Service Design
Service Design Process
4.6 IT Security Management (ISM)
4.6.1 Purpose, Goals and Objectives
'The goal of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities'.
ISM needs to be considered within the overall corporate governance framework. Corporate Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring the objectives are achieved, ascertaining the risks are being managed appropriately and verifying that the enterprise's resources are used effectively.
Information security is a management activity within the corporate governance framework, which provides the strategic direction for security activities and ensures objectives are achieved. It further ensures that the information security risks are appropriately managed and that enterprise information resources are used responsibly. The purpose of ISM is to provide a focus for all aspects of IT security and manage all IT security activities.
The term 'information' is used as a general term and includes data stores, databases and metadata. The objective of information security is to protect the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity.
For most organizations, the security objective is met when:
- Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from or prevent failures (availability)
- Information is observed by or disclosed to only those who have a right to know (confidentiality)
- Information is complete, accurate and protected against unauthorized modification (integrity)
- Business transactions, as well as information exchanges between enterprises, or with partners, can be trusted (authenticity and non-repudiation).
Prioritization of confidentiality, integrity and availability must be considered in the context of business and business processes. The primary guide to defining what must be protected and the level of protection has to come from the business. To be effective, security must address entire business processes from end to end and cover the physical and technical aspects. Only within the context of business needs and risks can management define security.
4.6.2 Scope
The ISM process should be the focal point for all IT security issues, and must ensure that an Information Security Policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services. ISM needs to understand the total IT and business security environment, including the:
- Business Security policy and plans
- Current business operation and its security requirements
- Future business plans and requirements
- Legislative requirements
- Obligations and responsibilities with regard to security contained within SLAs
- The business and IT risks and their management.
Understanding all of this will enable ISM to ensure that all the current and future security aspects and risks of the business are cost-effectively managed.
The ISM process should include:
- The production, maintenance, distribution and enforcement of an Information Security Policy and supporting security policies
- Understanding the agreed current and future security requirements of the business and the existing Business Security Policy and plans
- Implementation of a set of security controls that support the Information Security Policy and manage risks associated with access to services, information and systems
- Documentation of all security controls, together with the operation and maintenance of the controls and their associated risks
- Management of suppliers and contracts regarding access to systems and services, in conjunction with Supplier Management
- Management of all security breaches and incidents associated with all systems and services
- The proactive improvement of security controls, and security risk management and the reduction of security risks
- Integration of security aspects within all other ITSM processes.
To achieve effective information security governance, management must establish and maintain an Information Security Management System (ISMS) to guide the development and management of a comprehensive information security programme that supports the business objectives.
4.6.3 Value to the Business
ISM ensures that an Information Security Policy is maintained and enforced that fulfills the needs of the Business Security Policy and the requirements of corporate governance. ISM raises awareness of the need for security within all IT services and assets throughout the organization, ensuring that the policy is appropriate for the needs of the organization. ISM manages all aspects of IT and information security within all areas of IT and Service Management activity.
ISM provides assurance of business processes by enforcing appropriate security controls in all areas of IT and by managing IT risk in line with business and corporate risk management processes and guidelines.
4.6.4 Policies, Principles and Basic Concepts
Prudent business practices require that IT processes and initiatives align with business processes and objectives. This is critical when it comes to information security, which must be closely aligned with business security and business needs. Additionally all processes within the IT organization must include security considerations.
Executive management is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. In addition, boards of directors are expected to make information security an integral part of corporate governance. All IT service provider organizations must therefore ensure that they have a comprehensive ISM policy(s) and the necessary security controls in place to monitor and enforce the policies.
4.6.4.1 Security Framework
The Information Security Management process and framework will generally consist of:
- An Information Security Policy and specific security policies that address each aspect of strategy, controls and regulation
- An Information Security Management System (ISMS), containing the standards, management procedures and guidelines supporting the information security policies
- A comprehensive security strategy, closely linked to the business objectives, strategies and plans
- An effective security organizational structure
- A set of security controls to support the policy
- The management of security risks
- Monitoring processes to ensure compliance and provide feedback on effectiveness
- Communications strategy and plan for security
- Training and awareness strategy and plan.
4.6.4.2 The Information Security Policy (ISP)
Information Security Management activities should be focused on and driven by an overall Information Security Policy and a set of underpinning specific security policies. The ISP should have the full support of top executive IT management and ideally the support and commitment of top executive business management. The policy should cover all areas of security, be appropriate, meet the needs of the business and should include:
- An overall Information Security Policy
- Use and misuse of IT assets policy
- An access control policy
- A password control policy
- An e-mail policy
- An internet policy
- An anti-virus policy
- An information classification policy
- A document classification policy
- A remote access policy
- A policy with regard to supplier access of IT service, information and components
- An asset disposal policy.
These policies should be widely available to all customers and users, and their compliance should be referred to in all SLRs, SLAs, contracts and agreements. The policies should be authorized by top executive management within the business and IT, and compliance to them should be endorsed on a regular basis. All security policies should be reviewed - and, where necessary, revised - on at least an annual basis.
4.6.4.3 The Information Security Management System (ISMS)
Figure 4.26 Framework for managing IT security
The framework or the ISMS in turn provides a basis for the development of a cost-effective information security programme that supports the business objectives. It will involve the Four Ps of People, Process, Products (Technology) and Partners (Suppliers) to ensure high levels of security are in place.
ISO 27001 is the formal standard against which organizations may seek independent certification of their ISMS (meaning their frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organizations). The ISMS shown in Figure 4.26 shows an approach that is widely used and is based on the advice and guidance described in many sources, including ISO 27001.
The five elements within this framework are as follows:
Control
The objectives of the control element of the ISMS are to:
- Establish a management framework to initiate and manage information security in the organization
- Establish an organization structure to prepare, approve and implement the Information Security Policy
- Allocate responsibilities
- Establish and control documentation.
Plan
The objective of the plan element of the ISMS is to devise and recommend the appropriate security measures, based on an understanding of the requirements of the organization.
The requirements will be gathered from such sources as business and service risk, plans and strategies, SLAs and OLAs and the legal, moral and ethical responsibilities for information security. Other factors, such as the amount of funding available and the prevailing organization culture and attitudes to security, must be considered.
The Information Security Policy defines the organization's attitude and stance on security matters. This should be an organization-wide document, not just applicable to the IT service provider. Responsibility for the upkeep of the document rests with the Information Security Manager.
Implement
The objective of the implementation of the ISMS is to ensure that appropriate procedures, tools and controls are in place to underpin the Information Security Policy.
Amongst the measures are:
- Accountability for assets - Configuration Management and the CMS are invaluable here
- Information classification - information and repositories should be classified according to the sensitivity and the impact of disclosure.
The successful implementation of the security controls and measures is dependent on a number of factors:
- The determination of a clear and agreed policy, integrated with the needs of the business
- Security procedures that are justified, appropriate and supported by senior management
- Effective marketing and education in security requirements
- A mechanism for improvement.
Evaluation
The objectives of the evaluation element of the ISMS are to:
- Supervise and check compliance with the security policy and security requirements in SLAs and OLAs
- Carry out regular audits of the technical security of IT systems
- Provide information to external auditors and regulators, if required.
Maintain
The objectives of this maintain element of the ISMS are to:
- Improve security agreements as specified in, for example, SLAs and OLAs
- Improve the implementation of security measures and controls.
This should be achieved using a PDCA (Plan-Do-Check-Act) cycle, which is a formal approach suggested by ISO 27001 for the establishment of the Information Security Management System (ISMS) or framework. This cycle is described in more detail in the Continual Service Improvement publication.
Security Governance
Information security governance, when properly implemented, should provide six basic outcomes:
Strategic Alignment:
- Security requirements should be driven by enterprise requirements
- Security solutions need to fit enterprise processes
- Investment in information security should be aligned with the enterprise strategy and agreed on risk profile.
Value Delivery:
- A standard set of security practices, i.e. baseline security requirements following best practices
- Properly prioritized and distributed effort to areas with greatest impact and business benefit
- Institutionalized and commoditized solutions
- Complete solutions, covering organization and process as well as technology
- A culture of continual improvement.
Risk Management:
- Agreed-on risk profile
- Understanding of risk exposure
- Awareness of risk management priorities
- Risk mitigation
- Risk acceptance/deference.
Performance Management:
- Defined, agreed and meaningful set of metrics
- Measurement process that will help identify shortcomings and provide feedback on progress made resolving issues
- Independent assurance.
Resource Management:
- Knowledge is captured and available
- Documented security processes and practices
- Developed security architecture(s) to efficiently utilize infrastructure resources.
Business Process Assurance.
4.6.5 Process Activities, Methods and Techniques
Figure 4.27 IT Security Management process
The purpose of the ISM process is to ensure that the security aspects with regard to services and all Service Management activities are appropriately managed and controlled in line with business needs and risks.
The key activities within the ISM process are:
- Production, review and revision of an overall Information Security Policy and a set of supporting specific policies
- Communication, implementation and enforcement of the security policies
- Assessment and classification of all information assets and documentation
- Implementation, review, revision and improvement of a set of security controls and risk assessment and responses
- Monitoring and management of all security breaches and major security incidents
- Analysis, reporting and reduction of the volumes and impact of security breaches and incidents
- Schedule and completion of security reviews, audits and penetration tests.
The interactions between these key activities are illustrated in Figure 4.27.
The developed Information Security Management processes, together with the methods, tools and techniques, constitute the security strategy. The security manager should ensure that technologies, products and services are in place and that the overall policy is developed and well published. The security manager is also responsible for security architecture, authentication, authorization, administration and recovery.
The security strategy also needs to consider how it will embed good security practices into every area of the business. Training and awareness are vital in the overall strategy, as security is often weakest at the end-user stage. It is here, as well, that there is a need to develop methods and processes that enable the policies and standards to be more easily followed and implemented.
Resources need to be assigned to track developments in these enabling technologies and the products they support. For example, privacy continues to be important and, increasingly, the focus of government regulation, making privacy compliance technologies an important enabling technology.
4.6.5.1 Security Controls
Figure 4.28 Security Controls for Threats and Incidents
The Information Security Manager must understand that security is not a step in the lifecycle of services and systems and that security cannot be solved through technology. Rather, information security must be an integral part of all services and systems and is an ongoing process that needs to be continuously managed using a set of security controls, as shown in Figure 4.28.
The set of security controls should be designed to support and enforce the Information Security Policy and to minimize all recognized and identified threats. The controls will be considerably more cost-effective if included within the design of all services. This will ensure the continued protection of all existing services and that new services and access to them are in line with the policy.
Security measures can be used at a specific stage in the prevention and handling of security incidents, as illustrated in Figure 4.28. Security incidents are not solely caused by technical threats - statistics show that, for example, the large majority stem from human errors (intended or not) or procedural errors, and often have implications in other fields such as safety, legal or health.
The following stages can be identified. At the start there is a risk that a threat will materialize. A threat can be anything that disrupts the business process or has negative impact on the business. When a threat materializes, we speak of a security incident. This security incident may result in damage (to information or to assets) that has to be repaired or otherwise corrected. Suitable measures can be selected for each of these stages. The choice of measures will depend on the importance attached to the information.
- Preventive: security measures are used to prevent a security incident from occurring. The best-known example of preventive measures is the allocation of access rights to a limited group of authorized people. The further requirements associated with this measure include the control of access rights (granting, maintenance and withdrawal of rights), authorization (identifying who is allowed access to which information and using which tools), identification and authentication (confirming who is seeking access) and access control (ensuring that only authorized personnel can gain access).
- Reductive: further measures can be taken in advance to minimize any possible damage that may occur. These are 'reductive' measures. Familiar examples of reduction measures are making regular backups and the development, testing and maintenance of contingency plans.
- Detective: if a security incident occurs, it is important to discover it as soon as possible - detection. A familiar example of this is monitoring, linked to an alert procedure. Another example is virus-checking software.
- Repressive: measures are then used to counteract any continuation or repetition of the security incident. For example, an account or network address is temporarily blocked after numerous failed attempts to log on, or a card is retained when multiple attempts are made with a wrong PIN.
- Corrective: the damage is repaired as far as possible using corrective measures. For example, corrective measures include restoring the backup, or returning to a previous stable situation (roll-back, back-out). Fall-back can also be seen as a corrective measure.
The documentation of all controls should be maintained to reflect accurately their operation, maintenance and their method of operation.
4.6.5.2 Management of Security Breaches and Incidents
In the case of serious security breaches or incidents, an evaluation is necessary in due course, to determine what went wrong, what caused it and how it can be prevented in the future. However, this process should not be limited to serious security incidents. All breaches of security and security incidents need to be studied in order to gain a full picture of the effectiveness of the security measures as a whole. A reporting procedure for security incidents is required to be able to evaluate the effectiveness and efficiency of the present security measures based on an insight into all security incidents. This is facilitated by the maintenance of log files and audit files and, of course, the incident records of the Service Desk function. The analysis of these statistics on security issues should lead to improvement actions focused on the reduction of the impact and volume of all security breaches and incidents, in conjunction with Problem Management.
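As an added illustration of the detective and repressive stages described under Security Controls (monitoring linked to an alert procedure; temporary blocking of an account after numerous failed logons) and of the incident statistics that the reporting procedure above relies on, the following Python script is example code and not part of the ITIL text. The syslog-like line format, the user names and addresses in the sample log, and the threshold, window and lockout values are all constructed assumptions for this example.

```python
"""Detective and repressive controls over authentication log lines, with a
per-category incident summary for the security incident report.

Added example: the log format, sample lines and thresholds are constructed
for illustration and are not taken from the ITIL text.
"""
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical syslog-like format, in time order).
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:04 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:07 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:09 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:12 auth sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:15 auth sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:05:00 auth sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:30:00 auth sshd: Accepted password for bob from 10.0.0.9
2024-03-01T09:45:00 auth sshd: Failed password for bob from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5              # assumed: failures within WINDOW that trigger a lockout
WINDOW = timedelta(minutes=5)   # assumed: sliding window for counting failures
LOCKOUT = timedelta(minutes=15) # assumed: duration of the temporary block


def parse_line(line):
    """Return an event dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def monitor(lines, threshold=FAIL_THRESHOLD, window=WINDOW, lockout=LOCKOUT):
    """Detective control: scan events in order and emit incident records.

    The lockout decision is the repressive control; a successful logon while
    an account should still be locked is recorded as its own incident, since
    it means the block was not enforced where the logon was accepted.
    """
    failures = {}      # user -> deque of failure timestamps inside the window
    locked_until = {}  # user -> time at which the temporary block expires
    incidents = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        until = locked_until.get(user)
        if until is not None and ts >= until:
            del locked_until[user]          # the block has expired
            until = None
        if ev["outcome"] == "Accepted":
            if until is not None:
                incidents.append({"ts": ts, "user": user, "src": ev["src"],
                                  "category": "logon_during_lockout",
                                  "detail": "successful logon while the account should be blocked"})
            else:
                failures.pop(user, None)    # a normal success resets the counter
            continue
        if until is not None:               # failed attempt against a blocked account
            incidents.append({"ts": ts, "user": user, "src": ev["src"],
                              "category": "attempt_during_lockout",
                              "detail": "failed logon while blocked"})
            continue
        recent = failures.setdefault(user, deque())
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= threshold:
            locked_until[user] = ts + lockout   # repressive measure
            recent.clear()
            incidents.append({"ts": ts, "user": user, "src": ev["src"],
                              "category": "lockout",
                              "detail": f"{threshold} failed logons within {window}; "
                                        f"blocked until {ts + lockout:%H:%M:%S}"})
    return incidents


def summarize(incidents):
    """Evaluation step: number of incidents per category for the security report."""
    return Counter(i["category"] for i in incidents)


if __name__ == "__main__":
    found = monitor(SAMPLE_LOG.splitlines())
    for inc in found:
        print(f"{inc['ts']:%Y-%m-%d %H:%M:%S} {inc['category']:<22} "
              f"{inc['user']}@{inc['src']}: {inc['detail']}")
    print(dict(summarize(found)))
```

On the constructed sample the monitor raises two incidents: a lockout for alice on her fifth failure, and an accepted logon for alice three seconds later while that block should still have been in force, which is exactly the kind of gap between a documented control and its actual operation that the review of all security incidents is meant to expose. Bob's isolated failures stay below the threshold and generate nothing.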
4.6.6 Triggers, Inputs, Outputs and Interfaces
Triggers
ISM activity can be triggered by many events. These include:
- New or changed corporate governance guidelines
- New or changed Business Security Policy
- New or changed corporate risk management processes and guidelines
- New or changed business needs or new or changed services
- New or changed requirements within agreements, such as SLRs, SLAs, OLAs or contracts
- Review and revision of business and IT plans and strategies
- Review and revision of designs and strategies
- Service or component security breaches or warnings, events and alerts, including threshold events, exception reports
- Periodic activities, such as reviewing, revising or reporting, including review and revision of ISM policies, reports and plans
- Recognition or notification of a change of risk or impact of a business process or VBF, an IT service or component
- Requests from other areas, particularly SLM for assistance with security issues.
Interfaces
The effective and efficient implementation of an Information Security Policy within an organization will, to a large extent, be dependent on good Service Management processes. Indeed, the effective implementation of some processes can be seen as a prerequisite for effective security control. The key interfaces that ISM has with other processes are as follows:
- Incident and Problem Management: in providing assistance with the resolution and subsequent justification and correction of security incidents and problems. The Incident Management process must include the ability to identify and deal with security incidents. Service Desk and Service Operations staff must 'recognize' a Security Incident
- ITSCM: with the assessment of business impact and risk, and the provision of resilience, fail-over and recovery mechanisms. Security is a major issue when continuity plans are tested or invoked. A working ITSCM plan is a mandatory requirement for ISO 27001
- SLM: assistance with the determining of security requirements and responsibilities and their inclusion within SLRs and SLAs, together with the investigation and resolution of service and component security breaches
- Change Management: ISM should assist with the assessment of every change for impact on security and security controls. Also ISM can provide information on unauthorized changes
- Legal and HR: issues must be considered when investigating security issues
- Configuration Management: provides accurate asset information to assist with security classifications. Having an accurate CMS is therefore an extremely useful ISM input.
- Availability Management: ISM should work with both Availability Management and ITSCM to conduct integrated Risk Analysis and Management exercises
- Capacity Management: considers security implications when selecting and introducing new technology. Security is an important consideration when procuring any new technology or software
- Financial Management: provides adequate funds to finance security requirements
- Supplier Management: assists with the joint management of suppliers and their access to services and systems, and the terms and conditions to be included within contracts concerning supplier responsibilities.
4.6.6.1 Inputs
Information Security Management will need to obtain input from many areas, including:
- Business information: from the organization's business strategy, plans and financial plans, and information on their current and future requirements.
- Corporate governance and business security policies and guidelines, security plans, risk analysis and responses
- IT information: from the IT strategy and plans and current budgets
- Service information: from the SLM process with details of the services from the Service Portfolio and the Service Catalogue and service level targets within SLAs and SLRs, and possibly from the monitoring of SLAs, service reviews and breaches of the SLAs
- Risk Analysis processes and reports: from ISM, Availability Management and ITSCM
- Details of all security events and breaches: from all areas of IT and SM, especially Incident Management and Problem Management
- Change information: from the Change Management process with a Change Schedule and a need to assess all changes for their impact on all security policies, plans and controls
- CMS: containing information on the relationships between the business, the services, supporting services and the technology
- Details of partner and supplier access: from Supplier Management and Availability Management on external access to services and systems.
4.6.6.2 Outputs
The outputs produced by the Information Security Management process are used in all areas and should include:
- An overall Information Security Management Policy, together with a set of specific security policies
- A Security Management Information System (SMIS), containing all the information relating to ISM
- Revised security risk assessment processes and reports
- A set of security controls, together with details of the operation and maintenance and their associated risks
- Security audits and audit reports
- Security test schedules and plans, including security penetration tests and other security tests and reports
- A set of security classifications and a set of classified information assets
- Reviews and reports of security breaches and major incidents
- Policies, processes and procedures for managing partners and suppliers and their access to services and information.
4.6.7 Key Performance Indicators
Many KPIs and metrics can be used to assess the effectiveness and efficiency of the ISM process and activities. These metrics need to be developed from the service, customer and business perspective such as:
- Business protected against security violations:
- Percentage decrease in security breaches reported to the Service Desk
- Percentage decrease in the impact of security breaches and incidents
- Percentage increase in SLA conformance to security clauses
- The determination of a clear and agreed policy, integrated with the needs of the business: decrease in the number of non-conformances of the ISM process with the business security policy and process.
- Security procedures that are justified, appropriate and supported by senior management:
- Increase in the acceptance and conformance of security procedures
- Increased support and commitment of senior management
- A mechanism for improvement:
- The number of suggested improvements to security procedures and controls
- Decrease in the number of security non-conformances detected during audits and security testing
- Information security is an integral part of all IT services and all ITSM processes: increase in the number of services and processes conformant with security procedures and controls.
- Effective marketing and education in security requirements, IT staff awareness of the technology supporting the services:
- Increased awareness of the security policy and its contents, throughout the organization
- Percentage increase in completeness of the technical Service Catalogue against IT components supporting the services
- Service Desk supporting all services.
4.6.8 Information Management
All the information required by ISM should be contained within the Security Management Information System (SMIS). This should include all security controls, risks, breaches, processes and reports necessary to support and maintain the Information Security Policy and the ISMS. This information should cover all IT services and components and needs to be integrated and maintained in alignment with all other IT information management systems, particularly the Service Portfolio and the CMS. The SMIS will also provide the input to security audits and reviews and to the continual improvement activities so important to all ISMSs as well as invaluable input to the design of new systems and services.
4.6.9 Challenges, Critical Success Factors and Risks
ISM faces many challenges in establishing an appropriate Information Security Policy with an effective supporting process and controls. One of the biggest challenges is to ensure that there is adequate support from the business, business security and senior management. If these are not available, it will be impossible to establish an effective ISM process. If there is senior IT management support, but there is no support from the business, IT security controls and risk assessment will be severely limited in what they can achieve because of this lack of support from the business. It is pointless implementing security policies, procedures and controls in IT if these cannot be enforced throughout the business. The major use of IT services and assets is outside of IT, and so are the majority of security threats and risks.
In some organizations the business perception is that security is an IT responsibility, and therefore the business assumes that IT will be responsible for all aspects of IT security and that IT services will be adequately protected. However, without the commitment and support of the business and business personnel, money invested in expensive security controls and procedures will be largely wasted and they will mostly be ineffective.
If there is a business security process established, then the challenge becomes one of alignment and integration. ISM must ensure that accurate information is obtained from the business security process on the needs, risks, impact and priorities of the business and that the ISM policies, information and plans are aligned and integrated with those of the business. Having achieved that alignment, the challenge becomes one of keeping them aligned by management and control of business and IT change using strict Change Management and Configuration Management control. Again, this requires support and commitment from the business and senior management.
The main CSFs for the ISM process are:
- Business protected against security violations
- The determination of a clear and agreed policy, integrated with the needs of the business
- Security procedures that are justified, appropriate and supported by senior management
- Effective marketing and education in security requirements
- A mechanism for improvement
- Information security is an integral part of all IT services and all ITSM processes
- The availability of services is not compromised by security incidents
- Clear ownership and awareness of the security policies amongst the customer community.
Information systems can generate many direct and indirect benefits, and as many direct and indirect risks.
These risks have led to a gap between the need to protect systems and services and the degree of protection applied. The gap is caused by internal and external factors, including the widespread use of technology, increasing dependence of the business on IT, increasing complexity and interconnectivity of systems, disappearance of the traditional organizational boundaries and increasingly onerous regulatory requirements.
This means that there are new risk areas that could have a significant impact on critical business operations, such as:
- Increasing requirements for availability and robustness
- Growing potential for misuse and abuse of information systems affecting privacy and ethical values
- External dangers from hackers, leading to denial-of-service and virus attacks, extortion, industrial espionage and leakage of organizational information or private data.
Because new technology provides the potential for dramatically enhanced business performance, improved and demonstrated information security can add real value to the organization by contributing to interaction with trading partners, closer customer relationships, improved competitive advantage and protected reputation. It can also enable new and easier ways to process electronic transactions and generate trust. In today's competitive global economy, if an organization wants to do business, it may well be asked to present details of its security posture and results of its past performance in terms of tests conducted to ensure security of its information resources.
Other areas of major risks associated with ISM include:
- Lack of commitment from the business to the ISM processes and procedures
- Lack of commitment from the business and a lack of appropriate information on future plans and strategies
- Lack of senior management commitment or a lack of resources and/or budget for the ISM process
- The processes focus too much on the technology issues and not enough on the IT services and the needs and priorities of the business
- Risk assessment and management is conducted in isolation and not in conjunction with Availability Management and ITSCM
- ISM policies, plans, risks and information become out-of-date and lose alignment with the corresponding relevant information and plans of the business and business security.
