Introduction to Service Management and ITIL


0 Commonwealth of Massachusetts
Statewide Strategic IT Consolidation (ITC) Initiative
ITIL v3 and ISO Overview Workshop
August 26, 2009
DRAFT – FOR DISCUSSION PURPOSES ONLY

1 Introduction to Service Management and ITIL
Agenda
ITIL v3
- Introduction to Service Management and ITIL
  - Why do we care?
  - What is it? (i.e. ITIL is a framework for service management…)
- Key Components of ITIL
  - Service desk
  - Incident management
  - Request fulfillment
  - Change management
  - Asset/configuration management
  - Problem management
- Next Steps with ITIL (in the context of IT Consolidation)
  - Scope of IT Consolidation
  - Integration points with ITD
ISO/IEC 27000
- Introduction to ISO/IEC 27000
  - What is the ISO/IEC series?
  - What models does ISO/IEC use?
  - What are the benefits of ISO/IEC 27001?
- Implementation of ISO/IEC 27001
  - Implementing ISO/IEC Clauses 4-8 for the Enterprise
- ISO/IEC for the Commonwealth of Massachusetts
  - How does ISO/IEC apply to the IT Consolidation?
  - Asset Management
  - Physical and Environmental Security
  - Establishing a Management Framework
  - Next Steps for the Secretariats?

2 Introduction to Service Management and ITIL

3 Concept of Value
- Value is not derived from the elements of a product or a service
- Value is derived from the processes with which a product or a service is put together and offered to the customer
There are two layers of value creation: capabilities + assets.
1. Assets: The assets of an organization [including the “tools”] by themselves don’t mean anything, although it should be obvious you can’t make a good burger if you start with lousy meat. Similarly, you cannot provide good IT services if you start out with a lousy network, deficient servers, an outdated operating system etc. Wendy’s, Burger King and McDonald’s all have access to the same quality of kitchen equipment, so the assets will only minimally differentiate the quality of the product or the service offered.
2. Capabilities: The value is created by the combination of the assets with a set of capabilities in the organization. This set of capabilities can be dissected as processes [e.g., the way to deal with complaints, the way to do market research or collect business requirements for an IT application] + people [e.g., training, skills]. Some valid argument can be made to include “partners” [e.g., capabilities, contractual structures]. McDonald’s demonstrates that the “people” element is not very important [high school kids!] if the processes are firmly under control. The share value of McDonald’s is determined by its processes.

4 The primary driver … Architectural complexity reduces IT efficiency and effectiveness
* An actual application architecture for a consumer electronics company

5 The Need For IT Service Management (ITSM)
IT (Information Technology) is now an essential part of delivering the key business processes and results. IT is increasingly expected to deliver the same or better quality of service to the business that the business delivers to its customers.
- Increasing visibility of IT
- Increasing demands from the business to deliver effective IT solutions
- Increasing complexity of IT infrastructure processes
- Increasing need for service standards and repeatable processes
- Increasing pressure to realize a return on IT investments

6 What is ITIL?
ITIL (the IT Infrastructure Library) is a set of books and documents that are used to aid the implementation of IT Service Management. It provides a comprehensive framework of processes and best practice advice for IT Service Management.
ITIL is… / What does that mean?
- A set of industry “Best Practices” (e.g., need for discipline around changes; need to link capacity planning and budgeting): identify and reuse what has worked best in the past and currently at other organizations
- A framework, not a methodology: provides a body of concepts and resources to draw from, not specific required steps
- Adoptable and adaptable: select applicable parts of the framework and adapt them to fit local needs
- Not a standard: ISO/IEC is a standard aligned with ITIL
- Scalable to the organization’s size and need: can be adapted to fit an organization’s specific size and situation
- Platform independent: flexible to all development and service efforts; not tied to any particular tool

7 ITIL Version 3: Service Lifecycle Model
The IT Infrastructure Library is a definitive industry resource focused on recommended practices for the management of Information Technology services. The lifecycle diagram groups the processes by stage:
- Service Strategy: Strategy Generation; Financial Management; Service Portfolio Management; Demand Management
- Continual Service Improvement: 7 Step Improvement Process; Service Reporting; Service Measurement
- Service Design: Service Catalogue Management; Service Level Management; Capacity Management; Availability Management; IT Service Continuity Management; Information Security Management; Supplier Management
- Service Operation: Service Desk; Incident Management; Event Management; Request Fulfilment; Problem Management; Access Management; Technical Management; IT Operations Management; Application Management
- Service Transition: Transition Planning & Support; Change Management; Service Asset & Configuration Management; Release & Deployment Management; Service Validation & Testing; Evaluation; Knowledge Management

8 What are the benefits of ITIL?
- Provides a common vocabulary and allows IT personnel in different groups to communicate more efficiently
- Provides a set of principles and processes that can be adapted to suit any IT environment
- Clearly identifies roles and responsibilities for IT infrastructure and operations, and establishes accountability
ITIL can benefit an organization in many ways, and from many perspectives:
- Create a “lean and mean” IT organization
- Achieve better business alignment
- Help IT focus on delivering service to business units and customers, not just focus on technology
- Provide a structured framework for process-based excellence
- Create operational consistency across multiple departments and locations, as well as with contractors and suppliers
- Help drive the right ITSM metrics
- Increase accountability, service performance, and customer satisfaction
- Help build customer trust and strengthen relationships
- Increase internal efficiencies
- Match the performance of IT with the customer’s expectations
- Improve IT agility to better serve the needs of the business
- Help inform business management and end-users, which can lead to an improved relationship with IT
- Improve the long-term cost-effectiveness of IT
- Supports the ability of IT to measure and improve internal performance and service provisioning, to increase the value provided to the business
- Defines IT in terms of “services” (focusing on the value to the business), rather than “systems” (focusing on IT components)
- Improves the relationship of IT with the business by matching the expectations of the business with the service levels provided
- Improves the ability of IT to adjust as needs and legislative mandates change

9 Components of ITIL: Service Desk

10 Service Desk: Overview
The Service Desk (or Helpdesk) is a Function, not a Process. Its role is crucial and central to the whole concept of Service Management.
What is a “Service Desk?” The point of contact between the customer/user and the IT service, responsible for service requests as well as incident control.
What is the PURPOSE of the Service Desk?
- Provides a single point of contact for customers
- Facilitates the restoration of normal operational service with minimal business impact on the customer within agreed service levels and business priorities
- Manages each user contact/interaction with the IT Service provider throughout its lifecycle
Key Concepts for Service Desk:
- Contact: A telephone call, fax, entry in a user self-service system, or other means of reporting faults or requesting services
- Customer: Someone who buys goods or Services. The Customer of an IT Service Provider is the person or group that defines and agrees the Service Level Targets. The term Customers is also sometimes informally used to mean Users, for example ‘this is a Customer-focused Organization’
- IT Infrastructure: All of the hardware, software, networks, facilities, etc. that are required to develop, Test, deliver, Monitor, Control or support IT Services. The term IT Infrastructure includes all of the Information Technology but not the associated people, Processes and documentation
- ITSM Toolset: The system for recording customer contacts, service assets and other configurable items, Changes, Problems, etc. Also includes tools used by staff to diagnose or resolve incidents, discover assets, and monitor systems
- Record: The “ticket” or “case” created in the ITSM system that records the information regarding the Incident or Service Request. (Note – the same term is used for any record in the ITSM tools, including those for Assets, Changes, Problems, etc.)
- Service Level: A measured and reported achievement against one or more Service Level Targets. The term Service Level is sometimes used informally to mean Service Level Target
- Service Provider: An Organization supplying Services to one or more Internal Customers or External Customers
What are the OBJECTIVES of the Service Desk?
- To promote customer satisfaction
- To restore normal service as quickly as possible when there is a fault
- To attain service level targets for user contact responsiveness and quality
- To articulate and route requests to the service provider accurately and appropriately
- To ensure accurate and timely communication of status
- To act as a strategic function to identify and lower the cost of ownership for supporting the computing and support infrastructure
- To reduce costs by the efficient use of resource and technology

11 Service Desk: Structure
Standard Roles
- Service Desk Manager: Manage overall desk activities, act as an escalation point for analysts, and take overall responsibility for Incident and Service Request handling on the Service Desk
- Service Desk Supervisor: In larger organizations, in addition to a Manager there will be one or more Supervisors, often serving as the leader on shifts in 7x24 operations. Supervisors also act as an escalation point for analysts, and interface with the rest of IT Operations on day-to-day business. In small organizations the senior Service Desk Analyst may take this role
- Service Desk Analysts: The primary Service Desk Analyst role is that of providing first-level support through taking calls and handling the resulting incidents or requests for service
- Super Users: Business users who act as liaison points with IT, to facilitate communication between IT and the business at an operational level. These sometimes provide staff training in their area, or support for minor incidents or simple requests

12 Service Desk: Benefits
The value of an effective Service Desk should not be underrated – a good Service Desk can often compensate for deficiencies elsewhere in the IT organization; but a poor Service Desk (or the lack of a Service Desk) can give a poor impression of an otherwise very effective IT organization!
Specific Benefits include:
- Improved customer understanding and satisfaction with IT Services
  - With what the Services are, and how to obtain them
  - With status on Incidents and Requests
- Lower costs to the business through faster resolution of incidents and fulfillment of requests
- Improved ability to attain service level targets through the management of the flow of work
- Reduced costs by the efficient use of resources and technology – simpler work can be done by Service Desk Analysts rather than by the senior technical staff

13 Components of ITIL: Incident Management

14 Incident Management: Overview
What is an “Incident?” An incident is an unplanned interruption of a Service, or a reduction in the agreed-to quality of an IT Service.
What is the PURPOSE of Incident Management? The Incident Management process strives to restore normal service operation as quickly as possible and minimize the impact on business operations.
Key Incident Management Concepts
- Classification: Grouping similar types of incidents into categories.
- Configuration Item: Any Component that needs to be managed in order to deliver an IT Service. CIs typically include IT Services, hardware, software, buildings, people, and formal documentation such as Process documentation and SLAs
- Escalation: Incidents that cannot be resolved by available resources are escalated either to those with greater skills (functional escalation) or to those at higher levels of management (hierarchical escalation).
- Incident Models: Predefined workflows for specific types of incidents.
- Major Incidents: Incidents of such a high urgency and impact that they are treated with special procedures.
- Prioritization: The impact and urgency of an incident. Impact is the effect the incident has on the business and urgency indicates how quickly the incident will have that effect.
- Recovery: Returning a configuration item to its working state after resolution.
- Repair: Replacing or fixing a configuration item.
- Resolution: Actions taken to repair the Cause of an Incident, or to implement a Workaround.
What are the OBJECTIVES of Incident Management?
- Restore services as quickly as possible following a deviation from agreed upon service levels
- Log, track, capture and process all incidents in the IT environment according to existing SLAs and defined interfaces with other processes and based on defined fault-specifications

15 Incident Management: Process Diagram
Incident Management Roles
- Incident Manager: Responsible for the Incident Management process and incident management staff
- First Tier: The Service Desk. Provides initial handling of user contact. Responsible for identifying, logging, categorizing, prioritizing and providing initial diagnosis of an incident. Will resolve the incident if it can, or will dispatch to the appropriate Support Group
- Second Tier: Provides more technical expertise, and is usually given more time, for diagnosing and resolving incidents
- Third Tier: Possesses highly specialized technical skills for the most in-depth support of incident resolution. These can be internal technical groups or 3rd party suppliers/maintainers

16 Incident Management: Benefits
Incident Management is highly visible to the business when it is needed. How well incidents are resolved has a major impact on Customer Satisfaction with IT support.
Benefits from the process include:
- The ability to detect and resolve Incidents quickly, resulting in shorter downtime to the business, and hence less impact
- The ability to align IT activity to real-time business priorities: Urgency and Impact = Priority
- The ability to identify potential improvements to services: the data collected helps to identify where to focus to prevent future incidents
- The Service Desk can, during its handling of Incidents, identify additional service or training requirements

17 Components of ITIL: Request Fulfillment

18 Request Fulfillment: Overview
What is a “Request?” A Request is any type of demand that is placed upon the IT Department by the users. Many of these are actually small changes: low risk, frequently occurring, or low cost, whose fulfillment can be standardized (e.g., a request to change a password).
What is the PURPOSE of Request Fulfillment? The Request Fulfillment process seeks to manage the Lifecycle of all Service Requests to provide the prompt, complete, and cost effective provision of the Request.
Key Concepts for Request Fulfillment
- Fulfillment: Performing activities to meet a need or requirement, such as providing a new IT Service, or meeting a Service Request
- Service: A means of delivering value to customers by providing outcomes to customers while insulating them from the ownership of specific Costs and Risks
- Service Catalog: A database or structured Document, published to Customers, with information about all IT Services available for request. The Service catalog includes information about deliverables, prices, contact points, ordering and request Processes
- Service Level: A measured and reported achievement against one or more Service Level Targets. The term Service Level is sometimes used informally to mean Service Level Target
- Supplier: A Third Party responsible for supplying goods or Services that are required to deliver IT services
- Support Group: A group of people with technical skills. Support Groups provide the technical support needed by all of the ITSM processes. Examples include Desktop Support, Security, support for a specific application, etc.
What are the OBJECTIVES of Request Fulfillment?
- To provide a channel for users to request and receive standard services for which a pre-defined approval and qualification process exists
- To provide information to users and customers about the availability of services and the procedure for obtaining them
- To source and deliver the components of requested standard services
- To assist with general information, complaints or comments

19 Request Fulfillment: Process Diagram
Common Roles for Request Fulfillment
- Support Group Manager: The planning and oversight of their group’s fulfillment activities, starting with how the work is to be done, and then tracking through to completion, ensuring that service levels are met.
- Request Approver: Request Approvers are people with the authority to approve or reject a request for a given Service.
- Request Fulfillment Analysts: Tier 1, 2, or 3 staff that perform the tasks required to provide the service. The functional areas of the analysts could include finance and procurement, for those requests requiring purchases.
- Third Tier: Possesses highly specialized technical skills for the most in-depth support of incident resolution. These can be internal technical groups or 3rd party suppliers/maintainers.

20 Request Fulfillment: Benefits
The primary benefit of Request Fulfillment is to provide quick and effective access to standard services which business staff can use to improve their productivity or the quality of business services and products.
Specific benefits include:
- Reducing the bureaucracy involved in requesting and receiving access to existing or new services, thus also reducing the cost of providing these services.
- Through centralizing fulfillment, Request Fulfillment also increases the level of control over these services. This facilitates aggregating demand for suppliers and can result in reduced costs through centralized negotiation.
- Repeatable workflows for fulfilling requests can result in faster performance, fewer errors, and a lower cost to provision.

21 Components of ITIL: Change Management

22 Change Management: Overview
What is a “Change?” ITIL defines a Change as the addition, modification or removal of anything that could have an effect on IT services, usually stated as a change to a configuration item (CI).
What is the PURPOSE of Change Management? Respond to changing customer and IT requirements, providing a structured avenue for implementing Change while minimizing risk, reducing incidents, and avoiding disruption and re-work
Key Concepts for Change Management
- Change Assessment: An evaluation of the change request from various points of view
- Change Authorization: Approval of a change request. The approval levels for the change may be different based on the type of change being considered.
- Change Priority: The order in which change requests are evaluated and considered for authorization.
- Change Process Model: Predefined workflows for various categories or types of changes.
- Change Record: A record of a change throughout its lifecycle.
- Forward Schedule of Changes: A schedule that contains details of all the changes approved for implementation and their proposed dates
- Remediation: The plan to be followed if a change is not successful.
- Request for Change (RFC): A record of a proposed change.
- Risk Categorization: An evaluation of the overall risk of a proposed change to IT or business services.
- Standard Changes: A pre-authorized change that has a well understood implementation plan and is typically very low risk.
What are the OBJECTIVES of Change Management?
- Record changes and then evaluate, authorize, test, implement, document, and review results in a controlled manner
- Manage and minimize the risk of disruption to the business from the implementation of Changes

23 Change Management: Process Diagram
Common Roles for Change Management
- Change Requestors: Those submitting a request for an addition, modification, or removal of an item under configuration and change control.
- Change Authority: Authorizes changes to be implemented based on impact assessments from various stakeholders. This is a function, and can be located in the CAB or in an individual.
- Change Manager: Oversees the Change Management process. Receives, logs and allocates a priority, in collaboration with the initiator, to all RFCs; rejects any RFCs that are totally impractical. Chairs the CAB, and monitors the implementation of Changes.
- Change Advisory Board (CAB): A body that exists to support the authorization of changes and to assist Change Management in the assessment and prioritization of changes. As and when a CAB is convened, members should be chosen who are capable of ensuring that all changes within the scope of the CAB are adequately assessed from both a business and a technical viewpoint.

24 Change Management: Benefits
Reliability and business continuity are essential for the success and survival of any organization. Service and infrastructure changes can have a negative impact on the business through service disruption. Change Management controls the risk and reality of disruption, through requiring all changes to be thoroughly analyzed, planned, tested, authorized, communicated, and implemented with appropriate back-out steps planned.
Key benefits are:
- Implementing changes that meet the customers’ agreed service requirements while optimizing costs
- Reducing failed changes and therefore service disruption, defects and re-work
- Delivering change promptly to meet business timescales
- Aiding productivity of staff through minimizing disruptions due to high levels of unplanned or ‘emergency’ change and hence maximizing service availability

25 Components of ITIL: Asset and Configuration Management

26 Service Asset and Configuration Management: Overview
What is an “Asset?” The hardware and software that IT uses to provide service to end users, in support of business functions and applications
What is a “Configuration?” The set of “items” (CIs) and their relationships that comprises IT services and is the object of most IT tasks
What is the PURPOSE of Asset and Configuration Management?
- Identify, control, record, report, audit and verify service assets and configuration items, including versions, baselines, constituent components, their attributes, and relationships
- Ensure the integrity of the assets and configurations required to control the services and IT infrastructure by establishing and maintaining an accurate and complete Configuration Management System
Key Concepts for Service Asset and Configuration Management
- Configuration Management Database (CMDB): A database used to store Configuration Records throughout their Lifecycle. The Configuration Management System maintains one or more CMDBs, and each CMDB stores Attributes of CIs, and Relationships with other CIs.
- Configuration Management System (CMS): A set of tools and databases that are used to manage an IT Service Provider’s Configuration data. The CMS also includes information about Incidents, Problems, Known Errors, Changes and Releases; and may contain data about employees, Suppliers, locations, Business Units, Customers and Users. The CMS includes tools for collecting, storing, managing, updating, and presenting data about all Configuration Items and their Relationships.
- Configuration Item: Any Component that needs to be managed in order to deliver an IT Service. CIs typically include IT Services, hardware, software, buildings, people, and formal documentation such as Process documentation and SLAs.
- Definitive Media Library: One or more locations in which the definitive and approved versions of all software Configuration Items are securely stored. The DML may also contain associated CIs such as licenses and documentation. The DML is a single logical storage area even if there are multiple locations. All software in the DML is under the control of Change and Release Management and is recorded in the Configuration Management System.
- Relationship: A link between two Configuration Items that identifies a dependency or connection between them. For example, Applications may be linked to the Servers they run on; IT Services have many links to all the CIs that contribute to them.
What are the OBJECTIVES of Asset and Configuration Management?
- Support efficient and effective Service Management processes by providing accurate configuration information to enable people to make decisions at the right time, with accurate information: to plan and authorize change and releases, resolve incidents and problems faster, etc.
- Provide management with the information required to optimize IT resources
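The following is an added example (not part of the workshop deck or of any ITIL publication) that ties two of the concepts above together in working code: the CMDB Relationship model of this slide, walked upward from a failed CI to find which IT Services depend on it, and the Incident Management rule from slides 14 and 16 that Impact and Urgency together give Priority. Every CI name, the 1..3 criticality scale and the priority matrix are constructed assumptions for the demonstration.

```python
"""Toy CMDB with Relationship-based impact analysis feeding incident
prioritisation (Impact x Urgency = Priority).  Added example; all CI names,
scales and the matrix are constructed, not taken from any real CMDB."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ConfigurationItem:
    """A CI record: the Attributes a CMDB stores, plus its Relationships."""
    name: str
    ci_type: str                  # "service", "application", "server" or "network"
    criticality: int = 1          # business criticality 1 (low) .. 3 (high); used for services
    depends_on: set = field(default_factory=set)   # CIs this one needs in order to work


class CMDB:
    def __init__(self):
        self.items: dict[str, ConfigurationItem] = {}

    def add(self, ci: ConfigurationItem) -> "CMDB":
        self.items[ci.name] = ci
        return self

    def relate(self, dependent: str, dependency: str) -> "CMDB":
        """Record a Relationship: `dependent` runs on / needs `dependency`."""
        self.items[dependent].depends_on.add(dependency)
        return self

    def dependents_of(self, name: str) -> list:
        """Reverse lookup: CIs that directly depend on `name`."""
        return sorted(ci.name for ci in self.items.values() if name in ci.depends_on)

    def affected_services(self, failed: str) -> list:
        """Breadth-first walk up the dependency graph from a failed CI and
        return every IT Service that transitively relies on it.  The visited
        set keeps the walk finite even if the CMDB data contains a cycle."""
        seen, queue, services = {failed}, deque([failed]), set()
        while queue:
            current = queue.popleft()
            for dep in self.dependents_of(current):
                if dep in seen:
                    continue
                seen.add(dep)
                queue.append(dep)
                if self.items[dep].ci_type == "service":
                    services.add(dep)
        return sorted(services)


# Constructed priority matrix: (impact, urgency) -> priority, 1 = highest.
PRIORITY_MATRIX = {
    (3, 3): 1, (3, 2): 2, (3, 1): 3,
    (2, 3): 2, (2, 2): 3, (2, 1): 4,
    (1, 3): 3, (1, 2): 4, (1, 1): 5,
}


def impact_level(cmdb: CMDB, failed: str) -> int:
    """Impact 1..3: criticality of the most critical affected service,
    or 1 when no service depends on the failed CI."""
    services = cmdb.affected_services(failed)
    return max((cmdb.items[s].criticality for s in services), default=1)


def incident_priority(cmdb: CMDB, failed: str, urgency: int) -> int:
    """Combine CMDB-derived impact with the urgency reported at the Service Desk."""
    if urgency not in (1, 2, 3):
        raise ValueError("urgency must be 1, 2 or 3")
    return PRIORITY_MATRIX[(impact_level(cmdb, failed), urgency)]


def build_sample_cmdb() -> CMDB:
    """Constructed sample: two services, two applications, three servers, one switch."""
    cmdb = CMDB()
    for ci in (
        ConfigurationItem("Payroll Service", "service", criticality=3),
        ConfigurationItem("Intranet Portal", "service", criticality=1),
        ConfigurationItem("PayrollApp", "application"),
        ConfigurationItem("PortalApp", "application"),
        ConfigurationItem("db-01", "server"),
        ConfigurationItem("app-01", "server"),
        ConfigurationItem("web-01", "server"),
        ConfigurationItem("core-switch-1", "network"),
    ):
        cmdb.add(ci)
    (cmdb.relate("Payroll Service", "PayrollApp")
         .relate("Intranet Portal", "PortalApp")
         .relate("PayrollApp", "db-01").relate("PayrollApp", "app-01")
         .relate("PortalApp", "web-01")
         .relate("db-01", "core-switch-1").relate("app-01", "core-switch-1")
         .relate("web-01", "core-switch-1"))
    return cmdb


if __name__ == "__main__":
    cmdb = build_sample_cmdb()
    for failed, urgency in (("core-switch-1", 3), ("db-01", 2), ("web-01", 1)):
        print(failed, "->", cmdb.affected_services(failed),
              "impact", impact_level(cmdb, failed),
              "priority P%d" % incident_priority(cmdb, failed, urgency))
```

The design point is that impact is not guessed by the analyst but read off the CMDB: the same switch failure that is a P1 while payroll depends on it would drop in priority once the relationship data shows nothing critical behind it, which is exactly why the slide insists the CMDB be accurate and complete.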

27 Service Asset and Configuration Management: Process Diagram
Common Roles for Service Asset and Configuration Management
- Asset manager: Responsible for the management of the activities that record asset information throughout its lifecycle. Also plans and conducts audits of accuracy and completeness of asset records, and plans corrective actions with the responsible parties, to ensure the integrity of the data
- Configuration manager: Responsible for the standards and procedures for identifying configuration items and their relationships, as well as for the Configuration Management System. (Similar to Asset Manager, but broader in scope)
- Asset / Configuration Analyst: Responsible for reviewing asset and/or configuration data, conducting audits, preparing reports, and implementing large data transfers or corrections
- Configuration administrator/librarian: The custodian and guardian of all master copies of software, assets and documentation CIs registered with Asset and Configuration Management
- CMS/tools administrator: Ensures the integrity and operational performance of the Configuration Management systems

28 Service Asset and Configuration Management: Benefits
Having complete and accurate information about IT assets and services enables effective management of those resources.
Benefits include:
- Faster and less costly resolution of Incidents and Problems, through having configuration information available to support analysis and planning
- Less costly forecasting and planning of Changes and Releases
- Full enterprise-wide lifecycle management of IT assets, from specification of need, through procurement and installation, through disposal
- Support for Supplier management, with regard to leases and warranties, as well as software licenses
- Appropriate protection of organizational information upon asset disposal
- Better adherence to standards, legal and regulatory obligations (fewer non-conformances)

29 Components of ITIL: Problem Management

30 Problem Management: Overview
What is a “Problem?” The unknown cause of one or more incidents
What is the PURPOSE of Problem Management?
- Reduce the number and impact of Incidents
- Identify the Root Cause of Incidents or faults in the IT environment
- Prevent incidents from re-occurring
- Record information that will improve the way in which IT deals with problems
Key Concepts for Problem Management
- Known Error: A problem for which the root cause has been determined and a workaround or resolution has been determined.
- Known Error Database (KEDB): A tool that maintains information about known errors and their workarounds.
- Proactive Problem Management: Maintaining information about events, incidents, problems and the state of the production environment to determine potential problems before they are reported and resolve them.
- Problem Model: A predefined workflow for handling a specific category of problem.
- Reactive Problem Management: Activities required to diagnose the root cause of problems that have already been discovered by incident management.
What are the OBJECTIVES of Problem Management?
- Find the root causes of errors
- Develop solutions to resolve known errors
- Plan and request changes to implement the solutions
- Prevent future incidents and problems

31 Problem Management: Process Diagram
Standard Roles for Problem Management
- Problem Manager: The single point of coordination and owner for the Problem Management process. Creates or reviews Problem records, assigns problem investigation and resolution tasks, closes Problem records, and manages the Known Error database.
- Problem Analyst: A technical staff member assigned to investigate or resolve a problem, developing solutions or work-arounds for the Problem, and updating the Known Error database.
- Problem-Solving Group: A team that takes responsibility for performing the analysis of the Problems in a technical area, such as Wintel server or desktop.

32 Problem Management: Benefits
Problem Management is directed toward the stabilization and improvement of service availability and quality.
Benefits include:
- Reduction in the number of Incidents due to more effective and efficient incident handling
- Increase in user productivity and service quality
- Improved reputation of the IT Organization due to a decrease in the repetition of incidents
- Increase in productivity of Support staff
- Ability to proactively identify beneficial system enhancements, amendments and business opportunities
- Improved resolution rates at the Service Desk
- Increase in the availability of business-focused management information related to SLAs

33 Next Steps with ITIL

34 Scope of IT Consolidation – Executive Order 510
- Agency: Agency specific applications
- Secretariat: Helpdesk services; Desktop & LAN services; Website information architecture services; Application services (as proposed by SCIO)
- Commonwealth: Data and telecom network services; Data center services; Website hosting and portal services; Shared enterprise services (including directory)

35 Asset and Configuration Management
Process Integration points with Agencies, Secretariats, and ITD
- Service Desk: Coordinate on incidents involving more than one organization; leverage shared tools; leverage shared knowledge; redirect callers to appropriate resources (ITD vs. Secretariat vs. Agency)
- Incident Management: Coordination of communications and notifications; coordination of Incident resolution actions
- Request Fulfillment: Calls to one organization for services that are the responsibility of another organization
- Change Management: Coordinate change planning and approval for resources hosted or managed by ITD
- Asset and Configuration Management: Ownership vs. custodianship (e.g., ITD hosts a server owned by a Secretariat)
- Problem Management: Leverage knowledge beneficial to all: share Known Errors; share responsibility for Root Cause Analysis and Problem elimination (e.g., application support and server management)

36 ISO/IEC Series

37 Introduction to ISO/IEC 27000

38 ISO/IEC 27000 Series Standard Definition
An Information Security Management System (ISMS), based on a business risk approach, that standardizes the establishment, implementation, operation, monitoring, review, maintenance and improvement of information security
Additionally, ISO/IEC is:
- A systematic approach to manage risk and provide a consolidated view to management
- An auditing guide that details what organizations ‘shall’ do – indicates provisions that reflect the requirements of the ISO standard which are mandatory
- For an organization to be on the road to certification, they must implement all of the mandatory clauses 4, 5, 6, 7 and 8 of ISO 27001:2005
- Annex A – Non-mandatory controls found within ISO 27002
Definitions:
- ISMS = Information Security Management System
- ISO = International Standards Organization
- IEC = International Electrotechnical Commission
What gets monitored gets measured, what gets measured gets managed.

39 ISO/IEC 27001:2005 ISMS Implementation Program ISO/IEC 27001 Structure
1. Scope
2. Normative References
3. Terms & Definitions
4. Information security management system
   4.1 General requirements
   4.2 Establishing and managing the ISMS
   4.3 Documentation requirements
       4.3.2 Control of documents
       4.3.3 Control of records
5. Management responsibility
   5.1 Management commitment
   5.2 Resource management
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
   8.1 Continual improvement
   8.2 Corrective actions
   8.3 Preventive actions
Annex A (normative), B & C (informative)

40 The Plan – Do – Check – Act (PDCA) model is used in ISO/IEC 27001
The model is used as the basis for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the ISMS.

[Diagram: PDCA cycle (Plan, Do, Check, Act) with the stages Establish ISMS Context & Risk Assessment; Design and Implement ISMS; Monitor & Review ISMS; Maintain & Improve ISMS. Inputs shown: Interested Parties, Enterprise Security Architecture Requirements, Business Strategy, Established Qualitative ROI, Regulatory / Legislative Compliance. Labeled as the Development, Maintenance, and Improvement Cycle.]

Plan (Establish the ISMS & Risk Assessment): Establish security policy, objectives, targets, processes and procedures relevant to managing risk to information assets and improving information security, to deliver results in accordance with an organization's overall policies.

Do (Design and Implement the ISMS): Implement and operate the security policy, controls, processes and procedures.

Check (Monitor & Review the ISMS): Assess results of detective controls to measure performance and effectiveness.

Act (Maintain and Improve the ISMS): Take corrective and preventive actions, based on the results of the performance and effectiveness metrics, to achieve continual improvement of the ISMS.

41 ISO/IEC 27001: Control objectives and controls
[Diagram: 11 Domains, each containing control objectives ("Satisfies Objectives") and controls ("Specifies Requirements"); 133 Controls in total]

42 11 Security Domains of ISO/IEC 27001
- A.5 Security policy (1/2)*
- A.6 Organization of information security (2/11)*
- A.7 Asset management (2/5)*
- A.8 Human resources security (3/9)*
- A.9 Physical & environmental security (2/13)*
- A.10 Communications & operations management (10/32)*
- A.11 Access control (7/25)*
- A.12 Information systems acquisition, development & maintenance (6/16)*
- A.13 Information security incident management (2/5)*
- A.14 Business continuity management (1/5)*
- A.15 Compliance (3/10)*

* (control objectives / controls)

43 Advantages of Implementing the ISO/IEC 27000 Series
- A single reference point for identifying a range of controls needed for most situations where information systems are used
- Facilitation of trading in a trusted environment
- An internationally recognized structured methodology
- A defined process to evaluate, implement, maintain and manage information security
- A set of tailored policy, standards, procedures and guidelines
- The standard provides a yardstick against which security can be judged

44 Components of ITIL: Service Desk
ISO/IEC Implementation Overview

45 Clause 4.0: Information Security Management System (ISMS) Overview
The fundamental concept behind the ISMS is the implementation and management of a set of systems and processes to help achieve effective information security.

- Policy: Demonstration of commitment and principles for action
- Planning: Identification of needs, resources, structure and responsibilities
- Implementation and Operation: Awareness building and training
- Performance Assessment: Monitoring and measuring, handling non-conformities and audits
- Improvement: Corrective and preventive action, and continual improvement
- Management Review: Management's awareness, acknowledgement and acceptance of risk

46 Clause 5.0 and 6.0: Management Responsibility and Internal ISMS Audit
Clause 5.0: Management Responsibility
- Management Commitment: evidence of upper management's commitment to information security is critical
- Training, awareness and competency
- Resource Management

Clause 6.0: Internal ISMS Audit
Conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures of the ISMS:
- Conform to the requirements of the standard
- Conform to identified security requirements
- Are effectively implemented and maintained, and perform as expected

47 Clause 7.0 and 8.0: Management Review and Improvement of ISMS
Clause 7.0: Management Review of the ISMS
[Diagram: Review Input -> Review -> Review Output, with Internal Audit Findings feeding the review]
- Review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness
- Assess opportunities for improvement and the need for changes to the ISMS, including the security policy and security objectives

Clause 8.0: Improvement of the ISMS
Continual Improvement: continually improve the effectiveness of the ISMS through the use of:
- The information security policy
- Security objectives
- Audit results
- Analysis of monitored events
- Corrective and preventive actions
- Management review

Corrective Action: take action to eliminate the cause of nonconformities with the ISMS requirements to prevent recurrence.
Preventive Action: determine and eliminate the cause of potential nonconformities with the ISMS requirements.

48 Annex A: Non-Mandatory Controls
Control Areas
- A5: Security Policy
- A6: Organization of IS
- A7: Asset Management
- A8: Human Resources Security
- A9: Physical and Environmental Security
- A10: Communications and Operations Management
- A11: Access Control
- A12: Information Systems Acquisition, Development and Maintenance
- A13: Information Security Incident Management
- A14: Business Continuity Management
- A15: Compliance

49 Components of ITIL: Service Desk
ISO/IEC for the Commonwealth of MA

50 Controls Overview: Responsibility for Assets
Topic: Responsibility for Assets
Control Objective: To achieve and maintain appropriate protection of the organizational assets.
Controls:
- Inventory of assets
- Ownership of assets
- Acceptable use of assets

How could this control apply at the Commonwealth?
- Develop policy regarding asset management
- Documented list of all agency assets (e.g., through an asset management system)
- Documented processes and procedures discussing ownership of assets
- Documented Acceptable Use Policy for Assets at an Agency
- Documented process which categorizes the importance of different assets to an agency (e.g., office supplies vs. production computers)

51 Controls Overview: Information Classification
Topic: Information Classification
Control Objective: To ensure that Information Assets receive an appropriate level of protection.
Controls:
- Classification guidelines
- Information labeling and handling

How could this control apply at the Commonwealth?
- Implement an information classification system (manual or automated) that segregates information, for example:
  - Top Secret
  - Secret
  - Confidential
  - Restricted
  - Public

52 Controls Overview: Equipment Security
Topic: Equipment Security
Control Objective: To prevent loss, damage or compromise of assets and interruption to business activities.
Controls:
- Equipment protection
- Supporting utilities
- Cabling security
- Equipment maintenance
- Security of equipment off-premises
- Secure disposal or re-use of equipment
- Removal of property

How could this control apply at the Commonwealth?
- Data Center policies and procedures specifically around equipment usage
- Documented procedures for equipment disposal (clearing hard drives, etc.)
- Equipment labeling (barcoding, RFID, etc.)
- Equipment maintenance schedules

53 Components of ITIL: Service Desk
ISO/IEC for the Commonwealth of MA

54 Next Steps for Secretariats
ITIL v3 and ISO provide a framework for Secretariats as they continue their process of IT service consolidation
- Review ITIL processes and apply them to meet Secretariat requirements
- Leverage and apply the Helpdesk Strategy and Desktop/LAN Strategy Documents, which will provide additional guidance on application of relevant ITIL processes and functions
- Promote open communication between Secretariat IT service leads and Service Management Working Group leads to facilitate knowledge sharing between Secretariat and ITD applications of ITIL and ISO standards

Commonwealth ITIL and ISO Points of Contact
- ITIL: John Letchford
- ISO: Dan Walsh
- Supported by: Jeff Tarbox

55 © 2008 Deloitte Touche Tohmatsu

