It was one of our usual off-the-record discussions when I spoke with a network admin and asked about the regular password change set up on the system. And the answer included words like “my opinion,” “my experience,”… but not a single word about policy. “Which policy?” I was asked. Oh, something is obviously wrong.
So, we started from the beginning. Information Security Management is one of the cornerstones of IT Service Management and a critical part of the warranty of a service. The goal of the Information Security Management process is to provide guidance or direction for security activities and to ensure that security goals are achieved. What does that mean? Let’s see:
- Guidance for security activities – this means that other processes and functions get clear instructions and guidelines on how to approach security issues. Take, for example, the daily activities of the IT Operations or Access Management functions regarding the BYOD (Bring Your Own Device) concept. BYOD is in place, but there is a security policy that defines who can use it, which network resources can be accessed by which users, which authentication method is in place, etc.
- Security goals – if you have, e.g., ISO 20000 in place, then you will regularly have to check whether security measures are in place. If not, it’s not a bad idea (at least, I have had positive experiences with it) to establish an internal audit to check whether all included parties (e.g., IT Operations, development, users, management, etc.) comply with the security regulations in place. The ideal case would be to have an (unbiased) external auditor.
The Information Security Management process is the central point for all security issues inside the organization. Its task is to produce the information security policy. Such a policy should cover all issues regarding use (or misuse – don’t forget that) of IT services and the respective systems. Since today’s IT environment covers many services and technological solutions, it’s unrealistic (I would say, even a bad idea) to expect that one document, i.e., one policy, will cover all necessary issues. Therefore, the information security policy could be a root document comprising specific documents that regulate particular areas. For example, each of the following areas can have a stand-alone policy: passwords, access to the IT systems, BYOD, backup, clean desk, suppliers, etc.
One more thing: If you don’t have any information security process in place, ITIL or ISO 20000 give good guidance. But the most popular and most widely used standard for information security is ISO 27001, and it can be used to cover information security for all your IT Service Management (ITSM) issues, even if you already have an Information Security process in place.
No, it’s not THE Agency (but, during the seminar, I use the acronym so that students remember it), but that’s how ITIL describes the objectives of Information Security Management:
- Confidentiality – security objectives are met if information is observed by or disclosed to only those who have a right to know.
- Integrity – security objectives are met when information is complete, accurate and protected against unauthorized modification.
- Availability – there are two levels for security objectives to be met: information is available and usable when needed, and systems that provide that information can resist attacks and recover from failures.
IT service lifecycle and information security
Information security is not a stand-alone process. On the contrary, it interfaces with many other ITSM processes (which is logical, since information security is one of the four parameters that describe service warranty).
Read more @ net-security.org