SlideShare a Scribd company logo

Dit yvol4iss32

Rick Lemieux
Rick Lemieux
1 of 2
Download to read offline
11 Ways ITIL Improves Security The workable, practical guide to Do IT Yourself Page 1 of 2 Vol. 4.32 • August 13, 2008 11 Ways ITIL Improves Security By Hank Marquis Hank is EVP of Knowledge Management at Universal Solutions Group, and Founder and Director of NABSM.ORG. Contact Hank by email at hank.marquis@usgct.com. View Hank’s blog at www.hankmarquis.info. I TIL improves security governance. ITIL makes security easier and more controlled, thus making it easier to comply with regulations like Sarbanes-Oxley, HIPAA, FISMA, GLBA, NIST 800-53/FIPS200, FFIEC, and others. The IT Infrastructure Library® (ITIL®) is best practice. We all know ITIL describes what to do, not how to do it. The descriptive nature of ITIL leads many to wonder what benefits ITIL delivers, if any. However, without too much thought, anyone familiar with a particular industry or IT segment can soon understand how ITIL best practices can assist virtually any operational aspect of IT. Let’s examine security for example. How can ITIL best practices help with the day to day workings of security? The ITIL has a dedicated book for security, and includes security as a fabric within which the Service Support and Service Delivery books operate. The ITIL focuses on the process of implementing security requirements identified in Service Level Agreements. However, as always, the ITIL is descriptive and not prescriptive. Following, I show at least 11 ways ITIL can improve or assist in security, and give you a 9-step plan for improving security using ITIL. Security and ITIL ITIL describes a Security Management function (e.g., a group, like Service Desk) that interfaces with other ITIL processes regarding security issues. These issues relate predominantly to the Confidentiality, Integrity and Availability of data, as well as the security of hardware and software components, documentation and procedures. Virtually every organization faces some form of oversight and regulation. We have all heard of Sarbanes-Oxley, but there are many, many more. HIPAA, FISMA, GLBA, COBIT, NIST 800-53/FIPS200, FFIEC, and others. There are at least five areas to consider with thinking about security and ITIL: 1. The process of security management 2. The relationships between security and the other ITIL processes 3. External relationships as defined in Underpinning Contracts (UCs) 4. Customer facing requirements as defined in Service Level Agreements (SLAs) 5. Internal relationships between functional organizations as defined in Operating Level Agreements (OLA's) Here are some easy ways the best practices in ITIL can improve how IT organizations implement and manage information security in response to regulations. 1. Security requires audits, and regardless of the regulatory environment, IT must support audits. Audits require documentation, process control, and clear roles, responsibilities, and authorities. ITIL processes descriptions provide the basis for sound audits. http://www.itsmsolutions.com/newsletters/DITYvol4iss32.htm 8/13/2008
11 Ways ITIL Improves Security Page 2 of 2 2. Security requires control over assets. To control assets you must know what you have, where it’s located, and who can access it. This basis comes directly from ITIL Configuration Management. 3. Most regulation, including HIPAA and SOX, requires analysis and documentation of changes made to IT systems. In change management many issues are to be ensured. Change Management can perform risk analysis, business impact analysis, and security analysis from a centralized perspective. 4. Security management requires an incident category specifically for security related incidents. The ITIL Incident Management process provides the control and flexibility required to manage security incidents quickly and efficiently without a duplicate organization. 5. Security Incidents require review by security management. Having a single point of contact for all matters relating to IT – the ITIL Service Desk – provides a single reporting source for all Incidents, including those pertaining to security. 6. ITIL focuses security where needed based on business requirements, not technology. This is important since most security operations today do what they feel is best for the business instead of just what the business required. This “gold plating” carries a high cost and keeps IT from being seen by the business as a partner. 7. Since ITIL is all about organizational best practices, the security management process itself can operate in a process-driven, methodical manner. This is absolutely critical to success with security. 8. ITIL requires continuous review, audit, and reporting of processes activities. Security requires continuous reviews to remain vigilant. 9. Availability Management describes a centralized engineering and architecture that always takes into account the Confidentiality, Integrity, and Availability of data (CIA). 10. The Service Level Management process sets up, monitors, reports on, and administers agreements with customers (SLA), suppliers (UC), and other IT functional departments (OLA). These contracts and agreements all require security sections. 11. Establish a link between Problem Management and security alert channels. Relevant security issues should be documented and added to the knowledge base for use by Incident Management and the service desk as well as other IT functional groups. Summary ITIL best practices help deliver real security improvements, as well as establishing the controls required for meeting legislative and regulatory requirements. Here is a simple 9 step plan for improving security using ITIL: 1. Work with customers and the business to understand and document security requirements. It is very important that you take your lead from the business. 2. Review with senior IT leaders to ensure review of all relevant legislative, industry, and corporate regulations. 3. Work with other ITIL process managers to validate the ability to support customer (#1 above) and corporate (#2 above) security requirements identified. 4. Negotiate a Service Level Agreement (SLA) that includes a security section. As always, keep it in business terms, and make sure it is measurable. 5. Based on the SLA(s), create and implement Operational Level Agreements (OLAs) between related technical or functional departments or groups. Each OLA requires a security section that clearly spells out and defines how, for example, security incidents will be handled. 6. Review all Underpinning Contracts (UCs) for security as well. They should all include a security section. For example, defining access to customer information and data confidentiality. 7. Update UCs, define and implement OLA's, then publish the SLA. 8. Report on security as you would report on capacity, availability, or changes. 9. As required, iterate the security sections as required. Entire Contents © 2008 itSM Solutions® LLC. All Rights Reserved. ITIL ® and IT Infrastructure Library ® are Registered Trade Marks of the Office of Government Commerce and is used here by itSM Solutions LLC under license from and with the permission of OGC (Trade Mark License No. 0002). http://www.itsmsolutions.com/newsletters/DITYvol4iss32.htm 8/13/2008

