RGS Consulting International Inc.

Standards-Based Service and Security Management

Doing it Right The First Time

Upload: alvin-hawkins

Posted on 16-Dec-2015

Category: Documents

TRANSCRIPT

Page 1

RGS Consulting International Inc.

Standards-Based Service and Security Management

Doing it Right The First Time

Page 2

Agenda

• Introduction to ITIL Service Management

• Industry pressures that demand standards-based Security Management

• Changing the way we do things in IT

• Internationally accepted Security Management practices

• A sensible approach to implementing Security Management

Page 3

IT Infrastructure Library (ITIL): IT Service Management

• Service Support - Help Desk; Problem Management; Change Management; Configuration Management; Software Control & Distribution

• Service Delivery - Service Level Management; Capacity Management; Availability Management; Costing for IT Services; Contingency Planning

• Operations - Operations Management; Unattended Operations

• Application Management - S/W Lifecycle Support; Release Management; Testing IT Services for Operational Use

• Line Management - Customer Liaison; IT Services Organization; Planning & Control for IT Services

• Office Environment; Environmental Management

• Security Management; Business Continuity; Network Services Management; Business & Management Skills; Case Studies, etc.

Page 4

ITIL Publication Framework

Page 5

Is ITIL the Best Approach for every area of IT?

• ITIL is not a methodology; rather, it is a guiding framework

• ITIL represents a set of proven international Best Practices

• Organizations need to tailor ITIL to their needs (a staged approach)

Page 6

Benefits of an ITIL Implementation

• Improved level of service, in line with market costs
  – Business defined service levels
  – Guaranteed levels of service

• Reduced time to implement new IT
  – Improved customer satisfaction leading to reduced customer turnover

• Increased availability of IT to the business

• Improved employee commitment

• Compliance with new corporate reporting requirements

Page 7

ITIL Process Model

(Diagram. Boxes shown: User Population; Customers; Service Support: Service Desk / Help Desk, Incident Control, Configuration & Asset Management, Release Management, Problem Management, Change Management, RFC; Service Delivery: SLM, Financial Management & Costing, Availability Management, Performance & Capacity Management, Business Continuity Planning, Contingency Plans, High Availability Planning; Network & Operations Management; Application Management; Security Management.)

. . . every aspect of IT Service Management has Security Management Considerations!

Page 8

“Availability is at the Core of User Satisfaction”

Source: ITIL Service Delivery, Best Practice, 2002

Page 9

ITIL Security Management

Goals:

1. To meet the external security requirements
   • From SLAs, contracts, legislation and imposed security policies

2. To meet the internal security requirements
   • Information Security Policy
   • Risk Analysis
   • Planning
   • Operational Measures
   • Evaluation and Audit
   • Business Continuity Planning

Page 10

ITIL Security Management Measures

Customer - defines business requirements based on business needs

SLA/Security Section - agreed between customer and provider

PLAN: Service Level Agreement; Underpinning Contracts; Operational Level Agreements; Policy Statements

IMPLEMENT: Create Awareness; Classification and Registration; Personnel Security; Physical Security; Security Management Technologies; Control & Management of Access Rights; Security Incident Handling & Registration

EVALUATE: Internal Audits; External Audits; Self Assessments; Security Incidents

MAINTAIN: Learn; Improve; Plan Next Implementation

CONTROL: Get Organized; Establish Management Framework; Allocate Responsibilities

REPORT: SLA conformance

Page 11

ITIL Process Model

(Diagram repeated from Page 7, with Security Management highlighted among the Service Support and Service Delivery processes.)

Page 12

The TRUTH about Security Management and Privacy

FACT:

• You can have SECURITY without PRIVACY

BUT

• You CANNOT have PRIVACY without SECURITY

THEREFORE . . .

Organizations that practice good Security Management MUST have both SECURITY and PRIVACY!

Page 13

Internationally Accepted Best Practices: Security & Privacy Management

Security & Accounting Management Focus:

GENERAL

• CobIT (Control Objectives for Information and related Technology)

• GASSP (Generally Accepted System Security Principles)

• CASPR (Commonly Accepted Security Practices & Recommendations)

USA

• Sarbanes-Oxley Act (US Congress, July 2002)

• HIPAA (Health Insurance Portability and Accountability Act, Aug 1996) - Security & Privacy of Protected Health Information (PHI)

In many instances, best practices are overridden by laws and regulations.

Page 14

Internationally Accepted Best Practices: Security & Privacy Management

CobiT (Control Objectives for Information and Related Technology)

1. The main theme is business orientation.

   – Provides comprehensive guidance for management and business process owners

   – Firmly based in business objectives.

2. CobiT is designed to help three distinct audiences:

   – Management, who need to balance risk and control investment in an often unpredictable IT environment.

   – Users, who need to obtain assurance on the security and controls of the IT services upon which they depend to deliver their products and services to internal and external customers.

   – Auditors, who can use it to substantiate their opinions and/or provide advice to management on internal controls.

Page 15

Internationally Accepted Best Practices: Security & Privacy Management

GASSP (Generally Accepted System Security Principles)

Pervasive Principles: Accountability; Awareness; Ethics; Multidisciplinary; Proportionality; Integration; Timeliness; Assessment; Equity

Broad Functional Principles: Information Security Policy; Education and Awareness; Accountability; Information Management; Environmental Management; Personnel Qualifications; System Integrity; Information Systems Life Cycle; Access Control; Operational Continuity and Contingency Planning; Information Risk Management; Network and Infrastructure Security; Legal, Regulatory, and Contractual Requirements of Information Security; Ethical Practices

Page 16

Internationally Accepted Best Practices: Security & Privacy Management

CASPR (Commonly Accepted Security Practices & Recommendations)

• The goal of the CASPR Project is to distil the knowledge of the world’s Information Security experts into a series of papers that are freely available on the Internet to everyone. Using the Open Source movement as a guide, the papers will be developed and released under the GNU Free Documentation License to make sure that they and any derivatives remain freely available.

