ITIL Service Management

Service Management = The Objective Tree =

Security Management = Activities: securing information =

Security

ensure a level of security such that the agreed availability of the infrastructure is not compromised.

study the security demand

study the security possibilities

security regarding 3rd parties (e.g. suppliers)

study the risks of security

draw up a security strategy

Security Management = Activities: securing information =

CRAMM: analysis of risks

Security Management = the basics =

CIA

Confidentiality

protecting information against unauthorised use

Integrity

accuracy and completeness of information

Availability

information is available at any moment within the agreed timeframe

Security Baseline

the basic level of security

these standard security measures are listed in the Service Catalogue

Security Management = Activities: securing information =

the process model

Security Management = Activities: securing information =

Steering: policy and organisation of securing information

Policy

develop and implement policy

awareness campaign: the goal, the common principles and the importance placed on security

determine the sub processes

determine responsibilities and authorities

determine the relationships with other ITIL-processes

how to deal with security incidents

Security Management = Activities: securing information =

Steering: policy and organisation of securing information

Organisation

set up organisation structure and management frame

allocate responsibilities and authorities

choose tools (for e.g. risk analysis)

implement the “Taskforce Information Security” (TIS)

coordination of securing information (and providing specialist advice)

ensure independent audits (EDP-audits)

ensure information security in 3rd party contracts

ensure physical and logical access security regarding 3rd parties

Security Management = Activities: securing information =

Planning

draw up the security paragraph in the SLA together with SLM

record in OLAs / SPAs as a security plan per:

– organisation-unit
– IT platform
– application
– network
– …

draw up security paragraphs in underpinning contracts

the security plan per organisation-unit within the organisation of the external IT service provider

Security Management = Activities: securing information =

Implementation

classification and managing IT resources

input for the maintenance of CIs in the CMDB

staff security

screening

security statements / agreements

training

security awareness

how to deal with security incidents

how to deal with flaws in security

disciplinary measures

Security Management = Activities: securing information =

Implementation

managing security

allocation of responsibilities and authorities

written manuals / guidelines

house rules

guidelines for security during the full lifecycle (development – test – acceptance – operation – phase out)

implementation of contingency provisions

handling and securing data carriers

access security

implementation of the policy of securing information

maintenance of access rights of customers and applications

maintenance of security measures in networks (firewalls, dial-in facilities, bridges, routers, …)

Security Management = Activities: securing information =

Evaluation (audit & evaluation)

self assessments

are mainly carried out by the business processes themselves

internal audits

by internal EDP-auditors

external audits

by external (independent) EDP-auditors

verification of the security policy

verification of security plans

evaluate security incidents

detect and react to unwanted use of IT resources

Security Management = Activities: securing information =

Maintenance

of both the SLA (the security paragraph) and the OLAs

is based on the results of the sub process “Evaluate” and on insight into changing risks

proposes changes to be carried out:

in the sub process “Plan”

in the regular SLA maintenance

the changes go through Change Management !!!

Security Management = Activities: securing information =

Reporting

on sub process “Plan”

degree of conformance to SLAs (including CPIs on security)

status of (and possible problems with):

– OLAs / SPAs
– Underpinning Contracts
– security year plans / action plans

on sub process “Implementation”

status accounting

regarding the implementation of securing information

regarding the awareness campaign on securing information

account of security incidents and the reactions

trend analysis regarding security incidents

Security Management = Activities: securing information =

Reporting

on sub process “Evaluation”

results of audits, reviews and internal assessments

warnings about and identification of new threats

specific reports

SLA reports agreed with the individual customer

procedures regarding communication in special (unforeseen) situations

Security Management = Costs, Points of Attention, Advantages =

Costs

Personnel

carrying out the risk analysis, drawing up and maintaining the security plan, managing (supporting) contracts, …

Accommodation

also physical storage of process documents, …

Software

tools for analysis, contract management, security plans, …

Hardware

implementation costs of security equipment, test costs, …

Education

ITIL Master Class / ITSM-Practitioner, …

Procedures

designing & managing Security Management, documentation, instruction sets, …

Security Management = Costs, Points of Attention, Advantages =

Points of Attention

commitment of the organisation and the management

security measures constrain (long-fought-for) privileges

no security incidents = tendency to decrease budget

attitude and awareness

“real” security is often new to the organisation

integrate security procedures in daily routine

controllability

have right actions been taken (and have the right procedures been followed)?

have the right decisions been made?

is the authority of decision makers verifiable?

Security Management = Costs, Points of Attention, Advantages =

Points of Attention

Change Management

when assessing a change, there must be no slackening of (the basic level of) security

too high ambition

don’t do everything at once

implementation of organisational measures is harder than implementation of technical measures

lack of detection mechanisms

“new” applications (e.g. internet) run the risk, under the pressure of a short “time to market” and the desire for low development costs, of not being capable of “intrusion detection”

Security Management = Costs, Points of Attention, Advantages =

Advantages

pro-active approach by the organisation

optimal security measures

ensuring a technically reliable information flow

internal importance:
- availability in time of accurate and complete information

external importance:
- adequate provision of information leads to mature services and/or products for the external market
- support for the continuity of the organisation

Security Management = Functionally Oriented vs. Process Driven =

ITIL Service Management = “webbing” =
