Thursday, May 29, 2008

How ITIL Can Improve Information Security

Source: http://www.securityfocus.com/infocus/1815

The author, Steven Weil, is a senior security consultant with Seitel Leeds & Associates. He provides an overview of information security issues in the context of an ITIL implementation. The following section summarizes his ideas.

ITIL stresses service quality and focuses on how IT services can be efficiently and cost-effectively provided and supported. ITIL defines the objectives, activities, inputs, and outputs of many of the processes found in an IT organization. It primarily focuses on what processes are needed to ensure high quality IT services; however, ITIL does not provide specific, detailed descriptions about how the processes should be implemented, as they will be different in each organization. In other words, ITIL tells an organization what to do, not how to do it.

ITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and operational levels. Information security is considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained.

ITIL breaks information security down into:
  • Policies - overall objectives an organization is attempting to achieve
  • Processes - what has to happen to achieve the objectives
  • Procedures - who does what and when to achieve the objectives
  • Work instructions - instructions for taking specific actions

ITIL defines information security as a complete cyclical process with continuous review and improvement.

ITIL's Information Security Process can be described as a seven step process:

  1. Using risk analysis, IT customers identify their security requirements.
  2. The IT department determines the feasibility of the requirements and compares them to the organization's minimum information security baseline.
  3. The customer and IT organization negotiate and define a service level agreement (SLA) that includes definition of the information security requirements in measurable terms and specifies how they will be verifiably achieved.
  4. Operational level agreements (OLAs), which provide detailed descriptions of how information security services will be provided, are negotiated and defined within the IT organization.
  5. The SLA and OLAs are implemented and monitored.
  6. Customers receive regular reports about the effectiveness and status of provided information security services.
  7. The SLA and OLAs are modified as necessary.

Ten ways ITIL can improve information security

There are a number of important ways that ITIL can improve how organizations implement and manage information security.

1. ITIL keeps information security business and service focused. Too often, information security is perceived as a "cost center" or "hindrance" to business functions. With ITIL, business process owners and IT negotiate information security services; this ensures that the services are aligned with the business' needs.
2. ITIL can enable organizations to develop and implement information security in a structured, clear way based on best practices. Information security staff can move from "fire fighting" mode to a more structured and planned approach.
3. With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change.
4. ITIL establishes documented processes and standards (such as SLAs and OLAs) that can be audited and monitored. This can help an organization understand the effectiveness of its information security program and comply with regulatory requirements (for example, HIPAA or Sarbanes Oxley).
5. ITIL provides a foundation upon which information security can build. It requires a number of best practices - such as Change Management, Configuration Management, and Incident Management - that can significantly improve information security. For example, a considerable number of information security issues are caused by inadequate change management, such as misconfigured servers.
6. ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate. Many managers can't "relate" to low-level details about encryption or firewall rules, but they are likely to understand and appreciate ITIL concepts such as incorporating information security into defined processes for handling problems, improving service, and maintaining SLAs. ITIL can help managers understand that information security is a key part of having a successful, well-run organization.
7. The organized ITIL framework prevents the rushed, disorganized implementation of information security measures. ITIL requires designing and building consistent, measurable information security measures into IT services rather than after-the-fact or after an incident. This ultimately saves time, money, and effort.
8. The reporting required by ITIL keeps an organization's management well informed about the effectiveness of their organization's information security measures. The reporting also allows management to make informed decisions about the risks their organization has.
9. ITIL defines roles and responsibilities for information security. During an incident, it's clear who will respond and how they will do so.
10. ITIL establishes a common language for discussing information security. This can allow information security staff to communicate more effectively with internal and external business partners, such as an organization's outsourced security services.

Steven Weil's conclusion: Information security measures are steadily increasing in scope, complexity, and importance. It is risky, expensive, and inefficient for organizations to have their information security depend on cobbled-together, homegrown processes. ITIL can enable these processes to be replaced with standardized, integrated processes based on best practices. Though some time and effort are required, ITIL can improve how organizations implement and manage information security.

In my view, the majority of ITIL articles talk about implementation theory. Also, the content just represents the benefits once the audience jumps into the ITIL pool. No other authors or papers mention information security issues in their articles, including the direction or processes. Fortunately, I found Steven Weil's article. I understand more about improving information security based on the ITIL framework from his article. Even though I can't put that information into practice, at least I know which areas should be focused on in practice.
