Home �   ITIL�  Index

Creating a Partnership through ITIL and Security Management

Nov 20, 2005

ITSM Watch Staff

By Yves St-Arnaud

A security policy is not just a static document to be filed away but must be functioning at the strategic, tactical and operational levels of management. It must be planned and implemented with any Information Security systems.

IT Security Management enables and ensures that :
  • Measures are implemented and maintained to address changing circumstances such as service requirements, IT architecture elements, threats, etc.
  • Security incidents are dealt with
An organization only operates appropriately if it has access to confidential, accurate and complete information, available when needed.

Since Information Security Management is employed through a variety of measurements, the commitment and willingness of an organization to protect its data is at the core of establishing the appropriate disciplines.

The chosen measures should be designed to limit the vulnerability of the service to threats and to make it possible to reduce or even eliminate the risks associated with the storage and use of information.

To accomplish this, Security Management must be integral to the development of every service management process. For example, when Incident Management is being planned, those responsible must ensure that there will be formal consideration of how Security Incidents will be handled.

When changes are proposed, the Change Management process must consider and record the impact from a Security Management viewpoint. Here, a successful approach might be to ensure that every Request for Change include a security relationship.

Similarly, when Configuration Items (CIs) are defined, the security classification of the CI might need to be recorded as an attribute, reflecting its security confidentiality, integrity or availability aspects.

Establishing a forum for information security is the requisite for successful implementations of the IT Security Management process. This forum would ensure proper representation from line managers, employees and security specialists.

Activities of the forum include: review of the security policy, modification of security measures, evaluation and approval of specific security plans, and monitoring of changing threats and security incidents. The forum is managed by the Security Manager and incorporates, if separately identified, the organization's security coordinators.

A main function of an IT Security Management process is to clearly identify and design measures that protect the organization and its information assets. As a minimum, documentation should include; job descriptions, training requirements, the identification of security weaknesses, how security incidents will be handled, disciplinary measures, ensuring security awareness, procedures, etc.

Since the communications plan is an important aspect of any CSIP, that plan must deal with the development and implementation of all new security policies and the practical measures that will flow from them.

To ensure the planning, implementation and control of IT Security Management issues, a Security Manager role should exist within any organization. It might be a part time activity in many organizations but is likely become an important role where the chosen individual is given overall responsibility for ensuring that security is properly executed.

Like the planning process of IT Service Continuity Management, IT Security Management requires a plan for something that you hope will not happen. Devoting a slice of the budget to the management of service continuity or security may seem to be a waste but it must not be forgotten that lack of Information Security can substantially damage an organization, and statistically, is much more likely to occur than other forms of threat to service continuity.

Even if the organization has not suffered from a known security attack, the threat still exists and it is the organization's responsibility to decide formally what level of risk it is prepared to take.

The planning and implementation of an IT Security Management process does not and will never provide a full-proof security against all threats. However, compared to the cost of unavailability, which for some organizations can reach millions of dollars every day, the Pareto rule should be allowed to prevail.

If you can contain and manage 80% of the threats to your organization and then, through a process of continuous improvement, increase the organization's chances of survival, the future has at least been thoughtfully managed.

The quality of information is becoming the major element in how organizational value is identified. Money is kept in the bank, gold in the vault. How you will safeguard your most valuable asset?

Yves St-Arnaud, ITSM Consultant and President of StAY Technologies Inc., is a respected specialist in the field of IT Service Management. Prior to forming StAY Technologies Inc., Yves spent many years as IT Manager, including CIO, and specialized in many implementation of ITSM implementations, he is also a Project Management Professional from PMI.