Information Security Management Resources
Statewide Information Security Policies: Statewide Policies on Information Security
State Information Security Standards: Statewide Standards on Information Security
State Information Risk Management Guidance
Risk related to the operation and use of information systems is another component of organizational risk that senior leaders must address as a routine part of their ongoing risk management responsibilities. Organizational risk can include many types of risk (e.g., investment risk, budgetary risk, program management risk, legal liability risk, safety risk, inventory risk, and the risk from information systems).
Effective risk management requires recognition that organizations operate in a highly complex and interconnected world using state-of-the-art and legacy information systems—systems that organizations depend upon to accomplish critical missions and to conduct important business. Leaders must recognize that explicit, well-informed management decisions are necessary in order to balance the benefits gained from the use of these information systems with the risk of the same systems being the vehicle through which adversaries cause mission or business failure.
Managing risk is not an exact science. It brings together the best collective judgments of the individuals responsible for the strategic planning and day-to-day operations of organizations to provide adequate security and risk mitigation for the information systems supporting the missions and business functions of those organizations. The complex, many-to-many relationships among mission/business processes and the information systems supporting those processes require a holistic, organization-wide view for managing risk.
The role of information security in managing risk from the operation and use of information systems is also critical to the success of an organization in achieving its strategic goals and objectives. Historically, senior leaders have viewed information security as a technical matter that was independent of organizational risk. This narrow view resulted in inadequate consideration of how risk from information systems, like other organizational risks, affects the likelihood of mission and business success.
The State of Montana has adopted the Federal Information Security Management Act (FISMA) and the associated National Institute of Standards and Technology (NIST) standards and guidance in the development and implementation of our Statewide Information Risk Management Program.
See the NIST Special Publications page for complete information on these standards and guidelines.
Information Risk Management Framework
The complexity and diversity of mission/business processes in modern organizations and the multitude of information systems that are needed to support those processes require a holistic approach to building effective information security programs and managing organizational risks. Developing an organization-wide information security program is not a new concept. However, obtaining a broad-based, organization-wide perspective by authorizing officials and other senior leaders facilitates a more comprehensive view of managing risk from the operation and use of information systems.
In today’s organizations, a single mission/business process may be supported by multiple information systems. Conversely, there may be multiple mission/business processes supported by a single information system. This many-to-many relationship among mission/business processes and information systems requires an organization-wide approach to managing risk—that is, the risk resulting from the use of information systems in organizational mission/business processes.
There are many advantages to employing an organizational approach when developing an information security program. A comprehensive, organization-wide information security program:
· Facilitates prioritization of information security requirements and allocation of information security resources based on risks to the organization’s mission/business processes;
· Ensures information security considerations are integrated into the enterprise architecture, the programming, planning, and budgeting cycles for managing information system assets, and the acquisition/system development life cycles;
· Facilitates decisions on risk mitigation activities based on the strategic goals and objectives of the organization and organizational priorities;
· Promotes the development and dissemination of common security policies and procedures;
· Promotes the identification, development, implementation, and assessment of common (infrastructure-based) security controls that support large segments of the organization;
· Promotes the development of organization-wide solutions to information security problems and more consistent and cost-effective information security solutions;
· Facilitates consolidation and streamlining of security solutions across the organization to simplify management, eliminate redundancy of protection, and improve interoperability and communication between dispersed information systems;
· Provides insights into systemic information security weaknesses and deficiencies;
· Promotes better communication among personnel responsible for information security;
· Increases the information security knowledge base for key individuals responsible for protecting organizational mission/business processes and the information systems supporting those processes; and
· Provides an essential foundation for building trust among organizations/partners.
To be effective, organization-wide information security programs require strong commitment, direct involvement, and ongoing support from senior leaders. The objective is to institutionalize information security into the day-to-day operations of organizations as a priority and an integral part of how organizations conduct their operations in cyberspace, recognizing that this is essential in order to successfully carry out organizational mission and business processes in actual threat-laden operational environments.
Building information security into the culture and infrastructure of organizations requires a carefully coordinated set of activities to ensure that fundamental requirements for information security are addressed within the mainstream management and operational processes employed by organizations (e.g., enterprise architecture development, acquisition and procurement processes, system development life cycle processes, concepts of operation)*.
*From NIST SP 800-39
Links to other Information Risk Management Professional Resources
NIST - Computer Security Division - Computer Security Resource Center
State of MT Secure Information Security Portal:
*State Information Security staff only.
MT-ISAC (Contact the Enterprise Information Security Bureau for login)