Microsoft PowerPoint - 1.5 - Practical Security Management ...
  • 1. Practical Security and Risk Management with ITIL. Glenn Wong, ITSM and Security Practice Consultant, Hewlett-Packard HK, 12th Aug 2009
  • 2. Agenda
    • Introduction
    • What is ITSM, ITIL?
    • Applying ITIL to Security Management
    • Integrating ITIL and Security Management in Real life
    • Conclusion
    • Q&A
  • 3. Introduction - Pressures on the enterprise [diagram: new technologies, increasing threats and regulatory compliance press on Risk & Security; infrastructure efficiency, effectiveness and agility; business performance measured in cost, revenue and margin] (slide footer: 3 2009/8/18 c01345427)
  • 4. Numerous business challenges
    • All high priority
    • Manage operational risk
      − People
      − Process
      − Systems
      − External
    • Address risks
      − Continuity
      − Security
      − Availability
    • Manage costs
  • 5. The issues
    • Control systems must be implemented through security measures and aligned to business risk.
    • Security cannot be achieved with technology alone.
    • There are other equally important factors, including:
      − Behavioural
      − Cultural
      − Procedural
    • How can we address them?
  • 6. What is ITSM, ITIL?
  • 7. What is ITSM? “The implementation and management of quality IT Services that meet the needs of the Business. IT Service Management is performed by IT service providers through an appropriate mix of people, process and information technology.” (ITIL® V3 Glossary) ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.
  • 8. Why is ITIL important?
    • Viewed as the most widely accepted approach to IT Service Management (ITSM) in the world
    • ITIL evolution:
      − ITIL v1 developed in the late 1980s for the UK Government: achieving stability & control of the infrastructure
      − ITIL v2 introduced in 2000, updated for globalization & private industry: quality & efficiency of IT processes
      − ITIL v3 updated in 2005 as a Lifecycle Model
  • 9. Benefits
    • ITIL provides a systematic and professional approach to the management of IT service provision. Adopting its guidance offers users a huge range of benefits that include:
      − reduced costs while meeting compliance and regulatory requirements
      − improved IT services through the use of proven best practice processes
      − improved customer satisfaction through a more professional approach to service delivery
      − standards and guidance
      − improved productivity
      − improved use of skills and experience
      − improved delivery of third party services through the specification of ITIL or ISO 20000 as the standard for service delivery in services procurements
  • 10. ITIL v3: Service Lifecycle & IT Service Performance
    • IT Service Performance
      − Measure, Assess, and Track Service Performance
      − Align IT Performance with Business Goals
      − Create & communicate business-focused Balanced Scorecards
    • Service Lifecycle
      − Enable responsive, stable and repeatable IT Service Delivery
      − Provide robust end-to-end working practices
      − Deliver improved Processes such as Incident, Problem, & Change Management
      − Manage the technology and toolsets that are used to deliver and support services
  • 11. ITIL Support and Delivery Model
  • 12. Applying ITIL to Security Management
  • 13. Enabling Controls – P5 Model (ISO 27001)
    • Columns: Mitigating Control (controls as described by ISO 27001); P1: People (primary owner of the control); P2: Policy (governing policy for the control); P3: Procedures (procedures or work papers required to implement the control); P4: Processes (tools used to automate the control); P5: Proof (metrics: Key Performance Indicators, KPI)
    • 11.2.4 Review of User Access Rights
      − P1 People: System Access Management Group
      − P2 Policy: Access Control Policy
      − P3 Procedures: Design Document, Visio Workflow, Implementation Plan
      − P4 Processes: HP OpenView Select Access
      − P5 Proof: Identity Validation Report
    • 10.8.4 Electronic Messaging
      − P1 People: Secure Messaging Exchange Administrator
      − P2 Policy: Secure Transmission Policy
      − P3 Procedures: Design Document, Visio Workflow, Implementation Plan
      − P4 Processes: Entrust – Secure E-mail; Voltage Security, Inc. – SecureEmail
      − P5 Proof: Receipt Report
    • 12.5.4 Information Leakage
      − P1 People: Chief Privacy Officer
      − P2 Policy: Data Privacy Policy
      − P3 Procedures: Design Document, Visio Workflow, Implementation Plan
      − P4 Processes: Vontu, Inc. – Vontu Suite