• Membership of the CASPR Project is open to all Certified Information Systems Security Professionals (CISSPs) worldwide who have a valid contribution to make to the body of knowledge.

Page 17

Internationally Accepted Best Practices: Security & Privacy Management

Sarbanes-Oxley Act: WHY?

In the wake of recent corporate scandals, the U.S. Congress passed the Sarbanes-Oxley Act in July 2002 to re-establish corporate accountability and reinforce investor confidence.

Sarbanes-Oxley is a far-reaching piece of legislation that covers all companies publicly traded on the U.S. stock exchanges.

Although the act has many facets, including criminal penalties for corporate officers, the following three sections impose the most significant compliance and governance challenges for business and IT executives:

Page 18

Internationally Accepted Best Practices: Security & Privacy Management

Sarbanes-Oxley Act: WHAT

Section 302:

• Certification of financial reports by CEOs and CFOs personally (a MUST).
  – Build CEO and CFO confidence in the accuracy of information by providing real-time views into IT performance.

Section 404:

• Disclosure of internal controls and processes for financial reporting:
  – Auditors MUST verify adequacy
  – Company MUST establish IT processes based on best practices (COBIT, ITIL, ISO-17799, Six Sigma)

Section 409:

• Aggressive deadlines for financial reporting (real-time reporting of material financial events).
  – Company MUST meet Service Level Agreements (SLAs) for business critical systems.
  – Company MUST achieve visibility into IT cost overruns and business impact of IT systems.

Page 19

Internationally Accepted Best Practices: Security & Privacy Management

HIPAA (Health Insurance Portability and Accountability Act, Aug 1996) - Security & Privacy of Protected Health Information (PHI)

Basic HIPAA Rules:

• Guarantee health insurance coverage of employees.

• Reduce health care fraud and abuse.

• Introduce/implement administrative simplifications.

• Protect the health information of individuals against access without consent or authorization.

Privacy and Security Concepts of HIPAA: Confidentiality; Integrity; Availability

Page 20

Internationally Accepted Best Practices: Security & Privacy Management

Privacy Management Focus:

CANADA

• PIPEDA (Personal Information Privacy Electronic Documents Act; known as PIPA, the Personal Information Privacy Act, in both BC and Alberta)

USA

• Gramm-Leach-Bliley Act (US Congress, 1999)

• SB 1386 (State of California, July 2003)

In many instances, best practices are overridden by laws and regulations.

Page 21

Internationally Accepted Best Practices: Security & Privacy Management

PIPEDA (Personal Information Privacy Electronic Documents Act)

The TEN basic principles of PIPEDA and similar Provincial Acts:

1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

Page 22

Internationally Accepted Best Practices: Security & Privacy Management

Gramm-Leach-Bliley Act (US Congress, 1999) - Privacy of Consumer Financial Information

Financial institutions have restrictions on when they may disclose a consumer's personal financial information to non-affiliated third parties.

Financial institutions are required to provide notices to their customers about their information-collection and information-sharing practices.

Consumers may decide to "opt out" if they do not want their information shared with non-affiliated third parties.

The GLB Act provides specific exceptions under which a financial institution may share customer information with a third party and the consumer may not opt out.

All financial institutions are required to provide consumers with a notice and opt-out opportunity before they may disclose information to non-affiliated third parties outside of what is permitted under the exceptions.

Page 23

Internationally Accepted Best Practices: Security & Privacy Management

SB 1386 (State of California, July 2003) - Personal Information: Privacy

Covered parties must disclose any breach of the security of personal data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The law applies to state agencies, or a person or business that conducts business in California, that owns or licenses computerized data containing personal information.

The bill requires an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data.

The essence of this legislation is that, regardless of the jurisdiction of the agency, person or business, if you have a client in California, the law applies to you.

Page 24

A sensible approach to implementing Security & Privacy Management

1. Make Security & Privacy Management integral to the governance of the organization:

   – Create and publish a comprehensive Information Security & Privacy POLICY

   – Adopt relevant best practices as part of normal business processes

   – Invest in, and support, Security & Privacy Management personnel skills and training

   – Make Security & Privacy Management part of the job descriptions of the functionaries

   – Hold Security & Privacy Management personnel accountable with regular reviews and re-enforcement

Page 25

A sensible approach to implementing Security & Privacy Management (cont’d)

2. Be aware of, and adhere to, the relevant rules and regulations pertaining to the organization:

   – Appoint an internal Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO) and give them the necessary authority and responsibility

   – Maintain appropriate documentation and reading matter

   – Publish periodic updates to inform personnel and to make everyone part of the solution

3. LEAD by example.

4. Treat Security & Privacy Management like an investment in the future, NOT an overhead item.

Page 26

Project Management

• IT managers are always juggling more priorities than budgets and resources allow

• Involving Service and Security Management early in the development process will prevent many challenges later

• Implementation of standardized Security and Privacy Management practices requires strong project management and leadership.

• Experienced and knowledgeable resources will ensure your success.

Page 27

Summary

• Implementation of Standards-based Service, Security and Privacy Management processes affords the organization many benefits that result in increased availability and improved reliability for the business

• Project Management and Change Management practices should be strengthened in parallel

• Standards-based Service, Security and Privacy Management is good for business!

Page 28

Thank you for your attention!

QUESTIONS?

For additional information or assistance with these vital issues, please feel free to contact either:

Rob Shirra, RGS Consulting International Inc., E-Mail: [email protected], 604-341-1692

or

John Glover, E-Mail: [email protected] or 250-888-6564