A framework for information security evaluation

Abstract

Information Security Management consists of various facets, such as Information Security Policy, Risk Analysis, Risk Management, Contingency Planning and Disaster Recovery; these are all interrelated in some way, often causing uncertainty and confusion among top management. This paper proposes a model for Information Security Management, called an Information Security Management Model (ISM2), which puts all the various facets in context. The model consists of five different levels, defined on a security axis. ISM2 introduces the idea of international security criteria or international security standards. The rationale behind these is to enable information security evaluation according to internationally accepted criteria. Due to the lack of internationally recognized and/or accepted information security standards and criteria, this model cannot be implemented in its totality at this time. A restricted form is implemented, forming an information security evaluation tool. This tool can be used for information security management with great success within an organization. © 1994.