Information Security and Service Management. Security and Risk Management ISSM and ITIL/ITSM Interrelationship

Similar documents
San Francisco Chapter. Cassius Downs Network Edge LLC

Data center automation: realizing rapid value. Automation and business transformation. Business white paper

HP Fortify Software Security Center

HPE Datacenter Care for SAP and SAP HANA Datacenter Care Addendum

HPE File Data Migration Service

Integrating ITIL and COBIT 5 to optimize IT Process and service delivery. Johan Muliadi Kerta

Break the network innovation gridlock

HPE Network Transformation Experience Workshop Service

An Executive Overview of ITIL v3

Certified Information Security Manager (CISM) Course Overview

White Paper. View cyber and mission-critical data in one dashboard

Accelerate Your Enterprise Private Cloud Initiative

EXIN Expert in IT Service Management based on ISO/IEC Preparation Guide

HPE 3PAR StoreServ Data Migration Service

Contents. viii. List of figures. List of tables. OGC s foreword. 3 The ITIL Service Management Lifecycle core of practice 17

HPE Data Center Operations Consulting Service

HPE GO4SAP Getting Orchestrated for SAP Automate SAP Basis Management Enterprise-scale end-to-end

The Presentation Will Begin At 12PM EST

HP Device as a Service (DaaS)

ITIL : the basics. Valerie Arraj, Compliance Process Partners LLC. AXELOS.com. The APM Group and The Stationery Office 2013

Contents. List of figures. List of tables. 5 Managing people through service transitions 197. Preface. Acknowledgements.

Implementing ITIL v3 Service Lifecycle

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Information Security Continuous Monitoring (ISCM) Program Evaluation

itsmf ITIL V3: Accelerate Success with Tools Maria A Medvedeva, PMP, ITIL Regional Director CA, Inc. itsmf Middle East Board of Directors

"Charting the Course... ITIL 2011 Managing Across the Lifecycle ( MALC ) Course Summary

WHO SHOULD ATTEND? ITIL Foundation is suitable for anyone working in IT services requiring more information about the ITIL best practice framework.

INTELLIGENCE DRIVEN GRC FOR SECURITY

Goals for Today s Presentation

THE POWER OF TECH-SAVVY BOARDS:

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Achieving ICT Service Management Excellence with ITIL and ISO20000 Frameworks

FDIC InTREx What Documentation Are You Expected to Have?

ARCHITECT. HP ExpertONE. new solutions for change. HP ExpertONE Networking Certification

The Experience of Generali Group in Implementing COBIT 5. Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA

Consolidation Committee Final Report

HPE 3PAR Performance and Capacity Trending Service

TEL2813/IS2820 Security Management

What is ITIL. Contents

John Snare Chair Standards Australia Committee IT/12/4

ITIL Managing Across the Lifecycle Course

What is ISO/IEC 27001?

Company Overview. global-lynx. Version: September 30, 2015

BREAK THE CONVERGED MOLD

HPE 3PAR Remote Copy Extension Software Suite Implementation Service

ISO/ IEC (ITSM) Certification Roadmap

HP D6000 Disk Enclosure Direct Connect Cabling Guide

Defining the Challenges and Solutions. Resiliency Model. A Holistic Approach to Risk Management. Discussion Outline

HP BladeSystem Matrix

HP S1500 SSL Appliance. Product overview. Key features. Data sheet

Automating the Top 20 CIS Critical Security Controls

Register for this Exam You need an HPE Learner ID and a Pearson VUE login and password.

Security and Privacy Governance Program Guidelines

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

INFORMATION ASSURANCE DIRECTORATE

CISM Certified Information Security Manager

How to get the Enterprise to Understand the Value of Security

HP Virtual Server Environment Reference Architecture: Shared Infrastructure for Databases

Continuous Monitoring and Incident Response

NCSF Foundation Certification

A Public-Sector Guide to UPS Procurement

Overview. Business value

Framework for Improving Critical Infrastructure Cybersecurity

HPE Aruba Airwave Installation and Startup Service

Information technology Service management. Part 11: Guidance on the relationship between ISO/IEC :2011 and service management frameworks: ITIL

Dell helps you simplify IT

Assessing performance in HP LeftHand SANs

ISSA Guidelines on Information and Communication Technology: Overview

HP StorageWorks LTO-5 Ultrium tape portfolio

PREPARE FOR TAKE OFF. Accelerate your organisation s journey to the Cloud.

