Monday, 02 July 2018


ITIL security management (ITIL was originally the Information Technology Infrastructure Library) describes the structured fitting of security into an organization. ITIL security management is based on the ISO 27001 standard. "ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties."

The basic concept of security management is information security. The primary goal of information security is to control access to information. The value of the information is what must be protected; these values include confidentiality, integrity and availability. Derived aspects are privacy, anonymity and verifiability.

The purpose of security management comes in two parts:

  • Security requirements defined in the service level agreements (SLAs) and other external requirements specified in underpinning contracts, legislation and possible internal or externally imposed policies.
  • Basic security that guarantees management continuity. This is necessary to achieve simplified service level management for information security.

The SLA defines the security requirements, together with legislation (if applicable) and other contracts. These requirements can act as key performance indicators (KPIs) that can be used for process management and for interpreting the results of the security management process.

The security management process is related to other ITIL processes. The most obvious relationships in this particular section, however, are with the service level management, incident management and change management processes.





Security management

Security management is a continuous process that can be compared to W. Edwards Deming's quality circle (Plan, Do, Check, Act).

The inputs are the requirements of the clients. These requirements are translated into security services and security metrics. Both the client and the Plan sub-process affect the SLA. The SLA is an input for both the client and the process. The provider develops security plans for the organization. These plans contain policies and operational level agreements. The security plans (Plan) are then implemented (Do) and the implementation is then evaluated (Check). After the evaluation, the plans and the implementation of the plans are maintained (Act).

Activities, results/products and processes are documented. The external report is written and sent to the client. Clients can then customize their requirements based on information received through reports. Furthermore, service providers may adjust their plans or implementation based on their findings to meet all the requirements listed in the SLA (including new requirements).

Control

The first activity in the security management process is the "Control" sub-process. The Control sub-process organizes and manages the security management process. It defines the processes, the allocation of responsibility for the policy statements and the management framework.

The security management framework defines subprocesses for development, implementation, and evaluation into action plans. Furthermore, the management framework defines how the results should be reported to the client.

The meta-process model of the Control sub-process is based on a UML activity diagram and gives an overview of the activities of the Control sub-process. The grey rectangle represents the Control sub-process and the smaller light-coloured shapes inside it represent the activities that take place within it.

The meta-data model of the control sub-process is based on UML class diagrams. Figure 2.1.2 shows the metamodel of the control sub-process.

Figure 2.1.2: Metamodel of the Control sub-process

The CONTROL rectangle with a white shadow is an open (complex) concept. This means that the Control box consists of a collection of (sub)concepts.

Figure 2.1.3 is the process data model of the control sub-process. It shows the integration of the two models. Dotted arrows indicate the concepts created or adjusted in appropriate activities.

Figure 2.1.3: Process-data model of the Control sub-process

Plan

The Plan sub-process contains activities that, in cooperation with service level management, lead to the (information) security section of the SLA. Furthermore, the Plan sub-process contains activities related to the underpinning contracts that are specific to (information) security.

In the Plan sub-process, the goals formulated in the SLA are specified in the form of operational level agreements (OLAs). These OLAs can be defined as security plans for a specific internal organizational entity of the service provider.

In addition to input from the SLA, the Plan subprocess also works with the policy statement of the service provider itself. As said before, this policy statement is defined in the control sub-process.

An operational level agreement for information security is set up and implemented based on the ITIL process. This requires cooperation with other ITIL processes. For example, if security management wishes to change the IT infrastructure in order to improve security, these changes will be done through the change management process. Security management delivers the input (Request for Change) for this change. The Change Manager is responsible for the change management process.

The Plan sub-process consists of a combination of unordered and ordered (sub)activities. It contains three complex activities, all of which are closed activities, and one standard activity.

Just like the Control sub-process, the Plan sub-process is modelled using the meta-modelling technique. The left side of Figure 2.2.1 is the meta-data model of the Plan sub-process.

The Plan rectangle is an open (complex) concept that has an aggregation-type relationship with two closed (complex) concepts and one standard concept. The two closed concepts are not expanded in this particular context.

The following figure (Figure 2.2.1) is the process-data diagram of the Plan sub-process. This picture shows the integration of the two models. The dotted arrows indicate which concepts are created or adjusted in the corresponding activities of the Plan sub-process.

Figure 2.2.1: Process-data model of the Plan sub-process

Implementation

The Implementation sub-process makes sure that all measures, as specified in the plans, are properly implemented. During the Implementation sub-process no measures are defined or changed; the definition or change of measures takes place in the Plan sub-process in cooperation with the Change Management process.

The left side of Figure 2.3.1 is the meta-process model of the Implementation phase. The four labels with a black shadow mean that these activities are closed concepts and are not expanded in this context. No arrows connect these four activities, which means that the activities are unordered and that reporting is carried out after the completion of all four.

During the implementation phase, concepts are created and/or adjusted.

