{"id":4542,"date":"2014-04-01T21:28:55","date_gmt":"2014-04-01T21:28:55","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/20000academy\/blog\/2014\/04\/01\/anything-shouldnt-taken-granted-information-security-management\/"},"modified":"2025-06-13T09:16:02","modified_gmt":"2025-06-13T09:16:02","slug":"anything-shouldnt-taken-granted-information-security-management","status":"publish","type":"post","link":"https:\/\/advisera.com\/20000academy\/blog\/2014\/04\/01\/anything-shouldnt-taken-granted-information-security-management\/","title":{"rendered":"If anything shouldn\u2019t be taken for granted\u2026 it\u2019s Information Security Management"},"content":{"rendered":"<p>It was one of our usual off-the-record discussions when I spoke with network admin and asked about the regular password change set up on the system.\u00a0 And, the answer included words like \u201cmy opinion,\u201d \u201cmy experience,\u201d \u2026 but, not a single word about <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=service-assurance-processes&amp;doc=information-security-management-policy\" target=\"_blank\" rel=\"noopener\">policy<\/a>. \u201cWhich policy?\u201d I was asked.\u00a0 Oh, something is, obviously, wrong.<\/p>\n<p>So, we started from the beginning. Information Security Management is one of the cornerstones of IT Service Management and a critical part of the\u00a0<a href=\"\/20000academy\/knowledgebase\/itil-service-strategy-itsm\/\" target=\"_blank\" rel=\"noopener noreferrer\">warranty<\/a>\u00a0of a service. The goal of the <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=service-assurance-processes&amp;doc=information-security-management-process\" target=\"_blank\" rel=\"noopener\">Information Security Management process<\/a> is to provide guidance or direction for security activities and to ensure that security goals are achieved. What does that mean? 
Let\u2019s see:<\/p>\n<ul>\n<li>Guidance for security activities \u2013 this means that other processes and functions get clear instructions and guidelines on how to approach security issues. Take, for example, the daily activities of the IT Operations or Access Management functions regarding the BYOD (Bring Your Own Device) concept. BYOD is in place, but there is a security policy that defines who can use it, which network resources can be accessed by which users, which authentication method is in place\u2026 etc.<\/li>\n<li>Security goals \u2013 if you have, e.g., <a href=\"https:\/\/advisera.com\/20000academy\/what-is-iso-20000\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 20000<\/a> in place, then you will regularly have to check if security measures are in place. If not, it\u2019s not a bad idea (at least, I have had positive experiences with it) that you establish an <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=sms-related-documents&amp;doc=procedure-for-internal-audit\" target=\"_blank\" rel=\"noopener\">internal audit<\/a> to check if all included parties (e.g., IT Operations, development, users, management\u2026 etc.) comply with the security regulation in place. An ideal case would be to have an (unbiased) external auditor.<\/li>\n<\/ul>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Concept<\/h2>\n<p>The <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/?rel=service-assurance-processes&amp;doc=information-security-management-process\" target=\"_blank\" rel=\"noopener\">Information Security Management process<\/a> is the central point for all security issues inside the organization. Its task is to produce the information security policy. 
Such a policy should cover all issues regarding use (or misuse \u2013 don\u2019t forget that) of IT services and respective systems. Since today\u2019s IT environment covers many services and technological solutions, it\u2019s unrealistic (I would say, even a bad idea) to expect that one document, i.e., policy, will cover all necessary issues. Therefore, the information security policy could be a root document comprising specific documents that regulate particular areas. For example, each of the following areas can have a stand-alone policy: password, access to the IT systems, BYOD, backup, clean desk, supplier\u2026 etc.<\/p>\n<p>One more thing: If you don\u2019t have any information security process in place, ITIL or ISO 20000 gives good guidance. But, the most popular and most widely used standard for information security is\u00a0<a href=\"https:\/\/advisera.com\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>, and it can be used to cover information security for all your IT Service Management (ITSM) issues. 
Even if you have an Information Security process in place.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">CIA<\/h2>\n<p>No, it\u2019s not THE Agency (but, during the seminar, I use the acronym for students to remember), but that\u2019s how ITIL describes the objectives of Information Security Management:<\/p>\n<ul>\n<li>Confidentiality \u2013 security objectives are met if information is observed by or disclosed to only those who have a right to know.<\/li>\n<li>Integrity \u2013 security objectives are met when information is complete, accurate and protected against unauthorized modification.<\/li>\n<li>Availability \u2013 there are two levels for security objectives to be met: information is available and usable when needed, and systems that provide that information can resist attacks and recover from failures.<\/li>\n<\/ul>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">IT service lifecycle and information security<\/h2>\n<p>Information security is not a stand-alone process. 
