ITIL security management describes the structured fitting of security into an organization. ITIL security management is based on the ISO 27001 standard. "ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for profit organizations).[1] ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties."
A basic concept of security management is information security. The primary goal of information security is to control access to information. The value of the information is what must be protected. These values include confidentiality, integrity and availability. Inferred aspects are privacy, anonymity and verifiability.
The goal of security management comes in two parts:
Security requirements defined in service level agreements (SLA) and other external requirements that are specified in underpinning contracts, legislation and possible internal or external imposed policies.
Basic security that guarantees management continuity. This is necessary to achieve simplified service-level management for information security.
SLAs define security requirements, along with legislation (if applicable) and other contracts. These requirements can act as key performance indicators (KPIs) that can be used for process management and for interpreting the results of the security management process.
The inputs are requirements from clients. The requirements are translated into security services and security metrics. Both the client and the plan sub-process affect the SLA. The SLA is an input for both the client and the process. The provider develops security plans for the organization. These plans contain policies and operational level agreements. The security plans (Plan) are then implemented (Do) and the implementation is then evaluated (Check). After the evaluation, the plans and the plan implementation are maintained (Act).
The activities, results/products and the process are documented. External reports are written and sent to the clients. The clients are then able to adapt their requirements based on the information received through the reports. Furthermore, the service provider can adjust their plan or the implementation based on their findings in order to satisfy all the requirements stated in the SLA (including new requirements).
Control
The first activity in the security management process is the “Control” sub-process. The Control sub-process organizes and manages the security management process. The Control sub-process defines the processes, the allocation of responsibility for the policy statements and the management framework.
The security management framework defines the sub-processes for development, implementation and evaluations into action plans. Furthermore, the management framework defines how results should be reported to clients.
Table 2.1.2: Concept and definition control sub-process Security management
Activities
Sub-Activities
Descriptions
Control
Implement policies
This process outlines the specific requirements and rules that have to be met in order to implement security management. The process ends with policy statement.
Set up the security organization
This process sets up the organizations for information security. For example, in this process the structure the responsibilities are set up. This process ends with security management framework.
Reporting
In this process the whole targeting process is documented in a specific way. This process ends with reports.
The meta-process model of the control sub-process is based on a UMLactivity diagram and gives an overview of the activities of the Control sub-process. The grey rectangle represents the control sub-process and the smaller beam shapes inside it represent activities that take place inside it.
Concept
Description
Control documents
Control is a description of how security management is organized and how it is managed.
Policy statements
Policy statements outline specific requirements or rules that must be met. In the information security realm, policies are usually point-specific, covering a single area. For example, "acceptable use" policies cover the rules and regulations for appropriate use of the computing facilities.
Security management framework
Security management framework is an established management framework to initiate and control the implementation of information security within an organization and to manage ongoing information security provision.
The meta-data model of the control sub-process is based on a UML class diagram. Figure 2.1.2 shows the metamodel of the control sub-process.
Figure 2.1.2: Meta-process model control sub-process
The CONTROL rectangle with a white shadow is an open complex concept. This means that the Control rectangle consists of a collection of (sub) concepts.
Figure 2.1.3 is the process data model of the control sub-process. It shows the integration of the two models. The dotted arrows indicate the concepts that are created or adjusted in the corresponding activities.
Figure 2.1.3: Process-data model control sub-process
Plan
The Plan sub-process contains activities that in cooperation with service level management lead to the (information) Security section in the SLA. Furthermore, the Plan sub-process contains activities that are related to the underpinning contracts which are specific for (information) security.
In the Plan sub-process the goals formulated in the SLA are specified in the form of operational level agreements (OLA). These OLA's can be defined as security plans for a specific internal organization entity of the service provider.
Besides the input of the SLA, the Plan sub-process also works with the policy statements of the service provider itself. As said earlier these policy statements are defined in the control sub-process.
The operational level agreements for information security are set up and implemented based on the ITIL process. This requires cooperation with other ITIL processes. For example, if security management wishes to change the IT infrastructure in order to enhance security, these changes will be done through the change management process. Security management delivers the input (Request for change) for this change. The Change Manager is responsible for the change management process.
Table 2.2.1: (Sub) activities and descriptions Plan sub-process ITIL Security Management
Activities
Sub-activities
Descriptions
Plan
Create Security section for SLA
This process contains activities that lead to the security agreements paragraph in the service level agreements. At the end of this process the Security section of the service level agreement is created.
Create underpinning contracts
This process contains activities that lead to underpinning contracts. These contracts are specific for security.
