ctly stated, the requirement for information security awareness materials, training evaluation/feedback reports, etc. may be inferred.

ISMS audit plans and procedures state the auditors' responsibilities in relation to auditing the ISMS, as well as the audit criteria, scope, frequency and methods. While not stated directly, ISMS audit reports, agreed action plans and follow-up/verification/closure reports should be retained and made available to the certification auditors on request.

The corrective action procedure documents the way in which existing nonconformities are identified, their root causes are analysed and evaluated, suitable corrective actions are carried out and the results thereof are reviewed.

The preventive action procedure is similar to the corrective action procedure but focuses more on preventing the occurrence of nonconformities in the first place, with such activities being prioritised on the basis of the assessed risk of such nonconformities.
2.2 Content management system for an ISMS
An ISMS may rely on a content management system to support the exchange of information, for example audit reports, policies, etc. The content management system must be selected with the specific requirements of the enterprise in mind. It is recommended to follow a structured specification and evaluation process, such as the one used for choosing risk analysis/management methods.

There exist free or open-source and commercial products designed to support ISMSs and ISO27k. They fall into the types Content Management Systems (CMS), Document Management Systems (DMS), Learning Management Systems (LMS) and Policy Management Systems (PMS).

Such a system is nevertheless optional, and information exchange can be supported directly by an ISMS or performed manually in relatively small businesses or at higher managerial levels.
2.3 The information security metrics
The quality of the IS can be measured through various parameters, ranging from the number of blocked spam messages to the degree of attainment of strategic goals. As for an ISMS, the author strongly insists on measuring its effectiveness by managerial indexes, such as the number of completed low-level tasks, the conventional risk value eliminated by a security measure, etc. Such an evaluation yields better understanding at high executive levels.
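The metric favoured above, the risk value eliminated by a security measure, together with the reassessment-on-change requirement listed among the ISMS features in the conclusions to this section, as an added Python example (not the thesis author's Matrix; the asset and threat names, the 1..5 ordinal scales and the multiplicative reduction model are constructed assumptions):

```python
"""Toy risk register for two managerial metrics named in the text: conventional risk value eliminated
by a security measure, and immediate reassessment when assets or threats change. All data constructed."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    impact: int                                 # constructed ordinal scale 1..5
    threats: set = field(default_factory=set)   # names of threats applicable to the asset

@dataclass(frozen=True)
class Measure:
    name: str
    covers: frozenset                           # threat names the measure mitigates
    reduction: float                            # fraction of the covered risk removed, 0..1

@dataclass
class RiskRegister:
    assets: dict = field(default_factory=dict)      # asset name -> Asset
    threats: dict = field(default_factory=dict)     # threat name -> likelihood, scale 1..5
    measures: list = field(default_factory=list)

    def risk_matrix(self, measures=None) -> dict[tuple[str, str], float]:
        """Residual risk per (asset, threat) = impact * likelihood * prod(1 - reduction) over covering
        measures. Nothing is cached, so a threat deleted from the register drops out on the next call."""
        measures = self.measures if measures is None else measures
        matrix = {}
        for asset in self.assets.values():
            for t_name in asset.threats & set(self.threats):
                residual = 1.0
                for m in measures:
                    if t_name in m.covers:
                        residual *= 1.0 - m.reduction
                matrix[(asset.name, t_name)] = asset.impact * self.threats[t_name] * residual
        return matrix

    def total_risk(self, measures=None) -> float:
        return sum(self.risk_matrix(measures).values())

    def risk_eliminated_by(self, measure_name: str) -> float:
        """Managerial index: risk value removed by one measure, all other measures kept in place."""
        others = [m for m in self.measures if m.name != measure_name]
        return self.total_risk(others) - self.total_risk()

def build_sample_register() -> RiskRegister:
    return RiskRegister(
        assets={"customer_db": Asset("customer_db", 5, {"data_leak", "ransomware"}),
                "web_portal": Asset("web_portal", 3, {"ransomware", "dos"})},
        threats={"data_leak": 3, "ransomware": 4, "dos": 2},
        measures=[Measure("backup", frozenset({"ransomware"}), 0.5),
                  Measure("encryption", frozenset({"data_leak"}), 0.8)])
```

Adding a threat to an asset or deleting one from `threats` changes the next `risk_matrix()` result without any explicit recalculation step.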
2.4 Internal audit capabilities
The second ultimate goal of implementing an ISMS, besides providing comprehensive IS management for the enterprise, is certification of compliance with one or several of the ISO27k standards.

The certification process assumes an external audit of the corporate ISS to determine compliance with the standard. To ensure a successful external audit, a company may conduct internal security audits prior to certification.

Since the ISMS contains and manipulates the most important security assessment data, the introduction of audit functions may greatly facilitate the internal audit procedures.
Conclusions to section
Taking into consideration the stated problems and requirements for an ISMS, the following features and functional capabilities are needed in an information security management product.
1.High-level managerial presentation through the introduction of simple interfaces and reports oriented specifically at high-level management;
2.Monitoring and management of the IS risks at the enterprise, with immediate reassessment in case of any changes in the sets of assets and threats;
3.Planning of external or internal IS audits and control of the audit procedures' progress by pivot reports;
4.Registration of violations, deviations and remarks in the course of audit procedures by supplying the needed information in a specialised report;
5.Use of templates for policies, descriptions and other working documents; these templates must comply with the national standards;
6.Creation and keeping of all the necessary dispositive and regulatory documents on IS (functional duties, instructions, security policies, etc.) by storing, updating and supplying the corporate IS information directly to the documents;
7.Maintaining common databases of knowledge and methodical materials, and archiving, to supply management decisions with up-to-date data;
8.Analysis of the IS state (matrix of the state) and forming of management-level reports as comprehensible tables and charts, as it is usually hard to convey IS issues to unfamiliar people;
9.Rational distribution of roles and plenary powers, and allocation of resources to officials and tasks;
10.Informative-analytical support of decisions by the organisation's management in the process of IS management, because with clear and up-to-date information it is easier to take rational decisions;
11.Forming of requirements (matrix of requirements) and ISMS efficiency estimation indexes (matrix of estimations), which is important in controlling the achievement of the set objectives;
12.Estimation and management of the budget of ISMS creation and operation, to control the expenditures on the ISMS in particular, or on the organisation's IS overall;
13.Monitoring of task execution and rendering of recommendations to boost the overall performance of projects.
SECTION 3. INFORMATION SECURITY MANAGEMENT SYSTEM MATRIX
3.1 Purpose of the ISMS
The basic task of the ISMS is the informative-analytical support of the ISS creation process, through precise estimation of the efficiency of the adopted decisions and a rational choice of hardware, software and organisational solutions.

The Matrix is based on the system approach to information security by V.V. Domarev, as well as on the universal experience of different companies.

The proposed ISMS provides the following functional capabilities:
1.Development of documentation;
2.Rational choice of software and hardware IS means and solutions;
3.Forming the terms of reference and project management;
4.Management of information assets and resources;
5.Analysis of threats;
6.Estimation of risks;
7.Planning, development and implementation of organisational and technical IS measures;
8.Estimation of IS efficiency;
9.Accumulation of informative-analytical knowledge and experience;
11.Training and education of the organisation's specialists in information security.
3.2 General description of the ISMS
The Matrix is positioned as an information security management, international IT standard implementation and decision support system. The ISMS is an information-methodological instrument of IS management: a simple, versatile and effective means of creating, managing, controlling and estimating the efficiency of the IS provision processes in organisations.

The Matrix is a systematic solution intended to organise the cooperation of the organisation's management, IT department, IS service, internal audit specialists and other departments in the process of IS management in the organisation.

The ISMS Matrix is designed for organising information security management processes in accordance with the requirements of the standards of the National Bank of Ukraine or other normative documents. The system also allows the work on creating the ISS to be organised independently, and it adapts easily to the solution of concrete IS provision tasks while taking the peculiarities of the business processes into consideration.

Use of the ISMS Matrix makes it possible to reduce the financial expenses of bringing in external auditors and consultants.

The ISMS Matrix is based on the principles of the system approach to IS management, absorbing the knowledge and best practices of the leading companies that provide IS. The system consists of a database containing sets of operational tasks and knowledge. Each element of these sets is classified by Domarev's Matrix (an element is assigned to a stage, a direction and a base). This allows IS management and knowledge to be systematised and united.
3.3 Improvements provided by the ISMS
The application allows one to:
1.increase the efficiency of management decisions;
2.systematise and unite the forces of different specialists for the achievement of a common goal (implementation of one or several international IS standards simultaneously);
3.estimate the current state of the ISS and its compliance with a certain IS standard;
4.obtain pivot reports on the ISS state and on current and finished jobs (in extension, updating, etc.).

According to the research of analogous products presented in , there exist certain problems in IT GRCM software. The explanations of the solutions and their effects are presented below. The following improvements became possible due to the application of the developed ISMS Matrix.

The situation when a product is concentrated more on assessment than on managerial functions is resolved because the main function of the developed ISMS is high-level management. Thus the managerial efficiency of the product is increased.

The problem of the absence of conditional branching in workflow algorithms is eliminated because the developed ISMS supports workflow that is not limited to business processes with strict algorithms. Thus the developed ISMS can be applied to non-trivial business situations.

The lack of flexibility in self-assessment is resolved because the operation of the developed ISMS is based on self-assessment data and is dynamically rebuilt in response to any changes in the structure, operation or normative provision of the target organisation. Thus the developed ISMS extends the self-assessment abilities of the target organisation.

The situation when products may be concentrated on a single standard and are not appropriate for broader use is resolved beca