
What is information security management? Explanation from basic knowledge to flow of implementation

1. What is information security management?

Information security management is the systematic management and operation of the entire organization to ensure information security.

If measures are implemented piecemeal, a single inadequate measure leaves the risk of information leakage largely unchanged, however thorough the measures in other areas may be. With the risk of leaks of important information such as customer data and confidential information as high as it is today, this is an initiative every company should consider.

Mechanisms and initiatives created to ensure information security within an organization are called an Information Security Management System (ISMS). To practice information security management, it is necessary to build an information security management system within the organization.

[Specific examples of items included in the information security management system]

  • Creating a security policy
  • Preparing an information operation management manual
  • Conducting awareness training for employees
  • Running the PDCA cycle to improve the operational management system, etc.

1-1. Three points to keep in mind in information security management

The information security management system must ensure confidentiality, integrity, and availability.

What are confidentiality, integrity, and availability?
Confidentiality 【Overview】

  • Information cannot be used by unauthorized persons
[Examples of specific measures]

  • Define access rights for each piece of information
  • Require an ID and password to access information
Integrity 【Overview】

  • Information has not been tampered with and remains accurate
[Examples of specific measures]

  • Antivirus software
  • Take regular backups
  • Encrypt stored data
Availability 【Overview】

  • Authorized users can view and use information whenever they need it
[Examples of specific measures]

  • Do not raise the permission hurdle too high (for example, by requiring approval from a specific person every time information access is granted)
  • Regularly update information that needs updating

In information security management, it is important to manage and operate information while maintaining a good balance of confidentiality, integrity, and availability. If you place too much emphasis on confidentiality, the procedures for using information become too complicated, sacrificing availability.

It is important to consider a management system that strikes a balance between security and usability in cooperation with the on-site departments that use the information.

1-2. Why is information security management necessary?


Companies need information security management because it lets them achieve two things:

(1) Continue to protect organizational information at a high level

(2) Increase the organization's external credibility

“(1) Continuing to protect organizational information at a high level” means implementing security measures that address the following points.

[Indispensable points for continuing to protect organizational information at a high level]

  • Maintain a uniform security level across the organization
  • Security measures can be changed collectively as risks change

If information security is inadequate even in one part of the organization, the information of the entire organization will be exposed to risks such as unauthorized access and leakage, so the overall security level must be consistent.

By implementing information security management and collectively implementing security measures for the entire organization, it is possible to easily maintain a uniform security level within the organization.

In addition, the risks for which security measures should be implemented change depending on the systems and information handled by the organization, and the methods of unauthorized access and virus infection routes change daily, so it is necessary to review measures regularly.

If you introduce information security management that implements information security measures comprehensively, you can change security measures collectively as risks change, and changes are less likely to be missed or delayed.

In addition, if you pass the ISMS conformity assessment operated by the Information Security Management System Certification Center and acquire ISMS certification, you can "(2) increase the organization's external credibility."

[What is ISMS certification?]

  • Proof that information security measures meeting the domestic standard for information security management systems (JIS Q 27001, the Japanese edition of ISO/IEC 27001) are in place

1-3. Examples of the introduction of information security management

A company that operates many locations nationwide and provides map information services introduced information security management in order to strengthen security and improve trust.

Because the company handles a large amount of personal information, thorough management was necessary. In addition, when bidding for public-sector work, compliance with the domestic standard for information security management systems is often required, so introduction was also needed to secure sales opportunities.

As a result of introducing information security management and managing security at all locations nationwide under the same standard, the company reported advantages such as:

  • On-site awareness of information security improved
  • The quality of security measures improved, because obtaining the domestic standard certification meant being checked from a third party's perspective
  • It became easier to participate in public-sector projects

It can be said that introducing information security management leads not only to proper management of information but also to expanded business opportunities.

2. Implementing information security management begins with creating a security policy.

If you want to implement information security management, first create a security policy.

Security policy means the basic policies and implementation procedures for information security measures.

Here, let's check two things:

① Why is it necessary to create a security policy as the basic policy?

② Specifically, what content should it define?

2-1. Why is a security policy necessary?

Security policies are necessary to increase the effectiveness of security measures and maximize their benefits.

[Purpose of Establishing Security Policy]

  • Identify information that requires security measures and its management status
  • Improve employee security awareness
  • gain external trust

In the process of establishing a security policy, you must confirm the overall picture and management status of your current information assets. Grasping the current state of your company's information reduces risks such as:

  • An employee leaking information outside the control of the security management department
  • Information assets that require security measures being overlooked

In addition, by developing a security policy and sharing it with employees, you can raise awareness and knowledge of information security.

Externally, having a concrete security policy makes you far more likely to be trusted than simply claiming to be "careful about security."

2-2. What kind of content should be defined in the security policy?

The content stipulated in the security policy can be broadly divided into three types: (1) basic policy, (2) criteria for countermeasures against risks, and (3) specific procedures for operation.

Content stipulated in the security policy
(1) Basic policy
  • The organization's leadership declares the need for information security and the policy for handling information.
  • Example: "We will build a highly reliable image by thoroughly implementing information security to protect our brand image and maintain customer satisfaction."
(2) Criteria for countermeasures against risks
  • General standards for what measures to take against which risks and by what criteria
  • Example: Define specific standards such as "As a virus countermeasure when sending and receiving email, take measures XX and XX in the case of XX."
(3) Specific procedures for operation
  • How each security measure is implemented, including the detailed procedures
  • Example: "Passwords must be at least N characters long and include half-width alphanumeric characters and symbols."

For these three types, define realistic content as concretely as possible according to your company's situation. The types and amounts of information assets held, as well as the current management and operating structures, differ from organization to organization.

To sustain security measures without strain, avoid adopting other companies' security policies as they are, and be sure to tailor the content to your own company.

Examples of information security policies can be found on the website of the Japan Network Security Association.
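A rule such as the password example under (3) is only effective if the system enforces it. The following is an added example, not code from the article: a small policy checker for the "at least N characters, including half-width alphanumeric characters and symbols" rule. The minimum length of 12, the interpretation of "half-width" as printable ASCII, and the short blocklist of known-weak passwords are assumptions.

```python
"""Check a password against a security-policy 'specific procedure' rule.

Added example, not from the article. The minimum length (12) and the small
blocklist are assumptions; the article leaves the number open.
"""
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12          # assumed minimum; the article's rule says "at least N"
    require_letter: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    # Assumed blocklist of known-weak passwords, compared case-insensitively.
    blocklist: frozenset = frozenset({"password1234", "p@ssw0rd2024", "qwertyuiop12"})


def is_half_width(ch: str) -> bool:
    """'Half-width' means single-byte characters: printable ASCII only.
    Full-width letters and digits (e.g. 'Ａ', '１') are rejected."""
    return ch.isascii() and ch.isprintable()


def check_password(pw: str, policy: Optional[PasswordPolicy] = None) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    policy = policy or PasswordPolicy()
    violations: List[str] = []
    if len(pw) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if not all(is_half_width(c) for c in pw):
        violations.append("contains full-width or non-printable characters")
    if policy.require_letter and not any(c in string.ascii_letters for c in pw):
        violations.append("no half-width letter")
    if policy.require_digit and not any(c in string.digits for c in pw):
        violations.append("no half-width digit")
    if policy.require_symbol and not any(c in string.punctuation for c in pw):
        violations.append("no symbol")
    if pw.lower() in policy.blocklist:
        violations.append("matches a known weak password")
    return violations


if __name__ == "__main__":
    # Constructed candidates: too short, weak, full-width, and acceptable.
    for candidate in ["Ab1!", "Password1234", "ｐａｓｓｗｏｒｄ１２３４！", "Tr0ub4dor&3xample!"]:
        print(repr(candidate), check_password(candidate) or "OK")
```

Returning every violation at once, rather than the first one, lets the user fix the password in one attempt and lets an audit report count which rules are most often missed.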

3. Flow of implementing information security management


When implementing information security management, the basic flow is to run the following PDCA cycle and improve continuously.

Basic flow of implementing information security management
P (Plan): planning
  • Get an overview of your information assets
  • Analyze risks and issues in your company's information management
D (Do): operation
  • Communicate security policies to all employees
  • Provide security training
  • Implement the measures specified in the security policy
C (Check): feedback
  • Based on the results of practice and changes in circumstances such as cyberattacks, periodically check whether the security policy needs to change
  • Audit whether the security policy is being practiced
A (Act): improvement
  • Improve security policies and internal systems based on the feedback

Since security risks and the status of information assets and systems in possession change from moment to moment, it is important for information security management to continuously respond to changes and make improvements. Let’s go into a little more detail about the points in each stage.

3-1. (1) Planning stage of information security management

To implement information security management, first, grasp the current situation and determine the direction.

[(1) Main things to do at the planning stage]

  • Get an overview of your information assets
  • Analyze risks and issues in your company’s information management
  • create a security policy

The ultimate goal of the planning phase is to create a security policy. The security policy must specifically define the target information assets and the people to whom the measures apply. Also, include content that can be realized without hindering work, taking into account the operating structure, the division of work and staffing within the company.

If you create a security policy with a team that includes people who are familiar with the internal situation and the situation of each department, you can create a feasible security policy.

3-2. (2) Operation stage of information security management

In the operational stage of information security management, in addition to appropriately implementing security policy measures, it is important to thoroughly educate all employees.

[(2) Main things to do in the operation stage]

  • Communicate security policies to all employees
  • Provide security training
  • Implement the measures specified in the security policy

For security measures to be effective, every employee must have correct knowledge of information security and implement measures in their daily work. This is because security risks exist in various scenes of daily work, such as when sending and receiving e-mails and when referring to internal documents.

To instill security knowledge in employees, take measures such as:

  • Provide training on the security policy
  • Make them feel ownership, for example by asking them to sign a consent form agreeing to comply with the security policy
  • Define penalties for security policy violations

3-3. (3) Feedback stage of information security management

To make information security management effective, let’s continuously check and improve.

[(3) Main things to do in the feedback stage]

  • Based on the results of practice and changes in the cyberattack situation, periodically check whether it is necessary to change the security policy.
  • Audit whether the security policy is being practiced

If you disseminate the security policy and then leave it as it is, harm can result, such as:

  • Some employees not practicing the security policy
  • Information assets and systems added after the security policy was established not being covered by security measures
  • Being unable to defend against new cyberattacks

3-4. (4) Improving stage of information security management


If the feedback identifies points that need improvement, promptly review the security policy and related documents.

[(4) Main things to do in the improvement stage]

  • Improve security policies and internal systems based on feedback

In addition to reviewing the security policy, it is also important to manage the company so that all employees can implement security measures more smoothly.

Let’s consider more reliable and efficient methods than now, such as increasing training opportunities, introducing checklists, and incorporating security functions into the system itself.

4. Key points for effective information security management

To effectively implement information security management, three points should be particularly emphasized.

Three points for effective information security management
  • Do a good risk analysis
  • Implement company-wide in-house training
  • Utilize the information security management exam

Let’s be specific about what is important.

4-1. Conduct risk analysis properly

To make information security management highly effective, carefully analyze your company’s security risks.

This is because security measures are most efficient when they focus on high-risk areas.

For example, if important information is not exchanged by email, but customer information is often taken out of the office on sales visits or business trips, it is more effective to strengthen measures against the higher-risk activity of taking devices out.

Before creating a security policy and throughout the PDCA cycle, we recommend correctly understanding your company's security risks and taking measures that match them.
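To make "focus on high-risk areas" concrete, here is an added example (not from the article) of a minimal risk analysis: each threat scenario is scored as likelihood × impact on assumed 1 to 5 scales, ranked, and those above an assumed treatment threshold are listed first. The sample register is constructed and mirrors the article's comparison of email exchange versus devices taken out of the office.

```python
"""Simple risk analysis: score threat scenarios and rank them so that
measures focus on high-risk areas first.

Added example, not from the article. The 1..5 scales, the level thresholds
and the sample register are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    threat: str
    likelihood: int  # 1 = rare .. 5 = almost certain
    impact: int      # 1 = negligible .. 5 = severe (e.g. large customer-data leak)

    def __post_init__(self) -> None:
        # Reject values outside the agreed scale so a typo cannot silently skew the ranking.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")


def risk_score(s: RiskScenario) -> int:
    """Risk = likelihood x impact, range 1..25."""
    return s.likelihood * s.impact


def risk_level(score: int) -> str:
    """Assumed thresholds: High at 15 or more, Medium at 8 or more, otherwise Low."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(scenarios: List[RiskScenario]) -> List[RiskScenario]:
    """Highest risk first; ties broken by asset and threat for a stable report."""
    return sorted(scenarios, key=lambda s: (-risk_score(s), s.asset, s.threat))


def treatment_plan(scenarios: List[RiskScenario], threshold: int = 8) -> List[Tuple[str, str, int, str]]:
    """Scenarios at or above the threshold, in priority order, as (asset, threat, score, level)."""
    return [
        (s.asset, s.threat, risk_score(s), risk_level(risk_score(s)))
        for s in prioritize(scenarios)
        if risk_score(s) >= threshold
    ]


# Constructed sample register for a company that rarely emails important data
# but often carries customer data out of the office.
SAMPLE_REGISTER = [
    RiskScenario("customer list", "important data emailed to the wrong recipient", 1, 4),
    RiskScenario("customer list", "laptop holding customer data lost on a sales visit", 4, 5),
    RiskScenario("internal wiki", "employee reads documents outside their role", 3, 2),
    RiskScenario("file server", "ransomware delivered by a malicious email attachment", 3, 5),
]

if __name__ == "__main__":
    for asset, threat, score, level in treatment_plan(SAMPLE_REGISTER):
        print(f"{level:6} {score:2}  {asset}: {threat}")
```

Running it ranks the lost-laptop scenario (score 20) and ransomware (15) ahead of the email scenario (4), which is exactly the conclusion the paragraph above reaches by hand; the register then becomes the input to the policy's "criteria for countermeasures against risks."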

4-2. Implement company-wide in-house training

By conducting company-wide in-house training on information security, the effectiveness of security measures can be enhanced.

Security risks that arise in daily operations cannot be reduced simply by building a mechanism to deal with them. Every employee involved with the information and systems concerned must acquire the knowledge and remember to implement the countermeasures.

To raise the security awareness of employees and make them see it as their matter, set up a place for security education, such as training for all employees.

4-3. Utilize the information security management exam

Members who formulate security policies need more knowledge of information security management than other employees.

If you are unsure how to acquire that knowledge, the Information Security Management Examination conducted by the Information-technology Promotion Agency (IPA) is also recommended.

What is the Information Security Management Examination?
Intended for
  • Those who want to acquire basic skills in planning, operating, and improving information security management
  • Those who want to acquire knowledge about information security
  • Those who handle personal information in their work, etc.
Question content
  • Information security management, countermeasures, and related laws and regulations
  • Information asset management
  • Risk assessment, etc.

If you want to acquire comprehensive basic knowledge about information security, you may want to try the qualification exam.
