Unit - 2 Course Materials

Security management is the process of protecting an organization's information, systems, and assets from security threats through risk identification, strategy creation, and control implementation. It encompasses various types including information security, network security, physical security, cyber security, risk management, and compliance management, each contributing to a comprehensive security strategy. Best practices for effective security management include regular risk assessments, employee training, and the development of security policies.
What is security management?

Security management is the process of protecting an organization's information, systems, and assets from security threats. It involves identifying risks, creating strategies to address them, and implementing controls to safeguard data and systems.

Security management is not just about technology. It includes policies, procedures, and employee training to reduce risks and ensure that everyone plays their part in keeping data secure. It is crucial for any business that handles sensitive data or depends on digital systems.

Types of security management

There are several key areas within security management that organizations need to focus on. Each area plays a role in building a comprehensive security strategy.

Here are the main types of security management:

1. Information security management (ISM)

- Purpose: To protect the confidentiality, integrity, and availability of data.
- Key activities: ISM involves risk assessments, implementing security controls, and ensuring compliance with standards like ISO/IEC 27001.
- Importance: It ensures that sensitive data is only accessible by authorized individuals and remains safe from breaches.

2. Network security management

- Purpose: To secure a company's networks from unauthorized access, misuse, or attacks.
- Key activities: This includes configuring firewalls, using intrusion detection systems, and monitoring network traffic.
- Importance: A secure network ensures that cybercriminals cannot infiltrate systems, steal data, or disrupt operations.

3. Physical security management

- Purpose: To protect an organization's physical assets, such as buildings, servers, and employees.
- Key activities: This involves implementing access controls, security cameras, and alarm systems.
- Importance: Physical security complements digital security and prevents unauthorized individuals from gaining physical access to sensitive areas.

4. Cyber security management

- Purpose: To protect digital systems and data from cyber threats.
- Key activities: This involves threat detection, incident response, and implementing security tools like antivirus software and encryption.
- Importance: Cyber security management is critical for defending against malware, ransomware, phishing, and other online threats.

5. Risk management

- Purpose: To identify and prioritize risks and create strategies to minimize them.
- Key activities: This involves identifying risks, assessing their impact, and deciding how to address them.
- Importance: Risk management ensures that organizations focus on the most critical risks and take action to reduce their potential impact.

6. Compliance management

- Purpose: To ensure that the organization meets all legal, regulatory, and contractual requirements.
- Key activities: This involves conducting audits, creating policies, and ensuring compliance with laws like GDPR or industry standards like PCI DSS.
- Importance: Compliance management protects organizations from legal penalties and builds customer trust.

Best practices for security management

To create a strong security management program, organizations should follow these best practices:

1. Conduct regular risk assessments

- Why: Threats change over time, and new risks can emerge. Regular assessments help organizations stay prepared.
- How: Identify potential risks, assess their likelihood and impact, and prioritize actions to mitigate them.

2. Develop security policies and procedures

- Why: Policies guide employee behavior and ensure consistent security practices.
- How: Create policies for password management, data handling, incident response, and more. Ensure employees are trained on these policies.

3. Implement security controls

- Why: Controls help prevent unauthorized access and reduce the risk of attacks.
- How: Use firewalls, intrusion detection systems, multi-factor authentication (MFA), and other security tools.

4. Train employees

- Why: Human error is one of the leading causes of security breaches.
- How: Provide regular training to employees on phishing attacks, password security, and other threats. Make security awareness a part of the company culture.

5. Monitor and audit security systems

- Why: Continuous monitoring helps detect and respond to threats quickly.
- How: Use monitoring tools to track network activity, system logs, and user behavior. Regularly audit security systems to identify weaknesses.

6. Plan for incident response

- Why: Even the best defenses can fail. Having a response plan ensures the organization can recover quickly.
- How: Create an incident response plan that outlines roles, responsibilities, and steps to take during a security breach.

7. Ensure compliance with standards

- Why: Compliance protects organizations from legal penalties and builds customer trust.
- How: Identify relevant regulations and industry standards, such as ISO 27001, GDPR, or PCI DSS, and take steps to meet their requirements.

8. Use multi-layered security

- Why: Relying on a single defense is not enough to stop modern threats.
- How: Combine physical security, network security, cyber security, and employee training to create a multi-layered approach.

What Is a Security Policy?

A security policy is a document that outlines the rules and methods an organization uses to protect its data. It includes general security goals and covers specific issues like remote access, acceptable use and data collection. It is used with other documents, like standard operating procedures, to help achieve security goals. The policy explains the strategy and the reasons behind the proposed security measures, while other documents provide information on how to implement them.

Why is a Security Policy Important?

Security policies are a crucial aspect of information security programs. They guide the implementation of technical controls by clarifying senior management's intentions and expectations for security. These policies provide a starting point for security teams to translate these intentions into specific technical actions, ensuring consistent application of security controls.

Security policies help to ensure that all individuals are applying the same standards. They outline what is considered appropriate and inappropriate behavior, such as using company devices for personal use or sharing passwords. They are also used to establish how compliance is monitored and enforced.

Documented security policies are required by regulations such as GDPR, CCPA, HIPAA, SOX, PCI-DSS, and so on. Even when not explicitly mandated, security policies are necessary for organizations to meet strict security and data privacy requirements. Furthermore, well-designed security policies enhance organizational efficiency by promoting consistency, avoiding duplication of effort, and providing clear guidance for policy exceptions. Ultimately, they help organizations meet their business objectives.

What Are the Three Types of Security Policies?

There are three types of security policies outlined by NIST:

1. Program policies: Program policies are high-level blueprints that guide an organization's information security program.
2. Issue-specific policies: Issue-specific policies provide concrete guidance on specific issues.
3. System-specific policies: System-specific policies are the most detailed and focus on specific systems or computers.

These policies are created by senior management with input from IT and security teams.

The Core Components of an Effective Security Policy

Since security policies play a vital role in your information security program, they must be carefully crafted, implemented, and enforced. A well-designed security policy should include the following components:

- Clear goals and objectives: To help employees understand the importance of information security, program policies should have a clear mission statement or purpose at the top level.
- Clearly defined scope and applicability: Every security policy should clearly define who it applies to, whether based on geographic region, business unit, job role, etc.
- Endorsement from senior management: Ideally, security policies should communicate intent from senior management in order to gain support and ensure successful implementation, communication, and enforcement.
- Procedures for enforcement: Security policies should have mechanisms for enforcement to prevent non-compliance. Instead of aiming for perfection, security policies should be realistic and not overly burdensome, to encourage adoption.
- A glossary of important terms: Considering that not all employees are technically inclined, it is helpful to use concise, jargon-free language. Any technical terms should be clearly defined for better understanding.
- Acceptable level of risk: Each organization's management must determine the acceptable level of risk. Consequently, security policies should align with the organization's risk appetite and cover relevant topics accordingly.
- Protocols for updating the policy: Regular reviews and updates are essential for maintaining the effectiveness of security policies. While the program or master policy may not require frequent changes, issue-specific policies should be updated as technology, workforce trends, and other factors evolve. New policies may also be necessary over time, such as BYOD and remote access policies that have become common in recent years.

What Is a Risk Management Framework?

Information security risk management (ISRM) frameworks provide guidelines and best practices to develop and implement a comprehensive program. They are a shortcut, allowing you to formulate a plan without doing everything from scratch. Additionally, some industries require organizations to adopt a standardized framework for external audits and certification.

ISO 27001 and the NIST Cybersecurity Framework are the most frequently
used cybersecurity frameworks. NIST operates under the U.S. Department
of Commerce, whereas ISO is an international standards organization.
NIST's CSF cannot undergo certification or auditing, whereas ISO 27001
can. Furthermore, NIST provides its resources for free, while ISO 27001
comes with associated costs. Both are valuable tools, and the best
framework for you will depend on your specific needs and requirements.

Backup and disaster recovery are essential to any ISRM program. Data breaches and power outages can permanently erase your data, damage your reputation, and cost you money—unless you have a backup and a disaster recovery plan.

The Four Stages of ISRM

ISRM is a linear process. You must complete each stage to move on to the next. Here are the four stages of information security risk management:

1. Identification

The first step of ISRM is to identify all the organization's assets, vulnerabilities, threats, and controls.

- Assets: These include physical equipment like servers, laptops, and mobile devices and digital assets like data, software, and intellectual property.
- Threats: Threats are actors or events that could exploit vulnerabilities and harm assets. Threats can be internal (e.g., malicious insiders) or external (e.g., hackers, cybercriminals, natural disasters).
- Vulnerabilities: Vulnerabilities are weaknesses present in assets that threats could exploit. Vulnerabilities can be technical (software bugs, security configuration flaws) or procedural (no strong password policy, lack of training).
- Controls: These are the measures that organizations implement to mitigate risks. They can be preventive, like firewalls, or detective, like security monitoring and log reviews.

2. Assessment

Once you have identified all assets, vulnerabilities, threats, and controls, you can assess the risks. This process involves:

- Identifying the likelihood and impact of each risk: Likelihood is the probability of the risk occurring, while impact is the severity of the consequences if it does occur.
- Prioritizing risks: Not all risks are equal. Some are more likely to happen and have a greater impact. Prioritize risks so you can focus resources on mitigating the most critical.

Here is a common risk assessment equation:

Risk = Likelihood * Impact

To score a risk, you must first assign a numeric value to each factor. For example, you might assess the risk of a data breach as medium likelihood and high impact. On a scale of 1 to 5, that equates to a likelihood of 3 and an impact of 5, giving a risk score of 15.

Note that risk scoring is not a precise science. It is a way of comparing risks and prioritizing mitigation efforts. Your assigned values will depend on your risk appetite and tolerance.
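The scoring and prioritization step above, worked through in code. This is an added illustration, not material from the course notes: the register entries are constructed sample data (the data-breach entry reproduces the 3 x 5 = 15 example), and the rating bands and the tolerance value stand in for a risk appetite that each organization must set for itself.

```python
"""Risk scoring and prioritisation on the page's Likelihood x Impact scale.

Added illustration, not code from the course material. The register below
is constructed sample data; band boundaries and the tolerance value are
assumptions standing in for an organisation's own risk appetite.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # the 1-to-5 scale the text uses for both factors


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        # Reject values outside the agreed scale so scores stay comparable.
        for value in (self.likelihood, self.impact):
            if value not in SCALE:
                raise ValueError(f"{self.name}: factor {value} outside 1..5 scale")


def score(risk: Risk) -> int:
    """Risk = Likelihood * Impact, exactly as in the text (maximum 25)."""
    return risk.likelihood * risk.impact


def band(value: int) -> str:
    """Translate a raw score into a rating band (assumed band boundaries)."""
    if value >= 15:
        return "high"
    if value >= 8:
        return "medium"
    return "low"


def prioritise(register: list[Risk]) -> list[tuple[Risk, int, str]]:
    """Order the register so the most critical risks come first.

    Ties on score are broken by impact: a high-impact event deserves
    attention before an equally scored but lower-impact one.
    """
    return sorted(
        ((r, score(r), band(score(r))) for r in register),
        key=lambda row: (row[1], row[0].impact),
        reverse=True,
    )


def needs_treatment(register: list[Risk], tolerance: int) -> list[Risk]:
    """Risks scoring above the stated tolerance need an explicit treatment plan.

    ``tolerance`` is the highest score the organisation accepts without
    further action (an assumption representing its risk appetite).
    """
    return [r for r in register if score(r) > tolerance]


# Constructed register; the first entry is the text's own example
# (medium likelihood = 3, high impact = 5, score 15).
SAMPLE_REGISTER = [
    Risk("Data breach via stolen credentials", likelihood=3, impact=5),
    Risk("Ransomware on file servers", likelihood=2, impact=5),
    Risk("Phishing of finance staff", likelihood=4, impact=3),
    Risk("Laptop lost in transit", likelihood=3, impact=2),
    Risk("Office power outage", likelihood=2, impact=2),
]

if __name__ == "__main__":
    for risk, value, rating in prioritise(SAMPLE_REGISTER):
        print(f"{value:>2} {rating:<6} {risk.name}")
    above = [r.name for r in needs_treatment(SAMPLE_REGISTER, tolerance=9)]
    print("Above tolerance (9):", above)
```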

3. Treatment

Once you have assessed the risks, you can develop and implement risk treatment plans. The main types of risk treatment are:

- Remediation: Remediation involves eliminating the underlying vulnerability that is creating the risk. For example, you might remediate a risk by patching a software vulnerability or implementing a new security control.
- Mitigation: Mitigation involves reducing the likelihood or impact of a risk. For example, you can mitigate risk by implementing a business continuity plan or educating employees on cybersecurity best practices.
- Transference: Transference involves transferring the risk to another party. For example, you can purchase cyber insurance to transfer the financial risk of a data breach.
- Acceptance: Acceptance involves making a conscious decision to accept the risk. This strategy may be appropriate for risks that are low in likelihood or impact, or for risks that are too costly or difficult to mitigate.
- Avoidance: Avoidance involves eliminating the risk by changing processes, technologies, or practices. For instance, discontinuing the use of a vulnerable software application.

4. Monitoring & Reporting

Information security risk management is a continuous process. You must monitor risks and update treatment plans regularly because new assets, vulnerabilities, threats, and controls are constantly emerging.

Another critical aspect of effective cybersecurity risk management is the reporting process. It includes creating detailed reports, presentations, or dashboards that convey complex information in a format understandable to non-technical stakeholders.

Risk management reporting ensures that those responsible for governance, oversight, and compliance are well-informed and can make decisions that align with the organization's security objectives.

Process Ownership in Information Security Risk Management

Information security risk management is a collaborative process that involves many participants. Without clear ownership, assets and risks tend to be neglected. People assume somebody else is responsible for a task, leading to inaction. On the other hand, clearly assigning responsibility ensures the protection of vital assets.

Within an ISRM framework, the following stakeholders play different parts. While their roles are connected, ISRM benefits from their responsibilities being clearly delineated and understood:

Process Owners

A business process is a series of interconnected activities and tasks an organization takes to achieve a specific goal or outcome.

Process owners play a critical role in ISRM because they have the deepest understanding of the risks they face. They are also in the best position to implement and maintain security controls and to monitor their effectiveness.

Example

A software development team lead is a process owner. Their focus is the overall success of their team and the organization's software development process. However, they work closely with asset owners to assess risks to the team's code and develop and implement risk mitigation strategies.

For example, they can implement security measures such as code reviews to reduce the risk of vulnerabilities in the code the team produces.

Asset Owners

Asset owners are responsible for managing and protecting an organization's assets, which include information, infrastructure, and other valuable resources. While teams can assume the role of an asset owner, it's generally more effective to designate an individual for this responsibility.

Example

An asset owner, such as a high-ranking system administrator, is responsible for the overall performance of the organization's IT infrastructure.

Their duties include identifying, evaluating, and mitigating risks to servers and networks, whether autonomously or under the supervision of the risk owner. For example, they could implement or expand role-based access controls to diminish the risk of unauthorized data access.

Risk Owners

Risk owners are responsible for effectively implementing risk management activities, including identifying and assessing potential risks, developing risk mitigation plans, and monitoring the progress of risk treatment plans.

For each identified risk, multiple personnel may be involved in its management, including subject matter experts, project managers, and other members of the organization's risk management team. These individuals work closely with the risk owner to implement mitigation measures and monitor the progress of treatment plans.

Example

The head of the IT department epitomizes the role of a risk owner. Given their leadership position, they possess the authority to oversee the organization's risk management landscape and the capacity to delegate responsibilities.

Their role in risk management is to oversee the development and implementation of the IT security policy. Additionally, they allocate resources to initiatives, monitor the effectiveness of the information security program, and report on the organization's security posture to senior management and the board of directors.

Security ethics and best practices:

Information Security Ethics

1. Confidentiality: Protect sensitive information from unauthorized access.

2. Integrity: Ensure the accuracy and completeness of information.

3. Availability: Ensure information is accessible and usable when needed.

4. Authenticity: Verify the identity of users and systems.

5. Non-Repudiation: Ensure that senders cannot deny sending a message.

Best Practices

1. Use Strong Passwords: Use unique, complex passwords for all accounts.

2. Keep Software Up-to-Date: Regularly update operating systems, software, and plugins.

3. Use Encryption: Use encryption to protect sensitive data in transit and at rest.

4. Use Two-Factor Authentication: Use two-factor authentication to add an extra layer of security.

5. Regularly Back Up Data: Regularly back up critical data to prevent losses.

6. Use Secure Communication Protocols: Use secure communication protocols like HTTPS and SFTP.

7. Monitor Systems and Networks: Regularly monitor systems and networks for security threats.

8. Implement Incident Response Plans: Develop and implement incident response plans to respond to security incidents.

Information Security Principles

1. Defense in Depth: Implement multiple layers of security controls.

2. Least Privilege: Grant users the minimum privileges necessary.

3. Separation of Duties: Divide tasks among multiple individuals to prevent unauthorized access.

4. Need-to-Know: Limit access to sensitive information to those who need it.

Information Security Standards

1. ISO 27001: International standard for information security management.

2. NIST Cybersecurity Framework: Framework for managing and reducing cybersecurity risk.

3. PCI DSS: Standard for securing payment card data.

4. HIPAA: Standard for securing protected health information.

Security Laws

1. General Data Protection Regulation (GDPR): EU law regulating data protection and privacy.

2. Health Insurance Portability and Accountability Act (HIPAA): US law regulating healthcare
data security and privacy.

3. Payment Card Industry Data Security Standard (PCI DSS): Global standard for securing
payment card data.

4. Gramm-Leach-Bliley Act (GLBA): US law regulating financial institution data security and
privacy.

5. California Consumer Privacy Act (CCPA): US state law regulating consumer data privacy.

Security Standards

1. ISO 27001: International standard for information security management.

2. NIST Cybersecurity Framework: US framework for managing and reducing cybersecurity risk.

3. COBIT: International framework for IT governance and management.

4. PCI DSS: Global standard for securing payment card data.

5. SOC 2: US standard for service organizations' security and privacy controls.

Industry-Specific Standards

1. HIPAA: Healthcare industry standard for data security and privacy.

2. PCI DSS: Payment card industry standard for data security.

3. NERC CIP: North American electric utility industry standard for cybersecurity.

4. FDA 21 CFR Part 11: US pharmaceutical industry standard for electronic records and signatures.

Cyber security Frameworks

1. NIST Cybersecurity Framework: US framework for managing and reducing cybersecurity risk.

2. Cybersecurity Maturity Model (CMM): Framework for assessing and improving cybersecurity
maturity.

3. ISO 27001: International standard for information security management.

Compliance Regulations

1. GDPR: EU regulation for data protection and privacy.

2. CCPA: US state regulation for consumer data privacy.

3. HIPAA: US regulation for healthcare data security and privacy.

4. PCI DSS: Global regulation for securing payment card data.

Security assurance

Security assurance is an umbrella term for several processes aimed at ensuring individual system components can adequately protect themselves from attacks. Doing so requires not just a one-time effort, but actually spans the complete system lifecycle. After all, what is considered an acceptable security posture may change over time depending on, for example, newly emerging threats or changes to how the system itself is utilized.

We summarize the key processes that should be part of every security assurance program as follows:

1. Security Hardening
2. Security Testing
3. Vulnerability Management

In the remainder of this article, let’s take a closer look at what these
individual processes entail.

Security Hardening

Security hardening describes the minimization of a system's attack surface and proper configuration of security functions. The former may be achieved by disabling unnecessary components, removing superfluous system accounts, and closing any communication interfaces not in use – just to name a few. The latter configuration task focuses on security controls within the system itself and ensures that these can perform their functions as intended. This can include the configuration of host-based firewalls, intrusion detection/prevention capabilities, or operating system controls, such as SELinux.

Security hardening is particularly important before a system is deployed, but should be verified regularly thereafter to confirm that the system still meets the defined hardening standard in the context of its current operating environment.
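One way to make the "verify regularly" step concrete: express the hardening standard as data and diff a host snapshot against it, covering both halves described above (attack surface: services, ports, accounts; security functions: required settings). This is an added example, not code from the course material; the baseline, the snapshots and the setting keys such as `selinux.mode` are constructed labels, and a real deployment would feed in a snapshot gathered by inventory or configuration-management tooling.

```python
"""Check a host snapshot against a defined hardening standard and report drift.

Added illustration, not code from the course material. The standard and both
snapshots are constructed inline; the setting keys are assumed labels, not
the real configuration-file keys of any particular product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HardeningStandard:
    allowed_services: frozenset        # services that may be enabled
    allowed_ports: frozenset           # listening TCP ports that may be open
    forbidden_accounts: frozenset      # superfluous accounts that must be absent
    required_settings: dict            # security-function configuration


@dataclass(frozen=True)
class HostSnapshot:
    enabled_services: frozenset
    listening_ports: frozenset
    accounts: frozenset
    settings: dict


@dataclass(frozen=True)
class Finding:
    category: str   # "service", "port", "account" or "setting"
    detail: str


def check_host(std: HardeningStandard, host: HostSnapshot) -> list:
    """Return one Finding per deviation from the standard (empty list = compliant).

    Attack-surface checks come first, then security-function checks, each in
    sorted order so that repeated runs produce a stable, diffable report.
    """
    findings = []
    for svc in sorted(host.enabled_services - std.allowed_services):
        findings.append(Finding("service", f"unnecessary service enabled: {svc}"))
    for port in sorted(host.listening_ports - std.allowed_ports):
        findings.append(Finding("port", f"unexpected listening port: {port}"))
    for acct in sorted(host.accounts & std.forbidden_accounts):
        findings.append(Finding("account", f"superfluous account present: {acct}"))
    for key, wanted in std.required_settings.items():
        actual = host.settings.get(key)   # None if the control is missing entirely
        if actual != wanted:
            findings.append(Finding("setting", f"{key}={actual!r}, expected {wanted!r}"))
    return findings


def is_compliant(std: HardeningStandard, host: HostSnapshot) -> bool:
    return not check_host(std, host)


# Constructed standard for an internet-facing web host.
BASELINE = HardeningStandard(
    allowed_services=frozenset({"sshd", "chronyd", "auditd", "firewalld", "nginx"}),
    allowed_ports=frozenset({22, 443}),
    forbidden_accounts=frozenset({"games", "ftp", "guest"}),
    required_settings={
        "sshd.PermitRootLogin": "no",
        "selinux.mode": "enforcing",
        "firewalld.default_zone": "drop",
    },
)

# Constructed snapshot taken at deployment: meets the standard.
DEPLOYMENT_SNAPSHOT = HostSnapshot(
    enabled_services=frozenset({"sshd", "chronyd", "auditd", "firewalld", "nginx"}),
    listening_ports=frozenset({22, 443}),
    accounts=frozenset({"root", "deploy", "nginx"}),
    settings={"sshd.PermitRootLogin": "no", "selinux.mode": "enforcing",
              "firewalld.default_zone": "drop"},
)

# Constructed snapshot months later: drift in both attack surface and controls.
LATER_SNAPSHOT = HostSnapshot(
    enabled_services=frozenset({"sshd", "chronyd", "auditd", "firewalld", "nginx",
                                "telnet", "cups"}),
    listening_ports=frozenset({22, 443, 23, 631}),
    accounts=frozenset({"root", "deploy", "nginx", "ftp"}),
    settings={"sshd.PermitRootLogin": "no", "selinux.mode": "permissive",
              "firewalld.default_zone": "drop"},
)

if __name__ == "__main__":
    for snap_name, snap in (("deployment", DEPLOYMENT_SNAPSHOT), ("later", LATER_SNAPSHOT)):
        print(f"{snap_name}: compliant={is_compliant(BASELINE, snap)}")
        for f in check_host(BASELINE, snap):
            print(f"  [{f.category}] {f.detail}")
```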

Security Testing

Security testing aims to validate a system's security posture by trying to identify any weaknesses or vulnerabilities possibly remaining after security hardening. This activity can take many different forms, depending on the complexity of the system under test and the available resources and skills. In its most basic form, it may comprise an automated vulnerability scan from the outside as well as an authenticated scan from the perspective of a user on the system. More advanced tests would go a step further by analyzing the system's responses and reasoning about communication flows that may afford an attacker a way into the system. Established best practices, such as the OWASP Top 10, can serve as a useful guide here to focus the test activities on the most common vulnerabilities. Beyond that, fully manual tests could dig even deeper, for example by trying to discover vulnerabilities in the system's source code, if available.

Similar to hardening of the system, security testing should also be performed before and during a system's operation. Regular, automated security scans can be a great tool to identify new vulnerabilities early on.

Vulnerability Management

Vulnerability management takes the results of the security tests performed
and attempts to mitigate them. This includes the analysis of each finding (Is
this actually an issue in the context of this system?), prioritization (How big
of an issue is it?), and mitigation (How can it be fixed?). While the last part
should be fairly obvious, the first two are just as essential since it is
important to take a risk-based approach to vulnerability mitigation. No
system will ever be completely free of vulnerabilities, but the goal should be
to avoid the ones that are critical and easily abusable.
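The three questions above (is it an issue here, how big is it, how is it fixed) as a small triage routine. This is an added example, not code from the course material: the findings, their identifiers and the system context are constructed, and the 1-to-5 severity and exploitability scales and the "fix now" threshold are assumptions rather than any scanner's own scoring.

```python
"""Risk-based triage of security-test findings: analysis, prioritisation, mitigation.

Added illustration, not code from the course material. Findings, their IDs
and the system context are constructed; severity/exploitability use an
assumed 1-to-5 scale and the fix threshold is an assumed policy value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str         # constructed label, not a real advisory identifier
    component: str          # software the scanner believes is affected
    severity: int           # 1 (informational) .. 5 (critical)
    exploitability: int     # 1 (theoretical) .. 5 (trivially abusable)
    requires_network: bool  # the issue only matters if the component is reachable
    fix: str                # the mitigation proposed by the scanner or vendor


@dataclass(frozen=True)
class SystemContext:
    installed: frozenset        # components actually present on the system
    network_exposed: frozenset  # subset reachable from untrusted networks


def applies(f: Finding, ctx: SystemContext) -> bool:
    """Analysis: is this actually an issue in the context of this system?"""
    if f.component not in ctx.installed:
        return False   # scanner matched a component this system does not run
    if f.requires_network and f.component not in ctx.network_exposed:
        return False   # the issue's precondition is not met in this deployment
    return True


def priority(f: Finding) -> int:
    """Prioritisation: 'critical and easily abusable' scores highest (max 25)."""
    return f.severity * f.exploitability


def decide(f: Finding, ctx: SystemContext, fix_threshold: int = 12) -> str:
    """Mitigation decision: 'not applicable', 'fix now' or 'track'."""
    if not applies(f, ctx):
        return "not applicable"
    return "fix now" if priority(f) >= fix_threshold else "track"


def triage(findings, ctx: SystemContext, fix_threshold: int = 12) -> list:
    """Applicable findings only, highest priority first, each with its decision."""
    rows = [(f, priority(f), decide(f, ctx, fix_threshold))
            for f in findings if applies(f, ctx)]
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed context: a web host that also runs a local print service.
CONTEXT = SystemContext(
    installed=frozenset({"openssl", "nginx", "cups", "sudo"}),
    network_exposed=frozenset({"openssl", "nginx"}),
)

# Constructed scanner output (IDs and fixes are placeholders).
FINDINGS = [
    Finding("F-1", "openssl", 5, 4, True, "upgrade openssl package"),
    Finding("F-2", "apache-struts", 5, 5, True, "upgrade struts"),      # not installed
    Finding("F-3", "cups", 3, 4, True, "disable remote printing"),      # not exposed
    Finding("F-4", "sudo", 4, 2, False, "apply vendor patch"),          # local-only issue
    Finding("F-5", "nginx", 2, 2, True, "update nginx"),
]

if __name__ == "__main__":
    for f, score, decision in triage(FINDINGS, CONTEXT):
        print(f"{f.finding_id} {score:>2} {decision:<14} {f.component}: {f.fix}")
```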

What is security law?

Security laws, also known as internet laws, cyber laws, or digital laws, are laws that govern the use of the internet and other digital technologies. These laws address a wide range of issues, including intellectual property, privacy, cybercrime, and liability for online activities. Cyber laws vary from country to country, but most countries have laws that address issues such as hacking, identity theft, and online fraud.
There are several key security laws that govern online activity and protect individuals and
organizations from cybercrime. Some of the most important laws include:
1. The Computer Fraud and Abuse Act (CFAA): This law criminalizes unauthorized access
to computer systems and networks, as well as unauthorized access to sensitive information
stored on those systems.
2. The Electronic Communications Privacy Act (ECPA): This law regulates the interception
and disclosure of electronic communications, including email and text messages.
3. The Health Insurance Portability and Accountability Act (HIPAA): This law regulates
the use and disclosure of protected health information (PHI) in electronic form.
4. The Children’s Online Privacy Protection Act (COPPA): This law regulates the collection
of personal information from children under the age of 13.
5. The General Data Protection Regulation (GDPR): This EU regulation regulates the
collection and processing of the personal data of EU citizens.
6. The Personal Data Protection Bill (PDPB): In India, this bill regulates the collection,
storage, and processing of personal data of Indian citizens.
These are just a few examples of the many cyber laws that exist to protect individuals and
organizations from cybercrime. It’s important for individuals and organizations to stay informed
about these laws and to comply with them in order to avoid legal repercussions.
The relationship between information security and cyber laws is close, as both fields are
concerned with protecting sensitive information and preventing unauthorized access to that
information. Cyber laws help to define what constitutes a security breach and the penalties for
committing such a breach, while information security practices help to prevent breaches from
occurring in the first place. Cyber laws also help to ensure that organizations are accountable
for protecting sensitive information and that individuals are able to take legal action if their
personal information is mishandled.

Here are some international standards for security:

Information Security Standards

1. ISO 27001: International standard for information security management.

2. ISO 27002: International standard for information security controls.

3. ISO 27005: International standard for information security risk management.

Cybersecurity Standards
1. NIST Cybersecurity Framework: US framework for managing and reducing cybersecurity risk.

2. ISO 27032: International standard for cybersecurity.

3. ISO 27035: International standard for incident response.

Data Protection Standards

1. GDPR: EU regulation for data protection and privacy.

2. ISO 27701: International standard for privacy information management.

3. ISO 29151: International standard for personally identifiable information (PII) protection.

Network Security Standards

1. ISO 27033: International standard for network security.

2. IEEE 802.1X: International standard for network access control.

3. RFC 2196: Site Security Handbook, an IETF guide to developing site security policies and procedures.

Cloud Security Standards

1. ISO 27017: International standard for cloud security.

2. ISO 27018: International standard for cloud privacy.

3. CSA STAR: Cloud Security Alliance (CSA) certification for cloud security.

Payment Card Industry (PCI) Standards

1. PCI DSS: Global standard for securing payment card data.

2. PCI PA-DSS: Global standard for securing payment application data.

Healthcare Security Standards

1. HIPAA: US regulation for healthcare data security and privacy.

2. ISO 27799: International standard for healthcare information security.

3. HL7: International standard for healthcare data exchange.

What Is a Security Audit?

A security audit thoroughly assesses how effectively an information system aligns with pre-established criteria, determining the system's security for an organization. This comprehensive evaluation encompasses information processing procedures, software, hardware, and user practices. Additionally, security audits are necessary to comply with various industry regulations such as:

- GDPR
- ISO 27001
- SOC 2
- HIPAA
- PCI DSS

Moreover, the primary objective is to identify potential vulnerabilities that malicious actors could exploit, ensuring that security controls comply with relevant laws and regulations.

How Does a Security Audit Work?

During a security audit, auditors closely examine an organization's information systems,
policies, and procedures to detect flaws and assure compliance with security regulations. The
process involves careful planning, identification of critical assets, and risk evaluation. Auditors
review data protection protocols, access restrictions, and system configurations. They also
conduct vulnerability assessments and penetration tests to uncover vulnerabilities.

The findings are documented in a report that pinpoints weak areas and proposes remedial
actions. Post-audit verification is done to ensure the implementation of corrective measures.
Therefore, this comprehensive procedure is crucial in fortifying the organization’s systems and
data against security risks, unauthorized access, and data breaches.

Importance of Security Audits

Security audits are essential for several reasons:

- Risk Management: It prevents the loss of essential data and the leakage of confidential information to unauthorized persons.
- Regulatory Compliance: Most significantly, it maintains that the organization meets all legal requirements, including data protection laws and regulations like GDPR, healthcare standards like HIPAA, and payment security standards like PCI DSS.
- Reputation Protection: It minimizes fraud risks and other security attacks that may undermine the company's credibility in the market.
- Operational Efficiency: Increasing the security level of an organization can, in turn, positively impact its current and future performance.
- Stakeholder Confidence: Another essential reason is to guarantee the stakeholders, customers, and partners that the organization values security.

Types of Security Audits

There are several sorts of security audits, each with different goals.

1. Internal Audits:
The organization's staff carries out an audit to assess the internal control mechanisms and procedures.

2. External Audits:
A certified third-party assessment team conducts security audits or penetration testing to give an impartial opinion about the organization's security status.

3. Compliance Audits:
The goal of a security compliance audit is to identify areas where the organization's compliance is lacking and ensure it complies with regulatory standards.

4. Operational Audits:
Assess the adequacy and efficacy of security measures in operations.

5. Technical Audits:
Includes detailed examination of technical issues relating to the organization's information systems, including network, application, and database security.
