ITIL and IT Security Architecture
IST 725 Case Study 3 – ITIL® and IT Security Architecture, April 8, 2012
Leo de Sousa – IST 725
Abstract
This paper describes the interaction between the IT Infrastructure Library (ITIL®) and IT
Security Architecture (ITSA) within the overall context of Enterprise Architecture (EA).
Enterprise Architecture provides a holistic approach to the integration and management of an
organization’s strategy, business and technology. IT Security Architecture is a component of
Enterprise Architecture. The EA3 Cube Framework shows how ITSA fits in a documented
enterprise architecture. IT Security is considered a planning thread that is a “common activity
that is present in all levels of the framework.” (Bernard, 2005, p. 42) ITIL® specifically
addresses the IT service component of Enterprise Architecture. ITIL® is an approach to IT
Service Management “to drive consistency, efficiency and excellence into the business of
managing IT services.” (itSMF Ltd, UK Chapter, 2007, p. 3) ITIL® contains five components
built around a Service Lifecycle. The components are Service Strategy, Service Design, Service
Transition, Service Operation and Continual Service Improvement. The sections of this paper
are: (a) Introduction, (b) Relations between ITIL®, IT Security Architecture and Enterprise
Architecture, (c) Interactions of ITIL® and ITSA and (d) Conclusion. After reading this paper,
the reader should have a clear understanding of how ITIL® interacts with IT Security
Architecture practices within Enterprise Architecture.
Introduction
This paper uses Enterprise Architecture as the overarching framework to model and understand
how ITIL® and IT Security Architecture interact together. Enterprise Architecture provides a
holistic approach to the integration and management of an organization’s strategy, business and
technology. EA addresses “policy, planning, decision-making and resource development that is
useful to executives, line managers, and support staff.” (Bernard, 2005, p. 33)
IT Infrastructure Library (ITIL®) was developed by the UK Office of Government Commerce in
the 1980s. The current version is ITIL® V3, which is a major rewrite of ITIL® V2. IT
Infrastructure Library (ITIL®) “provides a framework of Best Practice guidance for IT Service
Management and since its creation, ITIL® has grown to become the most widely accepted
approach to IT Service Management in the world.” (itSMF Ltd, UK Chapter, 2007, p. 2) ITIL®
suggests organizations take a holistic approach to IT service management with a focus on value
to customers. Services have two value measures:
• Utility – is the service delivering the required functionality? “fit for purpose”
• Warranty – is the service delivered in the expected timeframe, in a secure manner and
available for customers when necessary? “fit for use”
ITIL® contains five components built around a Service Lifecycle. The components are Service
Strategy, Service Design, Service Transition, Service Operation and Continual Service
Improvement.
IT Security Architecture “is the art and science of designing and supervising the construction of
business systems, usually business information systems, which are: free from danger, damage,
etc.; free from fear, care, etc.; in safe custody; not likely to fail; able to be relied upon; safe from
attack.” (Sherwood, Clark, & Lynas, 2005, p. 2) The SABSA® Model captures IT Security
Architecture in six layers: Contextual Security Architecture, Conceptual Security Architecture,
Logical Security Architecture, Physical Security Architecture, Component Architecture and
Operational Security Architecture. (Sherwood, Clark, & Lynas, 2005, p. 34) (SABSA, 2012)
Components of IT Security Architecture reside within parts of the ITIL® Service Lifecycle and
both reside in the Enterprise Architecture framework which encompasses the entire business.
Relations between ITIL®, IT Security Architecture and Enterprise Architecture
The EA3 Cube Documentation Framework (Bernard, 2005, p. 38) provides an excellent
framework for understanding the interactions between ITIL® and ITSA. The EA3 Cube
describes an Enterprise Architecture by documenting the current state and future state of an
enterprise as well as creating a management plan for change. Here is an image of the EA3 Cube
Documentation Framework and the ITIL® V3 Framework:
Looking at the EA3 Cube, we can see how each component interacts when modeling an
organization. ITIL® suggests IT Service Management best practices for the Service Lifecycle
for Services, Data and Information, Systems and Applications, Networks and Infrastructure and
Security/Standards in the EA framework. IT Security Architecture (ITSA) is one of the planning
threads in the EA3 Cube framework. IT Security Architecture helps identify issues and the risks
that could impact a company and its partners. ITSA also provides a framework for planning and
implementing secure business practices. Integrating ITSA and ITIL® enables a business to
focus on best practices in security and IT service management to deliver value.
The diagram below represents the relationships between EA, ITIL and ITSA.
