Basic concepts of Security Management are usually included in the process of Information Security, which tries to ensure the safety of information.
In this context, safety refers to: not being vulnerable to known risks, and avoiding unknown risks where possible.
So Security Management is really to help you achieve this level of safety by trying to protect the value of the information.
Value is in the eye of the beholder, but often it depends on confidentiality, integrity and availability.
- Confidentiality: protecting information against unauthorised access and use.
- Integrity: accuracy, completeness and timeliness of the information.
- Availability: the information should be accessible at any agreed time. This depends on the continuity provided by the information processing systems.
Other components of information security include privacy (confidentiality and integrity of information relating to individuals), keeping information about people anonymous, and making sure you can verify that the information is used correctly.
Objectives of Security Management:
Almost all businesses have become more dependent on information systems. The use of computer networks has also grown, not only within businesses but also between them, and between businesses and the world outside.
The increasing complexity of IT infrastructure means that businesses are now more vulnerable to technical failures, human error, intentional human acts, hackers and crackers, computer viruses, etc.
This growing complexity requires a unified management approach.
Security Management has important ties with other processes.
Other ITIL processes, under the supervision of Security Management, carry out some security activities.
Security Management has two objectives:
- To meet the security requirements of the SLAs and other external requirements further to contracts, legislation and externally imposed policies.
- To provide a basic level of security, independent of external requirements.
Security Management is essential to maintaining the uninterrupted operation of the IT organisation. It also helps to simplify Information Security Service Level Management, as it is much more difficult to manage a large number of different SLAs than a limited number. The process input is provided by the SLAs, which specify security requirements, possibly supplemented by policy documents and other external requirements.
The process also receives information about relevant security issues in other processes, such as security incidents.
The output includes information about the achieved implementation of the SLAs, including exception reports and routine security planning.
At present, many organisations deal with Information Security at the strategic level in information policy and information plans, and at the operational level by purchasing tools and other security products.
Insufficient attention is given to the active management of Information Security, the continuous analysis and translation of policies into technical options, and ensuring that the security measures continue to be effective when the requirements and environment change.
The consequence of this missing link is that, at the tactical management level, significant investments are made in measures that are no longer relevant, at a time when new, more effective measures ought to be taken.
Security Management aims to ensure that effective Information Security measures are taken at the strategic, tactical and operational levels.
Benefits
Information Security is not a goal in itself; it aims to serve the interests of the business or organisation.
Some information and information services will be more important to the organisation than others.
Information Security must be appropriate to the importance of the information.
Striking a balance between security measures, the value of the information, and the threats in the processing environment produces tailor-made security. An effective information supply, with adequate Information Security, is important to an organisation for two reasons:
- Internal reasons: an organisation can only operate effectively if correct and complete information is available when required. The level of Information Security should be appropriate for this.
- External reasons: the processes in an organisation create products and services, which are made available to the market or society, to meet defined objectives.
An inadequate information supply will lead to substandard products and services, which cannot be used to meet the objectives and which will threaten the survival of the organisation.
Adequate Information Security is an important condition for having an adequate information supply. The external significance of Information Security is therefore determined in part by the internal significance. Security can provide significant added value to an information system.
Effective security contributes to the continuity of the organisation and helps to meet its objectives.
Process
Organisations and their information systems change.
Checklists such as the Code of Practice for Information Security Management are static and insufficiently address rapid changes in IT.
For this reason, Security Management activities must be reviewed continuously to ensure their effectiveness. Security Management amounts to a never-ending cycle of plan, do, check, and act.
The security section of the Service Level Agreement defines these requirements in terms of the security services and the level of security to be provided. The service provider communicates these agreements to his organisation in the form of a Security Plan, defining the security standards or Operational Level Agreements.
This plan is implemented, and the implementation is evaluated.
The plan and its implementation are then updated.
Service Level Management reports about these activities to the customer.
Thus, the customer and the service provider together form a complete cyclical process.
The customer can modify his requirements on the basis of the reports and the service provider can adjust the plan or its implementation on the basis of these observations, or aim to change the agreements defined in the SLA.
Security Management has links with the other ITIL processes, because the other processes undertake security-related activities.
These activities are carried out in the normal way, under the responsibility of the relevant process and process manager.
However, Security Management gives instructions about the structure of the security-related activities to the other processes.
Normally, these agreements are defined after consultation between the Security Manager and the other process managers.
Configuration Management
In the context of Information Security, Configuration Management is primarily relevant because it can classify Configuration Items.
This classification links the CI with specified security measures or procedures. The classification of a CI indicates its required confidentiality, integrity and availability.
This classification is based on the security requirements of the SLA.
The customer of the IT organisation determines the classification, as only the customer can decide how important the information or information systems are to the business processes.
The customer bases the classification on an analysis of the extent to which the business processes depend on the information systems and the information.
The IT organisation then associates the classification with the relevant CIs.
The IT organisation must also implement this set of security measures for each classification level.
These sets of measures can be described in procedures.
Example: ‘Procedure for handling storage media with personal data’.