To the contrary, it interfaces with many other ITSM processes (which is logical, since information security is one of the four parameters that describe service warranty).<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td style=\"width: 30%; padding-left: 5px;\"><strong>Process \/ Function<\/strong><\/td>\n<td style=\"padding-left: 5px;\"><strong>Relation<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 30%; padding-left: 5px;\">Incident \/ Problem Management<\/td>\n<td style=\"padding-left: 5px;\">Security incidents are handled and resolved by the\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/blog\/2013\/05\/21\/incident-management-itil-solid-foundations-operational-processes\/\" target=\"_blank\" rel=\"noopener noreferrer\">incident management<\/a>\u00a0or\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/blog\/2013\/08\/05\/itil-problem-management-getting-rid-problems\/\" target=\"_blank\" rel=\"noopener noreferrer\">problem management<\/a>\u00a0process. 
It is advisable that security incidents (and, consequently, problems) have their own category.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 30%; padding-left: 5px;\">Service Desk, IT Operations<\/td>\n<td style=\"padding-left: 5px;\">These two functions are in regular contact with information security issues.\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/knowledgebase\/service-desk-single-point-contact\/\" target=\"_blank\" rel=\"noopener noreferrer\">Service Desk<\/a>\u00a0is the first to come into contact with security incidents, and\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/knowledgebase\/operations-management-function-itil\/\" target=\"_blank\" rel=\"noopener noreferrer\">IT Operations<\/a>\u00a0will fulfill security requirements (e.g., assign a password to a new user by following the rules defined in the password policy).<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 30%; padding-left: 5px;\">Access Management<\/td>\n<td style=\"padding-left: 5px;\">What this\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/blog\/2014\/02\/12\/itil-access-management-think-youre-going\/\" target=\"_blank\" rel=\"noopener noreferrer\">process<\/a>\u00a0does is apply the security policy that defines the rules for accessing information.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 30%; padding-left: 5px;\">IT Service Continuity Management<\/td>\n<td style=\"padding-left: 5px;\">While applying IT Service Continuity, information security is one of the most critical parameters that needs to be considered, since it manages all security issues regarding information, IT systems, third parties, customers and own people.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 30%; padding-left: 5px;\">Change Management<\/td>\n<td style=\"padding-left: 5px;\">Many\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/blog\/2013\/04\/23\/elements-change-management-itil\/\" target=\"_blank\" rel=\"noopener noreferrer\">changes<\/a>\u00a0are taking place due to information security breaches (e.g., introducing identity management 
on existing network topology due to lack of user control), and changes that take place have to be assessed from an information security point of view.<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 30%; padding-left: 5px;\">Supplier Management<\/td>\n<td style=\"padding-left: 5px;\">Very often,\u00a0<a href=\"https:\/\/advisera.com\/20000academy\/blog\/2013\/12\/30\/itil-supplier-management-third-party-depend\/\" target=\"_blank\" rel=\"noopener noreferrer\">third parties<\/a>\u00a0are part of the ITSM team. Their involvement should be considered from an information security point of view, and regulation should be imposed (since suppliers access companies\u2019 IT systems and information).<\/td>\n<\/tr>\n<tr>\n<td style=\"width: 30%; padding-left: 5px;\">Availability Management<\/td>\n<td style=\"padding-left: 5px;\"><a href=\"https:\/\/advisera.com\/20000academy\/blog\/2013\/08\/21\/availability-management-calculating-improvement\/\" target=\"_blank\" rel=\"noopener noreferrer\">Availability<\/a>\u00a0is one of the objectives of information security management and it impacts directly, together with integrity of the information, availability of the service. I.e. if data are unavailable or lack integrity \u2013 availability of the service is not provided.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Improvisation \u2013 \u201cAccess denied\u201d<\/h2>\n<p>Information security is sometimes taken for granted. I often experienced answers like: \u201cIt\u2019s logical, common sense\u2026\u201d etc. This is correct. But, it is also true that if you leave things to be self-organized because they are logical \u2013 another kind of logic takes place: someone else will do it. Information security does not leave any space for improvisation. 
The stakes are too high and it could be expensive.<\/p>\n<p><em>To implement ISO 20000 easily and efficiently, use our<\/em> <a href=\"https:\/\/advisera.com\/20000academy\/iso-20000-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 20000 Documentation Toolkit<\/a> <em>that provides step-by-step guidance for full ISO 20000 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>It was one of our usual off-the-record discussions when I spoke with network admin and asked about the regular password change set up on the system.\u00a0 And, the answer included words like \u201cmy opinion,\u201d \u201cmy experience,\u201d \u2026 but, not a single word about policy. \u201cWhich policy?\u201d I was asked.\u00a0 Oh, something is, obviously, wrong. So, &#8230;<\/p>\n","protected":false},"author":32,"featured_media":17350,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[406,391,432,416,438,344,447,360,405],"class_list":["post-4542","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-availability","tag-change","tag-continuity","tag-incident","tag-information-security","tag-itil","tag-problem","tag-service-desk","tag-supplier"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/4542","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/comments?post=4542"}],"version-history":[{"count":3,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/4542\/revisions"}],"predecessor-versi
on":[{"id":18386,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/posts\/4542\/revisions\/18386"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/media\/17350"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/media?parent=4542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/categories?post=4542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/20000academy\/wp-json\/wp\/v2\/tags?post=4542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}