The Business Case for Virtualization

HPE Factory Express and Deployment Service for HPE ConvergedSystem 700 solutions

Predstavenie štandardu ISO/IEC 27005

Why you should adopt the NIST Cybersecurity Framework

ITIL and IT Service Management

HP Storage Mirroring Application Manager 4.1 for Exchange white paper

Improve testing for customer services and service management

HPE Factory Express Customized Integration with Onsite Startup Service

IDE Connector Customizer Readme

HPE IT Operations Management (ITOM) Thought Leadership Series

Aligning IT, Security and Risk Management Programs. Ahmed Qurram Baig, CISSP, CBCP, CRISC, CISM Information Security & GRC Expert

Security Management Models And Practices Feb 5, 2008

The HP 3PAR Get Virtual Guarantee Program

EXIN Specialist in IT Service Management based on ISO/IEC Preparation Guide

Enabling efficiency through Data Governance: a phased approach

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

How to prepare for a seamless Windows 10 migration. Windows 7 end of support is due on January 14, are you ready?

COBIT 5 With COSO 2013

Improving Cybersecurity through the use of the Cybersecurity Framework

HPE Security ArcSight Connectors

Optimizing Infrastructure Management with Predictive Analytics: The Red Hat Insights Approach

Sales Certifications

COBIT 5 Implementation

Rethinking Information Security Risk Management CRM002

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

2 The IBM Data Governance Unified Process

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Retired. Microsoft SQL Server 2008 R2 Overview

Manchester Metropolitan University Information Security Strategy

Transcription:

Information Security and Service Management for Management better business for State outcomes & Local Governments Security and Risk Management ISSM and ITIL/ITSM Interrelationship

Introduction Over the last decade, there has been a radical change in change the way in the organizations way organizations operate. operate. IT Public executives sector bear IT executives greater responsibility bear greater and responsibility accountability and accountability than than ever ever before. before. Corporate Agency executives and managers boards no of longer directors view no IT longer merely view as a IT provider merely as a provider of technology, of technology, responsible responsible for maintenance for maintenance and and support. support. IT is IT a partner is now a in full-fledged delivering business the mission unit that, along of the with agency. Finance, Engineering, and other business units, contributes to the success of the enterprise. For agencies and organizations to achieve In meaningful this new era, service information outcomes, technology technology is more and aptly described agency decision as business makers technology need to align and their results goals IT produces and strategies are measured more closely strictly while in terms dealing of the with business an outcomes increasing they amount support of technologies, and/or deliver. threats, and regulatory compliance requirements. For organizations and companies to achieve meaningful Therefore organizations business outcomes, need to technology build and and run business an integrated decision service makers management need to align system their that goals and addresses strategies security more and closely risk while management dealing as with well an increasing the regulatory amount compliance of technologies, imposed threats, on the andagency regulatory while ensuring compliance that agreed requirements. services are provided to internal and external customers and managed end-to-end. Standards Therefore organizations that can be leveraged need to build for such and run an integrated service management system that include addresses ISO 9001 security (processes), and risk management ISO/IEC 20000 as well (service as the management), compliance ISO/IEC imposed 27001 on (security), the business COBIT while (IT ensuring organi- regulatory zations), that agreed and services many others. are provided These standards to customers typically and provide managed a end-to-end control framework at maintained for a given levels topic of and scope competitive without advantage significant in and chosen detailed markets. guidance on how to implement the control framework. For Standards that can be leveraged for such integrated implementation, agencies are also turning to sources service management system include ISO 9001 of industry best practice such as ITIL (from the British (processes), ISO/IEC 20000 (service management), Government) and CMMI (from the Software Engineering Institute of Carnegie Mellon). ISO/IEC 27001 (security), COBIT (IT organizations), and many others. These standards typically provide a control This framework white paper for a given describes topic and how scope HP is without helping customers significant and to build detailed and run guidance information on how to security implement management the control framework. system using For implementation, the HP Information companies Security are also turning Service to Management sources of industry (ISSM) best Reference practice such Model as ITIL (from as an the integral British part Government) of a service and management CMMI (from system the Software provided Engineering by the HP Institute Service of Carnegie Management Mellon). Framework which is bringing together relevant international This white paper standards describes with how HP HP and is industry helping best customers practices. to build and run an information security management system using the HP Information Security Service Management (ISSM) Reference Model as an integral part of a service management system provided by the HP Service Management Framework which is bringing together relevant international standards with HP and industry best practices. 2

