ITIL and Security Management Overview

Upload: harpreet-singh

Post on 03-Apr-2018


  • 7/28/2019 ITIL and Security Management Overview


    ITIL and Security Management Overview

    David McPhee

    For the purpose of this chapter, the focus is how information security management works within the Information Technology Infrastructure Library (ITIL).

    What is ITIL?

    The Information Technology Infrastructure Library (ITIL) is a framework of best practices. The concepts within ITIL support information technology services delivery organizations with the planning of consistent, documented, and repeatable or customized processes that improve service delivery to the business. The ITIL framework consists of the following IT processes: Service Support (Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, and Release Management) and Services Delivery (Service Level Management, Capacity Management, Availability Management, Financial Management and IT Service Continuity Management).

    History of ITIL

    The ITIL concept emerged in the 1980s, when the British government determined that the level of IT service quality provided to them was not sufficient. The Central Computer and Telecommunications Agency (CCTA), now called the Office of Government Commerce (OGC), was tasked with developing a framework for efficient and financially responsible use of resources within the British government and the private sector.


    Figure 1. ITIL Overview.

    The earliest version of ITIL was originally called GITIM, Government Information Technology Infrastructure Management. Obviously this was very different to the current ITIL, but conceptually very similar, focusing around service support and delivery.

    Large companies and government agencies in Europe adopted the framework very quickly in the early 1990s. ITIL was spreading far and wide, and was used in both government and non-government organizations. As it grew in popularity, both in the UK and across the world, IT itself changed and evolved, and so did ITIL.

    What Is Security Management?

    Security management details the process of planning and managing a defined level of security for information and IT services, including all aspects associated with reaction to security incidents. It also includes the assessment and management of risks and vulnerabilities, and the implementation of cost-justifiable countermeasures.

    Security management is the process of managing a defined level of security on information and IT services. Included is managing the reaction to security incidents. The importance of information security has increased dramatically because of the move of open internal networks to customers and business partners; the move towards electronic commerce; and the increasing use of public networks like the Internet and intranets. The widespread use of information and information processing, as well as the increasing dependency of process results on information, requires structural and organized protection of information.

    Descriptions

    Service Support Overview

    Service support describes the processes associated with the day-to-day support and maintenance activities associated with the provision of IT services: Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, and Release Management.

    - Service Desk: This function is the single point of contact between the end users and IT Service Management.
    - Incident Management: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services.
    - Problem Management: Best practices for identifying the underlying causes of IT incidents in order to prevent future recurrences. These practices seek to proactively prevent incidents and problems.
    - Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.
    - Configuration Management: Best practices for controlling production configurations; for example, standardization, status monitoring, and asset identification. By identifying, controlling, maintaining and verifying the items that make up an organization's IT infrastructure, these practices ensure that there is a logical model of the infrastructure.
    - Release Management: Best practices for the release of hardware and software. These practices ensure that only tested and correct versions of authorized software and hardware are provided to IT customers.

    Service Support Details

    Service Desk

    The objective of the service desk is to be a single point of contact for customers who need assistance with incidents, problems, questions, and to provide an interface for other activities related to IT and ITIL services.

    Figure 2. Service desk diagram.

    Benefits of Implementing a Service Desk

    - Increased first call resolution
    - Skill based support
    - Rapidly restore service
    - Improved incident response time
    - Quick service restoration
    - Improved tracking of service quality
    - Improved recognition of trends and incidents
    - Improved employee satisfaction

    Processes Utilized by the Service Desk

    - Workflow and procedures diagrams
    - Roles and responsibilities
    - Training evaluation sheets and skill set assessments
    - Implemented metrics and continuous improvement procedures

    Incident Management

    The objective of incident management is to minimize the disruption to the business by restoring service operations to agreed levels as quickly as possible and to ensure the availability of IT services is maximized; it could also protect the integrity and confidentiality of information by identifying the root cause of a problem.