Create operational level agreements
The general formulated goals in the SLA are specified in operational level agreements. These agreements can be seen as security plans for specific organization units.
Reporting
In this process the whole Create plan process is documented in a specific way. This process ends with reports.
Plan consists of a combination of unordered and ordered (sub) activities. The sub-process contains three complex activities that are all closed activities and one standard activity.
Table 2.2.2: Concept and definition Plan sub-process security management
Concept
Description
Plan
Formulated schemes for the security agreements.
Security section of the security level agreements
The security agreements paragraph in the written agreements between a service provider and the customer(s) that documents agreed service levels for a service.
Underpinning contracts
A contract with an external supplier covering delivery of services that support the IT organisation in their delivery of services.
Operational level agreements
An internal agreement covering the delivery of services which support the IT organization in their delivery of services.
Just as the Control sub-process the Plan sub-process is modeled using the meta-modeling technique. The left side of figure 2.2.1 is the meta-data model of the Plan sub-process.
The Plan rectangle is an open (complex) concept which has an aggregation type of relationship with two closed (complex) concepts and one standard concept. The two closed concepts are not expanded in this particular context.
The following picture (figure 2.2.1) is the process-data diagram of the Plan sub-process. This picture shows the integration of the two models. The dotted arrows indicate which concepts are created or adjusted in the corresponding activities of the Plan sub-process.
Figure 2.2.1: Process-data model Plan sub-process
Implementation
The Implementation sub-process makes sure that all measures, as specified in the plans, are properly implemented. During the Implementation sub-process no measures are defined nor changed. The definition or change of measures takes place in the Plan sub-process in cooperation with the Change Management Process.
Process of formally grouping configuration items by type, e.g., software, hardware, documentation, environment and application.
Process of formally identifying changes by type e.g., project scope change request, validation change request, infrastructure change request this process leads to asset classification and control documents.
Implement personnel security
Measures are adopted to give personnel safety and confidence and measures to prevent a crime/fraud. The process ends with personnel security.
Implement security management
Specific security requirements and/or security rules that must be met are outlined and documented. The process ends with security policies.
Implement access control
Specific access security requirements and/or access security rules that must be met are outlined and documented. The process ends with access control.
Reporting
The whole implement as planned process is documented in a specific way. This process ends with reports.
The left side of figure 2.3.1 is the meta-process model of the Implementation phase. The four labels with a black shadow mean that these activities are closed concepts and they are not expanded in this context. No arrows connect these four activities, meaning that these activities are unordered and the reporting will be carried out after the completion of all four activities.
During the implementation phase concepts are created and /or adjusted.
Table 2.3.2: Concept and definition Implementation sub-process Security management
Concept
Description
Implementation
Accomplished security management according to the security management plan.
Asset classification and control documents
A comprehensive inventory of assets with responsibility assigned to ensure that effective security protection is maintained.
Personnel security
Well defined job descriptions for all staff outlining security roles and responsibilities.
Security policies
Documents that outline specific security requirements or security rules that must be met.
Access control
Network management to ensure that only those with the appropriate responsibility have access to information in the networks and the protection of the supporting infrastructure.
The concepts created and/or adjusted are modeled using the meta-modeling technique. The right side of figure 2.3.1 is the meta-data model of the implementation sub-process.
Implementation documents are an open concept and is expanded upon in this context. It consists of four closed concepts that are not expanded because they are irrelevant in this particular context.
In order to make the relations between the two models clearer the integration of the two models is illustrated in Figure 2.3.1. The dotted arrows running from the activities to the concepts illustrate which concepts are created/ adjusted in the corresponding activities.
Figure 2.3.1: Process-data model Implementation sub-process
Evaluation
Evaluation is necessary to measure the success of the implementation and security plans. The evaluation is important for clients (and possibly third parties). The results of the Evaluation sub-process are used to maintain the agreed measures and the implementation. Evaluation results can lead to new requirements and a corresponding Request for Change. The request for change is then defined and sent to Change Management.
The three sorts of evaluation are self-assessment, internal audit and external audit.
The self-assessment is mainly carried out in the organization of the processes. Internal audits are carried out by internal IT-auditors. External audits are carried out by external, independent IT-auditors. Besides those already mentioned, an evaluation based on communicated security incidents occurs. The most important activities for this evaluation are the security monitoring of IT-systems; verify the security legislation and security plan implementation; trace and react to undesirable use of IT-supplies.
Examine implemented security agreements. The result of this process is self-assessment documents.
Internal Audit
Examine implemented security agreements by an internal EDP auditor. The result of this process is internal audit.
