3. SMB270 Security Essentials for ITSM
Ian Aitchison, Sr Product Director
Alan Taylor, Director Sales Engineering
4. Security Essentials for ITSM
Closing the Gap Between Security and IT Operations
Continually maintaining a secure IT environment requires proactive best practice security activities to ensure ongoing security. In addition,
cybersecurity attacks are on the rise, resulting in high-impact breaches that demand responses. ITSM can play a part in detecting and responding
appropriately to breaches or threats. From security incident management to coordination and communication with the security team, learn how to
identify impacts, reduce risks, and deliver security controls and improvements while still maintaining end-user productivity.
6. Prevention is Better than Cure
Chaos: FIRE HAZARD
Reactive: USE TOOLS TO PREVENT, DETECT, REACT
Proactive: DO IT PROPERLY. Tools monitor and adjust in the way you need to avoid needing a cure.
8. A maturity model of maturity models!
How mature are different IT functions? (Ian's opinion)
Maturity levels: Chaos, Reactive, Proactive, Optimized
IT functions compared: Security; ITSM (ITIL); ITAM (IAITAM BPL); DevOps
12. Why SIM is NOT ENOUGH
Computer security incident management is a specialized form of incident
management, the primary purpose of which is the development of a well
understood and predictable response to damaging events and computer
intrusions. Incident management requires a process and
a response team which follows this process.
13. ITIL 2011 activities and processes
Lifecycle stages: Service Strategy, Service Design, Service Transition, Service Operations, Continual Service Improvement
Service Strategy: Financial Management, Demand Management, Strategy Operations, Service Portfolio Management
Service Design: Service Level Management, Availability Management, Capacity Management, Continuity Management, Information Security Management, Service Catalog Management, Supplier Management
Service Transition: Change Management, Service Asset & Config Mgmt, Release & Deploy Management, Transition Support and Planning, Service Validation and Testing, Evaluation, Knowledge Management
Service Operations: Incident Management, Problem Management, Access Management, Event Management, Request Fulfillment; functions: Service Desk, Tech Mgmnt, App Mgmnt, IT Ops Mgmnt
Continual Service Improvement: Process Improvement
WHERE’S SECURITY? EVERYWHERE!!
SIM
14. Security is in ITIL
These are the Information Security Management sub-processes and their process objectives:
Design of Security Controls
Process Objective: To design appropriate technical and organizational
measures in order to ensure the confidentiality, integrity, security
and availability of an organization's assets, information, data and
services.
Security Testing
Process Objective: To make sure that all security mechanisms are
subject to regular testing.
Management of Security Incidents
Process Objective: To detect and fight attacks and intrusions, and to
minimize the damage incurred by security breaches.
Security Review
Process Objective: To review if security measures and procedures are
still in line with risk perceptions from the business side, and to
verify if those measures and procedures are regularly maintained
and tested.
15. Get Over IT
Yeah but….
Security Controls, Security Incidents, Security Testing, Security Review
Security Changes, Security Improvement
16. ITIL GETS IT WRONG
Data security over IT security (doesn’t worry about hacks, firewall gaps, viruses, ransomware etc.).
Just cares whether the data is in a secure position or not.
Does not specify the technical components required to be in place (patching, whitelisting, blacklisting, threat detection etc.).
17. Security is not just Something We Do
Security is also How We Do Everything We Do
18. ITIL 2011 activities and processes
(The ITIL 2011 process map from slide 13 is shown again.)
WHERE’S SECURITY? EVERYWHERE!!
22. 1.4.5 A definition of cyber resilience
Good cyber resilience is a complete, collaborative approach
driven by the board but involving everyone in the organization
and extending to the supply chain, partners and customers. To
balance the cyber risks faced by the business against the
opportunities and competitive advantages it can gain, effective
cyber resilience requires an enterprise-wide risk-based
strategy that proactively manages the vulnerabilities, threats,
risks and impacts on its critical information and supporting assets.
It also involves moving away from strategies that seek solely to
prevent attacks on assets to ones that include preparing for, and
recovering from, a cyber-attack.
23. Resilia
The critical elements of effective cyber resilience include:
● Clear board-level ownership and responsibility for cyber resilience
● The adoption of tailored learning and development for all staff. This in turn will establish:
● A clear understanding of what the organization’s critical assets are, especially with regard to information
● A clear view of the organization’s key threats and vulnerabilities arising from their environment, including that of their customers, partners and supply chain
● The adoption of a common language used by all stakeholders in the organization
● An assessment of the organization’s cyber resilience maturity and design of appropriate, prioritized and proportionate plans using best-practice guidance
● An appropriate balance of controls to prevent, detect and correct.
26. ITSM Security: Event Management
Automatically receive detected alerts from monitoring tools. Create ITSM ‘event’ processes with automated response and corrective actions. Follows ITSM Event Management guidelines. May link to Incident Management.
eg, new virus detected in 25% of machines, do we want to do something?
27. ITSM Security: Incident Management
Security Incident: creation and predefined response, escalation and resolution processes from within the service desk, from email, from self service, from voice etc. Aligns with ITSM best practice incident management. May create a Major Incident.
eg “I have a virus error message”, “Is this a phishing email?”
28. ITSM Security: Major Incident Management
Predefined Major Incident workflow – notification, escalation, communication, automation. Significant business impact from the current security event.
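An added example (not from the deck) of the Event Management to Incident to Major Incident chain described on slides 26 to 28: raw monitoring alerts are correlated into one ITSM event per signature, then routed by how far the signature has spread across the fleet, using the 25% figure from slide 26 as the incident threshold. The alert field names, the fleet size and the 50% major-incident threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample alerts, shaped like what an endpoint-protection tool might
# forward to an ITSM event queue. Field names are an assumption for this example.
SAMPLE_ALERTS = [
    {"host": "ws-001", "signature": "Trojan.GenericKD", "severity": "high"},
    {"host": "ws-002", "signature": "Trojan.GenericKD", "severity": "high"},
    {"host": "ws-003", "signature": "Trojan.GenericKD", "severity": "high"},
    {"host": "ws-003", "signature": "Trojan.GenericKD", "severity": "high"},  # repeat alert
    {"host": "ws-004", "signature": "PUA.Adware", "severity": "low"},
    {"host": "srv-01", "signature": "Ransom.LockerX", "severity": "critical"},
]
FLEET_SIZE = 10  # machines known to the asset register (constructed value)

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def correlate(alerts):
    """Event Management step: collapse raw alerts into one event per signature.
    Distinct hosts are counted, so repeated alerts from one machine do not inflate spread."""
    events = defaultdict(lambda: {"hosts": set(), "severity": "low"})
    for alert in alerts:
        event = events[alert["signature"]]
        event["hosts"].add(alert["host"])
        if SEVERITY_RANK[alert["severity"]] > SEVERITY_RANK[event["severity"]]:
            event["severity"] = alert["severity"]
    return events


def classify(event, fleet_size, incident_pct=0.25, major_pct=0.50):
    """Decide which ITSM record the event should open.
    Thresholds are assumptions; 25% mirrors the deck's 'virus on 25% of machines' example."""
    spread = len(event["hosts"]) / fleet_size
    if spread >= major_pct or event["severity"] == "critical":
        return "major_incident"   # predefined Major Incident workflow (slide 28)
    if spread >= incident_pct:
        return "incident"         # hand over to Incident Management (slide 27)
    return "event"                # log it and run the automated corrective action (slide 26)


def triage(alerts, fleet_size=FLEET_SIZE):
    """Return {signature: (distinct_hosts, spread, record_type)} for every correlated event."""
    return {sig: (len(ev["hosts"]), round(len(ev["hosts"]) / fleet_size, 2),
                  classify(ev, fleet_size))
            for sig, ev in correlate(alerts).items()}


if __name__ == "__main__":
    for sig, (hosts, spread, record) in triage(SAMPLE_ALERTS).items():
        print(f"{sig:18} hosts={hosts} spread={spread:.0%} -> {record}")
```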
29. ITSM Security: Major Breach Response
Business response to a breach (press, website, internal comms). May be linked to a Major Incident.
“We’ve been hacked!”
30. ITSM Security: Security Assessment
Planned, scheduled security assessment exercise, internal or external, including assignment and completion of corrective actions. Vulnerability assessments, pen tests.
31. ITSM Security: Business Education
Self Service and Knowledge: published guidelines, recommendations and advice to business users. Security personal assessment and user training tracking.
“access your security awareness documentation and training here”
32. ITSM Security: Governance and Compliance
Reports and evidence data captured automatically to ensure compliance with GRC requirements and standards. PCI, HIPAA etc.
33. ITSM Security: Security Knowledge
Latest alerts, news, best practice, advice and warnings from the broader industry into a searchable security knowledge base.
34. ITSM Security: Standard Scorecards and Dashboards
Predefined scorecards and dashboards for industry security frameworks, plus complete business security posture.
39. Demo Time
1 - Event Management = Automatic Security Alert/Incident from external monitoring tools
2 - Breach Reaction = controlled response sequence to major security breach
3 - Dashboard = all types of security activity in one place
ALAN - what can you do here?
40. Security in ITSM, also consider
▪ User record – has the user been security trained?
▪ Change and Release – security risk assessment, security change approval
▪ Knowledge – article type ‘security’ for IT and the Business
▪ Self Service – end-user security status, security news, security assessments
▪ Service improvement – a better security posture is an improvement too!
▪ Resolution cause – was it a security issue?
▪ Problem Management – root cause. Eliminate future security incidents
▪ Also – is your ITSM tool secure? It is often public facing: what security, password policy and auditing are in place?