
How ITIL Addresses Security (Security Series - Part 2)

08/11/2011 by: The SunView Team

In my prior post, I presented the case that security, like quality, needs to be "built in" to an organization, and that ITIL provides a framework upon which to start building. In this post, I will highlight how each of the core sets of ITIL best practices contributes to improved security. Some of these practices are directly related to security, while others are foundational.
Overall, ITIL addresses security from all angles: strategically, tactically, and operationally. Along each of these angles, it does so iteratively through the PDCA cycle (plan-do-check-act), which, as discussed in the prior post, is borrowed from Deming. The result is a holistic view of security that goes well beyond a focus on monitoring. Clearly there is more to say on this than can fit into a blog post; if you want to read more, I recommend the ITIL v3 Security Book, especially chapter 5.

What can be tackled in a blog post are examples that demonstrate some of the ways ITIL best practices help improve security. Here are such examples:

Incident Management - Whether reported by a human or by a well-tuned monitoring application, potential security holes or attacks need to be investigated systematically. Auditors will want evidence that you have a system in place to log threats and to systematically investigate them. The responsibility for processing these incidents needs to be clearly assigned. An incident management tool can largely automate this. On the front end, the Service Desk, by way of the Service Catalog, should help inform employees which types of incidents to report and guide them through the act of logging the incident. There should be a specific incident type for routing and reporting on security issues.

Problem Management - The details of security threats flow in from the Incident function. Those reports that are real and require further analysis should be raised to the security team through Problem Management. As part of that analysis, what is learned should be fed back to the organization through the knowledge management system. As the problems are addressed, lessons will be learned regarding specific tools and technologies; these should be distilled into best practices that users and IT staff can follow to deploy and use those technologies more securely. Where appropriate, this knowledge should be made available through the self-service portal's knowledgebase.

Change Management - As changes are made, an auditable log must be kept detailing the change and who approved it. Any change that has even the remotest possibility of introducing a vulnerability should go through a formal change process. Part of that process should include risk analysis. The risks to be analyzed are not only the likelihood of operational impairment, but also the risk of introducing vulnerabilities.

Release Management - If release management is not carefully controlled in an auditable way, it is easy for staff to intentionally or unintentionally deploy changes in a way that introduces vulnerabilities. Many organizations are fully automating the release of software, automatically staging and then pushing changes into production. This automation removes some of the human element, thereby not only reducing the chance for errors, but also eliminating some of the opportunities for an internal staff member to put in a back door, for example.

Configuration Management - The control and monitoring of configuration changes is probably the most obvious step toward improving security. Malware often attacks by first making a configuration change that opens the door more widely for it to attack. If it is clear how the system should be configured, then monitoring for departures from that known-good state may point to the start of an attack.
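The Change Management and Configuration Management points above fit together: a monitored configuration baseline catches drift, and the change log tells you which drift was approved. The following is an added illustration, not code from SunView or ChangeGear; the settings, the observed values, and the change record (CHG-1042) are all constructed sample data.

```python
"""Flag configuration drift that no approved change record explains."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: how the host is supposed to be configured.
BASELINE: Dict[str, str] = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.inbound.22": "allow",
    "firewall.inbound.3389": "deny",
}

# Constructed observation, e.g. the latest poll from a monitoring agent.
OBSERVED: Dict[str, str] = {
    "sshd.PermitRootLogin": "yes",
    "sshd.PasswordAuthentication": "no",
    "firewall.inbound.22": "allow",
    "firewall.inbound.3389": "allow",
}

# Constructed approved-change log: setting -> (new value, change id, approver).
APPROVED_CHANGES: Dict[str, Tuple[str, str, str]] = {
    "firewall.inbound.3389": ("allow", "CHG-1042", "ops-manager"),
}


@dataclass(frozen=True)
class Drift:
    setting: str
    expected: str
    actual: str
    change_id: Optional[str]  # approved change that explains it, if any


def detect_drift(baseline, observed, approved) -> List[Drift]:
    """Return every baseline setting whose observed value departs from it.

    Drift matching an approved change carries that change id so it can be
    folded into the baseline; unexplained drift is what Incident Management
    should be asked to investigate.
    """
    findings = []
    for setting, expected in baseline.items():
        actual = observed.get(setting, "<missing>")
        if actual == expected:
            continue
        change = approved.get(setting)
        change_id = change[1] if change and change[0] == actual else None
        findings.append(Drift(setting, expected, actual, change_id))
    return findings


def unexplained(findings: List[Drift]) -> List[Drift]:
    """Drift with no approved change behind it: raise an incident for each."""
    return [f for f in findings if f.change_id is None]
```

Running `unexplained(detect_drift(BASELINE, OBSERVED, APPROVED_CHANGES))` reports only the root-login change; the firewall change is attributed to CHG-1042 rather than raised as an incident.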