    Benefits of an Incident Management Process

    - Incident detection and recording
    - Classification and initial support
    - Investigation and diagnosis
    - Resolution and recovery
    - Incident closure
    - Incident ownership, monitoring, tracking and communication
    - Repeatable process

    With a formal incident management practice, IT quality will improve through ensuring ticket quality, standardizing ticket ownership, and providing a clear understanding of ticket types while decreasing the number of unreported or misreported incidents.

    Figure 3. Incident management ticket owner workflow diagram.

    Problem Management

    The object of problem management is to resolve the root cause of incidents to minimize the adverse impact of incidents and problems on the business and secondly to prevent recurrence of incidents related to these errors. A 'problem' is an underlying cause of one or more incidents, and a 'known error' is a problem that is successfully diagnosed and for which a work-around has been identified. The outcome of known error is a request for change (RFC).

    Figure 4. Problem management diagram overview.

    A problem is a condition often identified as a result of multiple incidents that exhibit common symptoms. Problems can also be identified from a single significant incident, indicative of a single error, for which the cause is unknown, but for which the impact is significant.

    A known error is a condition identified by successful diagnosis of the root cause of a problem, and the subsequent development of a work-around.

    An RFC is a proposal to IT infrastructure for a change to the environment.

    Incident Management and Problem Management: What's the Difference?

    Incidents and service requests are formally managed through a staged process to conclusion. This process is referred to as the "incident management lifecycle." The objective of the incident management lifecycle is to restore the service as quickly as possible to meet service level agreements (SLAs). The process is primarily aimed at the user level.

    Problem management deals with resolving the underlying cause of one or more incidents. The focus of problem management is to resolve the root cause of errors and to find permanent solutions. Although every effort will be made to resolve the problem as quickly as possible, this process is focused on the resolution of the problem rather than the speed of the resolution. This process deals at the enterprise level.

    Change Management

    Change management ensures that all areas follow a standardized process when implementing change into a production environment. Change is defined as any adjustment, enhancement, or maintenance to a production business application, system software, system hardware, communications network, or operational facility.

    Benefits of Change Management

    - Planning change
    - Impact analysis
    - Change approval
    - Managing and implementing change
    - Increase formalization and compliance
    - Post change review
    - Better alignment of IT infrastructure to business requirements
    - Efficient and prompt handling of all changes
    - Fewer changes to be backed out
    - Greater ability to handle a large volume of change
    - Increased user productivity

    Configuration Management

    Configuration management is the implementation of a configuration management database (CMDB) that contains details of the organization's elements that are used in the provision and management of its IT services. The main activities of configuration management are:

    - Planning: Planning and defining the scope, objectives, policy and process of the CMDB.
    - Identification: Selecting and identifying the configuration structures and items within the scope of your infrastructure.
    - Configuration control: Ensuring that only authorized and identifiable configuration items are accepted and recorded in the CMDB throughout its lifecycle.
    - Status accounting: Keeping track of the status of components throughout the entire lifecycle of configuration items.
    - Verification and audit: Auditing after the implementation of configuration management to verify that the correct information is recorded in the CMDB, followed by scheduled audits to ensure the CMDB is kept up-to-date.

    Configuration Management and Information Security

    Without the definition of all configuration items that are used to provide an organization's IT services, it can be very difficult to identify which items are used for which services. This could result in critical configuration items being stolen, moved or misplaced, affecting the availability of the services dependent on them. It could also result in unauthorized items being used in the provision of IT services.

    Benefits of Configuration Management

    - Reduced cost to implement, manage, and support the infrastructure
    - Decreased incident and problem resolution times
    - Improved management of software licensing and compliance
    - Consistent, automated processes for infrastructure mapping
    - Increased ability to identify and comply with architecture and standards requirements
    - Incident troubleshooting
    - Usage trending
    - Change evaluation
    - Financial chargeback and asset lifecycle management
    - Service Level Agreement (SLA) and software license negotiations

    Release Management

    Release Management is used for platform-independent and automated distribution of software and hardware, including license controls across the entire IT infrastructure. Proper software and hardware control ensures the availability of licensed, tested, and version-certified software and hardware, which will function correctly and respectively with the available hardware. Quality control during the development and implementation of new hardware and software is also the responsibility of Release Management. This guarantees that all software can be conceptually optimized to meet the demands of the business processes.

