We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byBrianna Wentworth
Modified over 3 years ago
© 2007 Jupitermedia Corporation The Role of Security in IT Service Management October 31, :00pm EDT, 11:00am PDT George Spafford, Principal Consultant Pepperweed Consulting, LLC Optimizing The Business Value of IT
© 2007 Jupitermedia Corporation Housekeeping Submitting questions to speaker –Submit question at any time by using the Ask a question section located on lower left-hand side of your console. –Questions about presentation content will be answered during 10 minute Q&A session at end of webcast. Technical difficulties? –Click on Help button –Use Ask a question interface
© 2007 Jupitermedia Corporation Main Presentation
© 2007 Jupitermedia Corporation Agenda How to view security in the world of ITSM Risk Management and Controls –Getting Started –Enterprise Risk Management Why security plays an important role in Service Delivery and Service Support Where there are resources to learn more
© 2007 Jupitermedia Corporation What ITIL Represents ITIL is the de facto standard approach towards IT Service Management (ITSM) It is about IT delivering quality services that meet the needs of the organization IT services enable business processes that, in turn, enable the business to meet goals The management of risk to attain goals is essential Security is a key stakeholder in requirements definition Security requirements are business requirements! –Security in support of X service –Security in support of the enterprise
© 2007 Jupitermedia Corporation Security in ITIL v3 In the Service Design book The goal of the ISM [Information Security Management] process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities. Confidentiality, Integrity, Availability Information Security Policy ISO for the Information Security Management System Control – Organize, establish management framework, roles & responsibilities Plan – SLAs, UCs, OLAs, Policies Implement – Awareness, classification, personnel security, physical security, logical security, incident handling Evaluate – Audits, assessments, incident review Maintain – Continuous improvement
© 2007 Jupitermedia Corporation The Goal
© 2007 Jupitermedia Corporation Each Functional Area Has Objectives that Support the Goal Examples: A1 – Provide accurate and timely financial reporting data for the public and internal decision making. A2 – HR will track timely and accurate vital information about employees including key dates, training, performance, skills, and benefits. A3 – Customer service will ensure that all customer master profiles are current and accurate.
© 2007 Jupitermedia Corporation IT Provisions Services That Add Value and/or Mitigate Risks IT in support of X business service …
© 2007 Jupitermedia Corporation Why is risk management so important? Limited Resources and Seemingly Unlimited Risks! US companies are adopting a risk based approach and going after what matters most in order to be sustainable. It makes sense to spend $1,000 to safeguard $1Billion but not to safeguard $100. Understand and prioritize risks to focus compliance efforts.
© 2007 Jupitermedia Corporation If a risk doesnt map to objectives and goals, then does it matter? NO
© 2007 Jupitermedia Corporation Getting Started with Risk Management Formal ERM can take a lot of time to ramp up Need a method to start & fast ramp up Interview senior management, audit, and finance to understand what matters to the business Identify material systems –Review the Institute of Internal Auditors Guide to the Assessment of IT General Controls Scope (GAIT) Identify gaps in key IT General Controls not all vulnerabilities Identify mitigation options Gain senior management approval –Mitigate –Accept the risk More to come in Visible Ops Security due later this year
© 2007 Jupitermedia Corporation Enterprise Risk Management Ideally, risk management needs to be implemented, ideally at the enterprise level, to ensure that organizational risks are identified and properly managed. –IT needs risk management to prioritize mitigation efforts and to help facilitate discussions with senior management –Senior management can use risk management to understand risks to objectives, the current risk levels and prioritize investments intended to mitigate risks
© 2007 Jupitermedia Corporation One challenge is how to prioritize hundreds, if not thousands, of risks. We still need to focus on what matters using a top down approach
© 2007 Jupitermedia Corporation Quantifying Risk Simple approach is to use Likert (1-5) scales to develop ordinal ranking Inherent Risk Score = Probability x Impact Residual Risk Score = IRS x (100% - % Mitigated) If nothing has been mitigated, RRS = IRS Management defines what level of RRS is acceptable How do you factor risks to objectives with varying importance? One method is multivariate risk models. –Weighted Average IRS = Probability x (Risk 1 weight x impact) x (Risk 2 weight x impact) x …. Note – Risk Management is an exercise in objective subjectivity hence the need to get buy-in on the model and scores/values used