Recommended

Dit yvol2iss37
Dit yvol2iss37Dit yvol2iss37
Dit yvol2iss37Rick Lemieux
 
Raz-Lee Security Corporate Profile
Raz-Lee Security Corporate ProfileRaz-Lee Security Corporate Profile
Raz-Lee Security Corporate ProfileRaz-Lee Security
 
Kerangka untuk RPM Information Security Governance: COBIT 5 for Information S...
Kerangka untuk RPM Information Security Governance: COBIT 5 for Information S...Kerangka untuk RPM Information Security Governance: COBIT 5 for Information S...
Kerangka untuk RPM Information Security Governance: COBIT 5 for Information S...Directorate of Information Security | Ditjen Aptika
 
Oasys Stonesoft Aligned with ITIL
Oasys Stonesoft Aligned with ITILOasys Stonesoft Aligned with ITIL
Oasys Stonesoft Aligned with ITILOpen Access Systems Corporation
 
NIST 800-171 Simplifying CUI and DFARS Compliance
NIST 800-171 Simplifying CUI and DFARS ComplianceNIST 800-171 Simplifying CUI and DFARS Compliance
NIST 800-171 Simplifying CUI and DFARS ComplianceGovernment Technology & Services Coalition
 
[null] Iso 27001 a business view by Sripathi
[null] Iso 27001 a business view by Sripathi[null] Iso 27001 a business view by Sripathi
[null] Iso 27001 a business view by SripathiPrajwal Panchmahalkar
 
From reactive to automated reducing costs through mature security processes i...
From reactive to automated reducing costs through mature security processes i...From reactive to automated reducing costs through mature security processes i...
From reactive to automated reducing costs through mature security processes i...NetIQ
 
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...PECB
 

Recommended

Dit yvol2iss37
Dit yvol2iss37Dit yvol2iss37
Dit yvol2iss37Rick Lemieux
 
Raz-Lee Security Corporate Profile
Raz-Lee Security Corporate ProfileRaz-Lee Security Corporate Profile
Raz-Lee Security Corporate ProfileRaz-Lee Security
 
Kerangka untuk RPM Information Security Governance: COBIT 5 for Information S...
Kerangka untuk RPM Information Security Governance: COBIT 5 for Information S...Kerangka untuk RPM Information Security Governance: COBIT 5 for Information S...
Kerangka untuk RPM Information Security Governance: COBIT 5 for Information S...Directorate of Information Security | Ditjen Aptika
 