Figure 1. HP Service Management Framework Regulatory environment Maturity Supplier Supporting services Governance Service lifecycle management Resource and capability management Continual improvement Services Customer Competitive environment An Integrated Service Management System Hewlett-Packard (HP) has developed the HP Service Management Framework to provide an integrated service management system for agreed, predictable, predictable, consistent and consistent delivery delivery of services of services that balance that bal- and performance, performance, quality, quality, risk and risk cost. and It cost. reduces It reduces complexity, brings organizations up-to-speed quickly and takes everything service providers need to to do to to mitigate operational risk risk and and drive drive positive positive business business outcomes into account. into account. With With this framework, this framework, executives outcomes responsible executives responsible for generating for generating positive results positive through results business through information technology technology can understand can understand the requirements the and requirements best practices and best required practices for effective required service for effective management service management better. better. The HP Service Management Framework is is a holistic approach for service providers that want to build and run and an run effective an effective service service management management system. system. The framework The framework organizes organizes the service the service assets assets within within a service provider a service (for provider example, (for people, example, processes people, and processes technology) and technology) and brings and brings together together international international standards (for example, ISO/IEC 27001, ISO/IEC 20000), industry best practices (for example, ITIL v3, standards (for example, ISO/IEC 27001, ISO/IEC COBIT, 20000), CMMI) industry and best HP practices best practices (for example, (for ITIL v3, example, COBIT, CMMI) HP Information and HP best Security practices Service (for example, HP Management Information Security (ISSM) Service Reference Management Model, IT (ISSM) Governance Reference Model, Capability IT Governance Model and Capability the HP IT Model Service and the Management HP IT Service Management Reference Model). Reference Model). The purpose of the HP Service Management Framework is to help enterprises: Position themselves correctly as as service providers with appropriate providers with inputs appropriate and outputs inputs Provide and outputs consistent quality services that will achieve desired Provide business consistent outcomes quality services that will Manage achieve desired all of the outcomes service assets required Understand Manage all the of the many service standards assets and required sources of best practice Understand for service the many management standards and Transform sources of themselves best practice into for a strategic service partner to the business management HP s Transform Service themselves Management into Framework a strategic provides detailed partner guidance to the business on implementation side of the agency and operation of a successful service management system. HP s Service Management Framework provides detailed guidance on implementation and operation of a successful service management system. 3

Figure 2. HP ISSM Reference Model Control implementation templates Establish continuous improvement plan Scope definition & initiation Risk modeling Implementation ISSM Transformation Engine Business Impact Analysis & Risk Assessment Applicability maps Define KPIs, metrics, reporting Control system design Maturity modeling INFOSec Framework Reference guides Information Security Service Management In order to address topics like security, governance, risk, and compliance, the HP Information Security Service Management (ISSM) Reference Model was developed. This is a holistic, standards-based security model that guides an organization toward a defense-in-depth approach to managing and mitigating operational risk through the deployment of highly operationalized security controls. The HP ISSM Reference Model helps organizations to build and run an information security management system within the context of a service management system. The ISSM reference model components include: 3 ISSM Transformation Engine This calculates compliance gaps between an organization s present and future state, compensating controls in order to determine the level of adherence to standards and regulations 4 Reference Guides These authoritative sources of security controls provide deployment guidance, referring to standards and industry best practices 5 Applicability Maps These critical touch points show where security controls are applied throughout an enterprise 6 Control Implementation Templates Technical specifications and standards provide detailed guidance on the implementation of compensating controls 1 Risk Modeling Modeling helps to capture and summarize likely threats and impacts quickly 2 ISSM Framework This organizational structure articulates risk management emphasis, describing present and future control state with associated maturity and compliance ratings 4

The purpose of the HP ISSM Reference Model is to help enterprises: Establish a rational basis for control system decision-making Ensure security alignment with business objectives Uncover inadequate or failing internal processes to reduce operational risk Identify threats and vulnerabilities early and aligns proper compensating controls Structure complex security environments into a cohesive architecture of manageable components Implement a pragmatic, quality-driven security solution Provide a vehicle for facilitating security messaging across business functions Addressing the security gap By their very nature, international standards and industry best practices provide requirements, control frameworks, and concepts that must be translated and implemented to each organization s unique context and mixture of resources and capabilities. And also every organization has a unique set of technologies/ products to deliver and manage services with. For example, if the perfect organizational structure would exist, then everybody would already have it by now. Specifically for security management, the most common standards used are ISO/IEC 17799, ISO/IEC 27001, and COBIT. Unfortunately, none of these standards provide detailed design and implementation guidance. Also ITIL which is often expected to provide more depth does not provide nor has a good track record for a direct security treatment but only references to the standards mentioned before. Let s look at an overview of the security management gap within ITIL: Version: Effective Dates: Books: Security Treatment: ITIL Version 1 1986 to 1999 30 Not available ITIL Version 2 1999 to 2006 10 Referenced ISO 17799, COBRA, ISO Interactive Manuals ITIL Version 3 2007 to now 5 Referenced ISO/IEC Understanding the international standards and industry best practices around security today, HP recognizes the need to bridge the security gap and offer a current and more in-depth Information Security Management approach that could snap into any organization s current or planned Service Management implementation efforts. To that end, HP developed the Information Security Service Management (ISSM) Reference Model. The ISSM Reference Model offers (very) prescriptive design guidance and implementation blueprints on how to deploy a best-practice information security service management system through an INFOSec program. Although this is an excellent foundation, without the application of service management practices to ensure that the security controls are implemented within the processes, it runs the risk of becoming ineffectual. The combination of the HP ISSM Reference Model and the HP Service Management Framework results in an approach to security where safeguards and controls are aligned to process and offered as strategic value-added services. This is accomplished by relating and integrating People, Policies, Processes, Products, and Proof points (P5 Model) completely to an organization s IT processes. 5

