APPENDIX 2: ISM ACTIVITIES

There are many activities or tasks that an ISM has to contend with, and they obviously can’t all be done in one month. You need to spread your activity across the year with some level of planning, so that you are not constantly fire-fighting. Below are the key headlines from each of the chapters, represented as task points for an ISM to focus on.

ISM activities – January

  • Embedding security culture
  • Desktop refresh and consumerisation
  • Incident reporting
  • Data-sharing protocols/information sharing agreements
  • Records management
  • Penetration testing
  • Environmental management issues.

ISM activities – February

  • User administration (and rights management)
  • Inventory management
  • Review back-up arrangements
  • Review business continuity requirements and engage widely across the business, conducting business impact analyses
  • Review risk assessment arrangements across the whole organisation.

ISM activities – March

  • Addressing user requirements
  • Privacy impact assessments
  • Managing a virus outbreak
  • Embedding a useful InfoSec intranet.

ISM activities – April

  • Reviewing information assurance arrangements
  • Linking up with information governance requirements
  • Security metrics and measurements
  • Equipment life-cycle management.

ISM activities – May

  • Maintaining situational awareness
  • Addressing language and management challenges
  • Laptop management
  • Outsourcing/third-party management
  • Addressing port control.

ISM activities – June

  • Reviewing audit reports – internal and external
  • Review other project proposals
  • Review organisational complaints
  • Security incident response management
  • Access control
  • Removable media device management.

ISM activities – July

  • Reading – journal articles, books, blogs
  • Maintaining continuous professional development.

ISM activities – August

  • Identify all assets – hardware, software, information, people
  • People – network widely
  • Review access control
  • Review information security awareness levels and design new material
  • Review incident management processes and improve if necessary.

ISM activities – September

  • Software licensing
  • Remote and mobile worker management
  • User acceptance testing
  • Addressing physical security (convergence)
  • Password management
  • Laptop management.

ISM activities – October

  • Information security policy creation and development
  • Anti-virus (malware) management
  • Standard build and image roll-out
  • Password management (again)
  • Audit log management
  • Vulnerability management
  • Cloud Computing – third-party management, etc.
  • Project and people management.

ISM activities – November

  • Remote working (again) – location network set-up
  • Ensuring security is built into all projects from the outset
  • Information labelling and classification of information assets
  • Ensuring lessons learnt are recorded and shared.

ISM activities – December

  • Security improvement programme (SIP)
  • Fax management
  • Image build (again)
  • Physical security (again).