Oasys Stonesoft Aligned with ITIL
Oasys Stonesoft Aligned with ITILOasys Stonesoft Aligned with ITIL
Oasys Stonesoft Aligned with ITILOpen Access Systems Corporation
 
NIST 800-171 Simplifying CUI and DFARS Compliance
NIST 800-171 Simplifying CUI and DFARS ComplianceNIST 800-171 Simplifying CUI and DFARS Compliance
NIST 800-171 Simplifying CUI and DFARS ComplianceGovernment Technology & Services Coalition
 
[null] Iso 27001 a business view by Sripathi
[null] Iso 27001 a business view by Sripathi[null] Iso 27001 a business view by Sripathi
[null] Iso 27001 a business view by SripathiPrajwal Panchmahalkar
 
From reactive to automated reducing costs through mature security processes i...
From reactive to automated reducing costs through mature security processes i...From reactive to automated reducing costs through mature security processes i...
From reactive to automated reducing costs through mature security processes i...NetIQ
 
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...
Data Privacy, Information Security, and Cybersecurity: What Your Business Nee...PECB
 
Information Security
Information SecurityInformation Security
Information SecurityWe Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.IGN MANTRA
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1Tanmay Shinde
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...PECB
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013scttmcvy
 
ISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness TrainingISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness Traininghimalya sharma
 
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceTripwire
 
How to minimize threats in your information system using network segregation?
How to minimize threats in your information system using network segregation? How to minimize threats in your information system using network segregation?
How to minimize threats in your information system using network segregation? PECB
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governancenooralmousa
 
Orientation in IT Audit
Orientation in IT AuditOrientation in IT Audit
Orientation in IT AuditSuman Thapaliya
 
IT Compliance and Security Solutions
IT Compliance and Security SolutionsIT Compliance and Security Solutions
IT Compliance and Security SolutionsAegify Inc.
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Bill Ross
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0Maganathin Veeraragaloo
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
 
ISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust FrameworkISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust FrameworkMaganathin Veeraragaloo
 
Iio t security std
Iio t security stdIio t security std
Iio t security stdPlantconnectiot
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
 
Dit yvol4iss23
Dit yvol4iss23Dit yvol4iss23
Dit yvol4iss23Rick Lemieux
 
Dit yvol4iss43
Dit yvol4iss43Dit yvol4iss43
Dit yvol4iss43Rick Lemieux
 
Dit yvol4iss36
Dit yvol4iss36Dit yvol4iss36
Dit yvol4iss36Rick Lemieux
 

More Related Content

What's hot

ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.IGN MANTRA
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1Tanmay Shinde
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...PECB
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013scttmcvy
 
ISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness TrainingISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness Traininghimalya sharma
 
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceTripwire
 
How to minimize threats in your information system using network segregation?
How to minimize threats in your information system using network segregation? How to minimize threats in your information system using network segregation?
How to minimize threats in your information system using network segregation? PECB
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governancenooralmousa
 
IT Compliance and Security Solutions
IT Compliance and Security SolutionsIT Compliance and Security Solutions
IT Compliance and Security SolutionsAegify Inc.
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Bill Ross
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
 

What's hot (19)

Information Security
Information SecurityInformation Security
Information Security
 
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
 
ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1ISO 27001 - information security user awareness training presentation - Part 1
ISO 27001 - information security user awareness training presentation - Part 1
 
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
ISO/IEC 27001 vs. CCPA and NYC Shield Act: What Are the Similarities and Diff...
 
Implementing ISO27001 2013
Implementing ISO27001 2013Implementing ISO27001 2013
Implementing ISO27001 2013
 
ISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness TrainingISO 27001 Training | ISMS Awareness Training
ISO 27001 Training | ISMS Awareness Training
 
Achieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 ComplianceAchieving Effective IT Security with Continuous ISO 27001 Compliance
Achieving Effective IT Security with Continuous ISO 27001 Compliance
 
How to minimize threats in your information system using network segregation?
How to minimize threats in your information system using network segregation? How to minimize threats in your information system using network segregation?
How to minimize threats in your information system using network segregation?
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
 
Orientation in IT Audit
Orientation in IT AuditOrientation in IT Audit
Orientation in IT Audit
 
IT Compliance and Security Solutions
IT Compliance and Security SolutionsIT Compliance and Security Solutions
IT Compliance and Security Solutions
 
Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015Security architecture analyses brief 21 april 2015
Security architecture analyses brief 21 april 2015
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...
 
ISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust FrameworkISO 27005 - Digital Trust Framework
ISO 27005 - Digital Trust Framework
 
Iio t security std
Iio t security stdIio t security std
Iio t security std
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
 

Viewers also liked

Presentacion all star fgx en español forever green express - fg-xpress - pe...
Presentacion all star fgx en español forever green express - fg-xpress - pe...Presentacion all star fgx en español forever green express - fg-xpress - pe...
Presentacion all star fgx en español forever green express - fg-xpress - pe...Raoni Claro
 
Fg xpress strategic plan recognition events and leadership copia (34) - copia
Fg xpress strategic plan recognition events and leadership copia (34) - copiaFg xpress strategic plan recognition events and leadership copia (34) - copia
Fg xpress strategic plan recognition events and leadership copia (34) - copiaRaoni Claro
 
Fg xpress strategic plan recognition events and leadership copia (31) - copia
Fg xpress strategic plan recognition events and leadership copia (31) - copiaFg xpress strategic plan recognition events and leadership copia (31) - copia
Fg xpress strategic plan recognition events and leadership copia (31) - copiaRaoni Claro
 
150530 market outlook juni 2015
150530 market outlook juni 2015150530 market outlook juni 2015
150530 market outlook juni 2015Satrio Utomo
 
Texas Cattle Feeders Association
Texas Cattle Feeders Association Texas Cattle Feeders Association
Texas Cattle Feeders Association kaleymccafferty
 
Colegio las rosas (campos eolicos)
Colegio las rosas (campos eolicos)Colegio las rosas (campos eolicos)
Colegio las rosas (campos eolicos)Valeria Buendia
 
Fg xpress strategic plan recognition events and leadership copia (33) - copia
Fg xpress strategic plan recognition events and leadership copia (33) - copiaFg xpress strategic plan recognition events and leadership copia (33) - copia
Fg xpress strategic plan recognition events and leadership copia (33) - copiaRaoni Claro
 
Umhatul Momineen
Umhatul MomineenUmhatul Momineen
Umhatul MomineenWajid Malik
 

Viewers also liked (20)

Dit yvol4iss23
Dit yvol4iss23Dit yvol4iss23
Dit yvol4iss23
 
Dit yvol4iss43
Dit yvol4iss43Dit yvol4iss43
Dit yvol4iss43
 
Dit yvol4iss36
Dit yvol4iss36Dit yvol4iss36
Dit yvol4iss36
 
Html5 marlon
Html5 marlonHtml5 marlon
Html5 marlon
 
Presentacion all star fgx en español forever green express - fg-xpress - pe...
Presentacion all star fgx en español forever green express - fg-xpress - pe...Presentacion all star fgx en español forever green express - fg-xpress - pe...
Presentacion all star fgx en español forever green express - fg-xpress - pe...
 
Fg xpress strategic plan recognition events and leadership copia (34) - copia
Fg xpress strategic plan recognition events and leadership copia (34) - copiaFg xpress strategic plan recognition events and leadership copia (34) - copia
Fg xpress strategic plan recognition events and leadership copia (34) - copia
 
Fg xpress strategic plan recognition events and leadership copia (31) - copia
Fg xpress strategic plan recognition events and leadership copia (31) - copiaFg xpress strategic plan recognition events and leadership copia (31) - copia
Fg xpress strategic plan recognition events and leadership copia (31) - copia
 
150530 market outlook juni 2015
150530 market outlook juni 2015150530 market outlook juni 2015
150530 market outlook juni 2015
 
Texas Cattle Feeders Association
Texas Cattle Feeders Association Texas Cattle Feeders Association
Texas Cattle Feeders Association
 
Colegio las rosas (campos eolicos)
Colegio las rosas (campos eolicos)Colegio las rosas (campos eolicos)
Colegio las rosas (campos eolicos)
 