EA (S+B+T)
• Assets (What)
• Process (How)
• Location (Where)
• People (Who)
• Time (When)
• Motivation (Why)
ITIL (ITSM)
• Service Strategy
• Service Design
• Service Transition
• Service Operation
• Continual Service Improvement
ITSA (CIA)
• Contextual Security Architecture
• Conceptual Security Architecture
• Logical Security Architecture
• Physical Security Architecture
• Component Architecture
• Operational Security Architecture
Interactions of ITIL® and ITSA
This section explores the impacts of ITIL® on ITSA. The table below lists all the ITIL
processes by component type - interactions with ITSA are bolded. (Clinch, 2009, pp. 16-17)
| Service Strategy | Service Design | Service Transition | Service Operations | Continual Service Improvement |
| Demand Mgmt | Service Catalogue Mgmt | Knowledge Mgmt | Incident Mgmt | Service Measurement |
| Financial Mgmt | Service Level Mgmt | Change Mgmt | Problem Mgmt | Service Reporting |
| Strategy Generation | Capacity Mgmt | Asset and Configuration Mgmt | Event Mgmt | Service Improvement |
| Service Portfolio Mgmt | Availability Mgmt | Release and Deployment Mgmt | Request Fulfillment | |
| | Service Continuity Mgmt | Transition Planning and Support | Access Mgmt | |
| | Information Security Mgmt | Service Validation and Testing | Operations Mgmt | |
| | Supplier Mgmt | Evaluation | Service Desk | |
| | | | Application Mgmt | |
| | | | Technical Mgmt | |
| | | | IT Operations | |
Service Strategy
ITIL® defines Service Strategy as “collaboration between business strategists and IT to develop
IT service strategies that support the business strategy.” (Kneller, 2010, p. 3) This section of
ITIL® only has generalized references to IT security architecture. There is one specific
reference in the Service Value section: “Service Warranty: how the service is delivered and its
fitness for use, in terms of availability, capacity, continuity and security.” (itSMF Ltd, UK
Chapter, 2007, p. 14) The intent is that security is considered a part of the strategy for creating
valuable services for the organization.
Service Design
ITIL® defines Service Design as “designing the overarching IT architecture and each IT service
to meet customers’ business objectives by being both fit for purpose (utility) and fit for use
(warranty).” (Kneller, 2010, p. 4) Availability Management, IT Service Continuity
Management and Information Security Management processes in ITIL® all provide guidance for
implementing security practices.
• Availability Management – considers both reactive and proactive activities to ensure
services are available for use. IT security architecture provides proactive guidance to
protect services as well as responding to security attacks or breaches that compromise a
service (e.g. Denial of Service attacks)
• IT Service Continuity Management – considers ongoing recovery capabilities for
services. IT security architecture guides the design of recovery capabilities and
infrastructures to ensure that services can be recovered and delivered securely
• Information Security Management – is the main ITIL® process for IT security
architecture. This process seeks to align IT security with business security and protect
the information assets for all services. This process uses the CIA (confidentiality,
integrity, availability) model to suggest best practices of IT security in services.
Service Transition
ITIL® defines Service Transition as “managing and controlling changes into the live IT
operational environment, including the development and transition of new or changed IT
services.” (Kneller, 2010, p. 4) Knowledge Management, Change Management, Asset and
Configuration Management, Release and Deployment Management and Service Validation and
Testing processes all have IT security architecture components.
• Knowledge Management – ensures that the correct person has access to the right
knowledge, at the correct time to deliver and support business services. This process uses
the IT Security Architecture CIA (confidentiality, integrity, availability) model to suggest
best practices for information security
• Change Management – delivers standard and secure methods to manage change to
services. IT security architecture should be integrated with Change Management
processes to ensure that the introduction of new configuration items does not increase the risk
to the services they support. IT security reviews are also important for reviewing
changes to existing services to maintain the agreed upon security levels. IT security
architecture must be considered for all levels of change from strategic to tactical to
operational. Effective implementation of this process limits unauthorized changes that
could create security risks.
• Asset and Configuration Management – accounts for service assets and configuration
items to protect their integrity for the service lifecycle. IT Security architecture integrates
with this process especially when considering Data and Information Architecture,
Systems and Application Architecture and Networks and Infrastructure Architecture
segments. Being able to identify, control and account for corporate information assets
protects companies from security breaches, data leakage and information security
compliance failures. Creating a Configuration Management System to record and track
all configuration items used to deliver services is a key function for security.
• Release and Deployment Management – ensures that changes are securely released into
the production environment that supports business services. Implementing auditing and
release controls following IT security best practices aligns this ITIL® process with ITSA.
Effective implementation of this process limits unauthorized changes that could create
security risks.
• Service Validation and Testing – provides objective evidence that services are meeting
their established service level agreements for functionality, availability, continuity,
security and usability. Security audits, including penetration tests, are
examples of how ITSA and this ITIL® process interact.
Service Operations
ITIL® defines Service Operations as “delivering and supporting operational IT services in such a
way that they meet business needs and expectations and deliver forecasted business benefits.”
(Kneller, 2010, p. 4) Incident Management, Problem Management, Event Management and
Access Management processes in ITIL® all use guidance from information security practices.
