The Information Technology Infrastructure Library (ITIL) defines information security management as the process that “aims to ensure the confidentiality, integrity and availability of an organization's information, data and IT services. ITIL Security Management usually forms part of an organizational approach to security management which has a wider scope than the IT Service Provider.”
Security management achieves its goal of aligning IT and business security by maintaining a defined level of security controls against the risks to information and IT services. These controls are established through a set of security policies.
Therefore, if security management is the alignment of goals and objectives, security operations is defined by the ongoing implementation and execution of IT services and processes in a secure manner. Together, they form an essential framework for protecting an organization's information assets.
Security policies typically look at the information assets from a lens of protecting confidentiality, integrity, and availability. Organizations that follow standards such as ISO 27001 generally should have policies that address the following information security management functions:
While the list above is not exhaustive, the idea is that a solid policy framework will address people, process, products and technology, and partners and suppliers. Generally accepted best practice is to make these policies available to all employees and suppliers and to review policies for changing business and legal requirements every 12 months.
A widely accepted goal of information security management and operations is that the set of policies put in place—an information security management system (ISMS)—should adhere to global standards. ISO 27001 is the de facto global standard. ITIL security management best practice is based on the ISO 27001 standard.
Another framework or ISMS that is gaining wider acceptance within the United States is the National Institute of Standards and Technology (NIST) cybersecurity framework. According to NIST, the framework "focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes."
Correlating the terabytes of data that a large enterprise produces requires an effective security monitoring system that can scale with the data challenge and incorporate data gathered from diverse sources such as devices, networks, and log and event sources. SOCs have typically been built around a hub-and-spoke architecture, where a security information and event management (SIEM) system aggregates and correlates data from security feeds. Spokes of this model can incorporate a variety of systems, such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and response (EDR), and threat intelligence platforms (TIP).
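To make the hub-and-spoke correlation concrete, here is an added Python example (not from the original article or any SIEM product) in which the "hub" normalizes records from three constructed spoke feeds (IPS, EDR, vulnerability assessment) into one schema and raises an incident when an IPS alert and an EDR process event hit the same host within a short window. The feed formats, field names, hostnames and the CVE placeholder are all assumed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from three SIEM spokes (not real telemetry).
IPS_ALERTS = [
    {"ts": "2024-03-01T10:02:10", "host": "web-01", "sig": "SQL injection attempt"},
    {"ts": "2024-03-01T10:40:00", "host": "db-02", "sig": "Port scan"},
]
EDR_EVENTS = [
    {"time": "2024-03-01T10:03:05", "hostname": "web-01", "proc": "/bin/sh", "parent": "httpd"},
    {"time": "2024-03-01T12:00:00", "hostname": "db-02", "proc": "cron", "parent": "init"},
]
VA_FINDINGS = [
    {"asset": "web-01", "cve": "CVE-PLACEHOLDER-1", "severity": "high"},  # placeholder id
]

def normalize(record, source):
    """Map each spoke's own field names onto the hub's common event schema."""
    if source == "ips":
        return {"ts": datetime.fromisoformat(record["ts"]), "host": record["host"],
                "source": "ips", "detail": record["sig"]}
    if source == "edr":
        return {"ts": datetime.fromisoformat(record["time"]), "host": record["hostname"],
                "source": "edr", "detail": f'{record["parent"]} -> {record["proc"]}'}
    raise ValueError(f"unknown spoke: {source}")

def correlate(ips, edr, va, window=timedelta(minutes=5)):
    """Group normalized events per host and pair an IPS alert with an EDR event
    inside `window`. A high/critical VA finding on that host raises priority."""
    events = [normalize(r, "ips") for r in ips] + [normalize(r, "edr") for r in edr]
    vuln_hosts = {f["asset"] for f in va if f["severity"] in ("high", "critical")}
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # later events are even further away; stop scanning
                if {a["source"], b["source"]} == {"ips", "edr"}:
                    priority = "critical" if host in vuln_hosts else "high"
                    incidents.append({"host": host, "priority": priority,
                                      "events": [a["detail"], b["detail"]]})
    return incidents

if __name__ == "__main__":
    for inc in correlate(IPS_ALERTS, EDR_EVENTS, VA_FINDINGS):
        print(inc)
```

Only web-01 produces an incident: its IPS alert and EDR event are 55 seconds apart, while db-02's two events fall outside the five-minute window.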