How ITIL Can Improve Information Security

Introduction

ITIL - the Information Technology Infrastructure Library - is a set of best practices and guidelines that
define an integrated, process-based approach for managing information technology services. ITIL can
be applied across almost every type of IT environment.


Interest in and adoption of ITIL has been steadily increasing throughout the world; the numerous
public and private organizations that have adopted it include Procter & Gamble, Washington Mutual,
Southwest Airlines, Hershey Foods, and the Internal Revenue Service. In addition to the often touted
benefits of ITIL - aligning IT with the needs of the business, improving service quality, decreasing the
costs of IT service delivery and support - the framework can aid the information security professional
both directly (there is a specific Security Management process) and indirectly.


This article will provide a general overview of ITIL and discuss how ITIL can improve how organizations
implement and manage information security.


ITIL overview

ITIL began in the 1980s as an attempt by the British government to develop an approach for efficient
and cost-effective use of its many IT resources. Using the experiences and expertise of successful IT
professionals, a British government agency developed and released a series of best-practice books,
each focusing on a different IT process. Since then, ITIL has become an entire industry of
organizations, tools, consulting services, related frameworks, and publications. Publicly available
(ITIL is non-proprietary, though not public domain) and still evolving, the 44-volume set of ITIL
guidelines has been consolidated into 8 core books.


When most people discuss ITIL, they refer to the ITIL Service Support and Service Delivery books.
These contain a set of structured best practices and standard methodologies for core IT operational
processes such as Change, Release, and Configuration Management, as well as Incident, Problem,
Capacity, and Availability Management.


ITIL stresses service quality and focuses on how IT services can be efficiently and cost-effectively
provided and supported. In the ITIL framework, the business units within an organization that
commission and pay for IT services (e.g. Human Resources, Accounting) are considered to be
"customers" of IT services. The IT organization is considered to be a service provider for the
customers.


ITIL defines the objectives, activities, inputs, and outputs of many of the processes found in an IT
organization. It primarily focuses on what processes are needed to ensure high quality IT services;
however, ITIL does not provide specific, detailed descriptions about how the processes should be
implemented, as they will be different in each organization. In other words, ITIL tells an organization
what to do, not how to do it.


The ITIL framework is typically implemented in stages, with additional processes added in a
continuous service improvement program.


Organizations can benefit in several important ways from ITIL:


    •   IT services become more customer-focused
    •   The quality and cost of IT services are better managed
    •   The IT organization develops a clearer structure and becomes more efficient
    •   IT changes are easier to manage
    •   There is a uniform frame of reference for internal communication about IT
    •   IT procedures are standardized and integrated
    •   Demonstrable and auditable performance measurements are defined


ITIL details

ITIL takes a process-based approach to managing and providing IT services; IT activities are divided
into processes, each of which has three levels:


    •   Strategic: An organization's objectives are determined, along with an outline of methods to
        achieve the objectives.


    •   Tactical: The strategy is translated into an appropriate organizational structure and specific
        plans that describe which processes have to be executed, what assets have to be deployed,
        and what the outcome(s) of the processes should be.


    •   Operational: The tactical plans are executed. Strategic objectives are achieved within a
        specified time.


A description of each of the numerous IT processes covered by ITIL is beyond the scope of this article.
What follows are brief, general descriptions of the ITIL processes that, along with the Security
Management process, have a significant relationship with information security. Each of these areas is a
set of best practices:


    •   Configuration Management: Best practices for controlling production configurations (for
        example, standardization, status monitoring, asset identification). By identifying, controlling,
        maintaining and verifying the items that make up an organization's IT infrastructure, these
        practices ensure that there is a logical model of the infrastructure.


    •   Incident Management: Best practices for resolving incidents (any event that causes an
        interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services.
        These practices ensure that normal service is restored as quickly as possible after an incident
        occurs.


    •   Problem Management: Best practices for identifying the underlying cause(s) of IT incidents in
        order to prevent future recurrences. These practices seek to proactively prevent incidents and
        problems.


    •   Change Management: Best practices for standardizing and authorizing the controlled
        implementation of IT changes. These practices ensure that changes are implemented with
        minimum adverse impact on IT services, and that they are traceable.


    •   Release Management: Best practices for the release of hardware and software. These practices
        ensure that only tested and correct versions of authorized software and hardware are provided
        to IT customers.


    •   Availability Management: Best practices for maintaining the availability of IT services
        guaranteed to a customer (for example, optimizing maintenance and design measures to
        minimize the number of incidents). These practices ensure that an IT infrastructure is reliable,
        resilient, and recoverable.


    •   Financial Management: Best practices for understanding and managing the cost of providing IT
        services (for example, budgeting, IT accounting, charging). These practices ensure that IT
        services are provided efficiently, economically, and cost-effectively.


    •   Service Level Management: Best practices for ensuring that agreements between IT and IT
        customers are specified and fulfilled. These practices ensure that IT services are maintained
        and improved through a cycle of agreeing, monitoring, reporting, and reviewing IT services.


There is also a Service Desk function that describes best practices for establishing and managing a
central point of contact for users of IT services. Two of the Service Desk's most important
responsibilities are monitoring incidents and communicating with users.


Figure 1 depicts the above processes, showing how the Service Desk function serves as the single
point of contact for the various service management processes.




                              Figure 1. ITIL Service Management Processes


More detailed information about the above processes and Service Desk function can be found in the
references listed at the end of this article.


ITIL and information security

ITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and
operational levels. Information security is considered an iterative process that must be controlled,
planned, implemented, evaluated, and maintained.


ITIL breaks information security down into:


    •    Policies - overall objectives an organization is attempting to achieve
    •    Processes - what has to happen to achieve the objectives
    •    Procedures - who does what and when to achieve the objectives
    •    Work instructions - instructions for taking specific actions


It defines information security as a complete cyclical process with continuous review and
improvement, as illustrated in Figure 2:




                                   Figure 2. Information Security Process


Treating Implementation and Monitoring as a single step, as some organizations do, ITIL's Information
Security Process can be described as a seven-step process:


    1.   Using risk analysis, IT customers identify their security requirements.
    2.   The IT department determines the feasibility of the requirements and compares them to the
         organization's minimum information security baseline.
    3.   The customer and IT organization negotiate and define a service level agreement (SLA) that
         includes definition of the information security requirements in measurable terms and specifies
         how they will be verifiably achieved.
    4.   Operational level agreements (OLAs), which provide detailed descriptions of how information
         security services will be provided, are negotiated and defined within the IT organization.
    5.   The SLA and OLAs are implemented and monitored.
    6.   Customers receive regular reports about the effectiveness and status of provided information
         security services.
    7.   The SLA and OLAs are modified as necessary.

Service level agreements

The SLA is a key part of the ITIL information security process. It is a formal, written agreement that
documents the levels of service, including information security, that IT is responsible for providing. The
SLA should include key performance indicators and performance criteria. Typical SLA information
security statements should include:


    •    Permitted methods of access
    •    Agreements about auditing and logging
    •    Physical security measures
    •    Information security training and awareness for users
    •    Authorization procedure for user access rights
    •    Agreements on reporting and investigating security incidents
    •    Expected reports and audits


In addition to SLAs and OLAs, ITIL defines three other types of information security documentation:


    •    Information security policies: ITIL states that security policies should come from senior
         management and contain:
             1. Objectives and scope of information security for an organization
             2. Goals and management principles for how information security is to be managed
             3. Definition of roles and responsibilities for information security
    •    Information security plans: describes how a policy is implemented for a specific information
         system and/or business unit.
    •    Information security handbooks: operational documents for day-to-day usage; they provide
         specific, detailed working instructions.
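
Step 3 above requires that SLA security requirements be stated in measurable terms, and step 6 that customers receive regular reports on how well they are met. The script below is an added example, not part of the original article: it evaluates two hypothetical SLA targets (acknowledge a security incident within 1 hour, contain it within 8 hours, each met for at least 95% of incidents) against a constructed set of incident records and produces the figures such a report would carry. Incidents whose deadline has not yet passed are reported as pending rather than counted as met or breached, which is the edge case that naive "closed within N hours" queries get wrong.

```python
"""Added example: evaluate measurable SLA security targets (hypothetical values)
against constructed incident records and build the periodic report.
Incident identifiers, timestamps and targets are all constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SecurityIncident:
    incident_id: str
    reported_at: datetime
    acknowledged_at: Optional[datetime]   # None until the Service Desk acknowledges it
    contained_at: Optional[datetime]      # None until containment is confirmed


# Hypothetical SLA targets: the "measurable terms" of the agreement.
SLA_TARGETS = {
    "ack_within": timedelta(hours=1),
    "contain_within": timedelta(hours=8),
    "min_compliance": 0.95,   # fraction of evaluated incidents that must meet each target
}

# Constructed incident records for one reporting period.
INCIDENTS = [
    SecurityIncident("INC-001", datetime(2024, 3, 3, 9, 0),
                     datetime(2024, 3, 3, 9, 30), datetime(2024, 3, 3, 14, 0)),
    SecurityIncident("INC-002", datetime(2024, 3, 3, 10, 0),
                     datetime(2024, 3, 3, 10, 50), datetime(2024, 3, 3, 12, 0)),
    SecurityIncident("INC-003", datetime(2024, 3, 3, 22, 0),
                     datetime(2024, 3, 3, 22, 10), None),      # still not contained
    SecurityIncident("INC-004", datetime(2024, 3, 4, 8, 40), None, None),  # just reported
]
PERIOD_END = datetime(2024, 3, 4, 9, 0)


def check(reported: datetime, done: Optional[datetime], target: timedelta,
          now: datetime) -> str:
    """Classify one milestone as 'met', 'breached' or 'pending'.
    A milestone that has not been reached is only a breach once the target
    window has actually elapsed; before that it is pending."""
    if done is not None:
        return "met" if done - reported <= target else "breached"
    return "breached" if now - reported > target else "pending"


def evaluate(incidents, targets, now: datetime) -> dict:
    """Return, per SLA target, how many incidents were evaluated, how many met
    the target, the compliance rate, the breaching and pending incident IDs,
    and whether the agreed minimum compliance was reached."""
    report = {}
    for name, field in (("ack", "acknowledged_at"), ("contain", "contained_at")):
        target = targets[f"{name}_within"]
        outcomes = {i.incident_id: check(i.reported_at, getattr(i, field), target, now)
                    for i in incidents}
        evaluated = [k for k, v in outcomes.items() if v != "pending"]
        met = [k for k in evaluated if outcomes[k] == "met"]
        rate = len(met) / len(evaluated) if evaluated else 1.0
        report[name] = {
            "target": target,
            "evaluated": len(evaluated),
            "met": len(met),
            "rate": round(rate, 3),
            "breaches": sorted(k for k in evaluated if outcomes[k] == "breached"),
            "pending": sorted(k for k, v in outcomes.items() if v == "pending"),
            "sla_met": rate >= targets["min_compliance"],
        }
    return report


if __name__ == "__main__":
    for name, r in evaluate(INCIDENTS, SLA_TARGETS, PERIOD_END).items():
        status = "MET" if r["sla_met"] else "NOT MET"
        print(f"{name}: {r['met']}/{r['evaluated']} within {r['target']} "
              f"({r['rate']:.1%}) {status}; breaches={r['breaches']} pending={r['pending']}")
```

Run against the constructed data, the acknowledgement target is met (3 of 3 evaluated, INC-004 pending) while the containment target is not (2 of 3, INC-003 breached), which is exactly the kind of finding that feeds step 7, renegotiating the SLA or OLAs.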


Ten ways ITIL can improve information security

There are a number of important ways that ITIL can improve how organizations implement and
manage information security.


    1.   ITIL keeps information security business and service focused. Too often, information security is
         perceived as a "cost center" or "hindrance" to business functions. With ITIL, business process
         owners and IT negotiate information security services; this ensures that the services are
         aligned with the needs of the business.
    2.   ITIL can enable organizations to develop and implement information security in a structured,
         clear way based on best practices. Information security staff can move from "fire fighting"
         mode to a more structured and planned approach.
    3.   With its requirement for continuous review, ITIL can help ensure that information security
         measures maintain their effectiveness as requirements, environments, and threats change.
    4.   ITIL establishes documented processes and standards (such as SLAs and OLAs) that can be
         audited and monitored. This can help an organization understand the effectiveness of its
         information security program and comply with regulatory requirements (for example, HIPAA or
         Sarbanes-Oxley).
    5.   ITIL provides a foundation upon which information security can build. It requires a number of
         best practices - such as Change Management, Configuration Management, and Incident
         Management - that can significantly improve information security. For example, a considerable
         number of information security issues are caused by inadequate change management, such as
         misconfigured servers.
    6.   ITIL enables information security staff to discuss information security in terms other groups
         can understand and appreciate. Many managers can't relate to low-level details about
         encryption or firewall rules, but they are likely to understand and appreciate ITIL concepts
         such as incorporating information security into defined processes for handling problems,
         improving service, and maintaining SLAs. ITIL can help managers understand that information
         security is a key part of having a successful, well-run organization.
    7.   The organized ITIL framework prevents the rushed, disorganized implementation of
         information security measures. ITIL requires designing and building consistent, measurable
         information security measures into IT services rather than adding them after the fact or after
         an incident. This ultimately saves time, money, and effort.
    8.   The reporting required by ITIL keeps an organization's management well informed about the
         effectiveness of the organization's information security measures. The reporting also allows
         management to make informed decisions about the risks the organization faces.
    9.   ITIL defines roles and responsibilities for information security. During an incident, it is clear
         who will respond and how they will do so.
    10.  ITIL establishes a common language for discussing information security. This allows
         information security staff to communicate more effectively with internal and external business
         partners, such as an organization's outsourced security services.
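
Point 5 above, and the Configuration Management description earlier in the article (identifying, controlling and verifying the items that make up the infrastructure), come down to one check in practice: does the observed configuration of a server match its CMDB record, and is every difference traceable to an approved, implemented change? The script below is an added example, not code from the original article or from any ITIL tool: it reconciles a constructed observed configuration for a hypothetical host "web-01" against a constructed CMDB baseline and change records (the "CHG-" identifiers are made up). A difference covered by an approved change that has actually been carried out is authorized and absorbed into the baseline; a difference with no change record, or whose change is approved but not yet implemented, is reported as an unauthorized change, which is how a misconfigured server from a change applied outside the process surfaces.

```python
"""Added example: reconcile a server's observed configuration against its CMDB
baseline and the change records. All host names, attributes, values and change
identifiers are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class ChangeRecord:
    change_id: str
    ci: str                               # configuration item the change applies to
    attribute: str
    new_value: str
    approved: bool
    implemented_at: Optional[datetime]    # None until the change has been carried out


# Constructed CMDB baseline for one configuration item.
BASELINE = {
    "web-01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "firewall.allowed_ports": "22,443",
        "tls.min_version": "1.2",
    }
}

# Constructed observed state, as a configuration scan of the host would report it.
OBSERVED = {
    "web-01": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "yes",      # no change record at all
        "firewall.allowed_ports": "22,443,8080",  # covered by CHG-1042
        "tls.min_version": "1.3",                 # CHG-1050 approved but not yet implemented
    }
}

# Constructed change records (hypothetical identifiers).
CHANGES = [
    ChangeRecord("CHG-1042", "web-01", "firewall.allowed_ports", "22,443,8080",
                 approved=True, implemented_at=datetime(2024, 3, 1, 21, 0)),
    ChangeRecord("CHG-1050", "web-01", "tls.min_version", "1.3",
                 approved=True, implemented_at=None),
]


def drift(baseline: dict, observed: dict) -> dict:
    """Return {attribute: (baseline_value, observed_value)} for every attribute
    that differs, including attributes present on only one side."""
    keys = set(baseline) | set(observed)
    return {k: (baseline.get(k), observed.get(k))
            for k in sorted(keys) if baseline.get(k) != observed.get(k)}


def authorizing_change(ci, attribute, new_value, changes, observed_at):
    """Find an approved change that explains this value and was implemented on
    or before the observation. An approved-but-unimplemented change does not
    count: a value that appears before the change is carried out was applied
    outside the process."""
    for c in changes:
        if (c.ci == ci and c.attribute == attribute and c.new_value == new_value
                and c.approved and c.implemented_at is not None
                and c.implemented_at <= observed_at):
            return c
    return None


def reconcile(ci, baseline, observed, changes, observed_at):
    """Split drift into authorized (attribute -> change_id) and unauthorized
    (attribute -> (baseline_value, observed_value))."""
    authorized, unauthorized = {}, {}
    for attr, (old, new) in drift(baseline, observed).items():
        c = authorizing_change(ci, attr, new, changes, observed_at)
        if c is not None:
            authorized[attr] = c.change_id
        else:
            unauthorized[attr] = (old, new)
    return authorized, unauthorized


def updated_baseline(baseline, observed, authorized):
    """Configuration Management closes the loop: the CMDB record absorbs only the
    authorized values; unauthorized ones stay different until they are reverted
    or covered by a change record."""
    new = dict(baseline)
    for attr in authorized:
        new[attr] = observed[attr]
    return new


def report(ci="web-01", observed_at=datetime(2024, 3, 2, 9, 0)) -> dict:
    authorized, unauthorized = reconcile(ci, BASELINE[ci], OBSERVED[ci], CHANGES, observed_at)
    return {"authorized": authorized, "unauthorized": unauthorized,
            "baseline": updated_baseline(BASELINE[ci], OBSERVED[ci], authorized)}


if __name__ == "__main__":
    r = report()
    for attr, cid in r["authorized"].items():
        print(f"OK     {attr}: changed under {cid}")
    for attr, (old, new) in r["unauthorized"].items():
        print(f"ALERT  {attr}: {old!r} -> {new!r} with no implemented change record")
```

The same reconciliation is what an auditor asks for under point 4: a list of production changes, each either traceable to a change record or flagged. Note that the check is only as good as the change records' coverage of the attributes the scan collects; an attribute not modelled in the CMDB cannot be reconciled at all.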


Implementing ITIL

ITIL does not typically start with IT - it is usually initiated by senior management such as the CEO or
CIO. As an information security professional, however, you can add value by bringing ITIL to the
attention of senior management. With the framework's rapidly increasing adoption, your organization
might already be talking about ITIL; letting your management know specifically about ITIL's
information security benefits can help spur its adoption.


Implementing ITIL takes time and effort; depending on the size and complexity of the organization,
the up-front investment can be significant. For many organizations, successful implementation of ITIL
will require changes in their organizational culture and the involvement and commitment of employees
throughout the organization.


Critical factors for successful ITIL implementation include:


    •   Full management commitment and involvement with the ITIL implementation
    •   A phased approach
    •   Consistent and thorough training of staff and management
    •   Making ITIL improvements in service provision and cost reduction sufficiently visible
    •   Sufficient investment in ITIL support tools


Conclusion

Information security measures are steadily increasing in scope, complexity, and importance. It is risky,
expensive, and inefficient for organizations to have their information security depend on cobbled-
together, homegrown processes. ITIL can enable these processes to be replaced with standardized,
integrated processes based on best practices. Though some time and effort are required, ITIL can
improve how organizations implement and manage information security.




 




 

Weitere ähnliche Inhalte

Was ist angesagt?

Corporate governance of INFORMATION TECHNOLOGY (IT)
Corporate governance of INFORMATION TECHNOLOGY (IT)Corporate governance of INFORMATION TECHNOLOGY (IT)
Corporate governance of INFORMATION TECHNOLOGY (IT)Osman Hasan
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and ControlAsad Raza
 
Information systems control and audit ~ Lecture # 2
Information systems control and audit ~ Lecture # 2Information systems control and audit ~ Lecture # 2
Information systems control and audit ~ Lecture # 2FCA Vikram S Mathur
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPsJayesh Daga
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?mbmobile
 
Governance Of Enterprise Information Technology V3
Governance Of Enterprise Information Technology V3Governance Of Enterprise Information Technology V3
Governance Of Enterprise Information Technology V3pjmartinez
 
IT governance and bal
IT governance and balIT governance and bal
IT governance and balsourov_das
 
IT Governance – The missing compass in a technology changing world
 IT Governance – The missing compass in a technology changing world IT Governance – The missing compass in a technology changing world
IT Governance – The missing compass in a technology changing worldPECB
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Sreekanth Narendran
 

Was ist angesagt? (20)

It governance
It governanceIt governance
It governance
 
It governance
It governanceIt governance
It governance
 
Corporate governance of INFORMATION TECHNOLOGY (IT)
Corporate governance of INFORMATION TECHNOLOGY (IT)Corporate governance of INFORMATION TECHNOLOGY (IT)
Corporate governance of INFORMATION TECHNOLOGY (IT)
 
It service management
It service managementIt service management
It service management
 
Information System Audit and Control
Information System Audit and ControlInformation System Audit and Control
Information System Audit and Control
 
Information systems control and audit ~ Lecture # 2
Information systems control and audit ~ Lecture # 2Information systems control and audit ~ Lecture # 2
Information systems control and audit ~ Lecture # 2
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPs
 
Cobit 41 framework
Cobit 41 frameworkCobit 41 framework
Cobit 41 framework
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?
 
Asset Management: Climbing the Asset Maturity Curve
Asset Management: Climbing the Asset Maturity CurveAsset Management: Climbing the Asset Maturity Curve
Asset Management: Climbing the Asset Maturity Curve
 
Governance Of Enterprise Information Technology V3
Governance Of Enterprise Information Technology V3Governance Of Enterprise Information Technology V3
Governance Of Enterprise Information Technology V3
 
Internal controls in an IT environment
Internal controls in an IT environment Internal controls in an IT environment
Internal controls in an IT environment
 
3c 2 Information Systems Audit
3c   2   Information Systems Audit3c   2   Information Systems Audit
3c 2 Information Systems Audit
 
IT Governances
IT GovernancesIT Governances
IT Governances
 
IT governance and bal
IT governance and balIT governance and bal
IT governance and bal
 
IT Governance – The missing compass in a technology changing world
 IT Governance – The missing compass in a technology changing world IT Governance – The missing compass in a technology changing world
IT Governance – The missing compass in a technology changing world
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditing
 
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016
 
ICAB - ITA Chapter 1 class 3 - IT Strategy
ICAB - ITA Chapter 1 class 3 - IT StrategyICAB - ITA Chapter 1 class 3 - IT Strategy
ICAB - ITA Chapter 1 class 3 - IT Strategy
 
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
Information Systems Control and Audit - Chapter 3 - Top Management Controls -...
 

Ähnlich wie ITIL With Information Security

ITIL(v3): A Beginers Guide
ITIL(v3): A Beginers GuideITIL(v3): A Beginers Guide
ITIL(v3): A Beginers GuideMd. Rezaul Islam
 
IT Services Management
IT Services ManagementIT Services Management
IT Services ManagementDanu Ridwanto
 
A Case Study On Implementing ITIL In Business Organization Considering Busi...
A Case Study On Implementing ITIL In Business Organization   Considering Busi...A Case Study On Implementing ITIL In Business Organization   Considering Busi...
A Case Study On Implementing ITIL In Business Organization Considering Busi...Carrie Cox
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance FrameworkSherri Booher
 
Itil the basics
Itil the basicsItil the basics
Itil the basicsdarshan185
 
Msp It Goverance And Service Delivery Process
Msp It Goverance And Service Delivery ProcessMsp It Goverance And Service Delivery Process
Msp It Goverance And Service Delivery Processkadhar_masthan
 
ITIL Service Desk
ITIL Service DeskITIL Service Desk
ITIL Service Deskjmansur1
 
An IT Service Reporting Framework for Effective Implementation of ITIL Contin...
An IT Service Reporting Framework for Effective Implementation of ITIL Contin...An IT Service Reporting Framework for Effective Implementation of ITIL Contin...
An IT Service Reporting Framework for Effective Implementation of ITIL Contin...Nancy Ideker
 
Taming the DCIM Wave with ITIL
Taming the DCIM Wave with ITILTaming the DCIM Wave with ITIL
Taming the DCIM Wave with ITILAFCOM
 
Itism.v20160321.2eng public
Itism.v20160321.2eng publicItism.v20160321.2eng public
Itism.v20160321.2eng publicVolodymyr Mazur
 
RDrew ITIL Presentation
RDrew ITIL PresentationRDrew ITIL Presentation
RDrew ITIL PresentationRon Drew
 

Ähnlich wie ITIL With Information Security (20)

ITIL(v3): A Beginers Guide
ITIL(v3): A Beginers GuideITIL(v3): A Beginers Guide
ITIL(v3): A Beginers Guide
 
IT Services Management
IT Services ManagementIT Services Management
IT Services Management
 
A Case Study On Implementing ITIL In Business Organization Considering Busi...
A Case Study On Implementing ITIL In Business Organization   Considering Busi...A Case Study On Implementing ITIL In Business Organization   Considering Busi...
A Case Study On Implementing ITIL In Business Organization Considering Busi...
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance Framework
 
Itil the basics
Itil the basicsItil the basics
Itil the basics
 
Itil 2
Itil 2Itil 2
Itil 2
 
Itil Service Level Mgmnt
Itil Service Level MgmntItil Service Level Mgmnt
Itil Service Level Mgmnt
 
About itil v3
About itil v3About itil v3
About itil v3
 
1 itil v3 overview ver1.8
1 itil v3 overview ver1.81 itil v3 overview ver1.8
1 itil v3 overview ver1.8
 
CobiT And ITIL Breakfast Seminar
CobiT And ITIL Breakfast SeminarCobiT And ITIL Breakfast Seminar
CobiT And ITIL Breakfast Seminar
 
Msp It Goverance And Service Delivery Process
Msp It Goverance And Service Delivery ProcessMsp It Goverance And Service Delivery Process
Msp It Goverance And Service Delivery Process
 
Itil
ItilItil
Itil
 
ITIL Service Desk
ITIL Service DeskITIL Service Desk
ITIL Service Desk
 
An IT Service Reporting Framework for Effective Implementation of ITIL Contin...
An IT Service Reporting Framework for Effective Implementation of ITIL Contin...An IT Service Reporting Framework for Effective Implementation of ITIL Contin...
An IT Service Reporting Framework for Effective Implementation of ITIL Contin...
 
Itil,cobit and ıso27001
Itil,cobit and ıso27001Itil,cobit and ıso27001
Itil,cobit and ıso27001
 
Taming the DCIM Wave with ITIL
Taming the DCIM Wave with ITILTaming the DCIM Wave with ITIL
Taming the DCIM Wave with ITIL
 
Overview to itil
Overview to itilOverview to itil
Overview to itil
 
Itism.v20160321.2eng public
Itism.v20160321.2eng publicItism.v20160321.2eng public
Itism.v20160321.2eng public
 
Itsm
ItsmItsm
Itsm
 
RDrew ITIL Presentation
RDrew ITIL PresentationRDrew ITIL Presentation
RDrew ITIL Presentation
 

ITIL With Information Security

  • 1.   How ITIL Can Improve Information Security Introduction ITIL - the Information Technology Infrastructure Library - is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment. Interest in and adoption of ITIL has been steadily increasing throughout the world; the numerous public and private organizations that have adopted it include Proctor & Gamble, Washington Mutual, Southwest Airlines, Hershey Foods, and the Internal Revenue Service. In addition to the often touted benefits of ITIL - aligning IT with the needs of the business, improving service quality, decreasing the costs of IT service delivery and support - the framework can aid the information security professional both directly (there is a specific Security Management process) and indirectly. This article will provide a general overview of ITIL and discuss how ITIL can improve how organizations implement and manage information security. ITIL overview ITIL began in the 1980s as an attempt by the British government to develop an approach for efficient and cost-effective use of its many IT resources. Using the experiences and expertise of successful IT professionals, a British government agency developed and released a series of best-practice books, each focusing on a different IT process. Since then, ITIL has become an entire industry of organizations, tools, consulting services, related frameworks, and publications. Currently in the public domain and still evolving, the 44-volume set of ITIL guidelines has been consolidated into 8 core books. When most people discuss ITIL, they refer to the ITIL Service Support and Service Delivery books. 
These contain a set of structured best practices and standard methodologies for core IT operational processes such as Change, Release, and Configuration Management, as well as Incident, Problem, Capacity, and Availability Management. ITIL stresses service quality and focuses on how IT services can be efficiently and cost-effectively provided and supported. In the ITIL framework, the business units within an organization who commission and pay for IT services (e.g. Human Resources, Accounting), are considered to be quot;customersquot; of IT services. The IT organization is considered to be a service provider for the customers. ITIL defines the objectives, activities, inputs, and outputs of many of the processes found in an IT organization. It primarily focuses on what processes are needed to ensure high quality IT services; however, ITIL does not provide specific, detailed descriptions about how the processes should be implemented, as they will be different in each organization. In other words, ITIL tells an organization what to do, not how to do it.  
  • 2.   The ITIL framework is typically implemented in stages, with additional processes added in a continuous service improvement program. Organizations can benefit in several important ways from ITIL: • IT services become more customer-focused • The quality and cost of IT services are better managed • The IT organization develops a clearer structure and becomes more efficient • IT changes are easier to manage • There is a uniform frame of reference for internal communication about IT • IT procedures are standardized and integrated • Demonstrable and auditable performance measurements are defined ITIL details ITIL takes a process-based approach to managing and providing IT services; IT activities are divided into processes, each of which has three levels: • Strategic: An organization's objectives are determined, along with an outline of methods to achieve the objectives. • Tactical: The strategy is translated into an appropriate organizational structure and specific plans that describe which processes have to be executed, what assets have to be deployed, and what the outcome(s) of the processes should be. • Operational: The tactical plans are executed. Strategic objectives are achieved within a specified time. A description of each of the numerous IT processes covered by ITIL is beyond the scope of this article. What follows are brief, general descriptions of the ITIL processes that, along with the Security Management process, have a significant relationship with information security. Each of these areas is a set of best practices: • Configuration Management: Best practices for controlling production configurations (for example, standardization, status monitoring, asset identification). By identifying, controlling, maintaining and verifying the items that make up an organization's IT infrastructure, these practices ensure that there is a logical model of the infrastructure. 
• Incident Management: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services. These practices ensure that normal service is restored as quickly as possible after an incident occurs. • Problem Management: Best practices for identifying the underlying cause(s) of IT incidents in order to prevent future recurrences. These practices seek to proactively prevent incidents and problems.  
  • 3.   • Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable. • Release Management: Best practices for the release of hardware and software. These practices ensure that only tested and correct versions of authorized software and hardware are provided to IT customers. • Availability Management: Best practices for maintaining the availability of IT services guaranteed to a customer (for example, optimizing maintenance and design measures to minimize the number of incidents). These practices ensure that an IT infrastructure is reliable, resilient, and recoverable. • Financial Management: Best practices for understanding and managing the cost of providing IT services (for example, budgeting, IT accounting, charging). These practices ensure that IT services are provided efficiently, economically, and cost-effectively. • Service Level Management: Best practices for ensuring that agreements between IT and IT customers are specified and fulfilled. These practices ensure that IT services are maintained and improved through a cycle of agreeing, monitoring, reporting, and reviewing IT services. There is also a Service Desk function that describes best practices for establishing and managing a central point of contact for users of IT services. Two of the Service Desk's most important responsibilities are monitoring incidents and communicating with users. Figure 1 depicts the above processes, showing how the Service Desk function serves as the single point of contact for the various service management processes. Figure 1. ITIL Service Management Processes  
More detailed information about the above processes and the Service Desk function can be found in the references listed at the end of this article.

ITIL and information security

ITIL seeks to ensure that effective information security measures are taken at the strategic, tactical, and operational levels. Information security is treated as an iterative process that must be controlled, planned, implemented, evaluated, and maintained. ITIL breaks information security down into:

• Policies - the overall objectives an organization is attempting to achieve
• Processes - what has to happen to achieve the objectives
• Procedures - who does what, and when, to achieve the objectives
• Work instructions - instructions for taking specific actions

It defines information security as a complete cyclical process with continuous review and improvement, as illustrated in Figure 2:

Figure 2. Information Security Process

Because some organizations treat implementation and monitoring as a single step, ITIL's information security process can be described as a seven-step process:

1. Using risk analysis, IT customers identify their security requirements.
2. The IT department determines the feasibility of the requirements and compares them to the organization's minimum information security baseline.
3. The customer and the IT organization negotiate and define a service level agreement (SLA) that states the information security requirements in measurable terms and specifies how they will be verifiably achieved.
4. Operational level agreements (OLAs), which describe in detail how information security services will be provided, are negotiated and defined within the IT organization.
5. The SLA and OLAs are implemented and monitored.
6. Customers receive regular reports about the effectiveness and status of the information security services provided.
7. The SLA and OLAs are modified as necessary.

Service level agreements

The SLA is a key part of the ITIL information security process. It is a formal, written agreement that documents the levels of service, including information security, that IT is responsible for providing. The SLA should include key performance indicators and performance criteria. Typical SLA information security statements should cover:

• Permitted methods of access
• Agreements about auditing and logging
• Physical security measures
• Information security training and awareness for users
• The authorization procedure for user access rights
• Agreements on reporting and investigating security incidents
• Expected reports and audits

In addition to SLAs and OLAs, ITIL defines three other types of information security documentation:

• Information security policies: ITIL states that security policies should come from senior management and contain:
  1. The objectives and scope of information security for the organization
  2. Goals and management principles for how information security is to be managed
  3. Definitions of roles and responsibilities for information security
• Information security plans: describe how a policy is implemented for a specific information system and/or business unit.
• Information security handbooks: operational documents for day-to-day use; they provide specific, detailed working instructions.

Ten ways ITIL can improve information security

There are a number of important ways in which ITIL can improve how organizations implement and manage information security.

1. ITIL keeps information security business and service focused. Too often, information security is perceived as a "cost center" or a "hindrance" to business functions.
With ITIL, business process owners and IT negotiate information security services; this ensures that the services are aligned with the business's needs.
2. ITIL enables organizations to develop and implement information security in a structured, clear way based on best practices. Information security staff can move from "fire fighting" mode to a more structured and planned approach.
3. With its requirement for continuous review, ITIL helps ensure that information security measures remain effective as requirements, environments, and threats change.
4. ITIL establishes documented processes and standards (such as SLAs and OLAs) that can be audited and monitored. This helps an organization understand the effectiveness of its information security program and comply with regulatory requirements (for example, HIPAA or Sarbanes-Oxley).
5. ITIL provides a foundation upon which information security can build. It requires a number of best practices - such as Change Management, Configuration Management, and Incident Management - that can significantly improve information security. For example, a considerable number of information security issues, such as misconfigured servers, are caused by inadequate change management.
6. ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate. Many managers can't "relate" to low-level details about encryption or firewall rules, but they are likely to understand and appreciate ITIL concepts such as incorporating information security into defined processes for handling problems, improving service, and maintaining SLAs. ITIL can help managers understand that information security is a key part of having a successful, well-run organization.
7. The organized ITIL framework prevents the rushed, disorganized implementation of information security measures. ITIL requires consistent, measurable information security measures to be designed and built into IT services rather than added after the fact or after an incident. This ultimately saves time, money, and effort.
8. The reporting required by ITIL keeps an organization's management well informed about the effectiveness of the organization's information security measures. The reporting also allows management to make informed decisions about the risks the organization faces.
9. ITIL defines roles and responsibilities for information security. During an incident, it is clear who will respond and how they will do so.
10. ITIL establishes a common language for discussing information security.
This allows information security staff to communicate more effectively with internal and external business partners, such as an organization's outsourced security services provider.

Implementing ITIL

ITIL adoption does not typically start within IT - it is usually initiated by senior management such as the CEO or CIO. As an information security professional, however, you can add value by bringing ITIL to the attention of senior management. With the framework's rapidly increasing adoption, your organization might already be talking about ITIL; letting your management know specifically about ITIL's information security benefits can help spur its adoption.

Implementing ITIL takes time and effort; depending on the size and complexity of an organization, it can require significant up-front investment. For many organizations, successful implementation of ITIL will require changes in organizational culture and the involvement and commitment of employees throughout the organization. Critical factors for successful ITIL implementation include:

• Full management commitment to and involvement with the ITIL implementation
• A phased approach
• Consistent and thorough training of staff and management
• Making ITIL's improvements in service provision and cost reduction sufficiently visible
• Sufficient investment in ITIL support tools
Conclusion

Information security measures are steadily increasing in scope, complexity, and importance. It is risky, expensive, and inefficient for organizations to have their information security depend on cobbled-together, homegrown processes. ITIL can enable these processes to be replaced with standardized, integrated processes based on best practices. Though some time and effort are required, ITIL can improve how organizations implement and manage information security.