Information security management

The main concept of this practice is about protecting data in terms of Confidentiality, Integrity, Availability, Authentication, Non-repudiation. To achieve security there are some tools and activities such as Policies, Processes, Behaviors, Risk management, Controls. 

There are three aspects of security that should be provided in order to receive security in an organization:

• Prevention: Making sure that information security threats are not occurring. 
• Detection: If a threat is not prevented, then it will be detected. 
• Correction: If a threat is detected, then we can survive that successfully. 

Note: The information security methods might disturb the creativity of people, so the controls should consider all of the aspects and aligned with the “Risk appetite” of the organization. 

To support this practice, these processes are defined:  

• Security incident management process 
• Risk management process 
• Auditing and control review process 
• Identity and access management process 
• Event management process 
• Vulnerability scan and penetrations test process 
•  Security change management 

Figure 5.3