II. Management

ISMS Life Cycle

Management should establish an ISMS life cycle to support the ISMS within universities. A good example of an ISMS life cycle is the "Plan-Do-Check-Act" model used by ISO 27001, which aims to establish, implement, monitor and improve the effectiveness of information security management in a continuous manner. The model has the following four phases:

  1. "Plan" phase - establishing the ISMS

  2. "Do" phase - implementing and operating the ISMS

  3. "Check" phase - monitoring and reviewing the ISMS

  4. "Act" phase - maintaining and improving the ISMS

ISMS Coverage

Management should ensure that the ISMS covers all areas that are critical to the protection of universities' information security. In ISO 27001, there are 11 domains that address the main security issues from the management's point of view:

  1. Security Policy - Key information security directives and mandates for the entire organisation required by top management.

  2. Organising Information Security - Internal and external information security governance structure.

  3. Asset Management - Policies and procedures that determine what information assets an organisation holds, and how to manage their security appropriately.

  4. Human Resources Security - Human resource background screening, security awareness, training and educational activities.

  5. Physical and Environmental Security - Requirements for the physical protection of IT equipment against malicious or accidental damage, theft, overheating, power outages, etc.

  6. Communications and Operations Management - Security controls over systems and network management.

  7. Access Control - Logical access controls over IT systems, network and data to prevent unauthorised use.

  8. Information System Acquisition, Development and Maintenance - Systems Development Lifecycle (SDLC) processes for specifying, building / acquiring, testing, implementing and maintaining IT systems.

  9. Information Security Incident Management - Management procedures for information security events, incidents and weaknesses.

  10. Business Continuity Management - Procedures for IT disaster recovery planning, business continuity management and contingency planning.

  11. Compliance - Compliance with laws, regulations, security policies and standards, technical compliance, and information systems audit considerations.
Reference:
http://www.ogcio.gov.hk/eng/prodev/download/s17.pdf
http://www.iso27001security.com/html/27002.html