case of threats, data breaches, or other incidents
- Creating an acceptable use policy and ensuring enforcement of the policy
Generally, the scope of an information security policy should be broad. The policy should cover all content and information created or owned by a company. The content can be digital, stored in the cloud, or stored in on-premise servers. It can also be physical, such as paper files, DVDs, hard drives, and portable drives stored in filing cabinets or offices.
An organization's content is usually classified under an information security policy based on risk or access level. Classifications might include:
- High-risk restricted: Restricted data is protected by regulations such as HIPAA or the Family Educational Rights and Privacy Act (FERPA) and can also include data that contains private personal financial information
- Confidential: Authorization is needed to view and access confidential content, but the data itself might not fall under legal or regulatory restrictions
- Public: Anyone can view or access public content
What is an information security management framework?
An information security management framework is a standard designed to protect companies' data against vulnerabilities. Several types of frameworks exist, such as ISO 27001. The framework that makes the most sense for your organization depends on your industry and the security scope you need. ISO 27001 is considered the gold standard, but other ISM frameworks include:
NIST SP 800-53
Special Publication 800-53 was created by the National Institute of Standards and Technology (NIST) in 1990. The goal of the framework is to help federal agencies adopt Federal Information Processing Standards. It details best practices for information security. Although it was designed for the federal government, many private companies have adopted NIST SP 800-53.
Payment Card Industry Data Security Standard (PCI DSS)
Created by five big credit card companies, this framework aims to prevent credit card fraud. It was first introduced in 2004.
Control Objectives for Information and Related Technologies (COBIT)
COBIT was created by the Information Systems Audit and Control Association (ISACA) for use in the financial industry.
Health Information Trust Alliance (HITRUST)
HITRUST was developed to provide clear information security guidelines to healthcare organizations. The framework aimed to make HIPAA compliance easier. Although it was designed specifically for use in the healthcare industry, companies in any industry can use HITRUST, particularly industries with strict regulatory requirements.
How to implement an information security management system
You have several options for implementing an ISMS, but one of the most commonly used methods is a Plan-Do-Check-Act (PDCA) cycle. A PDCA cycle helps organizations make a change, such as introducing an ISMS. Your company can also use PDCA when it wants to improve something or when it needs to identify or determine the cause of a problem. When you use it to implement an ISMS, a PDCA cycle might look something like this:
During the Plan part of the process, you identify the issue and get buy-in from all relevant parties, including executives and different departments. At this phase, you start to put together the ISMS. That can mean deciding on a content platform to use and choosing controls such as encryption or password protection. As you plan, you'll consider the resources you have available as well as the resources you'll need for the success of the ISMS.
During the Do phase of the cycle, you put the plan into practice. You might begin using the Box Content Cloud or the various controls you've established. Often, it's best to start small. You might test out the Do phase in a single department and gauge reaction. Starting small lets you identify and fix issues during the next phase of the cycle.
Once you implement your plan, you have to evaluate how it's working. At the Check phase, you verify that the plan worked. If it didn't, you can zero in on weak areas and decide how to correct them.
The Act phase occurs after you've gone back to the initial plan and made any needed changes based on what you discovered in the previous phase. Once you get to the Act phase, you put the plan into action in all departments or roll out your policies company-wide.
PDCA is a cycle, so it's meant to be repeated. It can also help your company continually improve, which means you might frequently find yourself back at the Plan phase. Since technology constantly evolves and the methods hackers use are constantly changing, keeping your ISMS updated through a PDCA cycle allows you to stay one step ahead at all times.
Get started with Box
Securing your company's data and content is a critical component of an ISMS. The Box Content Cloud provides frictionless security, with features such as AES 256-bit encryption and access controls to limit and manage who can see and access your content. Other Box products such as Box Shield help you prevent data leaks, and Box Governance allows you to create policies that put you in full control of your content.
Box is designed with vertical security and compliance features across:
- All industries with FLSA, OSHA, SOX (1,2,3), PCI DSS, IRS with NIST 800-53 and FIPS 140-2, and TLS
- Financial services with FINRA and MiFID II
- U.S. federal government with FedRAMP, DoD Cloud SRG, ITAR/EAR, and NIST 800-171/DFARS
- U.S. healthcare with HIPAA and HITECH
- Life sciences with GxP
67% of the Fortune 500 rely on Box for content management and security. To see the benefits of using Box for yourself, get started on a free trial today.
**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.