IT Services Security

Uploaded by spotlessstare (category: Security), 29 Nov 2013

Ing. Ivan Makatura (imakatura@vub.sk)

IT Environment Management
Faculty of Electronics and Informatics
Technical University in Košice

FEI TUKE - IT Service Management: IT Services Security

Introduction to ITSM/ITIL


What is ITSM?

- In order for companies in a competitive environment to achieve the objectives set by corporate strategy, they have to perform quality business processes.
- Modern business processes require high-quality services for their functioning.
- A condition for the proper functioning of IT services is a high-quality ICT infrastructure.
- A high-quality ICT infrastructure is not a sufficient condition for the proper functioning of IT services. It is also necessary to manage the way IT services are provided.
- The management of IT services is called IT Service Management (ITSM).
- ITSM content = the definition of the processes which should be implemented in the enterprise in order to ensure a continuous supply of quality IT services at optimal cost.

What is ITIL?

ITIL ("IT Infrastructure Library"):

- A comprehensive set of "best practices" for IT services.
- Contains a series of books intended to help organizations develop quality IT services.
- ITIL is owned and maintained by the OGC (UK Office of Government Commerce).
- It is not a methodology: neither a methodology for IT service management nor a methodology for its implementation in the organization.
- It is the global de-facto framework for ITSM.
- The ITIL framework for designing ITSM processes leaves much discretion in the implementation process.
- ITIL does not say "HOW" but "WHAT" is recommended to perform in ITSM.

ITIL characteristics

Process management
- ITIL uses a process-oriented approach to IT service management (as opposed to the traditional functional management).
- A process is a logical sequence of tasks transforming an input into a particular output; the performance of the individual tasks is ensured by roles with clearly defined responsibilities.
- The whole process is controlled, monitored, measured, evaluated and continuously improved.

Customer-oriented approach
- All processes are designed with customer needs in mind, i.e. every activity and every action in every process has to bring some added value to the customer.

Clear terminology
- Clear terminology is sometimes a less appreciated or entirely skipped characteristic of ITIL, but only until we first try to address the misunderstandings that result from someone using the same term in a different sense than we expect.

Platform independence
- The framework of ITSM processes according to ITIL is independent of any platform.

Public domain
- The library is freely available, meaning that anyone can buy the ITIL books and implement ITSM processes according to ITIL in their business.
- The free availability of the ITIL library, among other things, contributed to the rapid worldwide spread of ITIL.

ITIL advantages

- IT services become more customer-oriented.
- The quality of IT services is improved.
- The costs of IT services are more manageable.
- IT organizations evolve into manageable structures and become more efficient.
- Changes in ICT are simpler and clearer.
- There is a unified framework for internal communication with the IT organization.
- ICT processes are standardized and integrated.
- Auditable and verifiable performance and quality metrics for IT services are defined.

Standardization framework



IT security standardization

- ISO/IEC 20000: IT service management - Specification for service management
- ISO/IEC 17799: Code of Practice for Information Security Management
- ISO/IEC 27001: Information technology - Security techniques - Information security management systems: Code of Best Practices for Information Security Management
- ISO/IEC 27003: Information technology - Security techniques - Information security risk management
- ISO/IEC 15408: Information technology - Security techniques - Evaluation criteria for IT security

Relation between ITIL and ISO 20000 (a)

JTC1 - Information Technology

Subcommittee: Title
- JTC 1/SWG: Accessibility (SWG-A); the convener can be reached through the secretariat
- JTC 1/SC 2: Coded character sets
- JTC 1/SC 6: Telecommunications and information exchange between systems
- JTC 1/SC 7: Software and systems engineering
- JTC 1/SC 17: Cards and personal identification
- JTC 1/SC 22: Programming languages, their environments and system software interfaces
- JTC 1/SC 23: Digitally recorded media for information interchange and storage
- JTC 1/SC 24: Computer graphics, image processing and environmental data representation
- JTC 1/SC 25: Interconnection of information technology equipment
- JTC 1/SC 27: IT security techniques
- JTC 1/SC 28: Office equipment
- JTC 1/SC 29: Coding of audio, picture, multimedia and hypermedia information
- JTC 1/SC 31: Automatic identification and data capture techniques
- JTC 1/SC 32: Data management and interchange
- JTC 1/SC 34: Document description and processing languages
- JTC 1/SC 35: User interfaces
- JTC 1/SC 36: Information technology for learning, education and training
- JTC 1/SC 37: Biometrics

Relation between ITIL and ISO 20000 (b)

[Figure: JTC1 SC7 - Software and Systems Engineering, with working groups WG1A, WG2, WG4, WG6, WG7, WG10, WG19, WG20, WG21, WG22, WG23, WG24, WG25, WG26 and WG42. Highlighted areas: IT Governance (ISO 38500), SW Life-Cycle Processes (ISO 12207, ISO 15288) and IT Service Management (ISO 20000-1, ISO 20000-2).]

Relation between ITIL and ISO 20000 (c)

[Figure: JTC1 SC27 - IT Security Techniques, with working groups WG1 (ISMS: ISO 27001, ISO 27002), WG2 (Cryptography and security mechanisms), WG3 (Security evaluation criteria), WG4 (Security controls and services) and WG5 (Identity management and privacy technologies).]








Scope of ISO/IEC JTC1 / SC 27 (IT Security techniques)

- ISO/IEC JTC1 / SC 27 = SÚTN TK37 / SK02
- The subdivision of TK37 / SK02 into subcommissions is identical to that of JTC1 / SC 27

[Figure: the five SC 27 working groups - WG 1 "ISMS", WG 2 "Cryptography & Security Mechanisms", WG 3 "Security Evaluation", WG 4 "Security Controls & Services", WG 5 "Privacy, Identity & Biometric Security" - arranged along two axes: what is assessed (Product, System, Process, Environment) and what is produced (Assessment, Guidelines, Techniques).]

IT infrastructure library v.2


ITIL v2 library structure

- Mutual relations of the ITIL publications
- Relations of specific publications to business processes and the ICT infrastructure

[Figure (© OGC): between "The Business" and "The Technology" sit Planning to Implement Service Management, Application Management, Service Management (The Business Perspective, Service Delivery, Service Support), ICT Infrastructure Management and Security Management.]

Operational disciplines according to ITIL v2

Operational ITSM disciplines described in the Service Support book:

Service Desk (function)
- The purpose of the SD is to provide users with a focal point for addressing their requirements.
- This chapter describes how to create and run the SD as an effective communication channel between users and providers of IT services.

Configuration Management
- Provides a logical model of the infrastructure or services through the identification, management, administration and verification of all configuration items that are implemented.

Incident Management
- The process that ensures the fastest possible restoration of service and minimizes the consequences of service failures for the business.

Problem Management
- The process of discovering the underlying causes of incidents. Problem Management initiates fixes of security bugs in the ICT infrastructure and implements proactive measures to prevent problems.

Change Management
- The process that uses standardized methods and procedures to implement changes effectively and quickly. Its purpose is to minimize the occurrence of incidents caused by changes.

Release Management
- The process that ensures the successful deployment and distribution of changes in the ICT infrastructure. It ensures that both aspects of a deployment (technical and organizational) are consistent.

Tactical disciplines according to ITIL v2

Tactical ITSM processes described in the Service Delivery book:

Service Level Management
- Deals with planning, coordinating, drafting, concluding, monitoring and evaluating service support contracts (SLAs) with customers and contracts with subcontractors (OLAs and UCs). The aim is to manage and improve service quality and customer relationships.

Capacity Management
- Responsible for permanently ensuring an infrastructure of sufficient capacity so that it always meets all business requirements, both current and future.

Availability Management
- Responsible for achieving a level of availability of IT services that corresponds to the business requirements. It achieves this by measuring and monitoring the availability of IT services, comparing these values with the business requirements for availability, and then initiating steps leading to the attainment of the desired state.

IT Service Continuity Management
- The process of managing the capability to provide the defined service levels in the event of a system failure (from the failure of application components up to the complete loss of the conditions necessary for business).

Financial Management for IT Services
- Responsible for recording the costs of IT services, evaluating the return on investment in IT services, and the costs of all aspects of restoring operation. Provides the documentation for establishing ICT budgets and price lists.

ITIL v2 library - brief summary (a)

Service Support
- Description of the processes at the operational management level.
- The processes predominantly have the character of daily, routine operation.
- Summary: the processes described in the book support the daily operation and support of IT service users.

Service Delivery
- Description of the processes at the tactical management level.
- The processes predominantly have the character of long-term planning.
- Summary: the processes described in the Service Delivery book build relationships with customers and achieve their long-term satisfaction with the provision of IT services.

ICT Infrastructure Management
- Description of the processes relating to the management of the ICT infrastructure.
- The book addresses all aspects of ICT, from identifying business requirements through bidding to the testing, installation, implementation and maintenance of components in support of ICT services.

Application Management
- Description of the life-cycle processes of application software.
- The book deals with the processes from the initial feasibility studies through development, testing, creating documentation, user training, implementation into the production environment, running the applications and change control management, to the end of the application's use.

ITIL v2 library - brief summary (b)

The Business Perspective
- Books for business managers.
- Presents the basic principles of the ICT infrastructure needed to support business processes (e.g. IT Service Management).
- The book also includes the ITIL publication Quality Management for IT Services, which describes the correlation of ITSM processes with the provisions of quality management standards (ISO 9000).

Planning to Implement Service Management
- The book is intended for members of implementation teams.
- It describes the processes, tasks and problems associated with planning, implementing and improving IT Service Management processes.

Security Management
- The book describes the organization and management of ICT infrastructure security from the perspective of IT managers.
- It describes the process of planning and managing a defined level of information security for IT services, including all aspects related to the response to security incidents.

Software Asset Management
- The book describes the process for the management, control and protection of software assets in all stages of their life cycle.

IT infrastructure library v.3


ITIL v3 core

[Figure (© OGC): the ITIL v3 service life cycle - Service strategy at the centre, surrounded by Service design, Service transition and Service operation, enclosed by Continual service improvement.]

ITIL v3 library structure (© OGC)

Service strategy: Strategy generation, Service portfolio management, Demand management, Financial management

Service design: Service catalogue management, Service level management, Supplier management, Capacity management, Availability management, IT service continuity management, Information security management

Service transition: Service asset & configuration management, Knowledge management, Change management, Release & deployment management, Transition planning & support, Service validation & testing, Evaluation

Service operation: Event management, Incident management, Access management, Problem management, Service desk, Application management, Technical management, IT operations management

Continual service improvement: Service measurement, Service reporting, 7-step improvement process

Basic differences between ITIL v2 and ITIL v3 (a)

- Changes in concept: the service life cycle is dominant.
- Changes in scope: new processes added - "Demand Management", "Test Management", "Supplier Management", "Event Management" and others.
- Changes in terminology: the definition of a service, the process definition of "Service Management", the new terms Catalogue/Portfolio of services and DSL/DML.
- Changes in the position of IT services: traceability to the business.
- Changes in structure: the CSI process has its own individual position.
- Good Practice instead of Best Practice.
- A new understanding of customer service: a combination of "utility" (utility) and "guarantees" (warranty).

[Figure: the ITIL v2 library structure (The Business, The Technology, Planning to Implement Service Management, Application Management, Service Management with The Business Perspective, Service Delivery and Service Support, ICT Infrastructure Management, Security Management) beside the ITIL v3 life cycle (Service strategy, Service design, Service transition, Service operation, Continual service improvement).]

Relations of ITSM processes and IT security processes

Security process

- Security = maintaining an acceptable level of identified risk.
- A complex of processes and activities to avert or reduce the identified risks, or the manifestations of threats that affect information assets.
- Security is not a closed state, nor a product. Security is an ongoing, continuous process.

[Figure: the security cycle - Evaluation, Protection, Detection, Reaction.]

Basic goals of IT security (C-I-A-A)

- Confidentiality (authorized personnel access only)
- Integrity (data protection against modification)
- Availability (reliable and prompt access to data)
- Accountability (unambiguous identifiability of data access...)

Examples of incidents in individual categories

Layered model of information protection

[Figure: concentric layers Internet / exterior - Perimeter - Network - Host - Application - Data (information assets), with the security program (monitoring procedures, reporting and escalation, incident management, forensic evidence) spanning all layers; controls shown include firewalling, VPNs, intrusion detection, premises and entrance security, routing, extranets, intranets, LAN/WAN traffic, OS monitoring, vulnerability checking, application controls and database monitoring.]

Security levels

Non-restrictive policy:
- Benevolent: everything is allowed, including that which should not be.
- Liberal: everything is allowed except activities which are explicitly disabled.

Restrictive policy:
- Careful: everything is disabled except activities which are explicitly allowed.
- Paranoid: everything is disabled, including activities which should be allowed.
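As an added example (not from the slides), the following Python models the four security levels above as default-allow versus default-deny postures and evaluates the same constructed requests under each. The activity names, rule sets and users are constructed; the point it shows is that an activity nobody wrote a rule for is what separates a liberal policy from a careful one.

```python
# Added example (not from the slides): a toy request filter that models the
# four security levels as default-allow vs default-deny postures. Rule sets,
# activity names and requests are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Posture(Enum):
    BENEVOLENT = "benevolent"  # everything allowed, deny rules ignored
    LIBERAL = "liberal"        # default allow, explicit deny list honoured
    CAREFUL = "careful"        # default deny, explicit allow list honoured
    PARANOID = "paranoid"      # everything denied, allow rules ignored


@dataclass(frozen=True)
class Request:
    user: str
    activity: str  # e.g. "https-out"; constructed labels


@dataclass
class Policy:
    posture: Posture
    allow: frozenset = frozenset()  # explicit allow list (activities)
    deny: frozenset = frozenset()   # explicit deny list (activities)

    def decide(self, req: Request) -> tuple[bool, str]:
        """Return (allowed, reason) for one request under this posture."""
        if self.posture is Posture.BENEVOLENT:
            return True, "benevolent: allowed regardless of deny list"
        if self.posture is Posture.PARANOID:
            return False, "paranoid: denied regardless of allow list"
        if self.posture is Posture.LIBERAL:
            if req.activity in self.deny:
                return False, "liberal: explicitly denied"
            return True, "liberal: not on deny list, default allow"
        # CAREFUL: only what is explicitly allowed passes
        if req.activity in self.allow:
            return True, "careful: explicitly allowed"
        return False, "careful: not on allow list, default deny"


# Constructed rule sets. "p2p-out" appears in neither list: the posture alone
# decides what happens to an activity nobody wrote a rule for.
ALLOW_RULES = frozenset({"https-out", "dns-out", "ssh-in-admin"})
DENY_RULES = frozenset({"telnet-in", "smb-out"})

SAMPLE_REQUESTS = [
    Request("alice", "https-out"),
    Request("bob", "telnet-in"),
    Request("carol", "p2p-out"),  # unknown activity, no rule either way
    Request("admin", "ssh-in-admin"),
]


def evaluate(policy: Policy, requests) -> dict[str, bool]:
    """Map each activity to its decision under the given policy."""
    return {r.activity: policy.decide(r)[0] for r in requests}


def compare_postures(requests=SAMPLE_REQUESTS) -> dict[str, dict[str, bool]]:
    """Decisions for every posture, using the same rule sets and requests."""
    return {
        p.value: evaluate(Policy(p, ALLOW_RULES, DENY_RULES), requests)
        for p in Posture
    }


def unknown_activity_gap(requests=SAMPLE_REQUESTS) -> list[str]:
    """Activities covered by no rule: where liberal and careful disagree."""
    return [r.activity for r in requests
            if r.activity not in ALLOW_RULES and r.activity not in DENY_RULES]


if __name__ == "__main__":
    for posture, decisions in compare_postures().items():
        print(posture, decisions)
    print("no rule for:", unknown_activity_gap())
```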

Relations between security attributes according to ISO/IEC 15408

[Figure (© Common Criteria for Information Technology Security Evaluation: Security concepts and relationships): relations between the basic terms of IT security according to the Common Criteria.]

IT security according to ITIL

- ITIL requires effective information security measures implemented at the strategic, tactical and operational levels.
- Information security is considered an iterative process that must be controlled, planned, implemented, tested and maintained.
- ITIL divides information security into separate parts:
  - Policy: the overall objectives which the organization wants to achieve
  - Processes: what should be done to achieve the objectives
  - Procedures: who does what, and when, to achieve the objectives
  - Work instructions: instructions for specific activities
- ITIL defines information security as a complex, cyclical process of continuous review and improvement.


IT security according to ITIL

1. The recipients of ICT services identify their security requirements through a risk analysis.
2. The IT department assesses the suitability of the requirements and compares them with the minimum requirements for information security.
3. The recipients of ICT services and the IT department together define formally agreed service levels (Service Level Agreement - SLA):
   1. The SLA contains a definition of the requirements for information security in clear, measurable terms and values.
   2. The SLA specifies how it can be proven that the agreed level of information security is met.
4. The IT department and the contractors' organizations jointly define and agree a formal Operational Level Agreement (OLA).
5. The OLA specifies in detail how the information security services are to be ensured. The SLA and OLA are continuously monitored and enforced.
6. Subscribers receive regular ICT service reports on the effectiveness and state of the services and of information security.
7. The SLA and OLA are continuously adjusted if necessary.

IT security: ITIL v2 vs. ITIL v3

Differences in the information security processes according to ITIL v2 and ITIL v3:

ITIL v2:
- "Information security management" does not exist as an individual discipline of ITSM.
- Processes related to information security are described in one book: Security Management.
- Information security processes are divided into two main segments: setting the base level of security by the SLA, and implementation of the security requirements defined in the SLA.

ITIL v3:
- "Information security management" is understood as an individual discipline of ITSM.
- Processes related to information security are integrated into most processes.
- Information security processes are incorporated into all parts of the Service Design book: Service Catalogue Management (Section 4.1, p. 60), Service Level Management (Section 4.2, p. 65), Capacity Management (Section 4.3, p. 79), Availability Management (Section 4.4, p. 97), IT Service Continuity Management (Section 4.5, p. 125), Information Security Management (Section 4.6, p. 141).

Common features of the information security process according to ITIL v2 and ITIL v3:
- Information security processes are based on standards: ISO/IEC 17799 (Code of Practice for Information Security Management) and ISO/IEC 27001 (Information Security Management Systems standard).
- A security incident is seen as a subset of the Incident Management process.
- Vulnerability management is viewed as a subset of the Problem Management process.

IT Service Continuity Management - ITSCM (ITIL v3)

The main goal of the ITSCM process:
- Full support of the Business Continuity Management process, ensuring the required replacement of equipment within the required and agreed timescales.
- "IT Service Continuity" relates to the management of the organization's ability to continuously provide a predetermined and agreed minimum level of ICT services, so as to sustain business processes in the event of failure of the current ICT services.

The ITSCM process includes:
- Ensuring the sustainability of business processes by reducing the impact of large-scale emergency outages or errors.
- Reducing vulnerability and risk through effective risk analysis and risk management.
- Prevention of loss of customer confidence.
- Development of recovery plans for ICT equipment, suitably harmonized with the customer's business continuity plans.

Information Security Management - ISM (ITIL v3)

The main objective of the ISM process: align information security with business security and ensure that information security is managed effectively across all service areas and in all ITSM activities.

The ISM process includes:
- An information security policy and specific security policies aimed at all aspects of strategy, control and regulation.
- The ISMS (Information Security Management System), containing the standards, procedures and guidelines supporting the policy.
- A comprehensive security strategy, linked with the commercial objectives, strategies and plans.
- An effective organizational structure for security.
- A set of control mechanisms to support the security policy.
- Management of security risks.
- Monitoring processes to ensure compliance and provide feedback.
- A communication strategy and security plan.
- A training and awareness plan for users.

ISM process according to the Service Design book (a)

- Development and maintenance of an information security policy and supporting specific policies.
- Ensuring proper authorization, a formal expression of commitment and approval by senior IT management and business management.
- Communication of the information security policies to all stakeholders to whom they apply.
- Ensuring that the information security policy is enforced and observed.
- Identification and classification of information assets (configuration items) and their desired level of control, management and protection.
- Carrying out a BIA (Business Impact Analysis).
- Carrying out security risk analysis and risk management, and linking them to Availability Management and IT Service Continuity Management.
- Design and development of security plans.
- Design and documentation of procedures for the operation and maintenance of security.
- Monitoring and management of all security breaches, incident management (incident handling), including corrective actions to prevent recurrence of the incident.

Source: ITIL V3 Pre Reading Notes V1.60, p. 36, Copyright of Purple Griffon 2007 ©

ISM process according to the Service Design book (b)

- Reporting, analysis and minimization of the impact and extent of any security incidents, together with the Problem Management process.
- A model for the education and awareness of users.
- Security control and monitoring of the security documentation.
- Review and auditing of all processes.
- Ensuring that all changes are reviewed for their impact on information security, including the information security policy, and convening CAB (Change Advisory Board) meetings whenever necessary.
- Carrying out security tests.
- Strict compliance with the additional security checks in the action plan for a previous violation of the security rules.
- Ensuring that the confidentiality, integrity and availability of services are maintained at the level agreed in the SLA, and that they are adapted to all relevant legislative requirements.
- Ensuring that all third-party access, as well as suppliers of ICT services, are appropriate and contractually based.
- Acting as the local point of contact for all security incidents.

Service Level Agreement - SLA

- An SLA is a formal, written agreement which documents the level of services, including information security services.
- The SLA is a key part of the information security process in the ITIL framework.
- The SLA should include performance indicators (Key Performance Indicators - KPIs) and performance criteria.

A typical SLA contract should include:
- Permitted methods of access to information assets
- Agreement on how auditing and log management are performed
- The level of physical security
- The method of training and user awareness of information security
- A general description of the life cycle of identities, authentication methods and authentication procedures
- Agreement on the mode of handling security incidents
- The requirements for audit and reporting
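As an added example (not from the slides or from ITIL), the following Python computes two measurable SLA values from constructed records, the availability of a service against a target and the first-response time for high-severity security incidents, and reports whether the agreed level was met. It serves both the numbered SLA steps earlier (requirements in measurable terms and values, and proving the agreed level is met) and the KPI requirement on this slide; all KPI names, targets and record values are constructed, and planned maintenance is excluded from the availability figure as an assumption of this example.

```python
# Added example (not from the slides): checking constructed SLA KPIs, service
# availability and security-incident response time, against constructed targets.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    planned: bool  # assumption: planned maintenance does not count as downtime


@dataclass(frozen=True)
class SecurityIncident:
    detected: datetime
    responded: datetime  # provider's first response
    resolved: datetime
    severity: str        # "high", "medium" or "low"


@dataclass(frozen=True)
class SlaTargets:
    availability_pct: float     # minimum availability over the reporting period
    high_response: timedelta    # max time to first response, high severity
    high_resolution: timedelta  # max time to resolution, high severity


def availability_pct(outages: list[Outage], start: datetime, end: datetime) -> float:
    """Availability over [start, end): unplanned downtime as a share of the period.
    Outages straddling the period boundary are clipped to the period."""
    period = (end - start).total_seconds()
    down = 0.0
    for o in outages:
        if o.planned:
            continue
        overlap = (min(o.end, end) - max(o.start, start)).total_seconds()
        if overlap > 0:
            down += overlap
    return 100.0 * (1.0 - down / period)


def high_severity_breaches(incidents, targets: SlaTargets):
    """Return (response_breaches, resolution_breaches) among high-severity incidents."""
    high = [i for i in incidents if i.severity == "high"]
    resp = [i for i in high if i.responded - i.detected > targets.high_response]
    reso = [i for i in high if i.resolved - i.detected > targets.high_resolution]
    return resp, reso


def sla_report(outages, incidents, targets, start, end) -> dict:
    """Measured values beside the agreed targets, plus an overall verdict."""
    avail = availability_pct(outages, start, end)
    resp, reso = high_severity_breaches(incidents, targets)
    report = {
        "availability_pct": round(avail, 3),
        "availability_met": avail >= targets.availability_pct,
        "high_response_breaches": len(resp),
        "high_resolution_breaches": len(reso),
    }
    report["sla_met"] = report["availability_met"] and not resp and not reso
    return report


# Constructed reporting period (January 2024, 31 days) and records.
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 2, 1)
OUTAGES = [
    Outage(datetime(2023, 12, 31, 23, 30), datetime(2024, 1, 1, 0, 15), planned=False),  # 15 min inside period
    Outage(datetime(2024, 1, 10, 2, 0), datetime(2024, 1, 10, 2, 30), planned=False),     # 30 min
    Outage(datetime(2024, 1, 20, 1, 0), datetime(2024, 1, 20, 5, 0), planned=True),       # excluded
]
INCIDENTS = [
    SecurityIncident(datetime(2024, 1, 5, 9, 0), datetime(2024, 1, 5, 9, 10), datetime(2024, 1, 5, 12, 0), "high"),
    SecurityIncident(datetime(2024, 1, 12, 14, 0), datetime(2024, 1, 12, 14, 45), datetime(2024, 1, 12, 18, 0), "high"),
    SecurityIncident(datetime(2024, 1, 18, 10, 0), datetime(2024, 1, 18, 12, 0), datetime(2024, 1, 19, 10, 0), "medium"),
]
TARGETS = SlaTargets(availability_pct=99.9, high_response=timedelta(minutes=30),
                     high_resolution=timedelta(hours=8))


def evaluate_sample() -> dict:
    """Report for the constructed records: 45 min unplanned downtime in a 31-day month."""
    return sla_report(OUTAGES, INCIDENTS, TARGETS, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    print(evaluate_sample())
```

With these records the month falls just short of 99.9 % (45 minutes of unplanned downtime against a budget of about 44.6 minutes) and one high-severity incident exceeds the 30-minute response target, so the report flags the SLA as not met.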

Security documentation according to ITIL

Documentation requirements for information security in accordance with ITIL:

- Service Level Agreement (SLA): a formal agreement on the level of services, including information security.
- Operational Level Agreement (OLA): a detailed specification of how the information security services are to be ensured.
- Information security policy:
  - The objectives and scope of information security for the organization
  - The objectives and management principles for information security management
  - The definition of roles and responsibilities for information security
  - The security policy should be issued by the organization's senior management.
- Information security plans:
  - Description of how to implement the policies in specific information systems, processes and organizational units.
- Information security handbook:
  - Working documents for everyday use
  - Specific, detailed work instructions

How ITIL can improve the level of information security (a)

- ITIL keeps information security continually focused on the business and its services.
  - Information security is often perceived as just another cost, or as a barrier to entry or to business functions.
  - With the help of ITIL, the owners of business processes and the IT service providers agree on the level of information security, ensuring that services are aligned with business needs.
- ITIL allows organizations to develop and implement information security in a structured manner, based on best practice (good practice).
  - Information security shifts from a reactive to a proactive and preventive process.
  - ITIL's requirement for continuous assessment provides a continuous review of the effectiveness of changes in terms of reducing the level of risk and threat.
- ITIL establishes documented processes and standards (e.g. SLA and OLA), which can be effectively monitored and audited.
  - It helps an organization assess the effectiveness of its own information security program and compare it with regulatory requirements (such as NBS, NSA, ÚOOÚ, Basel II, SOX).
- ITIL provides the foundation upon which information security can be built.
  - Many ITIL disciplines (e.g. Change Management, Configuration Management and Incident Management) can substantially increase the level of information security (e.g. a significant number of incidents are caused by inadequate management of change).

How ITIL can improve the level of information security (b)

- The organized ITIL framework prevents a subjective, spontaneous and chaotic implementation of information security processes.
  - ITIL requires designing and building consistent, measurable information security processes for ICT services before an incident occurs. This really saves time, money and effort.
- The reporting required within ITIL provides management with valuable information about the effectiveness of their organization's information security.
  - Reporting allows management to make informed decisions regarding the management of operational risk.
- ITIL defines roles and responsibilities in information security.
  - During any incident it is then clear who is responsible for what and who has done what.
- ITIL establishes a common language for discussing information security; security personnel can communicate more effectively with internal and external professional partners.
  - Other groups of employees can more easily understand the discussion of information security with security personnel.
- ITIL helps managers understand that information security is a key part of successful business processes and of a well-functioning organization.

Summary

- Requirements for information security are growing in scope, complexity and importance.
- It is risky, costly and inefficient for an organization to have information security based on subjectively developed solutions.
- With ITIL it is possible to replace these processes with standardized, integrated processes based on best practice (good practice).
- Although it takes time and effort, ITIL can improve how the organization implements and manages information security.

itSMF

- itSMF (IT Service Management Forum) is an international, non-profit and independent organization of professionals dedicated to all aspects of services in information and communication technologies.
- itSMF is perceived as the professional association of users of the ITIL standard, which significantly affects the development of the industry.
- itSMF Slovakia is a fully-fledged part of the worldwide network of itSMF International.

Secretariat: itSMF Slovensko, Dlhá 2/B, 900 31 Stupava
E-mail: itsmf@itsmf.sk
Web (Slovakia): www.itsmf.sk
Web (International): www.itsmf.org

Ivan Makatura
Chief Security Officer
VÚB Banka a.s.
imakatura@vub.sk