    Benefits of Release Management

    - Ability to plan resource requirements in advance
    - Provides a structured approach, leading to an efficient and effective process
    - Changes are bundled together in a release, minimizing the impact on the user
    - Helps to verify correct usability and functionality before release by testing
    - Control the distribution and installation of changes to IT systems
    - Design and implement procedures for the distribution and installation of changes to IT systems
    - Effectively communicate and manage expectations of the customer during the planning and rollout of releases

    The focus of release management is the protection of the live environment and its services through the use of formal procedures and checks.

    Release Categories

    A release consists of the new or changed software or hardware required to implement approved change.

    - Major software releases and hardware upgrades, normally containing large areas of new functionality, some of which may make intervening fixes to problems redundant. A major upgrade or release usually supersedes all preceding minor upgrades, releases and emergency fixes.
    - Minor software releases and hardware upgrades, normally containing small enhancements and fixes, some of which may have already been issued as emergency fixes. A minor upgrade or release usually supersedes all preceding emergency fixes.
    - Emergency software and hardware fixes, normally containing the corrections to a small number of known problems.

    Figure 5. Release management overview.

    Releases can be divided based on the release unit into:

    - Delta Release is a release of only that part of the software which has been changed. For example, security patches to plug bugs in a software.
    - Full Release means that the entire software program will be released again. For example, an entire version of an application.
    - Packaged Release is a combination of many changes: for example, an operating system image containing the applications as well.

    Service Delivery Overview

    Services delivery is the discipline that ensures IT infrastructure is provided at the right time in the right volume at the right price, and ensuring that IT is used in the most efficient manner. This involves analysis and decisions to balance capacity at a production or service point with demand from customers. It also covers the processes required for the planning and delivery of quality IT services and looks at the longer term processes associated with improving the quality of IT services delivered.

    - Service Level Management: Service level management (SLM) is responsible for negotiating and agreeing to service requirements and expected service characteristics with the customer.
    - Capacity Management: Capacity management is responsible for ensuring that IT processing and storage capacity provision match the evolving demands of the business in a cost effective and timely manner.
    - Availability Management: Availability management is responsible for optimizing availability.
    - Financial Management: The object of financial management for IT services is to provide cost effective stewardship of the IT assets and the financial resources used in providing IT services.
    - IT Service Continuity Management: Service continuity is responsible for ensuring that the available IT Service Continuity options are understood and the most appropriate solution is chosen in support of the business requirements.

    Service Level Management

    The object of service level management (SLM) is to maintain and gradually improve business aligned IT service quality through a constant cycle of agreeing, monitoring, reporting and reviewing IT service achievements and through instigating actions to eradicate unacceptable levels of service.

    SLM is responsible for ensuring that the service targets are documented and agreed in SLAs and monitors and reviews the actual service levels achieved against their SLA targets. SLM should also be trying to proactively improve all service levels within the imposed cost constraints. SLM is the process that manages and improves agreed level of service between the two parties, the provider and the receiver of a service.

    SLM is responsible for negotiating and agreeing to service requirements and expected service characteristics with the customer, measuring and reporting of service levels actually being achieved against target, resources required, cost of service provision. SLM is also responsible for continuously improving service levels in line with business processes, SIP, coordinating other Service Management and support functions, including third party suppliers, reviewing SLAs to meet changed business needs or resolving major service issues and producing, reviewing and maintaining the Service Catalogue.

