Information Security Governance and Risk Management - Security Management
Information Security Governance and Risk Management
Security management is the pervasive security service needed to support and control the provisions of the other security services. It includes policy implementation and maintenance, security database management, security service management, security mechanism management, security context and association management, and interactions with security infrastructures, such as keys and certificates.
Although an ISSEP may find it necessary to add additional high-level security services to those mentioned, the IATF recognizes these six services as essential to documenting the IPP. Thus, the ISSEP should have a clear understanding of how these security services will be addressed within the context of the previously conducted threat analysis.
The life cycle provides a framework for enabling IT security decision makers to organize their IT security efforts from initiation to closeout. SP 800-35 (NIST SP800-35, p. ii) points out that the systematic management of the IT security services process is of critical importance to organizations.
Many organizations run into difficulties when they ignore the issues and needs of risk management. Those responsible for IT security need to keep security requirements in mind, allocate the necessary funding, and remember that their choices and decisions can have a crucial impact on the strategic functions of their organization, on its internal arrangements, and on other critical aspects of its operation.
SP 800-35 focuses on how organizations should evaluate and select a variety of IT security services (e.g., policy development or patch management) from either an internal IT group or an outside vendor in order to maintain their overall IT security program.
With that in mind, the inclusion of NIST SP 800-35 at this point is to show the NIST model for categorizing security services belonging to one of three categories (NIST SP 800-35, p. 3-1):
- Management services: areas and issues usually addressed by the key IT security staff and internal stakeholders. These decision makers are responsible for the computer security program and for managing the risks associated with it.
- Operational services: this category covers a variety of approaches in which key controls are managed and implemented by people rather than by computers or systems. Operational services require in-depth knowledge and expertise, as well as reliable technology.
- Technical services: these services rely entirely on controls executed by a computer system, as opposed to operational services (which are managed by people). The security and efficiency of technical services are therefore fully dependent on the computer system responsible for their management.
ISSEPs working in the Federal arena are probably aware of these NIST categories. However, it is also important to know the six IATF security service categories. The ISSEP ensures that the IATF security services (i.e., access control, confidentiality, integrity, availability, non-repudiation, and security management) are met, and determines which security controls must be implemented to provide the identified services.