Security Management has two objectives:
1. To meet the security requirements of the SLAs and other external requirements further to contracts, legislation and externally imposed policies.
2. To provide a basic level of security, independent of external requirements.

Security Management is essential to maintaining the uninterrupted operation of the IT organisation. It also helps to simplify Information Security Service Level Management, as it is much more difficult to manage a large number of different SLAs than a limited number.
The process input is provided by the SLAs, which specify security requirements, possibly supplemented by policy documents and other external requirements. The process also receives information about relevant security issues in other processes, such as security incidents. The output includes information about the achieved implementation of the SLAs, including exception reports and routine security planning.
At present, many organisations deal with Information Security at the strategic level in information policy and information plans, and at the operational level by purchasing tools and other security products. Insufficient attention is given to the active management of Information Security, the continuous analysis and translation of policies into technical options, and ensuring that the security measures continue to be effective when the requirements and environment change. The consequence of this missing link is that, at the tactical management level, significant investments are made in measures that are no longer relevant, at a time when new, more effective measures ought to be taken. Security Management aims to ensure that effective Information Security measures are taken at the strategic, tactical and operational levels.
Information Security is not a goal in itself; it aims to serve the interests of the business or organisation. Some information and information services will be more important to the organisation than others. Information Security must be appropriate to the importance of the information. Tailor-made security results from striking a balance between the security measures, the value of the information, and the threats in the processing environment.
An effective information supply, with adequate Information Security, is important to an organisation for two reasons:
- Internal reasons: an organisation can only operate effectively if correct and complete information is available when required. The level of Information Security should be appropriate for this.
- External reasons: the processes in an organisation create products and services, which are made available to the market or society, to meet defined objectives. An inadequate information supply will lead to substandard products and services, which cannot be used to meet the objectives and which will threaten the survival of the organisation. Adequate Information Security is an important condition for having an adequate information supply. The external significance of Information Security is therefore determined in part by the internal significance.

Security can provide significant added value to an information system. Effective security contributes to the continuity of the organisation and helps to meet its objectives.