    Benefits of Implementing Service Level Management

    - Implementing the service level management process enables both the customer and the IT services provider to have a clear understanding of the expected level of delivered services and their associated costs for the organization, by documenting these goals into formal agreements.
    - Service level management can be used as a basis for charging for services, and can demonstrate to customers the value they are receiving from the Service Desk.
    - It also assists the service desk with managing external supplier relationships, and introduces the possibility of negotiating improved services or reduced costs.

    Capacity Management

    Capacity management is responsible for ensuring that IT processing and storage capacity provisioning match the evolving demands of the business in a cost effective and timely manner. The process includes monitoring the performance and throughput of the IT services and supporting IT components, tuning activities to make efficient use of resources, understanding the current demands for IT resources and deriving forecasts for future requirements, influencing the demand for resource in conjunction with other Service Management processes, and producing a capacity plan predicting the IT resources needed to achieve agreed service levels.

    Capacity management has three main areas of responsibility. The first of these is BCM, which is responsible for ensuring that the future business requirements for IT services are considered, planned and implemented in a timely fashion. These requirements will come from business plans outlining new services, improvements and growth in existing services, development plans, etc. This requires knowledge of existing service levels and SLAs, future service levels and SLRs, Business and Capacity plans, modeling techniques (Analytical, Simulation, Trending and Baselining), and application sizing methods.

    The second main area of responsibility is SCM, which focuses on managing the performance of the IT services provided to the customers, and is responsible for monitoring and measuring services, as detailed in SLAs, and collecting, recording, analyzing and reporting on data. This requires knowledge of service levels and SLAs, systems, networks, service throughput and performance, monitoring, measurement, analysis, tuning and demand management.

    The third and final main area of responsibility is RCM, which focuses on management of the components of the IT infrastructure and ensuring that all finite resources within the IT infrastructure are monitored and measured, and collected data is recorded, analyzed and reported. This requires knowledge of the current technology and its utilization, future or alternative technologies, and the resilience of systems and services.

    Capacity Management Processes:

    - Performance monitoring
    - Workload monitoring
    - Application sizing
    - Resource forecasting
    - Demand forecasting
    - Modeling

    From these processes come the results of capacity management, these being the capacity plan itself, forecasts, tuning data and Service Level Management guidelines.

    Availability Management

    Availability management is concerned with design, implementation, measurement and management of IT services to ensure the stated business requirements for availability are consistently met. Availability management requires an understanding of the reasons why IT service failures occur and the time taken to resume this service. Incident management and problem management provide a key input to ensure the appropriate corrective actions are being implemented.

    - Availability Management is the ability of an IT component to perform at an agreed level over a period of time.
    - Reliability is the ability of an IT component to perform at an agreed level at described conditions.
    - Maintainability is the ability of an IT component to remain in, or be restored to, an operational state.
    - Serviceability is the ability for an external supplier to maintain the availability of a component or function under a third party contract.
    - Resilience is a measure of freedom from operational failure and a method of keeping services reliable. A popular method of resilience is redundancy.
    - Security refers to the confidentiality, integrity, and availability of the data associated with a service.

    Availability Management

    Security is an essential part of availability management, this being the primary focus of ensuring IT infrastructure continues to be available for the provision of IT services.

    Some of the elements mentioned earlier are the products of performing risk analysis to identify how reliable elements are and how many problems have been caused as a result of system failure.

    The risk analysis also recommends controls to improve availability of IT infrastructure such as development standards, testing, physical security and the right skills in the right place at the right time.


    Financial Management

    Financial management for IT services is an integral part of service management. It provides the essential management information to ensure that services are run efficiently, economically and cost effectively. An effective financial management system will assist in the management and reduction of overall long term costs, identify the actual cost of service provisioning, provide accurate and vital financial information to assist in decision making, identify the value of IT services, and enable the calculation of TCO and ROI.