• Incident Management – restores normal service as quickly as possible so that business
impacts are minimized. Incidents can come from any part of the business. When they
are IT security related, the IT service desk and security teams initiate an incident
response process: identification, containment, eradication and recovery. (Killmeyer,
2006, p. 215) Security incidents can range from external attacks and data breaches (e.g.
FIPPA and HIPAA compliance) to internal attacks and copyright violations.
• Problem Management – determines the root causes of incidents, recommends changes to
resolve the issue and provides workarounds if a resolution cannot be found. The IT
security team takes a lead in this process for security problems. The focus in this process
is the eradication of the problem by implementing new security practices and technology.
This process initiates the Change Management process when resolutions need to be put into
production.
• Event Management – depends on monitoring of configuration items and services. The
process generates notifications about changes and initiates the Incident Management
process. This process relates to proactive security monitoring and logging. If a
monitored security alert is triggered, the IT service desk and security team initiate the
Incident Management process for a security incident.
• Access Management – provides the access rights for people to use services while
blocking non-authorized access. Specifically, this ITIL® process manages privileges
using the CIA model (confidentiality, integrity, availability) to protect data and assets.
Other IT security practices like auditing and logging access are practiced in this process.
Continual Service Improvement
ITIL® defines Continual Service Improvement as “learning from experience and adopting an
approach which ensures continual improvement of IT services.” (Kneller, 2010, p. 4) This
component of ITIL® focuses on continual evaluation and improvement of services and value to
customers. ITIL® suggests a 7-Step Improvement Process to “collect meaningful data, analyze
this data to identify trends and issues, present the information to management for their
prioritization and agreement and implement improvements.” (itSMF Ltd, UK Chapter, 2007, p.
36) This approach could be taken to continuously improve IT security architecture practices.
The Continual Service Improvement component of ITIL® only has generalized references to IT
security architecture. There is a section that advocates the use of Standards. There is a series
of security standards that ITIL® relates to, with the main standards family being ISO/IEC 27000
Information Security Management. Here are some of the related standards that ITIL® leverages:
(Clinch, 2009, pp. 18-19)
• ISO/IEC 27001:2005 Information Security Management Systems – Requirements
• ISO/IEC 27002:2005 Code of Practice for Information Security Management
• ISO/IEC 27005:2008 Information Security Risk Management
• ISO/IEC 27006:2007 Requirements for Bodies Providing Audit and Certification of
Information Security Management Systems
• ISO/IEC 27799:2008 Health Informatics – Information Security Management in Health
Using ISO/IEC 27002
Conclusion
Enterprise Architecture models and documents all the parts of an organization, not just the IT
components. As such, it provides a guiding framework for understanding the interactions
between the various components of an organization, how IT service management is implemented
(ITIL®) and how IT security architecture is deployed. Many organizations see IT security as
purely an IT function and the result is a failure to adequately implement a holistic approach to
securing the business.
“If we take to heart ITIL’s message that a service is something that delivers business value by
improving customer outcomes, we should be seeking to position ISM (information security
management) as a business activity that directly contributes towards the delivery of enhanced
business value to customers.” (Clinch, 2009, p. 8)
ITIL® interacts effectively with IT Security Architecture in Service Design, Service Transition
and Service Operations and has some influence in Service Strategy and Continual Service
Improvement. Here are the ITIL® processes with strong IT security architecture interactions.
| Service Design | Service Transition | Service Operations |
| Availability Mgmt | Knowledge Mgmt | Incident Mgmt |
| Service Continuity Mgmt | Change Mgmt | Problem Mgmt |
| Information Security Mgmt | Asset and Configuration Mgmt | Event Mgmt |
| | Release and Deployment Mgmt | Access Mgmt |
| | Service Validation and Testing | |
ITIL® leverages many of the existing and evolving IT Security standards particularly from the
ISO/IEC 27k family.
“Awareness and consideration of security risks and issues are background obligations for every
step of successful IT Service Management under ITIL®.” (Clinch, 2009, p. 20)
References
Bernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL: AuthorHouse.
Clinch, J. (2009, May). ITIL V3 and Information Security. Retrieved from Best Management Practice: http://www.best-management-practice.com/gempdf/ITILV3_and_Information_Security_White_Paper_May09.pdf
itSMF Ltd, UK Chapter. (2007). An Introductory Overview of ITIL V3. Retrieved from Best Management Practice: http://www.best-management-practice.com/gempdf/itSMF_An_Introductory_Overview_of_ITIL_V3.pdf
Killmeyer, J. (2006). Information Security Architecture 2nd Edition. Boca Raton: Auerbach Publications.
Kneller, M. (2010, Sept). Executive Briefing: The Benefits of ITIL. Retrieved from Best Management Practice: http://www.best-management-practice.com/gempdf/OGC_Executive_Briefing_Benefits_of_ITIL.pdf
SABSA. (2012). SABSA Matrix. Retrieved from SABSA: http://www.sabsa.org/the-sabsa-method/the-sabsa-matrix.aspx
Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture A Business-Driven Approach. San Francisco: CMP Books.