Information Security Management System

An information security management system is an information resource management system (IRMS) for managing any type of sensitive data, whether that data belongs to the business itself or from a customer. The term can also be used in a more narrowed sense to refer only to how companies handle the encryption and storage of data that is so sensitive that it has been legally mandated by law for protection.

It is a set of security policies that are designed to protect or control access to various forms of information being managed by an organization. In theory, most organizations that handle information of any sort have policies in place controlling how and who has access to what data for what purposes. However, there may not be a formalized structure for implementing the policies in a way that allows the business to assess its overall exposure to information risk and implement any changes that might be needed. Additionally, the policies themselves may not be updated or reviewed often enough.

To address these issues, an information securities management system (ISMS) provides a checklist that allows organizations to evaluate their overall role in handling sensitive data and implement any necessary changes to policies. It also creates a formal structure for how information is handled and stored so that it can be more readily accessed in an audit situation.

ISMS is most often used in the context of computer security. The term has also been applied to the management of information in other areas such as financial services and telecommunications, but none of these are specifically covered by ISMS.

In large organizations, where a number of IT groups may have access to different sets of sensitive data, such as financial reports or customer lists, systems need to be put in place that allows each unit to share pertinent information with others. Some companies may not have a formal structure in place to ensure that each department has access to the data they need. Instead, different information may flow through multiple hands between departments, creating more of a risk than if it were in one centralized location.

If a company maintains financial records, for instance, employees in various parts of the business might be given access to various reports that include personal data. Those employees might need review notes and other information on the reports and how they should be used. If a new employee arrives, he or she may have no idea how to access that information. In some cases, it would be helpful for him or her to be able to make changes without having the information forwarded by someone else.

In addition, it may be beneficial for the employee to have access to her own reports (if she needs them) or other information about her unit (such as personnel actions). This is sometimes called self-service when dealing with sensitive data. It is usually controlled by a separate software application from normal company systems.

In some cases, the employee's ability to view and change the data may depend on other organizations being involved. Perhaps he or she is able to modify data for the HR department. He or she would not have access to HR or other personnel records, however, if those systems are managed separately by another division of the business.

The systems used to control sensitive information may be inadequate if they are not able to handle many requests at once. The ISMS manages requests in a more centralized system, allowing the employee to see that data across multiple departments.