IT security management

from Wikipedia, the free encyclopedia

The term IT security management comes from the field of information technology. It describes an ongoing process within a company or organization that ensures IT security.

The task of IT security management is to systematically secure an information-processing IT network. Dangers to information security and threats to the data protection of a company or organization are to be prevented or averted. Selecting and implementing IT security measures for a company's respective business processes is one of the activities of IT security management. Using IT standards makes a standardized procedure possible.

IT standards

The following standards are assigned to IT security management:

  • IT-Grundschutz of the Federal Office for Information Security (BSI)
    • The IT-Grundschutz Catalogs define specific measures, in the form of checklists, for the various aspects of an IT landscape that must be met to maintain security in the case of low and medium protection requirements. For systems with high protection requirements, the IT-Grundschutz Catalogs provide a structured procedure for identifying the necessary measures. The catalogs are primarily known in Germany, but are also available in English.
  • ISO/IEC 27001: standard for Information Security Management Systems (ISMS)
  • ISO/IEC 27002: guide to information security management (formerly ISO/IEC 17799:2005)
  • BS 7799-1 and BS 7799-2: predecessors of ISO/IEC 27002 and ISO/IEC 27001

The ISO/IEC 27001 standard is the most widely used worldwide.

Further standards with IT security aspects are:

Origin of the term

The term IT security management first appeared with the publication of the Green Books in 1989. The BS 7799 standard for information security developed from part of the Green Books. Nevertheless, methods for a structured approach to protecting against threats to information security were already in use by American authorities in the 1970s. In the 1980s, studies and articles in the English-speaking world followed on the subject of computer abuse and security, and on how effective information security could be achieved through organizational measures within a company.
