Effective information resources management requires understanding and awareness of types of risk from a variety of sources. Legislation addressing federal information resources management consistently directs government agencies to follow risk-based decision-making practices when investing in, operating, and securing their information systems, obligating agencies to establish risk management as part of their IT governance. Information security represents one way to reduce risk, and in the broader context of risk management, information security management is concerned with reducing information system-related risk to a level acceptable to the organization. Organizations identify, assess, and respond to risk using the discipline of risk management.
This chance is risk, typically characterized as a function of the severity or extent of the impact to an organization due to an adverse event and the likelihood of that event occurring. No organization can provide perfect information security that fully assures the protection of information and information systems, so there is always some chance of loss or harm due to the occurrence of adverse events. The Federal Information Security Management Act defines information security as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction” in order to safeguard their confidentiality, integrity, and availability.
The ISMS can be applied to a specific system, components of a system, or the Forensic Laboratory as a whole.
A list of some of these is given in Section 5.1.Īn ISMS is a documented system that describes the information assets to be protected, the Forensic Laboratory’s approach to risk management, the control objectives and controls, and the degree of assurance required.
There are a number of national and international standards that specify risk approaches, and the Forensic Laboratory is able to choose which it wishes to adopt, though ISO 27001 is the preferred standard and the Forensic Laboratory will want to be Certified to this standard. Information Security Management can be successfully implemented with an effective information security risk management process. Information security risk management is the systematic application of management policies, procedures, and practices to the task of establishing the context, identifying, analyzing, evaluating, treating, monitoring, and communicating information security risks. David Watson, Andrew Jones, in Digital Forensics Processing and Procedures, 2013 5.5.1 Overview