Creating a Partnership through ITIL and Security Management
By Yves St-Arnaud
Since the dawn of civilization, humankind has existed within "family" units, and those units have always felt vulnerable to external -- even internal -- threats. It is human nature to protect what we value and, above all, we value our survival. Those inside the perimeter have sought to protect themselves, and their dependants, from forces attempting to change the established order, by whatever means. They have, in fact, sought security.
In this "Information Age", the most important, most valuable and most vulnerable asset of any organization, and the focus of IT Security Management (ITSecM), is the security of not only the data but also the primary vehicles for managing that information: the IT systems.
Security Management in all organizations is improved by capitalizing on current knowledge of IT Service Management and the ITIL process-based framework.
From an ITIL perspective, Security Management is not about the technical aspects of securing information and infrastructure components. It is about the management processes required to make security an integral part of the services provided to the organization's customers and end-users, and to minimize risk.
The value of protecting information is calculated by its need for confidentiality, integrity and availability. Confidentiality and integrity are derived from privacy (requirements for a particular person), anonymity (concealing the user's identity) and verifiability.
Security Management concentrates on a number of primary activities, which must be reviewed as part of the organization's Continuous Service Improvement Program (CSIP). They include, at a high level, the following:
The Service Level Agreement (SLA) is the vehicle to manage information security. Make sure there is a section that contains specific documentation on the management and responsibilities of the customer's security requirements.
It should be noted that some organizations, and the laws of some countries, place a personal responsibility on managers for safeguarding the information they manage. It is their duty to ensure that proper procedures are in place to protect the information they administer and to identify the level of security required.
Corporate policies on how to deal with security of information must also be communicated. More importantly, policies need to be understood by everyone within the organization. This is where the ITIL framework can help achieve a superior level of security management - by defining security measures and policies and by ensuring they are communicated, adhered to and managed for the overall benefit of the organization.