The created and/or customized concepts are modeled using meta-modeling techniques. The right-hand side of Figure 2.3.1 is a meta-data model of an implementation sub-process.

The implementation document is an open and expanded concept in this context. It consists of four closed concepts that are not expanded because they are irrelevant in this particular context.

To make the connection between two models more clear the integration of the two models is illustrated in Figure 2.3.1. Dotted arrows that run from activity to concept illustrate which concepts are made/adjusted in the corresponding activity.

Figure 2.3.1: Process-data model of the Implementation sub-process

Evaluation

Evaluation is necessary to measure the success of the implementation and of the security plans. The evaluation is important for clients (and possibly third parties). The results of the Evaluation sub-process are used to maintain the agreed measures and their implementation. Evaluation results can lead to new requirements and to corresponding Requests for Change. Requests for Change are then defined and sent to Change Management.

The three types of evaluation are self-assessment, internal audit and external audit.

Self-assessment is mainly carried out within the organization's own processes. Internal audits are carried out by internal IT auditors. External audits are carried out by external, independent IT auditors. In addition to those already mentioned, an evaluation is performed on the basis of communicated security incidents. The most important activities for this evaluation are the security monitoring of IT systems; verifying compliance with security legislation and with the implementation of the security plans; and tracing and reacting to undesirable use of IT equipment.

Figure 2.4.1: Process-data model of the Evaluation sub-process

The process-data diagram illustrated in Figure 2.4.1 consists of a meta-process model and a meta-data model. The Evaluation sub-process is modelled using the meta-modelling technique. The dotted arrows running from the meta-process diagram (left) to the meta-data diagram (right) indicate which concepts are created or adjusted in the corresponding activities. All activities in the Evaluation phase are standard activities. For a short description of the concepts of the Evaluation phase, see Table 2.4.2, where the concepts are listed and defined.

Table 2.4.2: Concepts and definitions of the Evaluation sub-process, Security management

Maintenance

Because of changes in the organization and in the IT infrastructure, security risks change over time, requiring revisions to the security section of the service level agreements and to the security plans.

Maintenance is based on the results of the Evaluation sub-process and on insight into the changing risks. These activities produce proposals. The proposals either serve as input for the Plan sub-process and travel through the cycle, or can be adopted as part of maintaining the service level agreements. In both cases the proposals may lead to activities in the action plan. The actual changes are made by the Change Management process.

Figure 2.5.1 is the process-data diagram of the Maintenance sub-process. This picture shows the integration of the meta-process model (left) and the meta-data model (right). The dotted arrows indicate which concepts are created or adjusted in the activities of the maintenance phase.

Figure 2.5.1: Process-data model of the Maintenance sub-process

The Maintenance sub-process starts with the maintenance of the service level agreements and the maintenance of the operational level agreements. After these activities have taken place (in no particular order), and if there is a request for change, the Request for Change activity takes place; after the Request for Change activity is concluded, the Reporting activity starts. If there is no request for change, the Reporting activity starts directly after the first two activities. The concepts in the meta-data model are created or adjusted during the maintenance phase. For a list of the concepts and their definitions, see Table 2.5.2.

Table 2.5.2: Concepts and definitions of the Maintenance sub-process, Security management

Complete data-process model

Figure 2.6.1: Complete process-data model of the Security Management process




Relationship with other ITIL processes

The Security Management Process, as stated in the introduction, has connections with almost all other ITIL processes. These processes are:

  • IT Customer Relations Management
  • Service Level Management
  • Availability Management
  • Capacity Management
  • IT Service Continuity Management
  • Configuration Management
  • Release Management
  • Incident & Service Desk
  • Problem Management
  • Change Management (ITSM)

In these processes, security-related activities are required. The process concerned and its process manager are responsible for these activities. However, Security Management gives the process concerned indications on how to structure these activities.



Example: internal e-mail policy

Internal e-mail is subject to a variety of security risks, requiring appropriate security plans and policies. In this example the ITIL Security Management approach is used to implement e-mail policies.

The Security management team is formed, and process guidelines are formulated and communicated to all employees and providers. These actions are carried out in the Control phase.

In the following phase, Plan, policies are formulated. The policies specific to e-mail security are formulated and added to the service level agreement. At the end of this phase the entire plan is ready to be implemented.

Implementation is carried out according to the plan.

After implementation, the policies are evaluated, either as a self-assessment or through an internal or external auditor.

In the Maintenance phase, the e-mail policies are adjusted based on the evaluation. Required changes are processed through Requests for Change.



See also

  • Infrastructure Management Services
  • ITIL v3
  • Microsoft Operations Framework
  • Information security management system
  • COBIT
  • Capability Maturity Model
  • ISPL
  • Information security




External links

  • Open Security Architecture
  • Microsoft Operations Framework
  • the ISO/IEC 17799 website
  • OGC website
  • IT Services Management Forum
  • ITIL definition site
  • ITIL Forum
  • ITIL Wiki
  • Maturity Model of Information Security Management

Source of the article : Wikipedia
