ITSM and Information Security
Bridging the Gap
Declan Nolan, Devoteam UK
About Devoteam
www.devoteam.co.uk
Information Security in the news
Weak security policies
Hackers exploiting weak WiFi security
10/22/2009
Failure in the disposal process
Use of unencrypted USB drive
Unenforced policy
Conference Theme
Overview
Fundamentals of Information Security
Confidentiality: Is the information only accessible by authorised personnel?
Integrity: Can we be sure that the information has not been tampered with?
Availability: Is the information available when I need it?
Frameworks for Information Security
ISO/IEC 27000 Series
ISO/IEC 27002 has evolved from BS 7799 / ISO 17799
ISO/IEC 27002 Sections
Risk Assessment & Treatment
Security Policy
Organisation of Information Security
Asset Management
HR Security
Physical & Env. Security
Comms & Ops Mgmt
Access Control
IS Acquisition, Dev & Maint.
Information Security Incident Mgmt
Business Continuity Mgmt
Compliance
Mapping ITIL to ISO 27002
ITIL Version 3 processes:
Service Design: Service Level Mgmt, Capacity Mgmt, IT Service Continuity Mgmt, Information Security Mgmt
Service Transition: Change Mgmt, Service Asset & Config. Mgmt, Release Mgmt, Service Validation & Testing
Service Operation: Event Mgmt, Incident Management, Request Fulfilment, Problem Mgmt, Access Management
ISO/IEC 27002 sections: Risk Assessment & Treatment, Security Policy, Organisation of Information Security, Asset Management, HR Security, Physical & Env. Security, Comms & Ops Mgmt, Access Control, IS Acquisition, Dev & Maint., Information Security Incident Mgmt, Business Continuity Mgmt, Compliance
Information Security Management (ITIL): to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities.
Information security is an integral part of all IT services and all ITSM processes.
Access Management (ITIL): provides the right for users to be able to use a service or group of services.
Mind the Gap
Strategy, Development, Operations, Risk, Organisation
The cost of misalignment
Inefficiency, Increased risk, Conflict, Extra cost
Overlaps and Integrations
IT Service Management (ITIL v3) | Integration area | Security Management (ISO 2700x)
Service Asset & Config. Mgmt | Asset & Config. Mgmt | Asset Mgmt
Incident & Problem Mgmt | Incident Mgmt | Information Security Incident Mgmt
Change Mgmt | (risk-based change analysis) | Risk Assessment & Treatment
Access Mgmt | Identity & Access Mgmt | Access Control
Asset & Configuration Management
Record information assets in the CMDB
Relate information CIs to infrastructure CIs
Record roles in the CMDB and link to people & information assets
Enhanced attributes for information assets: Data classification (sensitivity & impact), Information Asset Owner (IAO), Risks (Threats & Vulnerabilities), Risk owner
Integration area: Asset & Config. Mgmt; building blocks: CMDB, Roles
Incident Management
Consolidate security incident management
Relate to infrastructure (information assets / CIs)
Apply problem management processes to security
Consolidated Incident Management System: workflows, reporting, assignment, SLAs etc.
Integration area: Incident & Problem Mgmt / Incident Mgmt / Information Security Incident Mgmt; building blocks: Problem Management, CMDB, Roles
Change Management and Risk Assessment
Utilise existing risk assessment approach for Changes (e.g. ISO/IEC 27005)
Analyse Changes in relation to risks to information assets
Link Changes to initiating risk assessments
Integration area: Change Mgmt / Risk Assessment & Treatment; building blocks: Changes linked to Risks, CMDB, Roles
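As an added example (not from the deck or any Devoteam/ITIL tooling) tying the Asset & Configuration Management and Change Management slides together: a toy CMDB that stores the proposed enhanced attributes on information assets, relates information CIs to infrastructure CIs and roles to people, and answers the change-assessment question "which information assets, classifications, IAOs and risk owners does a change to this infrastructure CI touch?". All CI names, roles, people and risks are constructed sample data.

```python
# Added example (constructed data, not from the deck or any vendor tool): a toy
# CMDB with the proposed "enhanced attributes" on information assets, answering
# "which information assets and risk owners does a change to this infra CI touch?"
from collections import namedtuple
from dataclasses import dataclass, field
# Risk owner is a role; the CMDB role table resolves it to the current holder.
Risk = namedtuple("Risk", "threat vulnerability owner_role")
@dataclass
class InformationAsset:
    name: str
    classification: str   # data classification: sensitivity
    impact: str           # business impact if compromised
    iao_role: str         # Information Asset Owner (IAO) role
    hosted_on: set = field(default_factory=set)   # infrastructure CI names
    risks: list = field(default_factory=list)     # list of Risk
class CMDB:
    def __init__(self):
        self.assets = {}       # information CIs by name
        self.depends_on = {}   # infra CI -> set of infra CIs it runs on
        self.roles = {}        # role -> current holder (the link to people)
    def dependants_of(self, ci):
        """Infra CIs that transitively run on `ci`, including `ci` itself."""
        found, todo = {ci}, [ci]
        while todo:
            cur = todo.pop()
            for name, deps in self.depends_on.items():
                if cur in deps and name not in found:
                    found.add(name); todo.append(name)
        return found
    def change_impact(self, ci):
        """Per affected asset: (name, classification, impact, IAO, risk owners)."""
        affected, report = self.dependants_of(ci), []
        for a in self.assets.values():
            if a.hosted_on & affected:
                owners = sorted({self.roles.get(r.owner_role, r.owner_role) for r in a.risks})
                report.append((a.name, a.classification, a.impact,
                               self.roles.get(a.iao_role, a.iao_role), owners))
        return sorted(report)
def build_sample():  # constructed: two information assets on a small infra stack
    db = CMDB()
    db.depends_on = {"san-01": set(), "vmhost-02": {"san-01"},
                     "hr-app-srv": {"vmhost-02"}, "web-srv": set()}
    db.roles.update({"HR Director": "A. Patel", "CISO": "J. Lee"})
    db.assets["Payroll records"] = InformationAsset(
        "Payroll records", "CONFIDENTIAL", "HIGH", "HR Director", {"hr-app-srv"},
        [Risk("data theft", "unencrypted backups", "CISO")])
    db.assets["Public website"] = InformationAsset(
        "Public website", "PUBLIC", "LOW", "Marketing Lead", {"web-srv"})
    return db
```

Calling `build_sample().change_impact("san-01")` walks the dependency chain up to the HR application and reports the confidential payroll asset with its IAO and risk owner, while a change to the web server reports only the public website.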
Identity & Access Management
Use Enterprise Role Management as a starting point
Integrate user provisioning tools with Service Request Management
Define an IAM strategy and roadmap
Integration area: Access Mgmt / Identity & Access Mgmt / Access Control; building blocks: Enterprise Role Management, Provisioning and SRM integration, IAM Strategy
In Summary
A combined ITSM and information security approach will add value
Be pragmatic: focus on some key areas initially
Look to integrate technology in order to facilitate process integration
Useful Links and Sources
Everything you wanted to know about the ISO 27000 series: www.iso27001security.com
ITIL v3 Service Design & Service Operation books
ITGI: Aligning COBIT 4.1, ITIL V3 and ISO/IEC 27002 for Business Benefit
http://www.itgi.org/Template_ITGI.cfm?Section=Recent_Publications&Template=/ContentManagement/ContentDisplay.cfm&ContentID=45948
ISACA: Information Systems Audit and Control Organisation, www.isaca.org
Contact me: [email protected]