© 2007 Jupitermedia Corporation A Spreadsheet-based ERM Model Note, this spreadsheet model is at
© 2007 Jupitermedia Corporation In response to risks we implement controls
© 2007 Jupitermedia Corporation What Are Controls? Controls safeguard objectives / value All processes contain an inherent level of variation that can not be eliminated. Only put in enough controls to lower the residual risk to a level that is acceptable to management. Controls can be –Manual – Meaning they take a person to perform without automation. –Automated – Meaning that technology is used to enable the process partially or entirely. –Important Note – In accounting terminology, an automated control is a control that is embedded in a system such as bounds checking, audit trails, workflow, etc. Three broad types –Preventive Controls – Intended to stop a future transgression. Examples – policies and procedures –Detective Controls – Attempt to find out about an event that has already happened. Example – Log review –Corrective Controls – Aimed at restoring the last known good state. Example – Restore from tape
© 2007 Jupitermedia Corporation Cost of Control Level of Assurance Level of Investment 100% You can spend a fortune and you will never truly hit a 100% level of assurance. The objective is to lower risk to an acceptable level, not eliminate it because you cant!
© 2007 Jupitermedia Corporation Defense in Depth Think of the rings of walls in a castle. More walls equate to an overall better defensive posture. The idea is to layer controls in a cost effective fashion. If the first control fails, then there is a second, etc. The objective is to create an acceptable level of residual risk and stop! Dont spend more on controls than what you are protecting is worth. Dont forget processes, systems and people always have variation – go for layers. Control 3 Control 2 Control 1
© 2007 Jupitermedia Corporation Control Objectives for Information and related Technologies (COBIT) Maintained by the IT Governance Institute (ITGI), which is part of the Information Systems Audit and Control Association (http://www.isaca.org)http://www.isaca.org ISACA started in 1967, has over 50,000 members in over 140 countries. Essentially, COBIT is the de facto reference for IT Controls. Nothing else quite like it exists. Four domains –Plan and Organize – Strategy, Tactics, Vision –Acquire and Implement – Identification, Development, Purchase, Implementation –Deliver and Support – Security, Continuity, Management of Data, Operations –Monitor and Evaluate – Assessments and Audit 34 High-Level Control Objectives Over 250 Detailed Control Objectives Example: –Domain: Deliver and Support High Level Control Objective – DS5 Ensure Systems Security –Detailed Control Objective – DS5.1 Management of IT Security –Detailed Control Objective – DS5.2 IT Security Plan –Detailed Control Objective – DS5.6 Security Event Definition –…and so on
© 2007 Jupitermedia Corporation Security is a Risk Mitigation Process We implement security controls commensurate with risk to safeguard objectives and goals
© 2007 Jupitermedia Corporation Appropriate PPT Blending A process is a course of action with an intended result Technology has been the mainstay of Information Technology –Technology cant fix all of our problems! The need to find and retain qualified people is known, but not always stressed enough –They need adequate training –Segregation of Duties –Cross-training/backups What hasnt received as much attention are the processes –Leveraging best practices –A focus on quality management –Continuous Improvement Processes Any technology can be rendered ineffectual by poor personnel and process choices –Very true for security as well as other processes People Processes Technology Outcomes
© 2007 Jupitermedia Corporation You can have processes without adequate controls, but you can not have an effective and efficient control environment without good processes.
© 2007 Jupitermedia Corporation ITIL v2
© 2007 Jupitermedia Corporation Change Management IDC – 80% of network availability issues caused by human error CompTIA – 60% of breaches are caused by human error Change management is a risk management function that assesses the potential impacts of a change to the organization Security must be able to understand What Changed? as quickly as possible –Has a vested interest in detecting all changes to infrastructure Security should: –Sit on the Change Advisory Board (CAB) –Review change requests –Review changes that are rolled back –Review unauthorized changes for security events Security must work through Change Management and not around it –Ideally through operations and not direct –Quis custodiet ipsos custodes – Who will guard the guards? –Never forget about human error!