Dit yvol4iss33
Dit yvol4iss33Dit yvol4iss33
Dit yvol4iss33
 
Dit yvol4iss40
Dit yvol4iss40Dit yvol4iss40
Dit yvol4iss40
 
Dit yvol4iss30
Dit yvol4iss30Dit yvol4iss30
Dit yvol4iss30
 
Dit yvol4iss31
Dit yvol4iss31Dit yvol4iss31
Dit yvol4iss31
 
Dit yvol4iss37
Dit yvol4iss37Dit yvol4iss37
Dit yvol4iss37
 
Dit yvol4iss25
Dit yvol4iss25Dit yvol4iss25
Dit yvol4iss25
 
Dit yvol4iss24
Dit yvol4iss24Dit yvol4iss24
Dit yvol4iss24
 
Fg xpress strategic plan recognition events and leadership copia (33) - copia
Fg xpress strategic plan recognition events and leadership copia (33) - copiaFg xpress strategic plan recognition events and leadership copia (33) - copia
Fg xpress strategic plan recognition events and leadership copia (33) - copia
 
01
0101
01
 
Umhatul Momineen
Umhatul MomineenUmhatul Momineen
Umhatul Momineen
 

Similar to Dit yvol4iss32

ITIL With Information Security
ITIL With Information SecurityITIL With Information Security
ITIL With Information Securityvikasraina
 
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001IJNSA Journal
 
rethinking marketing
rethinking marketingrethinking marketing
rethinking marketingNavneet Singh
 
ITIL Service Desk
ITIL Service DeskITIL Service Desk
ITIL Service Deskjmansur1
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelinesamburyj3c9
 
What Is the Scope of ISO 27001 Certification in the Netherlands.pptx
What Is the Scope of ISO 27001 Certification in the Netherlands.pptxWhat Is the Scope of ISO 27001 Certification in the Netherlands.pptx
What Is the Scope of ISO 27001 Certification in the Netherlands.pptxAnoosha Factocert
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standartnewbie2019
 
201306 CIO NET The Value of IT Frameworks
201306 CIO NET The Value of IT Frameworks201306 CIO NET The Value of IT Frameworks
201306 CIO NET The Value of IT FrameworksFrancisco Calzado
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standardsautomatskicorporation
 
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...GrapesTech Solutions
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance EcosystemPci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystemkpatrickwheeler
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance FrameworkSherri Booher
 

Similar to Dit yvol4iss32 (20)

ITIL With Information Security
ITIL With Information SecurityITIL With Information Security
ITIL With Information Security
 
Itil,cobit and ıso27001
Itil,cobit and ıso27001Itil,cobit and ıso27001
Itil,cobit and ıso27001
 
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001
 
rethinking marketing
rethinking marketingrethinking marketing
rethinking marketing
 
Topic11
Topic11Topic11
Topic11
 
ITIL Service Desk
ITIL Service DeskITIL Service Desk
ITIL Service Desk
 
Dit yvol4iss22
Dit yvol4iss22Dit yvol4iss22
Dit yvol4iss22
 
Facility Environmental Audit Guidelines
Facility Environmental Audit GuidelinesFacility Environmental Audit Guidelines
Facility Environmental Audit Guidelines
 
Itil 2
Itil 2Itil 2
Itil 2
 
ACFN vISO eBook
ACFN vISO eBookACFN vISO eBook
ACFN vISO eBook
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 
What Is the Scope of ISO 27001 Certification in the Netherlands.pptx
What Is the Scope of ISO 27001 Certification in the Netherlands.pptxWhat Is the Scope of ISO 27001 Certification in the Netherlands.pptx
What Is the Scope of ISO 27001 Certification in the Netherlands.pptx
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standart
 
201306 CIO NET The Value of IT Frameworks
201306 CIO NET The Value of IT Frameworks201306 CIO NET The Value of IT Frameworks
201306 CIO NET The Value of IT Frameworks
 
Dit yvol2iss18
Dit yvol2iss18Dit yvol2iss18
Dit yvol2iss18
 
Automatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security StandardsAutomatski - The Internet of Things - Security Standards
Automatski - The Internet of Things - Security Standards
 
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...IT Governance and Compliance: Its Importance and the Best Practices to Follow...
IT Governance and Compliance: Its Importance and the Best Practices to Follow...
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance EcosystemPci Europe 2009 Underside Of The Compliance Ecosystem
Pci Europe 2009 Underside Of The Compliance Ecosystem
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance Framework
 
