Implementation of Information Security Management System
In its original meaning, information (orig. in-formatio) refers to the act of formation, imprinted shape or form, which can be figuratively understood as a creation of mind and therefore as learning and education. From here it is a small step to the meaning, which is in common use nowadays, where information is understood as a knowledge to be transferred.
Modern, information society, we live in today, is based on acquisition, dissemination and use of information. Thus, information become highly valuable goods that are a subject of interest, trade and competitive advantage, but on the other hand also a subject of speculation or threat, whereas information can be endangered not only by people themselves, but sometimes also by imperfectly functioning technologies they created. Moreover, another important aspect is the Nature with all the factors that a person is unable to influence and sometimes even correctly predict. Pprotecting information is therefore an important prerequisite for successful functioning of modern society.
If you've just noticed or you are currently solving problems with an increasing number of defects or malfunctions in IT services (leaks or losses of valuable data, problems caused by staff errors, etc. – that is, generally speaking, security incidents), then you may come to a decision to adopt a complex solution of your information system. Then you must consider following issues:
- how (at reasonable cost) to achieve coverage of all areas which is necessary to protect the information address - from the physical security through personal and legislative, to IT security technologies, control of access to information and much more
- how to maintain once-built-up concept in a long-term perspective and, on the best case, with decreasing costs and increasing efficiency; problems typically start at maintenance of procedures and documentation rules to reflect the real operating condition, further problem is simply measuring the state in which they are found in its advance
- how to solve everything at a reasonable depth in a real time – your environment (and the whole world) is a dynamic system in principle, hence it is necessary to respond to changes quickly and without redundant costs
In short, to deal with all needs mentioned above we need a mechanism which is able to control the very complex entity (all IT and other sources, but primarily humans) in accordance with predetermined policies and rules and, in addition, effectively (i.e. with lowest cost) and in a long term perspective (i.e. the ability to adapt to changes of outside conditions as well as to changes inside of the company).
For all the purposes mentioned above, more or less sophisticated management systems are used to protect information nowadays, and such systems have following attributes:
- they are based on the approach of risk assessment
- they have a comprehensive mechanism for the interim analysis, implementation, inspection, maintenance and improvement of information security
- they can provide a systematic prevention of incidents
- they have reliable internal control mechanisms
- they establish enforceable rules and obligations for all stakeholders
A suitable solution is the procedure under a Security standard. In this way, it is possible to achieve required complexity and efficiency, but also to create a good basis for a regular security audit or a possible future certification.
On the basis of our practical experiences in security and on knowledge of the specifics of the Czech and Slovak IT environment, we recomend as a suitable alternative the Information Security Management System (ISMS) as it is defined by international standard ISO / IEC 27001.
In accordance with it we offer a quality information security management system – optimally tailored to your needs.