Information Security Management System

An Information Security Management System (ISMS) is a set of procedures and rules within a company that serve to define information security on a permanent basis and to steer, monitor, maintain and continuously improve it.

The term is used in the standard ISO/IEC 27002; ISO/IEC 27001 defines an ISMS. The German contribution to this standardization work is handled by the DIN committee NIA 01-27 (IT security procedures).

IT Baseline Protection

With IT Baseline Protection (IT-Grundschutz), the Federal Office for Information Security (BSI) published in 2006 a concept for implementing an information security management system (ISMS). IT Baseline Protection, with its four standards 100-1, 100-2, 100-3 and 100-4, in combination with the IT Baseline Protection Catalogues (called the IT Baseline Protection Manual until 2006), provides assistance in establishing and maintaining an ISMS. Since 2006 the IT Baseline Protection Catalogues have been aligned with the international standard ISO/IEC 27001. In Germany, the procedure according to this system can be regarded as a quasi-standard.

The BSI places special emphasis on three areas: confidentiality, integrity and availability of information.

Information security management system in 12 steps (ISIS12)

For various reasons, an ISMS in accordance with ISO/IEC 27001 or the BSI's IT Baseline Protection Catalogues often presents major obstacles for small and medium-sized enterprises (SMEs), especially if they are not active in the IT industry. Experience shows that the difficulties include, among other things, freeing up sufficiently trained staff in the mostly small IT departments. Furthermore, the risk analysis required by the ISO/IEC 27001 standard and the selection of specific measures present many companies with problems that are insoluble in practice. The so-called "Network Information Security for SMEs" (NIM; its members include the Bavarian IT Security Cluster, the University of Regensburg and the Regensburg University of Applied Sciences) therefore developed, derived from IT Baseline Protection and ISO/IEC 27001, a scientifically backed model for implementing an ISMS in 12 concrete steps. Care was taken to ensure that, while not every threat scenario is covered, the company is given a clear guide to action of limited scope, with an integrated implementation concept and written in plain language.

General Approaches

Information security is usually understood as a task of the management of an organization or company and should be organized according to a top-down approach. In particular, adopting the information protection and security policy (security policy) is the responsibility of top management. Drafting this policy is usually delegated to an employee. Besides the data protection officer as a candidate for this task, a position as IT Security Officer or an IT security group is set up if necessary. Monitoring compliance within the organization is then that person's or group's task.

Frequently, data security is described within a data protection strategy or a security concept, with the data protection strategy also encompassing the security concept.

IT Security Officer

The aforementioned IT Security Officer (ITSB, from the German IT-Sicherheitsbeauftragter) is appointed by the board or managing director of the company. The selection should be based on the following criteria; the candidate should:

  • have a marked affinity for IT
  • enjoy general trust
  • have experience in project work
  • want to fill the position rather than being obliged to
  • report directly to the board / managing director
  • be equipped with adequate time and financial resources.

The ITSB is the contact person for all IT security issues and should also be consulted in decision-making and selection processes concerning software, IT infrastructure, new buildings and the like.
