bcs-ismp-bk-en-GB March 30, 2010 - 08:51 86
Information Security Management Principles
The need to link with business planning and risk management and audit
The aim of an Information Assurance programme should be to reduce information risk within the enterprise. As we have seen throughout this section, Information Assurance planning and implementation processes should not work in isolation. To be effective an implementation programme needs to understand the enterprise's business objectives and goals so that it can identify the appropriate assurance control measures to ensure that the enterprise is sufficiently protected to meet these goals.
Information Assurance implementation programmes need to work closely with other organisational and assurance processes to manage risk to an acceptable level. The risk management process should provide awareness and understanding of the risks faced by the enterprise and identify where risks are not being managed effectively. The outputs from risk assessments should determine what controls should be implemented and assess how urgently they need to be addressed.
Similarly, assurance governance processes will identify where existing controls are inadequate and where improvements need to be made. This may be through the reporting of assurance breaches or via auditing or testing of security controls. Governance processes will also determine changes in regulatory or legal requirements that may require additional controls to be put in place.
All implementation programmes should support the enterprise's Information Assurance policies, security strategy and security architecture. All security controls should support its long-term vision for Information Assurance and should be seen to add value or business benefit to the organisation.
Miss Peacock is very pleased with the work that you have done so far on Information Assurance and has given you a budget to implement some additional access controls within GANT. How would you approach this?
This section covers the general principles of the law in relation to Information Assurance management. This will cover a broad spectrum from the assurance implications on compliance with legal requirements affecting business (e.g. international electronic commerce) to laws that directly affect the way information can be monitored and copied. It will also make reference to certain pieces of legislation to explain concepts and highlight the legislative variances between separate countries.