store.theartofservice.com/itil.html
ITIL Service Management
Service Management = The Objective Tree =
Security Management = Activities: securing information =
Security
ensure a level of security such that the agreed availability of the infrastructure is not compromised
study the security demand
study the security possibilities
security regarding 3rd parties (e.g. suppliers)
study the risks of security
draw up a security strategy
CRAMM: analysis of risks
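The "study the risks" step above is where a method such as CRAMM turns asset value, threat likelihood and vulnerability into a risk level that the security strategy and the later security plan have to address. The following is an added, simplified illustration of that kind of qualitative analysis; it is not part of the original slides and is not the CRAMM method or its tables. The rating scales, the risk matrix, the baseline value and the assets and threats are all constructed assumptions.

```python
"""Simplified qualitative risk analysis in the spirit of CRAMM.

Added example, not from the original page and not the CRAMM method itself.
Scales, matrix, baseline and sample data below are constructed assumptions:
  asset value per CIA aspect: 1 (low) .. 5 (high)
  threat likelihood:          1 (low) .. 3 (high)
  vulnerability (ease of exploitation): 1 (low) .. 3 (high)
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int


@dataclass(frozen=True)
class Threat:
    name: str
    aspect: str         # CIA aspect the threat attacks: "confidentiality", "integrity" or "availability"
    likelihood: int     # 1 .. 3
    vulnerability: int  # 1 .. 3


def risk_level(asset_value: int, likelihood: int, vulnerability: int) -> int:
    """Combine the three ratings into a risk level 1..7 (constructed matrix).

    likelihood * vulnerability (1..9) is first folded into an exposure of 1..3,
    then added to the asset value, so a worthless asset under a certain, easy
    threat still scores lower than a crown-jewel asset under a remote one.
    """
    if not (1 <= asset_value <= 5 and 1 <= likelihood <= 3 and 1 <= vulnerability <= 3):
        raise ValueError("rating out of range")
    exposure = (likelihood * vulnerability - 1) // 3 + 1   # 1..3
    return asset_value + exposure - 1                      # 1..7


def analyse(assets: List[Asset], threats: List[Threat], baseline: int) -> List[Tuple[str, str, int]]:
    """Return (asset, threat, risk) for every pair whose risk exceeds the baseline,
    highest risk first. Pairs at or below the baseline are assumed to be covered
    by the standard measures of the security baseline; the rest need specific
    measures in the security plan."""
    findings = []
    for asset in assets:
        for threat in threats:
            value = getattr(asset, threat.aspect)
            risk = risk_level(value, threat.likelihood, threat.vulnerability)
            if risk > baseline:
                findings.append((asset.name, threat.name, risk))
    findings.sort(key=lambda f: (-f[2], f[0], f[1]))
    return findings


# Constructed sample data (assumption, not real inventory).
ASSETS = [
    Asset("customer database", confidentiality=5, integrity=4, availability=3),
    Asset("public web server", confidentiality=1, integrity=3, availability=4),
    Asset("internal wiki", confidentiality=2, integrity=2, availability=2),
]
THREATS = [
    Threat("data theft by insider", "confidentiality", likelihood=2, vulnerability=2),
    Threat("web defacement", "integrity", likelihood=3, vulnerability=2),
    Threat("DDoS", "availability", likelihood=3, vulnerability=3),
]
BASELINE = 3   # assumed risk level covered by the standard security baseline


def sample_findings() -> List[Tuple[str, str, int]]:
    """Run the analysis over the constructed sample data."""
    return analyse(ASSETS, THREATS, BASELINE)


if __name__ == "__main__":
    for asset, threat, risk in sample_findings():
        print(f"risk {risk}: {asset} / {threat}")
```

The sorted findings list is the input to "draw up a security strategy": the top entries are the asset/threat pairs for which the security baseline is not enough and for which specific measures must be planned, costed and later recorded in the SLA security paragraph and the OLAs.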
Security Management = the basics =
CIA
Confidentiality
protecting information against unauthorised use
Integrity
accuracy and completeness of information
Availability
information is available at any moment within the agreed timeframe
Security Baseline
the basic level of security
these standard security measures are listed in the Service Catalogue
the process model
Steering: policy and organisation of securing information
Policy
develop and implement policy
awareness campaign: the goal, the common principles and the importance placed on security
determine the sub processes
determine responsibilities and authorities
determine the relationships with other ITIL-processes
how to deal with security incidents
Organisation
set up organisation structure and management frame
allocate responsibilities and authorities
choose tools (for e.g. risk analysis)
implement the "Taskforce Information Security" (TIS)
coordination of securing information (and providing specialist advice)
ensure independent audits (EDP-audits)
ensure information security in 3rd party contracts
ensure physical and logical access security regarding 3rd parties
Planning
draw up the security paragraph in the SLA together with SLM
record in OLAs / SPAs as a security plan per:
– organisation unit
– IT platform
– application
– network
– …
draw up security paragraphs in underpinning contracts
the security plan per organisation unit within the organisation of the external IT service provider
Implementation
classification and management of IT resources
input for the maintenance of CIs in the CMDB
staff security
screening
security statements / agreements
training
security awareness
how to deal with security incidents
how to deal with flaws in security
disciplinary measures
managing security
allocation of responsibilities and authorities
written manuals / guidelines
house rules
guidelines for security during the full lifecycle (development – test – acceptance – operation – phase out)
implementation of contingency provisions
handling and securing data carriers
access security
implementation of the policy of securing information
maintenance of access rights of customers and applications
maintenance of security measures in networks (firewalls, dial-in facilities, bridges, routers, …)
Evaluation (audit & evaluation)
self assessments
are mainly carried out by the business processes themselves
internal audits
by internal EDP-auditors
external audits
by external (independent) EDP-auditors
verification of the security policy
verification of security plans
evaluate security incidents
detect and react to unwanted use of IT resources
Maintenance
of both the SLA (the security paragraph) and the OLAs
is based on the results of the sub-process "Evaluate" and on insight into changing risks
proposes changes to be carried out:
in the sub process “Plan”
in the regular SLA maintenance
all changes go through Change Management
Reporting
on sub process “Plan”
degree of conformance to SLAs (including KPIs on security)
status of (and possible problems with):
– OLAs / SPAs
– Underpinning Contracts
– security year plans / action plans
on sub process “Implementation”
status accounting
regarding the implementation of securing information
regarding the awareness campaign on securing information
account of security incidents and the reactions
trend analysis regarding security incidents
on sub process “Evaluation”
results of audits, reviews and internal assessments
warnings about and identification of new threats
specific reports
with the individual customer agreed SLA-reports
procedures regarding communication in special (unforeseen) situations
Security Management = Costs, Points of Attention, Advantages =
Costs
Personnel
carrying out the risk analysis, drawing up and maintaining the security plan, management of (supporting) contracts, …
Accommodation
also physical storage of process documents, …
Software
tools for analysis, contract management, security plans, …
Hardware
implementation costs of security equipment, test costs, …
Education
ITIL Master Class / ITSM Practitioner, …
Procedures
designing and managing Security Management, documentation, instruction sets, …
Points of Attention
commitment of the organisation and the management
security measures constrain (long fought) privileges
no security incidents = tendency to decrease budget
attitude and awareness
“real” security is often new to the organisation
integrate security procedures in daily routine
controllability
have right actions been taken (and have the right procedures been followed)?
have the right decisions been made?
is the authority of decision makers verifiable?
Change Management
when assessing a change, the (basic) level of security must not be relaxed
too high ambition
don’t do everything at once
implementation of organisational measures is harder than implementation of technical measures
lack of detection mechanisms
"new" applications (e.g. internet-facing ones) run the risk, under pressure of a short time to market and low development costs, of being built without any intrusion detection capability
Advantages
pro-active approach of the organisation
optimal security measures
ensuring a technically reliable information flow
internal importance:
– timely availability of accurate and complete information
external importance:
– adequate provision of information leads to mature services and/or products for the external market
– support for the continuity of the organisation
Security Management = Functionally Oriented vs. Process Driven =
ITIL Service Management = "webbing" =