© 2007 Jupitermedia Corporation Configuration Management Focuses on tracking and documenting configurations and then providing this information to other areas Configuration tracks relationships to understand who is affected and assesses impact. Enables the control of configuration items by monitoring, maintaining and verifying –Resources –Status –Relationships Security is a consumer of Configuration Management –Infrastructure details Relationships IT and Business Owner Contact information –User profiles –Incident records (alerts + manually logged) –License information (if tasked with tracking down unlicensed information) –Reviewing security configurations –Security logs / records –Review of CMDB access levels
© 2007 Jupitermedia Corporation CMDB Design Tip A control is a CI type Potential attributes include –Control ID –Control Objective –Standard Control Activity –Applicable Regulations (1 to many relationship) –Date last reviewed You can then relate the to other CIs –Systems (HW CI + SW CI) –Processes –Services Is governed then by Change Management Document / Version Control Can immediately understand relationships and where used Can relate control activity per CI / per control –What is actually being done for the CI –Audit findings –Mitigation activities
© 2007 Jupitermedia Corporation Service Level Management The goal for SLM is to maintain and improve IT Service quality, through a constant cycle of agreeing, monitoring and reporting upon IT Service achievements and instigation of actions to eradicate poor service – in line with business or cost justification. – ITIL Service Support Concerned with understanding the customer/organizations security requirements for each service SLM negotiates service security levels based on input from the security function SLAs define security requirements
© 2007 Jupitermedia Corporation Incident Management / Service Desk Concerned with restoring service as quickly as possible Alerts should route into Incident Management, not pagers –Key is to manage alerts, not fire and forget –Need consistent handling Security needs to help IM with –The development of incident call scripts and workflow –The identification and proper coding of security incidents –Processing of security related Incidents
© 2007 Jupitermedia Corporation Problem Management Determination of root cause of actual and potential incidents and, where it makes business sense, eliminate it. Security involved with problem teams to establish solid solutions –Working on security related problem ticket –Ensuring that proposed solution doesnt compromise security Security opens problem tickets for Problems
© 2007 Jupitermedia Corporation Release Management Ensures the quality of releases into production via formal checks. Spans from development through testing to operations Security will define what the security requirements of releases will be –Controls in a service –Testing of controls –Documentation of controls Security will check on the contents and security of the Definitive Software Library (DSL)
© 2007 Jupitermedia Corporation Capacity Management Tasked with translating business capacity requirements into IT service and then Configuration Item (CI) resource requirements Ensure that security is factored into capacity requirements Ensure that capacity constraints dont cause vulnerabilities –Out of disk space errors causing untrapped script failures, etc.
© 2007 Jupitermedia Corporation Availability Management To understand the Availability needs of the business and to continuously strive to improve Availability is a key element of Customer satisfaction You can not have sustainable high-availability without fundamentally sound security Availability Management contributes to the Security Policy Availability Management advises SLM on all Confidentiality, Integrity, and Availability (CIA) issues
© 2007 Jupitermedia Corporation IT Financial Management Budgeting, Costing, Charge backs and Value for IT services Need to ensure security requirements are understood and budgeted for –Want to avoid cutting security features due to budget constraints –Information Security and the organization will pay in the long- term for short cuts in development / procurement Security measures need proper budgeting, costing, etc. –ROI is often ex post facto – in the value is often only provable after an event –Security of the ITFM services
© 2007 Jupitermedia Corporation IT Service Continuity Management Defines how IT will support the Business Continuity Plans (BCP) of the organization A disaster may create/exacerbate vulnerabilities Security needs to understand and approve the security implications of the ITSCM plans
