How ITIL Can Improve Information SecurityITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and operational levels.
There are a number of important ways that ITIL can improve how organizations implement and manage information security.
Ten ways ITIL can improve information security
- ITIL keeps information security business and service focused. Too often, information security is perceived as a "cost center" or "hindrance" to business functions. With ITIL, business process owners and IT negotiate information security services; this ensures that the services are aligned with the business' needs.
- ITIL can enable organizations to develop and implement information security in a structured, clear way based on best practices. Information security staff can move from "fire fighting" mode to a more structured and planned approach.
- With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change.
- ITIL establishes documented processes and standards (such as SLAs and OLAs) that can be audited and monitored. This can help an organization understand the effectiveness of its information security program and comply with regulatory requirements (for example, HIPAA or Sarbanes Oxley).
- ITIL provides a foundation upon which information security can build. It requires a number of best practices - such as Change Management, Configuration Management, and Incident Management - that can significantly improve information security. For example, a considerable number of information security issues are caused by inadequate change management, such as misconfigured servers.
- ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate. Many managers can't "relate" to low-level details about encryption or firewall rules, but they are likely to understand and appreciate ITIL concepts such as incorporating information security into defined processes for handling problems, improving service, and maintaining SLAs. ITIL can help managers understand that information security is a key part of having a successful, well-run organization.
- The organized ITIL framework prevents the rushed, disorganized implementation of information security measures. ITIL requires designing and building consistent, measurable information security measures into IT services rather than after-the-fact or after an incident. This ultimately saves time, money, and effort.
- The reporting required by ITIL keeps an organization's management well informed about the effectiveness of their organization's information security measures. The reporting also allows management to make informed decisions about the risks their organization has.
- ITIL defines roles and responsibilities for information security. During an incident, it's clear who will respond and how they will do so.
- ITIL establishes a common language for discussing information security. This can allow information security staff to communicate more effectively with internal and external business partners, such as an organization's outsourced security services.