      − P5 Proof: Content Violation Report
  • 14. Control Implementation Profiles
  • 15. The Incident & Problem Management Process [diagram: Incident Activities, Problem Activities, Problem Control Activities, Error Control Activities]
  • 16. Functional Decomposition
    • TVM functions defined in AERA Security Logical Architectures
    • Security Incident Management functions associated with Security Incident Response (SIR) will be added to a future AERA release
  • 17. Service Support [diagram: a KM initiative in support of Incident Management, Problem Management and ITIL Best Practices, to achieve SPOC; benefits: improved cross-functional communication, improved organizational learning, improved business-IT alignment, central knowledge repository]
  • 18. Security Services Catalog
  • 19. Integrating ITIL and Security Management in Real life
  • 20. Operationalizing the INFOSec Program With ITIL Processes [diagram: Security Management linked by process inputs/outputs and process triggers to Continuity Management, Capacity Management, Service Build and Test, Service Planning, IT Strategy and Architecture Planning, Availability Management, Problem Management, Configuration Management, Service Level Management, Change Management, Incident Management and Operations; artifacts shown on the flows: security specifications for continuity plan, capacity reports, security specifications for new services, security plan, security specifications for architecture design, security specifications for availability designs, CI attributes and relationships, exception approvals, security W.O. approvals, security section of SLAs, OLAs, work order, RFC, security assessment, specs, trigger security incident response]
  • 21. IT ecosystem [diagram: user, line of business and business process layers raising calls, requests and regulatory/strategic demand into Demand Management, Service Request Management, Portfolio Management, Program Management, Finance, Service Level Management, Availability Management, Solution Implementation, Application Development, Training/Education, Quality, Service Desk, Infrastructure Management and monitoring tools; tickets flow through Incident Management, Problem Management and Change Management (RFC, CAB, change audit, standard change, change rollout) into Release Management]
  • 22. Integration to Service Desk (SPOC)
  • 23. Integration to Incident Management and Configuration Management
  • 24. Integration with Change Management
  • 25. Security Incident KPIs
  • 26. Next Step
  • 27. ITIL v3 Qualification Scheme [diagram based on the APMG ITIL v3 Qualification Scheme Version 3.0; underlined values indicate ITIL Expert credits; HP course codes HF421S to HF442S and HE785 cover the ITIL v2 Foundation and Managers Certificates, ITIL v3 Foundation and the Foundation and Managers Bridges, the Lifecycle modules, the Capability modules, Managing Across the Lifecycle, ITIL Expert and ITIL Master] Abbreviations: SS - Strategy, SD - Design, ST - Transition, SO - Operation, CSI - Continual Service Improvement, SOA - Service Offerings & Agreements, RCV - Release, Control & Validation, OSA - Operational Support & Analysis, PPO - Planning, Protection & Optimization
  • 28. HP ITSM Curriculum for All Skill Levels [diagram, basic to advanced: ITSM Awareness; ITIL V2 Foundation, Practitioner and Manager; Foundation Bridge and Manager’s Bridge; ITIL V3 Foundation, Lifecycle and Capability modules, Managing across the lifecycle, ITIL V3 Expert; supplementary training such as ISO/IEC 20000 and IT Governance] Full details at:
  • 29. HP Education Services in ITIL / ITSM Training
    • Solid Experience
      − >30 years experience in education
      − trained >100,000 IT professionals in ITIL/ITSM & HP Software
      − >80 education centers WW authorized for ITIL examination
    • ITSM Leadership
      − authors of ITIL v3 “Service Operations” book, ITIL glossary & service model
    • Effective Learning Approach
      − HP “Race to Results” ITSM Simulation Game
      − soft skills for IT professionals
    • Total Solution
      − awareness, foundation, manager, bridges & modules to ITIL Expert
      − optional CobiT, ISO20000, MoC, PMP
    • Proven Effectiveness
      − ITIL Foundation passing rate: 95% vs 80% WW
  • 30. Conclusion: Key for Successful ITIL and Security Management
    • Providing evidence for Business and IT Alignment
    • Shared Service Operation Infrastructure
    • Reduced Technology and Process Investment cost
    • Shared KPI Reporting
    • Service Awareness and Visibility to the End User community
    • Proactive Integration with Daily operation
    • Attend ITIL Training
  • 31. Questions