Branimir Valentic
April 1, 2014
It was one of our usual off-the-record discussions: I spoke with a network admin and asked about the regular password change set up on the system. The answer included words like “my opinion,” “my experience,” … but not a single word about policy. “Which policy?” I was asked. Oh, something is obviously wrong.
So, we started from the beginning. Information Security Management is one of the cornerstones of IT Service Management and a critical part of the warranty of a service. The goal of the Information Security Management process is to provide guidance or direction for security activities and to ensure that security goals are achieved. What does that mean? Let’s see:
The Information Security Management process is the central point for all security issues inside the organization. Its task is to produce the information security policy. Such a policy should cover all issues regarding use (or misuse – don’t forget that) of IT services and the respective systems. Since today’s IT environment covers many services and technological solutions, it’s unrealistic (I would say even a bad idea) to expect that one document, i.e., one policy, will cover all necessary issues. Therefore, the information security policy can be a root document comprising specific documents that regulate particular areas. For example, each of the following areas can have a stand-alone policy: password, access to IT systems, BYOD, backup, clean desk, supplier… etc.
One more thing: if you don’t have any information security process in place, ITIL or ISO 20000 give good guidance. But the most popular and most widely used standard for information security is ISO 27001, and it can be used to cover information security for all your IT Service Management (ITSM) issues, even if you already have an Information Security process in place.
No, it’s not THE Agency (but during the seminar I use the acronym so that students remember it); that’s how ITIL describes the objectives of Information Security Management:
Information security is not a stand-alone process. On the contrary, it interfaces with many other ITSM processes (which is logical, since information security is one of the four parameters that describe service warranty).
| Process / Function | Relation |
|---|---|
| Incident / Problem Management | Security incidents are handled and resolved by the incident management or problem management process. It is advisable that security incidents (and, consequently, security problems) have their own category. |
| Service Desk, IT Operations | These two functions are in regular contact with information security issues. The Service Desk will be the first to get in touch with security incidents, and IT Operations will fulfill security requirements (e.g., assign a password to a new user by following the rules defined in the password policy). |
| Access Management | This process applies the security policy that defines the rules for accessing information. |
| IT Service Continuity Management | While applying IT Service Continuity, information security is one of the most critical parameters to be considered, since it manages all security issues regarding information, IT systems, third parties, customers and the organization’s own people. |
| Change Management | Many changes take place because of information security breaches (e.g., introducing identity management on an existing network topology due to a lack of user control), and changes that take place have to be assessed from an information security point of view. |
| Supplier Management | Very often, third parties are part of the ITSM team. Their involvement should be considered from an information security point of view, and regulation should be imposed (since suppliers access the company’s IT systems and information). |
| Availability Management | Availability is one of the objectives of information security management and, together with integrity of the information, it directly impacts the availability of the service. I.e., if data are unavailable or lack integrity – the availability of the service is not provided. |
Information security is sometimes taken for granted. I have often heard answers like: “It’s logical, common sense…” etc. This is correct. But it is also true that if you leave things to organize themselves because they are logical, another kind of logic takes over: someone else will do it. Information security does not leave any space for improvisation. The stakes are too high, and it could be expensive.
To learn more on how to improve your overall information security, try this free online Security Awareness Training.