If anything shouldn’t be taken for granted… it’s Information Security Management

It was one of our usual off-the-record discussions when we spoke with a customer network admin and asked about the regular password change set up on the system. The answer included words like “my opinion,” “my experience,” … but not a single word about policy. “Which policy?” we were asked. Oh, something is obviously wrong.

So, we started from the beginning. Information Security Management is one of the cornerstones of IT Service Management and a critical part of the warranty of a service. The goal of the Information Security Management process is to provide guidance or direction for security activities and to ensure that security goals are achieved. What does that mean?
- Guidance for security activities – This means that other processes and functions get clear instructions and guidelines on how to approach security issues. Take, for example, the daily activities of the IT Operations or Access Management functions regarding the BYOD (Bring Your Own Device) concept. BYOD is in place, but there is a security policy that defines who can use it, which network resources can be accessed by which users, and which authentication method is in place.
- Security goals – If your firm has ISO 20000 in place, then you will regularly have to check whether security measures are in place. If not, it’s not a bad idea to establish an internal audit to check that all involved parties (e.g., IT Operations, development, users, management, etc.) comply with the security regulations in place. An ideal case would be to have an (unbiased) external auditor.
Process and Concept
The Information Security Management process is the central point for all security issues inside the organization. Its task is to produce the information security policy. Such a policy should cover all issues regarding the use of IT services and the respective systems. Since today’s IT environment covers many services and technological solutions, it’s unrealistic to expect that one document, i.e., one policy, will cover all necessary issues. Therefore, the information security policy could be a root document comprising specific documents that regulate particular areas. For example, each of the following areas can have a stand-alone policy: passwords, access to IT systems, BYOD, backup, clean desk, or suppliers.
If you don’t have any information security process in place, ITIL or ISO 20000 gives good guidance. But the most popular and most widely used standard for information security is ISO 27001, and it can be used to cover information security for all your IT Service Management (ITSM) issues, even if you already have an Information Security process in place.
ITIL describes the objectives of Information Security Management as follows:
- Confidentiality – security objectives are met if information is observed by or disclosed to only those who have a right to know.
- Integrity – security objectives are met when information is complete, accurate, and protected against unauthorized modification.
- Availability – there are two levels for security objectives to be met: information is available and usable when needed, and the systems that provide that information can resist attacks and recover from failures.
Intellisoft - IT service lifecycle and information security
Information security is not a stand-alone process. On the contrary, it interfaces with many other ITSM processes (which is logical, since information security is one of the four parameters that describe service warranty). At Intellisoft, we provide the following information security services:
| Process / Function | Relation |
| --- | --- |
| Incident / Problem Management | Intellisoft can help to set up the handling and resolution of security incidents by the Incident Management or Problem Management process. |
| Service Desk, IT Operations | Intellisoft can help to set up these two functions, which are in regular contact with information security issues. Once the Service Desk is established, it will be the point of contact for security incidents, while IT Operations will fulfill security requirements (e.g., assign a password to a new user by following the rules defined in the password policy). |
| Access Management | Intellisoft can help to set up this process, which applies the security policy that defines the rules for accessing information. |
| IT Service Continuity Management | Intellisoft can help to set up IT Service Continuity. Information security is one of the most critical parameters to be considered here, since it manages all security issues regarding information, IT systems, third parties, customers, and the organization’s own people. |
| Change Management | Many changes take place due to information security breaches (e.g., introducing identity management on an existing network topology due to a lack of user control). Intellisoft can help to set up Change Management from an information security point of view. |
| Supplier Management | Very often, third parties are part of the ITSM team. Intellisoft can evaluate their involvement from an information security point of view and suggest a regulation to be imposed (since suppliers access companies’ IT systems and information). |
| Availability Management | Availability is one of the objectives of information security management, and together with the integrity of the information it directly impacts the availability of the service. Intellisoft can assess data availability and lack of integrity. |