There was a time not too long ago when the management of information on IT systems was an adjunct or supporting function of most organizations. Today, however, the management of resources on IT systems typically is the business. And securing those resources, the function of information security management and operations, has become a prime directive for ongoing organizational viability.
As value creation has become enmeshed in the fabric of IT infrastructure, both the scale and sophistication of IT threats have escalated. This places more pressure on critical intelligence systems like security information and event management (SIEM), threat intelligence platforms, security analytics, and advanced threat protection to scale, automate, and filter for contextual analysis.
Information security management and operations makes it possible to scale to evolving threats, while maintaining cohesion and adherence to standards, by providing the essential foundation for an organization to define, plan, measure, implement, and assess its security abilities.
The Information Technology Infrastructure Library (ITIL) defines information security management as the process that "aims to ensure the confidentiality, integrity and availability of an organization's information, data and IT services. ITIL Security Management usually forms part of an organizational approach to security management which has a wider scope than the IT Service Provider."
Security management achieves its goal of aligning IT and business security by maintaining a defined level of security controls against the risks to information and IT services. This is achieved through a set of security policies.
If security management is the alignment of goals and objectives, security operations is the ongoing implementation and execution of IT services and processes in a secure manner. Together, they form an essential framework for protecting an organization's information assets.
Security policies typically look at the information assets from a lens of protecting confidentiality, integrity, and availability. Organizations that follow standards such as ISO 27001 generally should have policies that address the following information security management functions:
- Access control
- Asset management
- Business continuity
- Communications security
- Human resources security
- Incident response
- Operational security
- Physical and environmental security
- Supplier relationships
While the list above is not exhaustive, the idea is that a solid policy framework will address people, process, products and technology, and partners and suppliers. Generally accepted best practice is to make these policies available to all employees and suppliers and to review policies for changing business and legal requirements every 12 months.
Security frameworks and standards
A widely accepted goal of information security management and operations is that the set of policies put in place—an information security management system (ISMS)—should adhere to global standards. ISO 27001 is the de facto global standard. ITIL security management best practice is based on the ISO 27001 standard.
Another framework or ISMS that is gaining wider acceptance within the United States is the National Institute of Standards and Technology (NIST) cybersecurity framework. According to NIST, the framework "focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes."
The NIST framework is notable in that it not only outlines a series of functions and outcomes to be managed within the cybersecurity domain, it also describes maturity levels for implementation through tiers. These implementation tiers help determine the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization's overall risk management practices.
The function of a security operations team and, frequently, of a security operations center (SOC), is to monitor, detect, investigate, and respond to cyberthreats around the clock. Security operations teams are charged with monitoring and protecting many assets, such as intellectual property, personnel data, business systems, and brand integrity. As the implementation component of an organization's overall cybersecurity framework, security operations teams act as the central point of collaboration in coordinated efforts to monitor, assess, and defend against cyberattacks.
A SOC acts like the hub or central command post, taking in telemetry from across an organization's IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside. The proliferation of advanced threats places a premium on collecting context from diverse sources. Essentially, the SOC is the correlation point for every event logged within the monitored organization. For each of these events, the SOC must decide how it will be managed and acted upon.
Correlating the terabytes of data that a large enterprise produces requires an effective security monitoring system that can scale with the data challenge and incorporate data gathered from diverse sources such as devices, networks, and log and event sources. SOCs have typically been built around a hub-and-spoke architecture, where a security information and event management (SIEM) system aggregates and correlates data from security feeds. Spokes of this model can incorporate a variety of systems, such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and remediation (EDR), and threat intelligence platforms (TIP).
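The hub-and-spoke idea above is abstract; the following added example (not from the original page, and not the code of any SIEM product) shows the two jobs a SIEM hub does in miniature: normalizing events from three differently formatted spokes (a firewall syslog feed, an authentication log, and EDR JSON) into one schema, then running a cross-source correlation rule over the merged stream. The sample log lines, the field names, the `brute_force_then_success` rule, and the thresholds are all constructed for illustration.

```python
"""Toy SIEM hub: normalize heterogeneous feeds, then correlate across them.

Example code added for illustration; feed lines, hosts, users and addresses
are constructed and do not come from any real system.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# --- Constructed sample feeds from three "spokes" -------------------------
FIREWALL_SYSLOG = [
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:03Z fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22",
]
AUTH_LOG = [
    "2024-05-01T10:00:05Z host=10.0.0.5 user=svc_backup result=FAIL src=203.0.113.7",
    "2024-05-01T10:00:07Z host=10.0.0.5 user=svc_backup result=FAIL src=203.0.113.7",
    "2024-05-01T10:00:09Z host=10.0.0.5 user=svc_backup result=FAIL src=203.0.113.7",
    "2024-05-01T10:00:12Z host=10.0.0.5 user=svc_backup result=SUCCESS src=203.0.113.7",
    "2024-05-01T10:30:00Z host=10.0.0.9 user=alice result=SUCCESS src=10.0.0.50",
]
EDR_JSON = [
    '{"ts":"2024-05-01T10:00:20Z","host":"10.0.0.5","event":"process_start",'
    '"image":"/usr/bin/curl","user":"svc_backup"}',
]

def parse_ts(s):
    """ISO-8601 timestamp with a 'Z' suffix -> timezone-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>ALLOW|DENY) "
                   r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# --- Normalizers: each spoke's format -> one common event schema ----------
def normalize_firewall(line):
    m = FW_RE.match(line)
    if not m:                      # unparseable line: drop rather than crash the pipeline
        return None
    return {"ts": parse_ts(m["ts"]), "source": "firewall", "host": m["dst"],
            "src_ip": m["src"], "user": None, "action": m["action"].lower(),
            "detail": f"dport={m['dport']}"}

def normalize_auth(line):
    parts = line.split()
    kv = dict(p.split("=", 1) for p in parts[1:])
    return {"ts": parse_ts(parts[0]), "source": "auth", "host": kv["host"],
            "src_ip": kv["src"], "user": kv["user"],
            "action": "login_" + kv["result"].lower(), "detail": ""}

def normalize_edr(line):
    rec = json.loads(line)
    return {"ts": parse_ts(rec["ts"]), "source": "edr", "host": rec["host"],
            "src_ip": None, "user": rec.get("user"), "action": rec["event"],
            "detail": rec.get("image", "")}

def ingest():
    """Aggregate all spokes into a single time-ordered event stream."""
    events = [e for e in map(normalize_firewall, FIREWALL_SYSLOG) if e]
    events += [normalize_auth(l) for l in AUTH_LOG]
    events += [normalize_edr(l) for l in EDR_JSON]
    events.sort(key=lambda e: e["ts"])
    return events

# --- Correlation rule spanning three sources ------------------------------
def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Alert when >= fail_threshold login failures for one (user, src_ip) pair
    inside `window` are followed by a success from the same pair; enrich the
    alert with firewall denies from that source before the success and EDR
    process starts by that user on that host after it."""
    alerts = []
    failures = defaultdict(list)   # (user, src_ip) -> failure timestamps
    for ev in events:
        if ev["source"] != "auth":
            continue
        key = (ev["user"], ev["src_ip"])
        if ev["action"] == "login_fail":
            failures[key].append(ev["ts"])
        elif ev["action"] == "login_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                denies = sum(1 for e in events if e["source"] == "firewall"
                             and e["action"] == "deny" and e["src_ip"] == ev["src_ip"]
                             and ev["ts"] - window <= e["ts"] <= ev["ts"])
                followup = [e["detail"] for e in events if e["source"] == "edr"
                            and e["action"] == "process_start" and e["host"] == ev["host"]
                            and e["user"] == ev["user"]
                            and ev["ts"] <= e["ts"] <= ev["ts"] + window]
                alerts.append({"rule": "brute_force_then_success", "ts": ev["ts"],
                               "user": ev["user"], "src_ip": ev["src_ip"], "host": ev["host"],
                               "failures": len(recent), "firewall_denies": denies,
                               "followup": followup})
            failures[key].clear()  # a success resets the counter for that pair
    return alerts

if __name__ == "__main__":
    for alert in correlate(ingest()):
        print(alert)
```

The point of the example is that none of the three feeds is alarming on its own (a few failed logins, one firewall deny, one `curl` launch), while the hub, holding all of them in one schema, can tie them together into a single prioritized alert; a real deployment would replace the in-memory list with the SIEM's event store and tune `fail_threshold` and `window` per environment.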
Security management and operations resources