- The SLA can define the sets of security measures for each classification level.
- The classification system should always be tailored to the customer’s organisation.
However, to simplify management it is advisable to aim for one unified classification system, even when the IT organisation has more than one customer.
In summary, classification is a key issue.
The CMDB should indicate the classification of each CI.
This classification links the CI with the relevant set of security measures or procedure.
Incident Management
Incident Management is an important process for reporting security incidents.
Depending on the nature of the incident, security incidents may be covered by a different procedure than other Incidents. It is therefore essential that Incident Management recognise security incidents as such. Any Incident which may interfere with achieving the SLA security requirements is classified as a security incident.
It is useful to include a description in the SLA of the type of Incidents to be considered as security incidents.
An Incident that interferes with achieving the basic internal security level (baseline) is also always classified as a security incident.
Incident reports are generated not only by users, but also by the management process, possibly on the basis of alarms or audit data from the systems.
It is clearly essential that Incident Management recognise all security incidents, so that the appropriate procedures for dealing with them are initiated. It is also advisable to include the procedures for different types of security incidents in the SLA plans and to practise the procedure. It is also advisable to agree a procedure for communicating about security incidents.
It is not unusual for panic to be created by rumours blown out of proportion. Similarly, it is not unusual for damage to result from a failure to communicate in time about security incidents.
It is advisable to route all external communications related to security incidents through the Security Manager.
Problem Management is responsible for identifying and solving structural security failings. A Problem may also introduce a security risk.
In that case, Problem Management must involve Security Management in resolving the Problem.
Finally, the solution or workaround for a Problem or Known Error must always be checked to ensure that it does not introduce new security problems.
This verification should be based on compliance with the SLA and internal security requirements.
Availability Management addresses the technical availability of IT components in relation to the availability of the service.
The quality of availability is assured by continuity, maintainability and resilience.
Availability Management is the most important process related to availability.
As many security measures benefit both availability and the security aspects confidentiality and integrity, effective coordination of the measures between Availability Management, IT Service Continuity Management, and Security Management is essential.
Capacity Management is responsible for the best possible use of IT resources, as agreed with the customer.
The performance requirements are based on the qualitative and quantitative standards defined by Service Level Management.
Almost all Capacity Management activities affect availability and therefore also Security Management.
IT Service Continuity Management
IT Service Continuity Management ensures that the impact of any contingencies is limited to the level agreed with the customer.
Contingencies need not necessarily turn into disasters.
The major activities are defining, maintaining, implementing, and testing the contingency plan, and taking preventive action.
Because of the security aspects, there are ties with Security Management.
On the other hand, failure to fulfil the basic security requirements may be considered itself as a contingency.
Service Level Management
The Service Level Agreement (SLA) defines the agreements with the customer; the Security section of the SLA covers all security-related issues.
The Service Level Management process is responsible for the SLA, which in itself is the most important driver for all ITIL processes.
The IT organisation indicates to what extent the requirements of the SLA are achieved, including security requirements:
- The security elements addressed in the SLA should correspond to the security needs of the customer.
- The customer should identify the significance of all business processes.
- These business processes depend on IT services, and therefore on the IT organisation.
- The customer determines the security requirements on the basis of a risk analysis.
- The security elements are discussed between the representative of the customer and the representative of the service provider.
The service provider compares the customer’s Service Level Requirements with their own Service Catalogue, which describes their standard security measures (the Security Baseline).
The customer may have additional requirements.
The customer and provider compare the Service Level Requirements and the Service Catalogue.
The security section of the SLA can address issues such as the general Information Security policy, a list of authorised personnel, asset protection procedures, restrictions on copying data, etc.
The security section of the Operational Level Agreement
The Operational Level Agreement is another important document; it describes the services provided by the service provider. The provider must associate these agreements with responsibilities within the organisation.
The Service Catalogue gives a general description of the services; the Operational Level Agreement translates these general descriptions into all services and their components, and the way in which the agreements about the service levels are assured within the organisation. Example: the Service Catalogue refers to ‘managing authorisations per user and per individual’.
The Operational Level Agreement details this for all relevant services provided by the IT organisation. In this way, the implementation of the measure is defined for the departments providing UNIX, VMS, NT, Oracle services, etc.
Where possible, the customer’s Service Level Requirements are interpreted in terms of the provider’s Service Catalogue, and additional agreements are concluded where necessary. Such additional measures exceed the standard security level.
When drafting the SLA, measurable Key Performance Indicators (KPIs) and criteria must also be agreed for Security Management. KPIs are measurable parameters (metrics), and performance criteria are set at achievable levels. In some cases it will be difficult to agree on measurable security parameters (this is easier for availability, which can generally be expressed numerically, but much more difficult for integrity and confidentiality). For this reason, the security section of the SLA normally describes the required measures in abstract terms.
The Code of Practice for Information Security Management is used as a basic set of security measures.
The SLA also describes how performance is measured.
The IT organisation (service provider) must regularly provide reports to the user organisation (customer).