© 2007 Jupitermedia Corporation Are compliance, security and operations mutually exclusive? Of Course Not! Operations Compliance Security
© 2007 Jupitermedia Corporation Continuous Improvement Is Key Like any process, you must pick a place to start and begin As you gain more experience, evolve the various aspects of security as the organization matures Be sure to tie security activities to functional area objectives and organizational goals * Adapted from ITIL Service Support Graphic
© 2007 Jupitermedia Corporation Additional Resources
© 2007 Jupitermedia Corporation IT Infrastructure Library (ITIL) Office of Government Commerce British Educational Communications and Technology Agency (BECTA) Microsofts Operations Framework (MOF) IT Service Management Forum
© 2007 Jupitermedia Corporation The IT Process Institute Maintained by the Information Technology Process Institute (http://www.itpi.org)http://www.itpi.org Visible Ops leverages ITIL and is prescriptive –Change Management is key, as is reduction in variation and integration of process areas –It is split into three project phases to start Phase 1 – Stabilize the Patient Phase 2 – Catch & Release and Find Fragile Artifacts Phase 3 – Create a Repeatable Build Library Phase 4 – Continual Improvement – is the start of a process. ITPI Controls Benchmark Study –Scientific study of what controls really matter –From 200+ to 53 to foundation controls with August 2007 release Can you detect unauthorized change? Do you have defined consequences for intentional unauthorized change? Do you have a formal process for managing known errors? The 9 are largely communication and coordination controls –Highly recommended!! Visible Ops Security –Four discrete catalytic phases –The phases at this point are: Phase 1: Stabilize the Patient and Get Plugged In Phase 2: Find Business Risks, Identify Controls and Fix Fragile Artifacts Phase 3: Implement Development and Release Controls Phase 4: Enable Continuous Improvement –Coming late Fall 2007
© 2007 Jupitermedia Corporation Other Best Practice Sources Australia Standard 4360 Risk Management - British Standards Institute (BSI) - Carnegie Mellons Software Engineering Institute (SEI) - Computer Emergency Response Team (CERT) - COSO ERM - Federal Financial Institutions Examination Council (FFIEC) – IIAs GAIT Page - International Organization for Standardization (ISO) –- ISACA – COBIT- OECD Guidelines on Information Security - ml ml The Systems Security Engineering Capability Maturity Model – (SSE-CMM) - US General Accounting Office (GAO) – US National Institute of Standards (NIST) -
© 2007 Jupitermedia Corporation Thank you for the privilege of facilitating this webcast George Spafford Daily News Archive and Subscription Instructions
© 2007 Jupitermedia Corporation Questions?
© 2007 Jupitermedia Corporation Thank you again for attending If you have any further questions, For future ITSM Watch Webcasts, visit
© 2006 Jupitermedia Corporation Webcast TitleThe Role of Security in IT Service Management December 19, :00pm EST, 11:00am PST Speaker: George Spafford,
© 2006 Jupitermedia Corporation Webcast TitleThe Impact of Outsourcing on ITIL Initiatives The Impact of Outsource on ITIL Initiatives September 25, 2006.
1 Enforcing Compliance: A Patch Management Strategy That Works.
© 2006 Jupitermedia Corporation Webcast TitleSuccessful Rollout Planning 1 January 19, :00pm EST, 11:00am PST George Spafford, President Spafford.
An Integrated Control Framework & Control Objectives for Information Technology – An IT Governance Framework COSO and COBIT 4.0.
1/13/20161 ITIL Awareness UC JDCMG Discussion. 1/13/20162 Capability Maturity Model - SEI.
ITIL: Why Your IT Organization Should Care Service Support Wendy Shih Kent State University.
© 2006 Jupitermedia Corporation Webcast TitleITSM: From Theory to Reality ITSM: From Theory to Reality How to better understand ITIL’s role in process.
© 2010 Plexent – All rights reserved. 1 Change –The addition, modification or removal of approved, supported or baselined CIs Request for Change –Record.
© 2007 Jupitermedia Corporation Using Network Behavior Analysis (NBA) and Service Asset and Configuration Management (SACM) to Improve Management Information.
Serving IT up with ITIL By Thane Price. IT is the laboratory’s pit crew Goal : Make technology transparent while accomplishing valuable internal customer.
Using ITIL to Improve Sarbanes- Oxley Related IT Processes By George Spafford, Principal Consultant Pepperweed Consulting, LLC October 31, 2006.
© 2007 Jupitermedia Corporation Understanding the ITIL Trinity of Configuration, Change and Release Management June 28, :00pm EDT, 11:00am PDT George.
