What is ISM?
The dictionary describes security as "a secure condition or feeling; a thing that guards or guarantees".
ISO 17799/27001 describes information security as the "Preservation of confidentiality, integrity and availability of information".
All organisations understand the need for information security. But how much is enough? Too much can be both costly and a hindrance to business, while too little can leave an organisation exposed to major threats. Too often we only recognise the need for security after a disaster. Achieving the right balance is essential if an organisation is to flourish.
With today’s rapidly changing technology and our ever increasing reliance on information systems to manage our sensitive information, a challenge exists to answer the most fundamental question in information security - HOW MUCH SECURITY IS ENOUGH?
Why is answering this question so important?
There are serious implications for an organisation if this question is not answered correctly, such as:
- Unnecessary costs incurred purchasing, implementing and managing security controls that are in excess of what is actually required.
- Exposure of sensitive information due to inadequate controls.
Why build Fort Knox if you are not protecting gold? Understanding what sensitive data exists and where it resides is essential to building a focussed, prioritised security solution. Organisations have limited budgets and must spend what little they have where it is needed most.
Similarly, where there is an identified need, the organisation must be assured that the solution is adequate – no more, no less.
Statistics tell us that 50-70%* of all threats are internal, although this rarely makes the news. If this is the case, then why do organisations spend completely disproportionate amounts on network perimeter protection? This is just one example of how expenditure is often more influenced by the media, vendors and the occasional over-zealous employees rather than sound analysis.
It is also often argued that more security is always better. If there were options to improve security at little or no cost and without hindering business processes, it would always make sense to implement those options. In reality, those solutions rarely exist. There is always a price for security, whether it be capital cost, the effort required to maintain and manage the solution or simply the additional hurdles that the organisation must jump to perform their daily tasks.
Keeping this cost to a minimum is essential for all organisations except those with unlimited budgets or excessive paranoia.
The Linus Approach
The Linus Information Security Management (LISM) Methodology is a comprehensive process framework for information security. It provides a range of techniques, a “HOW TO” guide, for answering the most important question in information security – HOW MUCH SECURITY IS ENOUGH?
The LISM provides a simple and practical method for ensuring security controls are matched to the actual requirements of the organisation.
LISM comprises three key processes as illustrated below.

The Linus ISM (LISM) Methodology Process Framework © Linus Information Security Solutions
- A Business or Data Owner process comprising Data Sensitivity Analysis and Security Environment Analysis. This is a non-technical process performed by the data owners to rate the sensitivity of their data and to determine who should be accessing the data, when and from where.
- A Technology or Control Owner process comprising Control Rating, Control Packaging, Control Matching and Selection. This process is performed by control owners to define the effectiveness of their controls and, in consultation with the data owners, to select the optimal set of controls that will reduce the risk of inappropriate access to acceptable levels.
- A Maintenance Process comprising linkages to the Systems Development Life Cycle (SDLC) and other business processes, event triggers and maintenance tools. This process is performed by both data and control owners to ensure that controls continue to be an appropriate match.
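The following is an added, illustrative model of the data-owner and control-owner processes described above. It is not LISM's own rating scheme (the page does not specify one); the sensitivity scale, the multiplicative "likelihood reduction" rating for each control, the acceptable-risk thresholds and the control names, ratings and costs are all constructed assumptions. It shows the two failure modes the page warns about: a deployment that is inadequate for sensitive data, and one that spends well beyond what a low-sensitivity asset needs.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Control:
    """A control as rated by its control owner (constructed example values)."""
    name: str
    reduction: float   # assumed rating: fraction of threat likelihood the control removes (0..1)
    annual_cost: int   # assumed cost of buying, running and living with the control


@dataclass(frozen=True)
class DataAsset:
    """A data asset as rated by its data owner (constructed example values)."""
    name: str
    sensitivity: int        # assumed scale: 1 (public) .. 5 (highly sensitive)
    acceptable_risk: float  # residual risk score the owner is prepared to accept


# Constructed control catalogue; ratings and costs are illustrative, not real product figures.
CONTROLS: Tuple[Control, ...] = (
    Control("firewall", reduction=0.5, annual_cost=5000),
    Control("mfa", reduction=0.7, annual_cost=3000),
    Control("encryption", reduction=0.6, annual_cost=4000),
    Control("dlp", reduction=0.4, annual_cost=8000),
)

# Constructed assets: one worth protecting, one that is essentially public.
CARD_DATA = DataAsset("customer_card_data", sensitivity=5, acceptable_risk=0.5)
BROCHURES = DataAsset("marketing_brochures", sensitivity=1, acceptable_risk=1.0)


def residual_risk(sensitivity: int, controls: Iterable[Control]) -> float:
    """Assumed model: each control independently removes a fraction of the threat
    likelihood, so the surviving likelihood is the product of (1 - reduction)."""
    likelihood = 1.0
    for c in controls:
        likelihood *= (1.0 - c.reduction)
    return sensitivity * likelihood


def cheapest_adequate_package(
    asset: DataAsset, candidates: Sequence[Control]
) -> Optional[Tuple[int, Tuple[Control, ...]]]:
    """Control matching: exhaustively search every subset of the catalogue (fine for a
    handful of controls) and return (cost, controls) for the cheapest set that brings
    residual risk within the owner's acceptable level. None means nothing is adequate."""
    best: Optional[Tuple[int, Tuple[Control, ...]]] = None
    for size in range(len(candidates) + 1):
        for subset in combinations(candidates, size):
            if residual_risk(asset.sensitivity, subset) <= asset.acceptable_risk:
                cost = sum(c.annual_cost for c in subset)
                if best is None or cost < best[0]:
                    best = (cost, subset)
    return best


def review_deployment(asset: DataAsset, deployed: Sequence[Control], candidates: Sequence[Control]) -> dict:
    """Compare what is actually deployed against the cheapest adequate package and
    report either under-protection or money spent beyond what the asset warrants."""
    current = residual_risk(asset.sensitivity, deployed)
    deployed_cost = sum(c.annual_cost for c in deployed)
    optimal = cheapest_adequate_package(asset, candidates)
    optimal_cost = optimal[0] if optimal is not None else None
    return {
        "asset": asset.name,
        "residual_risk": current,
        "adequate": current <= asset.acceptable_risk,
        "deployed_cost": deployed_cost,
        "optimal_cost": optimal_cost,
        # Excess only makes sense when the deployment already meets the requirement.
        "excess_cost": (deployed_cost - optimal_cost)
        if optimal_cost is not None and current <= asset.acceptable_risk else 0,
    }


if __name__ == "__main__":
    # Perimeter-only protection of card data: inadequate for the owner's threshold.
    print(review_deployment(CARD_DATA, [CONTROLS[0]], CONTROLS))
    # Every control thrown at public brochures: Fort Knox around something that is not gold.
    print(review_deployment(BROCHURES, list(CONTROLS), CONTROLS))
    print(cheapest_adequate_package(CARD_DATA, CONTROLS))
```

The exhaustive search is deliberate: with a real catalogue of dozens of controls you would move to a cost-aware heuristic, but for a worked example the point is that "adequate" is defined by the data owner's threshold and "optimal" by the control owner's ratings, and that both an unmet threshold and a large excess over the optimal cost are findings.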
For more information on the Linus Information Security Methodology (LISM) contact us.
* "Between 50% and 70% of all fraud happens on the inside, from employees and insiders," said Mr. Jegher of Celent. Ref.: article from Credit and Collections World.