    The practice of financial management enables the service manager to identify the amount being spent on security countermeasures in the provision of the IT services. The amount being spent on these countermeasures needs to be balanced with the risks and the potential losses that the service could incur as identified during a business impact assessment (BIA) and risk assessment. Management of these costs will ultimately reflect on the cost of providing the IT services, and potentially what is charged in the recovery of those costs.

    Service Continuity Management

    The object of service continuity management is to support the overall business continuity management process by ensuring that the required IT technical and services facilities can be recovered within required and agreed business time-scales.

    IT service continuity management is concerned with managing an organization's ability to continue to provide a pre-determined and agreed level of IT services to support the minimum business requirements, following an interruption to the business. This includes ensuring business survival by reducing the impact of a disaster or major failure, reducing the vulnerability and risk to the business by effective risk analysis and risk management, preventing the loss of customer and user confidence, and producing IT recovery plans that are integrated with and fully support the organization's overall business continuity plan.

    IT service continuity is responsible for ensuring that the available IT service continuity options are understood and the most appropriate solution is chosen in support of the business requirements. It is also responsible for identifying roles and responsibilities and making sure these are endorsed and communicated from a senior level to ensure respect and commitment for the process. Finally, IT service continuity is responsible for guaranteeing that the IT recovery plans and the business continuity plans are aligned, and are regularly reviewed, revised and tested.

    The Security Management Process

    Security management provides a framework to capture the occurrence of security-related incidents and limit the impact of security breaches. The activities within the security management process must be revised continuously, in order to stay up-to-date and effective. Security management is a continuous process and it can be compared to Deming's Quality Circle (Plan, Do, Check and Act).

    The security management framework defines the sub-processes for the development of security plans, the implementation of the security plans, the evaluation and how the results of the evaluations are translated into action plans.

    Plan

    The plan sub-process contains activities that in cooperation with the service level management lead to the information security section in the SLA. The plan sub-process contains activities that are related to the underpinning contracts which are specific for information security.

    In the plan sub-process, the goals formulated in the SLA are specified in the form of operational level agreements (OLAs). These OLAs can be defined as security plans for a specific internal organization entity of the service provider.

    Besides the input of the SLA, the plan sub-process also works with the policy statements of the service provider itself. As said earlier, these policy statements are defined in the control sub-process.

    The operational level agreements for information security are set up and implemented based on the ITIL process. This means that there has to be cooperation with other ITIL processes. For example, if the security management wishes to change the IT infrastructure in order to achieve maximum security, these changes will only be done through the change management process. The security management will deliver the input (request for change) for this change. The change manager is responsible for the change management process itself.

    Implementation

    The implementation sub-process makes sure that all measures, as specified in the plans, are properly implemented. In the implementation sub-process no (new) measures are defined or changed. The definition or change of measures takes place in the plan sub-process in cooperation with the change management process.

    Evaluation

    The evaluation of the implementation and the plans is very important. The evaluation is necessary to measure the success of the implementation and the security plans. The evaluation is also very important for the clients and possibly third parties. The results of the evaluation sub-process are used to maintain the agreed measures and the implementation itself. Evaluation results can lead to new requirements and so lead to a request for change. The request for change is then defined and it is then sent to the change management process.

    Maintenance

    It is necessary for the security to be maintained. Because of changes in the IT infrastructure and changes in the organization itself, security risks are bound to change over time. The maintenance of the security concerns both the maintenance of the security section of the service level agreements and the more detailed security plans.

    The maintenance is based on the results of the evaluation sub-process and insight in the changing risks. These activities will only produce proposals. The proposals serve as inputs for the plan sub-process and will go through the whole cycle, or the proposals can be taken in the maintenance of the service level agreements. In both cases the proposals could lead to activities in the action plan. The actual changes will be carried by the change management process.

    The maintenance sub-process starts with the maintenance of the service level agreements and the maintenance of the operational level agreements. After these activities take place in no particular order and there is a request for a change, the request for change activity will take place and after the request for change activity is concluded the reporting activity starts. If there is no request for a change then the reporting activity will start directly after the first two activities.