The Service Monitoring and Control Toolkit 1 Protect your business with an effective alert management system and high service availability. https://store.theartofservice.com/the-service-monitoring-and-control-toolkit.html.
Assessment Workshop Title of the Project (date). Project Title Assessment Workshop October 25, 2015© Company Name All rights reserved2 Agenda Purpose.
© 2007 Jupitermedia Corporation Aligning via IT Service Management April 12, :00pm EST, 11:00am PST George Spafford, Principal Consultant Pepperweed.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
ITIL Process Management An Overview of Service Management Processes Thanks to Jerree Catlin, Sue Silkey & Thelma Simons University of Kansas.
Driving Value from IT Services using ITIL and COBIT 5 July 24, 2013 Gary Hardy ITWinners.
© 2007 Jupitermedia Corporation Asking the Right Questions February 15, :00pm EST, 11:00am PST George Spafford, Principal Consultant Pepperweed Consulting,
Class 11 Security Evaluation Framework & Operational Security Standards.
ITSM Information Technology Service Management. ITSM Course Offerings ITSM Executive Awareness Seminar The Service Management Executive Awareness 1-day.
COBIT. The Control Objectives for Information and related Technology (COBIT) A set of best practices (framework) for information technology (IT) management.
Continual Service Improvement Process General Understanding.
ITIL Process Management An Overview of Service Management Processes Presented by Jerree Catlin, Sue Silkey & Thelma Simons.
Changing IT Managing Networks in a New Reality Alex Bakman Founder and CEO Ecora Software.
IT Governance: COBIT, ISO17799 & ITIL. Introduction COBIT ITIL ISO17799Others.
ITIL A Team GALIP Presentation A. Silverman, N. Elovitz, L. Johnson, M. Saxena, W. Zhao.
Process Scoring 1Ineffective. Basics not in place. Major exposures. 2Tasks defined; Weaknesses identified; plans in place for improvement. 3Process.
Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the "Preface to the Standards on Internal.
ITIL® Service Asset & Configuration Management Foundations Service Transition Thatcher Deane 02/17/2010.
Slide 1 Course: e-Governance Project Lifecycle Day 1 Session 3 e-Governance Project Development LifeCycle.
Information Security Governance 25 th June 2007 Gordon Micallef Vice President – ISACA MALTA CHAPTER.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
ITG using COBIT Successful organisations require an appreciation for and a basic understanding of the risks and constraints of IT at all levels within.
Project and Service Management Office Computing and Information Technology IT Service Management (ITSM) Essentials March 9 – 14, 2007 ITIL Foundation.
Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
CERN - IT Department CH-1211 Genève 23 Switzerland t A Quick Overview of ITIL John Shade CERN WLCG Collaboration Workshop April 2008.
Process Definition Document Overview. This document defines the standard MN.IT roles and responsibilities for managing release and deployment of normal.
Change Advisory Board COIN v1.ppt Change Advisory Board ITIL COIN June 20, 2007.
Aliant Telecom Services & Solutions Technology Infrastructure Information Library ITILITIL ITILITIL.
Project Tracking. Questions... Why should we track a project that is underway? What aspects of a project need tracking?
Chapter 10 Accounting Information Systems and Internal Controls Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution.
Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001) Dr. Julian Lo Consulting Director ITIL v3 Expert.
Agenda What is Compliance? Risk and Compliance Management What is a Framework? ISO 27001/27002 Overview Audit and Remediate Improve and Automate.
Seattle Area Software Quality Assurance Group Release and Configuration Management, The Acceleration of Change and Its Contribution To Software Quality.
Service Catalog Management and ITIL. The Service Catalog Objective: To enable the service provider and the customer to clearly understand the services.
Microsoft Office Project 2003: Selling EPM in your Organization Matt Wilson Business Solutions Specialist LMR Solutions.
Business Analysis. Business Analysis Concepts Enterprise Analysis ► Identify business opportunities ► Understand the business strategy ► Identify Business.
Overview of ISO Requirements Lynn Penniman Penniman LLC.
© 2017 SlidePlayer.com Inc. All rights reserved.