External audit
Examine implemented security agreements by an external EDP auditor. The result of this process is external audit.
Evaluation based on security incidents
Examine implemented security agreements based on security events that are not part of the standard operation of a service and which cause, or may cause, an interruption to, or a reduction in, the quality of that service. The result of this process is security incidents.
Reporting
Document the Evaluate implementation process in a specific way. This process ends with reports.
Figure 2.4.1: Process-data model Evaluation sub-process
The process-data diagram illustrated in the figure 2.4.1 consists of a meta-process model and a meta-data model. The Evaluation sub-process was modeled using the meta-modeling technique. The dotted arrows running from the meta-process diagram (left) to the meta-data diagram (right) indicate which concepts are created/ adjusted in the corresponding activities. All of the activities in the evaluation phase are standard activities. For a short description of the Evaluation phase concepts see Table 2.4.2 where the concepts are listed and defined.
Concept
Description
EVALUATION
Evaluated/checked implementation.
RESULTS
The outcome of the evaluated implementation.
SELF ASSESSMENT DOCUMENTS
Result of the examination of the security management by the organization of the process itself.
INTERNAL AUDIT
Result of the examination of the security management by the internal EDP auditor.
EXTERNAL AUDIT
Result of the examination of the security management by the external EDP auditor.
SECURITY INCIDENTS DOCUMENTS
Results of evaluating security events which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service.
Table 2.4.2: Concept and definition evaluation sub-process Security management
Maintenance
Because of organizational and IT-infrastructure changes, security risks change over time, requiring revisions to the security section of service level agreements and security plans.
Maintenance is based on the results of the Evaluation sub-process and insight in the changing risks. These activities will produce proposals. The proposals either serve as inputs for the plan sub-process and travel through the cycle or can be adopted as part of maintaining service level agreements. In both cases the proposals could lead to activities in the action plan. The actual changes are made by the Change Management process.
This keeps the service level agreements in proper condition. The process ends with maintained service level agreements.
Maintenance of operational level agreements
This keeps the operational level agreements in proper condition. The process ends with maintained operational level agreements.
Request for change to SLA and/or OLA
Request for a change to the SLA and/or OLA is formulated. This process ends with a request for change.
Reporting
The implemented security policies process is documented in a specific way. This process ends with reports.
Figure 2.5.1 is the process-data diagram of the implementation sub-process. This picture shows the integration of the meta-process model (left) and the meta-data model (right). The dotted arrows indicate which concepts are created or adjusted in the activities of the implementation phase.
Figure 2.5.1: Process-data model Maintenance sub-process
The maintenance sub-process starts with the maintenance of the service level agreements and the maintenance of the operational level agreements. After these activities take place (in no particular order) and there is a request for a change the request for change activity will take place and after the request for change activity is concluded the reporting activity starts. If there is no request for a change then the reporting activity will start directly after the first two activities. The concepts in the meta-data model are created/ adjusted during the maintenance phase. For a list of the concepts and their definition take a look at table 2.5.2.
Table 2.5.2: Concept and definition Plan sub-process Security management
Concept
Description
MAINTENANCE DOCUMENTS
Agreements kept in proper condition.
MAINTAINED SERVICE LEVEL AGREEMENTS
Service Level Agreements(security paragraph) kept in proper condition.
MAINTAINED OPERATIONAL LEVEL AGREEMENTS
Operational Level Agreements kept in proper condition.
REQUEST FOR CHANGE
Form, or screen, used to record details of a request for a change to the SLA/OLA.
Table 2.5.2: Concept and definition Plan sub-process Security management
Complete process-data model
Figure 2.6.1: Complete process-data model Security Management process
Relations with other ITIL processes
The Security Management Process, as stated in the introduction, has relations with almost all other ITIL-processes. These processes are:
Within these processes activities concerning security are required. The concerning process and its process manager are responsible for these activities. However, Security Management gives indications to the concerning process on how to structure these activities.
Example: internal e-mail policies
Internal e-mail is subject to multiple security risks, requiring corresponding security plan and policies. In this example the ITIL security Management approach is used to implement e-mail policies.
The Security management team is formed and process guidelines are formulated and communicated to all employees and providers. These actions are carried out in the Control phase.
In the subsequent Planning phase, policies are formulated. Policies specific to e-mail security are formulated and added to service level agreements. At the end of this phase the entire plan is ready to be implemented.
Implementation is done according to the plan.
After implementation the policies are evaluated, either as self-assessments, or via internal or external auditors.
In the maintenance phase the e-policies are adjusted based on the evaluation. Needed changes are processed via Requests for Change.
Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorized/inappropriate access to data, or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. Protected information may take any form, e.g. electronic or physical, tangible or intangible. Information security's primary focus is the balanced protection of the data confidentiality, data integrity, and data availability of data while maintaining a focus on efficient policy implementation, all without hampering organization productivity. This is largely achieved through a structured risk management process that involves:
Configuration management (CM) is a process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. The CM process is widely used by military engineering organizations to manage changes throughout the system lifecycle of complex systems, such as weapon systems, military vehicles, and information systems. Outside the military, the CM process is also used with IT service management as defined by ITIL, and with other domain models in the civil engineering and other industrial engineering segments such as roads, bridges, canals, dams, and buildings.
In systems engineering, information systems and software engineering, the systems development life cycle (SDLC), also referred to as the application development life cycle, is a process for planning, creating, testing, and deploying an information system. The SDLC concept applies to a range of hardware and software configurations, as a system can be composed of hardware only, software only, or a combination of both. There are usually six stages in this cycle: requirement analysis, design, development and testing, implementation, documentation, and evaluation.
The Information Services Procurement Library (ISPL) is a best practice library for the management of Information Technology related acquisition processes. It helps both the customer and supplier organization to achieve the desired quality using the corresponded amount of time and money by providing methods and best practices for risk management, contract management, and planning. ISPL focuses on the relationship between the customer and supplier organization: It helps constructing the request for proposal, it helps constructing the contract and delivery plan according to the project situation and risks, and it helps monitoring the delivery phase. ISPL is a unique Information Technology method because where most other Information Technology methods and frameworks focus on development, ISPL focuses purely on the procurement of information services. The target audience for ISPL consists of procurement managers, acquisition managers, programme managers, contract managers, facilities managers, service level managers, and project managers in the IT area. Because of ISPL's focus on procurement it is very suitable to be used with ITIL and PRINCE2.
COBIT is a framework created by ISACA for information technology (IT) management and IT governance.
Microsoft Operations Framework (MOF) 4.0 is a series of guides aimed at helping information technology (IT) professionals establish and implement reliable, cost-effective services.
ISO/IEC 20000 is the international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1/SC7 and revised in 2011 and 2018. It was originally based on the earlier BS 15000 that was developed by BSI Group.
IT security standards or cyber security standards are techniques generally outlined in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks.
The implementation maturity model (IMM) is an instrument to help an organization in assessing and determining the degree of maturity of its implementation processes.
Parallel adoption is a method for transferring between a previous (IT) system to a target (IT) system in an organization. In order to reduce risk, the old and new system run simultaneously for some period of time after which, if the criteria for the new system are met, the old system is disabled. The process requires careful planning and control and a significant investment in labor hours.
The change request management process in systems engineering is the process of requesting, determining attainability, planning, implementing, and evaluating of changes to a system. Its main goals are to support the processing and traceability of changes to an interconnected set of factors.
Financial Management for IT Services is a Service Strategy element of the ITIL best practice framework. The aim of this ITIL process area is to give accurate and cost effective stewardship of IT assets and resources used in providing IT Services. It is used to plan, control and recover costs expended in providing the IT Services negotiated and agreed to in a service-level agreement (SLA).
Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.
Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.
The ISO/IEC 27000-series comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
A process-data diagram (PDD), also known as process-deliverable diagram is a diagram that describes processes and data that act as output of these processes. On the left side the meta-process model can be viewed and on the right side the meta-data model can be viewed.
Security level management (SLM) comprises a quality assurance system for electronic information security.
The IT baseline protection approach from the German Federal Office for Information Security (BSI) is a methodology to identify and implement computer security measures in an organization. The aim is the achievement of an adequate and appropriate level of security for IT systems. To reach this goal the BSI recommends "well-proven technical, organizational, personnel, and infrastructural safeguards". Organizations and federal agencies show their systematic approach to secure their IT systems by obtaining an ISO/IEC 27001 Certificate on the basis of IT-Grundschutz.
IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:
The Open Group Information Security Management Maturity Model (O-ISM3) is a maturity model for managing information security. It aims to ensure that security processes in any organization are implemented so as to operate at a level consistent with that organization’s business requirements. O-ISM3 defines a comprehensive but manageable number of information security processes sufficient for the needs of most organizations, with the relevant security control(s) being identified within each process as an essential subset of that process.
Tse, D. (2005). Security in Modern Business: security assessment model for information security Practices. Hong Kong: University of Hong Kong.
This page is based on this Wikipedia article Text is available under the CC BY-SA 4.0 license; additional terms may apply. Images, videos and audio are available under their respective licenses.