Dit yvol2iss43
Dit yvol2iss43Dit yvol2iss43
Dit yvol2iss43
 

More from Rick Lemieux

IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementRick Lemieux
 

More from Rick Lemieux (20)

IT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT AlignementIT Service Management (ITSM) Model for Business & IT Alignement
IT Service Management (ITSM) Model for Business & IT Alignement
 
Dit yvol5iss41
Dit yvol5iss41Dit yvol5iss41
Dit yvol5iss41
 
Dit yvol5iss40
Dit yvol5iss40Dit yvol5iss40
Dit yvol5iss40
 
Dit yvol5iss38
Dit yvol5iss38Dit yvol5iss38
Dit yvol5iss38
 
Dit yvol5iss37
Dit yvol5iss37Dit yvol5iss37
Dit yvol5iss37
 
Dit yvol5iss36
Dit yvol5iss36Dit yvol5iss36
Dit yvol5iss36
 
Dit yvol5iss35
Dit yvol5iss35Dit yvol5iss35
Dit yvol5iss35
 
Dit yvol5iss34
Dit yvol5iss34Dit yvol5iss34
Dit yvol5iss34
 
Dit yvol5iss31
Dit yvol5iss31Dit yvol5iss31
Dit yvol5iss31
 
Dit yvol5iss33
Dit yvol5iss33Dit yvol5iss33
Dit yvol5iss33
 
Dit yvol5iss32
Dit yvol5iss32Dit yvol5iss32
Dit yvol5iss32
 
Dit yvol5iss30
Dit yvol5iss30Dit yvol5iss30
Dit yvol5iss30
 
Dit yvol5iss29
Dit yvol5iss29Dit yvol5iss29
Dit yvol5iss29
 
Dit yvol5iss28
Dit yvol5iss28Dit yvol5iss28
Dit yvol5iss28
 
Dit yvol5iss26
Dit yvol5iss26Dit yvol5iss26
Dit yvol5iss26
 
Dit yvol5iss25
Dit yvol5iss25Dit yvol5iss25
Dit yvol5iss25
 
Dit yvol5iss24
Dit yvol5iss24Dit yvol5iss24
Dit yvol5iss24
 
Dit yvol5iss23
Dit yvol5iss23Dit yvol5iss23
Dit yvol5iss23
 
Dit yvol5iss22
Dit yvol5iss22Dit yvol5iss22
Dit yvol5iss22
 
Dit yvol5iss21
Dit yvol5iss21Dit yvol5iss21
Dit yvol5iss21
 

Dit yvol4iss32

  • 1. 11 Ways ITIL Improves Security The workable, practical guide to Do IT Yourself Page 1 of 2 Vol. 4.32 • August 13, 2008 11 Ways ITIL Improves Security By Hank Marquis Hank is EVP of Knowledge Management at Universal Solutions Group, and Founder and Director of NABSM.ORG. Contact Hank by email at hank.marquis@usgct.com. View Hank’s blog at www.hankmarquis.info. I TIL improves security governance. ITIL makes security easier and more controlled, thus making it easier to comply with regulations like Sarbanes-Oxley, HIPAA, FISMA, GLBA, NIST 800-53/FIPS200, FFIEC, and others. The IT Infrastructure Library® (ITIL®) is best practice. We all know ITIL describes what to do, not how to do it. The descriptive nature of ITIL leads many to wonder what benefits ITIL delivers, if any. However, without too much thought, anyone familiar with a particular industry or IT segment can soon understand how ITIL best practices can assist virtually any operational aspect of IT. Let’s examine security for example. How can ITIL best practices help with the day to day workings of security? The ITIL has a dedicated book for security, and includes security as a fabric within which the Service Support and Service Delivery books operate. The ITIL focuses on the process of implementing security requirements identified in Service Level Agreements. However, as always, the ITIL is descriptive and not prescriptive. Following, I show at least 11 ways ITIL can improve or assist in security, and give you a 9-step plan for improving security using ITIL. Security and ITIL ITIL describes a Security Management function (e.g., a group, like Service Desk) that interfaces with other ITIL processes regarding security issues. These issues relate predominantly to the Confidentiality, Integrity and Availability of data, as well as the security of hardware and software components, documentation and procedures. Virtually every organization faces some form of oversight and regulation. We have all heard of Sarbanes-Oxley, but there are many, many more. HIPAA, FISMA, GLBA, COBIT, NIST 800-53/FIPS200, FFIEC, and others. There are at least five areas to consider with thinking about security and ITIL: 1. The process of security management 2. The relationships between security and the other ITIL processes 3. External relationships as defined in Underpinning Contracts (UCs) 4. Customer facing requirements as defined in Service Level Agreements (SLAs) 5. Internal relationships between functional organizations as defined in Operating Level Agreements (OLA's) Here are some easy ways the best practices in ITIL can improve how IT organizations implement and manage information security in response to regulations. 1. Security requires audits, and regardless of the regulatory environment, IT must support audits. Audits require documentation, process control, and clear roles, responsibilities, and authorities. ITIL processes descriptions provide the basis for sound audits. http://www.itsmsolutions.com/newsletters/DITYvol4iss32.htm 8/13/2008
