There are five elements of the Information Security Management
Process. They are:
1) Control: The objectives of control elements are:
a) Establish an organization structure to prepare,
approve and implement the information security policy.
b) Establish a management framework to initiate
and manage information security in the organization.
c) Allocate responsibilities establish and control
2) Plan: The objectives of Plan are:
a) Devise and recommend the appropriate security
measures, based on an understanding of the requirements
of the organization.
b) The requirements will be gathered from such
sources as business and service risk, plans and
strategies, SLAs and OLAs and the legal, moral and
ethical responsibilities for information security.
3) Implement: The objective of the implementation
element is to ensure that appropriate procedures, tools
and controls are in place to underpin the Information
4) Evaluation: The objectives of the Evaluation element are:
a) Supervise and check compliance with the security
policy and security requirements in SLAs and OLAs.
b) Carry out regular audits of the technical
security of IT systems.
c) Provide information to external auditors and
regulators, if required.
5) Maintain: The objectives of Maintain element are:
a) Improve on security agreements as specified
in, for example, SLAs and OLAs.
b) Improve the implementation of security measures
E) The Information Security Policy
The policy must cover all areas of security, be appropriate,
meet business needs and include:
1) An overall Information Security Policy
2) Use and misuse of IT assets policy
3) An access control policy
4) A password control policy
5) An e-mail policy
6) An internet policy
7) An anti-virus policy
8) An information classification policy
9) A document classification policy
10) A remote access policy
11) A policy with regard to supplier access of IT services,
information and components
12) An asset disposal policy.
4.8.5 Supplier Management
The process responsible for getting value for money from
suppliers, ensuring all supplier contracts and agreements support
business needs, and all suppliers meet contractual commitments.
A) Purpose of Supplier Management Process
The purpose of the supplier management process is to obtain
value for money from suppliers and to ensure that suppliers
perform to the targets contained within their contracts.
B) Objectives of Supplier Management Process
1) Obtain value for money from suppliers and contracts.
2) Work with Service Level Management (SLM) to ensure underpinning
contracts support and are aligned with business needs, SLRs and SLAs.
3) Negotiate and agree underpinning contracts and manage
through their lifecycle.
4) Manage supplier relationships and performance.
5) Maintain a supplier policy and a Supplier and Contract
C) Scope of Supplier Management Process
1) Identifying qualified suppliers.
2) Negotiating with suppliers.
3) Establishing underpinning contracts.
4) Monitoring supplier performance.
D) Categories of Supplier Management Process
1) Strategic - for significant partnering relationships
that involve senior managers sharing confidential strategic
information to facilitate long-term plans
2) Tactical - relationships involving significant commercial
activity and business interaction.
3) Operational - for suppliers of operational products
4) Commodity - for suppliers providing low-value and/or
readily available products and services.
4.8.6 Capacity Management
Capacity management process is responsible for ensuring that
the capacity of IT services and the IT infrastructure is able
to meet agreed capacity- and performance-related requirements
in a cost-effective and timely manner.
A) Purpose of Capacity Management Process
1) Ensure that the IT infrastructure and the capacity
of IT services meet the agreed capacity and performance
levels in a cost-effective and timely manner.
2) The capacity management process should meet both the
current and future capacity needs and, very importantly, the
performance needs of the business.
B) Objectives of Capacity Management Process
1) Providing guidance and suggestions to other areas
of the business and IT on all capacity and performance related
2) Making sure that service performance achievements
reach their agreed targets by managing the capacity and
performance of both resources and services
3) Helping with the diagnosis and resolution of capacity
and performance related issues.
4) Estimating the impact of all changes on the capacity
5) Making sure that proactive measures are taken to improve
the performance of services.
C) Scope of Capacity Management Process
1) Accounting for data storage, concurrency, and service
2) Establishing and implementing capacity designs.
3) Analyzing and assessing capacity performance.
D) Activities of Capacity Management
There are three main activities of the Capacity Management
Process. They are:
1) Business Capacity Management: Translates business
needs and plans into requirements for service and IT infrastructure,
ensuring that the future business requirements for IT services
are quantified, designed, planned and implemented in a timely
2) Service Capacity Management: Focuses on the management,
control and prediction of the end-to-end performance and
capacity of the live, operational IT services usage and
3) Component Capacity Management: Focuses on the management,
control and prediction of the performance, utilization and
capacity of individual IT technology components.
4.8.7 IT Service Continuity Management
IT service continuity management (ITSCM) is responsible for
recovering the IT services required by the business in the event
of a disaster or other extreme event, so that their continuity is
preserved. (Less significant incidents are dealt with by the
Incident Management Process.) ITSCM is one of the elements of
business continuity
A) Purpose of IT Service Continuity Management process
1) Identify and manage the risks to the IT services.
2) Agree with the business the minimum level of service
required in the event of a disaster.
B) Objectives of IT Service Continuity Management Process
1) Maintain a set of IT Service Continuity Plans and
IT recovery plans that support the overall Business Continuity
Plans (BCPs) of the organization.
2) Complete regular Business Impact Analysis (BIA) exercises
to ensure that all continuity plans are maintained in line
with changing business impacts and requirements.
3) Conduct regular risk assessment and management exercises,
particularly in conjunction with the business and the Availability
Management and Security Management processes, so that IT services
are managed within an agreed level of business risk.
4) Provide advice and guidance to all other areas of
the business and IT on all continuity- and recovery-related
5) Ensure that appropriate continuity and recovery mechanisms
are put in place to meet or exceed the agreed business continuity
6) Assess the impact of all changes on the IT Service
Continuity Plans and IT recovery plans
7) Ensure that proactive measures to improve the availability
of services are implemented wherever it is cost-justifiable
to do so.
8) Negotiate and agree the necessary contracts with suppliers
for the provision of the necessary recovery capability to
support all continuity plans in conjunction with the Supplier
C) Scope of IT Service Continuity Management Process
1) Defining continuity needs
2) Establishing Continuity Plans
3) Implementing Continuity Plans
4) Periodically Testing Continuity Plans.
D) Activities of IT Service Continuity Management Process
There are four stages of ITSCM, incorporating each of the
activities that take place to ensure that IT organizations are
as prepared and organized as possible in the event of a disaster
situation. The stages are as follows:
1) Initiation: define the policy and scope, allocate resources and
set up the project organization.
2) Requirements and strategy: these will need to be defined.
a) A business impact analysis (BIA) has to be done.
b) A service analysis will also have to be done. This will
analyze the essential IT services based on the SLA. Dependencies
must also be assessed.
c) Risks affecting the business will then have to be
analyzed. The ITSC manager also has to identify the threats
d) The ITSCM strategy must then be defined. The strategy
can be based on risk reduction or on recovery planning.
3) The next step is to implement the plan. This includes
setting up the organization, developing the plan and testing
4) Operational management requires training non-IT staff on
the DRP. It requires regular review and testing. Any improvements
or changes have to go through the Change Management process.
Figure: Activities of an IT Service Continuity Management
E) Sub-process of IT Service Continuity Management Process
1) Business Impact Analysis - identifies the key services that
need continuity at different times of the day/month/year and
clarifies the relative importance of individual services.
2) Risk Assessment - compiles a list of evaluated risks
and proposes countermeasures. These will ensure the provision
of IT service continuity in a cost-effective way.