ITIL and IT Security Architecture


Published on

This paper describes the interaction between the IT Infrastructure Library (ITIL<sup>®</sup>) and IT Security Architecture (ITSA) within the overall context of Enterprise Architecture (EA). Enterprise Architecture provides a holistic approach to the integration and management of an organization’s strategy, business and technology.

Published in: Business, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

ITIL and IT Security Architecture

  1. 1. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 ITIL® and IT Security Architecture Leo de Sousa – IST 725 AbstractThis paper describes the interaction between the IT Infrastructure Library (ITIL®) and ITSecurity Architecture (ITSA) within the overall context of Enterprise Architecture (EA).Enterprise Architecture provides a holistic approach to the integration and management of anorganization’s strategy, business and technology. IT Security Architecture is a component ofEnterprise Architecture. The EA3 Cube Framework shows how ITSA fits in a documentedenterprise architecture. IT Security is considered a planning thread that is a “common activitythat is present in all levels of the framework.” (Bernard, 2005, p. 42) ITIL® specificallyaddresses the IT service component of Enterprise Architecture. ITIL® is an approach to ITService Management “to drive consistency, efficiency and excellence into the business ofmanaging IT services.” (itSMF Ltd, UK Chapter, 2007, p. 3) ITIL® contains five componentsbuilt around a Service Lifecycle. The components are Service Strategy, Service Design, ServiceTransition, Service Operation and Continual Service Improvement. The sections of this paperare: (a) Introduction, (b) Relations between ITIL®, IT Security Architecture and EnterpriseArchitecture (c) Interactions of ITIL® and ITSA and (d) Conclusion. After reading this paper,the reader should have a clear understanding of how ITIL® interacts with IT SecurityArchitecture practices within Enterprise Architecture. IntroductionThis paper uses Enterprise Architecture as the overarching framework to model and understandhow ITIL® and IT Security Architecture interact together. Enterprise Architecture provides aholistic approach to the integration and management of an organization’s strategy, business andtechnology. EA addresses “policy, planning, decision-making and resource development that isuseful to executives, line managers, and support staff.” (Bernard, 2005, p. 33)IT Infrastructure Library (ITIL®) was developed by the UK Office of Government Commerce inthe 1980’s. The current version is ITIL® V3 and is a major rewrite from ITIL® V2. ITInfrastructure Library (ITIL®) “provides a framework of Best Practice guidance for IT ServiceManagement and since its creation, ITIL® has grown to become the most widely acceptedapproach to IT Service Management in the world.” (itSMF Ltd, UK Chapter, 2007, p. 2) ITIL®suggests organizations take a holistic approach to IT service management with a focus on valueto customers. Services have two value measures: • Utility – is the service delivering the required functionality? “fit for purpose” • Warranty – is the service delivered in the expected timeframe, in a secure manner and available for customers when necessary? “fit for use”Leo de Sousa Page 1
  2. 2. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012ITIL® contains five components built around a Service Lifecycle. The components are ServiceStrategy, Service Design, Service Transition, Service Operation and Continual ServiceImprovement.IT Security Architecture “is the art and science of designing and supervising the construction ofbusiness systems, usually business information systems, which are: free from danger, damage,etc.; free from fear, care, etc.; in safe custody; not likely to fail; able to be relied upon; safe fromattack.” (Sherwood, Clark, & Lynas, 2005, p. 2) The SABSA® Model captures IT SecurityArchitecture in six layers: Contextual Security Architecture, Conceptual Security Architecture,Logical Security Architecture, Physical Security Architecture, Component Architecture andOperational Security Architecture. (Sherwood, Clark, & Lynas, 2005, p. 34) (SABSA, 2012)Components of IT Security Architecture reside within parts of the ITIL® Service Lifecycle andboth reside in the Enterprise Architecture framework which encompasses the entire business. Relations between ITIL®, IT Security Architecture and Enterprise ArchitectureThe EA3 Cube Documentation Framework (Bernard, 2005, p. 38) provides an excellentframework for understanding the interactions between ITIL® and ITSA. The EA3 Cubedescribes an Enterprise Architecture by documenting the current state and future state of anenterprise as well as creating a management plan for change. Here is an image of the EA3 CubeDocumentation Framework and the ITIL® V3 Framework:Looking at the EA3 Cube, we can see how each component interacts when modeling anorganization. ITIL® suggests IT Service Management best practices for the Service Lifecyclefor Services, Data and Information, Systems and Applications, Networks and Infrastructure andSecurity/Standards in the EA framework. IT Security Architecture (ITSA) is one of the planningthreads in the EA3 Cube framework. IT Security Architecture helps identify issues and the risksthat could impact a company and its partners. ITSA also provides a framework for planning andimplementing secure business practices. Integrating ITSA and ITIL® enables a business toLeo de Sousa Page 2focus on best practices in security and IT service management to deliver value.
  3. 3. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012The diagram below represents the relationships between EAITILITSA. •Assets (What) •Process (How) EA (S+B+T) •Location (Where) •People (Who) •Time (When) •Motivation (Why) •Service Strategy ITIL (ITSM) •Service Design •Service Transition •Service Operation •Continual Service Improvement •Contextual Security Architecture •Conceptual Security Architecture ITSA (CIA) •Logical Security Architecture •Physical Security Architecture •Component Architecture •Operational Security Architecture Interactions of ITIL® and ITSAThis section explores the impacts of ITIL® on ITSA. The table below lists all the ITILprocesses by component type - interactions with ITSA are bolded. (Clinch, 2009, pp. 16-17)Service Strategy Service Design Service Service Continual Service Transition Operations ImprovementDemand Mgmt Service Catalogue Knowledge Mgmt Incident Mgmt Service Mgmt MeasurementFinancial Mgmt Service Level Change Mgmt Problem Mgmt Service Reporting MgmtStrategy Capacity Mgmt Asset and Event Mgmt ServiceGeneration Configuration Improvement MgmtService Portfolio Availability Release and RequestMgmt Mgmt Deployment Fulfillment Mgmt Service Transition Access Mgmt Continuity Mgmt Planning and Support Information Service Operations Mgmt Security Mgmt Validation and Testing Supplier Mgmt Evaluation Service Desk Application Mgmt Technical Mgmt IT OperationsLeo de Sousa Page 3
  4. 4. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012Service StrategyITIL® defines Service Strategy as “collaboration between business strategists and IT to developIT service strategies that support the business strategy.” (Kneller, 2010, p. 3) This section ofITIL® only has generalized references to IT security architecture. There is one specificreference to in the Service Value section: “Service Warranty: how the service is delivered and itsfitness for use, in terms of availability, capacity, continuity and security.” (itSMF Ltd, UKChapter, 2007, p. 14) The intent is security is considered a part of the strategy for creatingvaluable services for the organization.Service DesignITIL® defines Service Design as “designing the overarching IT architecture and each IT serviceto meet customers’ business objectives by being both fit for purpose (utility) and fit for use(warranty).” (Kneller, 2010, p. 4) Availability Management, IT Service ContinuityManagement and Information Security Management processes in ITIL® all provide guidance forimplementing security practices. • Availability Management – considers both reactive and proactive activities to ensure services are available for use. IT security architecture provides proactive guidance to protect services as well as responding to security attacks or breaches that compromise a service (e.g. Denial of Service attacks) • IT Service Continuity Management – considers ongoing recovery capabilities for services. IT security architecture guides the design of recovery capabilities and infrastructures to ensure that services can be recovered and delivered securely • Information Security Management – is the main ITIL® process for IT security architecture. This process seeks to align IT security with business security and protect the information assets for all services. This process uses the CIA (confidentiality, integrity, availability) model to suggest best practices of IT security in services.Service TransitionITIL® defines Service Transition as “managing and controlling changes into the live IToperational environment, including the development and transition of new or changed ITservices.” (Kneller, 2010, p. 4) Knowledge Management, Change Management, Asset andConfiguration Management, Release and Deployment Management and Service Validation andTesting processes all have IT security architecture components. • Knowledge Management – ensures that the correct person has access to the right knowledge, at the correct time to deliver and support business services. This process uses the IT Security Architecture CIA (confidentiality, integrity, availability) model to suggest best practices for information security • Change Management – delivers standard and secure methods to manage change to services. IT security architecture should be integrated with Change Management processes to ensure that introduction of new configuration items do not increase the risk to the services they support. IT security reviews are also important for reviewingLeo de Sousa Page 4
  5. 5. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 changes to existing services to maintain the agreed upon security levels. IT security architecture must be considered for all levels of change from strategic to tactical to operational. Effective implementation of this process limits unauthorized changes that could create security risks. • Asset and Configuration Management – accounts for service assets and configuration items to protect their integrity for the service lifecycle. IT Security architecture integrates with this process especially when considering Data and Information Architecture, Systems and Application Architecture and Networks and Infrastructure Architecture segments. Being able to identify, control and account for corporate information assets protects companies from security breaches, data leakage and information security compliance failures. Creating a Configuration Management System to record and track all configuration items used to deliver services is a key function for security. • Release and Deployment Management – ensures that changes are securely released into the production environment that supports business services. Implementing auditing and release controls following IT security best practices align this ITIL® process with ITSA. Effective implementation of this process limits unauthorized changes that could create security risks. • Service Validation and Testing – provides objective evidence that services are meeting their established service level agreements for functionality, availability, continuity, security and usability. Conducting security audits including penetration tests are examples of how ITSA and this ITIL® process interact.Service OperationsITIL® defines Service Operations as “delivering and supporting operational IT services in such away that they meet business needs and expectations and deliver forecasted business benefits.”(Kneller, 2010, p. 4) Incident Management, Problem Management, Event Management andAccess Management processes in ITIL® all use guidance from information security practices. • Incident Management – restores normal service as quickly as possible so that business impacts are minimized. Incidents can come from any part of the business. When they are IT security related, the IT service desk and security teams initiate an incident response process: identification, containment, eradication and recovery. (Killmeyer, 2006, p. 215) Security incidents can range from external attacks, data breaches (e.g. FIPPA and HIPPA compliance), internal attacks and copyright violations. • Problem Management – determines the root causes of incidents, recommends changes to resolve the issue and provides workarounds if a resolution cannot be found. The IT security team takes a lead in this process for security problems. The focus in this process is the eradication of the problem by implementing new security practises and technology. This process initiates the Change Management process when resolutions need to put into production. • Event Management – depends on monitoring of configuration items and services. The process generates notifications about changes and initiates the Incident Management process. This process relates to proactive security monitoring and logging. If a monitored security alert is triggered, the IT service desk and security team initiate the Incident Management process for a security incident.Leo de Sousa Page 5
  6. 6. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 • Access Management – provides the access rights for people to use services while blocking non-authorized access. Specifically, this ITIL® process manages privileges using the CIA model – confidentiality, integrity, availability to protect data and assets. Other IT security practices like auditing and logging access are practiced in this process.Continual Service ImprovementITIL® defines Continual Service Improvement as “learning from experience and adopting anapproach which ensures continual improvement of IT services.” (Kneller, 2010, p. 4) Thiscomponent of ITIL® focuses on continual evaluation and improvement of services and value tocustomers. ITIL® suggests a 7-Step Improvement Process to “collect meaningful data, analyzethis data to identify trends and issues, present the information to management for theirprioritization and agreement and implement improvements.” (itSMF Ltd, UK Chapter, 2007, p.36) This approach could be taken to continuously improve IT security architecture practices.The Continual Service Improvement component of ITIL® only has generalized references to ITsecurity architecture. There is a section that advocates the use of Standards. There are a seriesof Security standards that ITIL relates with the main standards family being ISO/IEC 27000Information Security Management. Here are some of the related standards that ITIL® leverages:(Clinch, 2009, pp. 18-19) • ISO/IEC 27001:2005 Information Security Management Systems – Requirements • ISO/IEC 27002:2005 Code of Practice for Information Security Management • ISO/IEC 27005:2008 Information Security Risk Management • ISO/IEC 27006:2007 Requirements for Bodies Providing Audit and Certification of Information Security Management Systems • ISO/IEC 27799:2008 Health Informatics – Information Security Management in Health Using ISO/IEC 27002 ConclusionEnterprise Architecture models and documents all the parts of an organization not just the ITcomponents. As such, it provides a guiding framework for understanding the interactionsbetween the various components of an organization, how IT service management is implemented(ITIL®) and how IT security architecture is deployed. Many organizations see IT security aspurely an IT function and the result is a failure to adequately implement a holistic approach tosecuring the business.“If we take to heart ITIL’s message that a service is something that delivers business value byimproving customer outcomes, we should be seeking to position ISM (information securitymanagement) as a business activity that directly contributes towards the delivery of enhancedbusiness value to customers.” (Clinch, 2009, p. 8)Leo de Sousa Page 6
  7. 7. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012ITIL® interacts effectively with IT Security Architecture in Service Design, Service Transitionand Service Operations and has some influence in Service Strategy and Continual ServiceImprovement. Here are the ITIL® processes with strong IT security architecture interactions.Service Design Service Transition Service OperationsAvailability Mgmt Knowledge Mgmt Incident MgmtService Continuity Mgmt Change Mgmt Problem MgmtInformation Security Mgmt Asset and Configuration Mgmt Event Mgmt Release and Deployment Mgmt Access Mgmt Service Validation and TestingITIL® leverages many of the existing and evolving IT Security standards particularly from theISO/IEC 27k family.“Awareness and consideration of security risks and issues are background obligations for everystep of successful IT Service Management under ITIL®.” (Clinch, 2009, p. 20) ReferencesBernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL: AuthorHouse.Clinch, J. (2009, May). ITIL V3 and Information Security. Retrieved from Best Management Practice: Ltd, UK Chapter. (2007). An Introductory Overview of ITIL V3. Retrieved from Best Management Practice:, J. (2006). Information Security Architecture 2nd Edition. Boca Raton: Auerbach Publications.Kneller, M. (2010, Sept). Executive Briefing: The Benefits of ITIL. Retrieved from Best Management Practice: (2012). SABSA Matrix. Retrieved from SABSA: method/the-sabsa-matrix.aspxSherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture A Business-Driven Approach. San Francisco: CMP Books.Leo de Sousa Page 7