  • 2. 11 Ways ITIL Improves Security Page 2 of 2 2. Security requires control over assets. To control assets you must know what you have, where it’s located, and who can access it. This basis comes directly from ITIL Configuration Management. 3. Most regulation, including HIPAA and SOX, requires analysis and documentation of changes made to IT systems. In change management many issues are to be ensured. Change Management can perform risk analysis, business impact analysis, and security analysis from a centralized perspective. 4. Security management requires an incident category specifically for security related incidents. The ITIL Incident Management process provides the control and flexibility required to manage security incidents quickly and efficiently without a duplicate organization. 5. Security Incidents require review by security management. Having a single point of contact for all matters relating to IT – the ITIL Service Desk – provides a single reporting source for all Incidents, including those pertaining to security. 6. ITIL focuses security where needed based on business requirements, not technology. This is important since most security operations today do what they feel is best for the business instead of just what the business required. This “gold plating” carries a high cost and keeps IT from being seen by the business as a partner. 7. Since ITIL is all about organizational best practices, the security management process itself can operate in a process-driven, methodical manner. This is absolutely critical to success with security. 8. ITIL requires continuous review, audit, and reporting of processes activities. Security requires continuous reviews to remain vigilant. 9. Availability Management describes a centralized engineering and architecture that always takes into account the Confidentiality, Integrity, and Availability of data (CIA). 10. The Service Level Management process sets up, monitors, reports on, and administers agreements with customers (SLA), suppliers (UC), and other IT functional departments (OLA). These contracts and agreements all require security sections. 11. Establish a link between Problem Management and security alert channels. Relevant security issues should be documented and added to the knowledge base for use by Incident Management and the service desk as well as other IT functional groups. Summary ITIL best practices help deliver real security improvements, as well as establishing the controls required for meeting legislative and regulatory requirements. Here is a simple 9 step plan for improving security using ITIL: 1. Work with customers and the business to understand and document security requirements. It is very important that you take your lead from the business. 2. Review with senior IT leaders to ensure review of all relevant legislative, industry, and corporate regulations. 3. Work with other ITIL process managers to validate the ability to support customer (#1 above) and corporate (#2 above) security requirements identified. 4. Negotiate a Service Level Agreement (SLA) that includes a security section. As always, keep it in business terms, and make sure it is measurable. 5. Based on the SLA(s), create and implement Operational Level Agreements (OLAs) between related technical or functional departments or groups. Each OLA requires a security section that clearly spells out and defines how, for example, security incidents will be handled. 6. Review all Underpinning Contracts (UCs) for security as well. They should all include a security section. For example, defining access to customer information and data confidentiality. 7. Update UCs, define and implement OLA's, then publish the SLA. 8. Report on security as you would report on capacity, availability, or changes. 9. As required, iterate the security sections as required. Entire Contents © 2008 itSM Solutions® LLC. All Rights Reserved. ITIL ® and IT Infrastructure Library ® are Registered Trade Marks of the Office of Government Commerce and is used here by itSM Solutions LLC under license from and with the permission of OGC (Trade Mark License No. 0002). http://www.itsmsolutions.com/newsletters/DITYvol4iss32.htm 8/13/2008