HP s ISSM Reference Model has been designed as complimentary to ITIL and as an integral part of the HP Service Management Framework. The ISSM Reference Model, by design, supplements and overcomes the inherent deficiencies existing within Version 1 and 2 of ITIL in the area of Security Management as well as provides practical implementation guidance to (the ITILv3 reference to) ISO/IEC 27001. Ostensibly, the ISSM Reference Model becomes the new and vastly-improved Information Security Management process and system indicated within the ITILv3 Service Design book and joins the following other processes included within this document: Supplier Management Availability Management IT Service Continuity Management Capacity Management Service Level Management Information Security Management (ISSM) The ISSM Reference Model also benefits substantially from service management by applying the processes necessary to deploy high-value and cost-effective security services. For example, ISO/IEC 27001 provides little in the way of budget management; however, ITILv3 has a well defined Financial Management process that articulates the basis for managing and controlling the operational cost of an Information Security Management System through an INFOSec program. This, as well as other Service Management processes provide the operationalization guidance necessary to run an enterprise INFOSec program as a business function and best-in-class operation. By applying Service Management guidance, the ISSM Reference Model components benefit directly from the following service management function and processes: Service Desk/Request and Incident Management Problem Management process Change Management process Service Asset and Configuration Management process Release and Deployment Management process Service Validation and Testing process Service Design Processes Making a direct correlation to the HP Service Management framework is one of the best ways to understand what the HP ISSM Reference Model provides. For example, ITILv3 is a comprehensive set of standards and the HP Service Management Framework is the realization of those standards in a practical sense, which guides their applicability and deployment within a service provider environment. HP s ISSM Reference Model is to the ISO/IEC 27001 security standards as the HP Service Management Framework is to ITILv3 in as much as both are based on internationally recognized standards and practices that take purposeful approaches to integrating IT and agency business management functions. 6

Figure 3. The HP SMF and the HP ISSM Reference Model. The following depiction shows the relation between the HP ISSM Reference Model and the HP Service Management Framework HP ISSM and Service Management Based on Open Standards ISO 17799/27001 Business processes HP Service Management Framework Business ISSM Information Security Management System Controls IT Controls Processes COBIT People, Processes & Technology (Service Assets) ISO 20000 ITIL v3 Bringing Security and Service Management together The security controls defined and managed within the ISSM Reference Model are implemented using service management best practices on how to apply and manage service assets such as people, process and technology, which brings high-operational value to the compensating controls defined within the HP ISSM Reference Model. Considering the substantial security gap in ITIL the ISSM Reference Model is ideally suited and positioned to address the Security Management Process and System within a Service Management implementation. The following table shows in general how the HP Service Management Framework is complemented by the HP ISSM Reference Model. HP ISSM Reference Model complements the HP Service Management Framework ISO 9001:2000 Tier 1 policies and processes Service Management ITIL V3, HP Service Management Framework Security & Risk Management ISSM Framework, Risk Modeling Tier 2 operating procedures HP Service Management process guides Reference Guides, Applicability Maps Tier 3 work instructions HP Service Management work instructions Control Implementation Guides Tier 4 forms and templates HP Service Management templates, HP Software settings ISSM Transformation Engine

In particular, the following HP Service Management Framework processes are being complemented by the HP ISSM Reference model materials: 1. Availability management 2. IT Service Continuity Management 3. Information Security Management 4. Assess and Manage IT Risks 5. Capacity Management 6. IT Financial Management 7. Service Level Management 8. Release and Deployment Management 9. Incident Management 10. Problem Management 11. Change Management 12. Service Asset and Configuration Management 13. Service Validation and Testing process 14. Service Design Processes Summary ITILv3 does not actually provide detailed guidance on security management but rather references ISO/IEC 27001 as the suggested path for designing and deploying an Information Security Management System. HP s Information Security Service Management Reference Model complements the HP Service Management Framework and is ideally suited and positioned to address the Information Security Management System within a Service Management implementation. To learn more, visit www.hp.com/hps/security 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. 4AA1-9600ENW, April 2008 Technology for better business outcomes

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback