Service Design Process
4.6 IT Security Management (ISM)
4.6.1 Purpose, Goals and Objectives
'The goal of the ISM process is to align IT security with business security and ensure that information security is effectively managed in all service and Service Management activities'.
ISM needs to be considered within the overall corporate governance framework. Corporate Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring the objectives are achieved, ascertaining the risks are being managed appropriately and verifying that the enterprise's resources are used effectively.
Information security is a management activity within the corporate governance framework, which provides the strategic direction for security activities and ensures objectives are achieved. It further ensures that the information security risks are appropriately managed and that enterprise information resources are used responsibly. The purpose of ISM is to provide a focus for all aspects of IT security and manage all IT security activities.
The term 'information' is used as a general term and includes data stores, databases and metadata. The objective of information security is to protect the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of availability, confidentiality and integrity.
For most organizations, the security objective is met when:
- Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from or prevent failures (availability)
- Information is observed by or disclosed to only those who have a right to know (confidentiality)
- Information is complete, accurate and protected against unauthorized modification (integrity)
- Business transactions, as well as information exchanges between enterprises, or with partners, can be trusted (authenticity and non-repudiation).
Prioritization of confidentiality, integrity and availability must be considered in the context of business and business processes. The primary guide to defining what must be protected and the level of protection has to come from the business. To be effective, security must address entire business processes from end to end and cover the physical and technical aspects. Only within the context of business needs and risks can management define security.
The ISM process should be the focal point for all IT security issues, and must ensure that an Information Security Policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services. ISM needs to understand the total IT and business security environment, including the:
- Business Security policy and plans
- Current business operation and its security requirements
- Future business plans and requirements
- Legislative requirements
- Obligations and responsibilities with regard to security contained within SLAs
- The business and IT risks and their management.
Understanding all of this will enable ISM to ensure that all he current and future security aspects and risks of the business are cost-effectively managed.
The ISM process should include:
- The production, maintenance, distribution and enforcement of an Information Security Policy and supporting security policies
- Understanding the agreed current and future security requirements of the business and the existing Business Security Policy and plans
- Implementation of a set of security controls that support the Information Security Policy and manage risks associated with access to services, information and systems
- Documentation of all security controls, together with the operation and maintenance of the controls and their associated risks
- Management of suppliers and contracts regarding access to systems and services, in conjunction with Supplier Management
- Management of all security breaches and incidents associated with all systems and services
- The proactive improvement of security controls, and security risk management and the reduction of security risks
- Integration of security aspects within all other ITSM processes.
To achieve effective information security governance, management must establish and maintain an Information Security Management System (ISMS) to guide the development and management of a comprehensive information security programme that supports the business objectives.
4.6.3 Value to the Business
ISM ensures that an Information Security Policy is maintained and enforced that fulfills the needs of the Business Security Policy and the requirements of corporate governance. ISM raises awareness of the need for security within all IT services and assets throughout the organization, ensuring that the policy is appropriate for the needs of the organization. ISM manages all aspects of IT and information security within all areas of IT and Service Management activity.
ISM provides assurance of business processes by enforcing appropriate security controls in all areas of IT and by managing IT risk in line with business and corporate risk management processes and guidelines.
4.6.4 Policies, Principles and Basic Concepts
Prudent business practices require that IT processes and initiatives align with business processes and objectives. This is critical when it comes to information security, which must be closely aligned with business security and business needs. Additionally all processes within the IT organization must include security considerations.
Executive management is ultimately responsible for the organization's information and is tasked with responding to issues that affect its protection. In addition, boards of directors are expected to make information security an integral part of corporate governance. All IT service provider organizations must therefore ensure that they have a comprehensive ISM policy(s) and the necessary security controls in place to monitor and enforce the policies.
126.96.36.199 Security Framework
The Information Security Management process and framework will generally consist of:
- An Information Security Policy and specific security policies that address each aspect of strategy, controls and regulation
- An Information Security Management System (ISMS), containing the standards, management procedures and guidelines supporting the information security policies
- A comprehensive security strategy, closely linked to the business objectives, strategies and plans
- An effective security organizational structure
- A set of security controls to support the policy
- The management of security risks
- Monitoring processes to ensure compliance and provide feedback on effectiveness
- Communications strategy and plan for security
- Training and awareness strategy and plan.
188.8.131.52 The Information Security Policy (ISP)
Information Security Management activities should be focused on and driven by an overall Information Security Policy and a set of underpinning specific security policies. The ISP should have the full support of top executive IT management and ideally the support and commitment of top executive business management. The policy should cover all areas of security, be appropriate, meet the needs of the business and should include:
- An overall Information Security Policy
- Use and misuse of IT assets policy
- An access control policy
- A password control policy
- An e-mail policy
- An internet policy
- An anti-virus policy
- An information classification policy
- A document classification policy
- A remote access policy
- A policy with regard to supplier access of IT service, information and components
- An asset disposal policy.
These policies should be widely available to all customers and users, and their compliance should be referred to in all SLRs, SLAs, contracts and agreements. The policies should be authorized by top executive management within the business and IT, and compliance to them should be endorsed on a regular basis. All security policies should be reviewed - and, where necessary, revised - on at least an annual basis.
184.108.40.206 The Information Security Management System (ISMS)
|Figure 4.26 Framework for managing IT security|
The framework or the ISMS in turn provides a basis for the development of a cost-effective information security programme that supports the business objectives. It will involve the Four Ps of People, Process, Products Technology as well as Partners and Suppliers to ensure high levels of security are in place.
ISO 27001 is the formal standard against which organizations may seek independent certification of their ISMS (meaning their frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organizations). The ISMS shown in Figure 4.26 shows an approach that is widely used and is based on the advice and guidance described in many sources, including ISO 27001.
The five elements within this framework are as follows:
The objectives of the control element of the ISMS are to:
- Establish a management framework to initiate and manage information security in the organization
- Establish an organization structure to prepare, approve and implement the Information Security Policy
- Allocate responsibilities
- Establish and control documentation.
The objective of the plan element of the ISMS is to devise and recommend the appropriate security measures, based on an understanding of the requirements of the organization.
The requirements will be gathered from such sources as business and service risk, plans and strategies, SLAs
and OLAs and the legal, moral and ethical responsibilities for information security. Other factors, such as the amount of funding available and the prevailing organization culture and attitudes to security, must be considered.
The Information Security Policy defines the organization's attitude and stance on security matters. This should be an organization-wide document, not just applicable to the IT service provider. Responsibility for the upkeep of the document rests with the Information Security Manager.
The objective of the implementation of the ISMS is to ensure that appropriate procedures, tools and controls are in place to underpin the Information Security Policy.
Amongst the measures are:
- Accountability for assets - Configuration Management and the CMS are invaluable here
- Information classification - information and repositories should be classified according to the sensitivity and the impact of disclosure.
The successful implementation of the security controls and measures is dependent on a number of factors:
- The determination of a clear and agreed policy, integrated with the needs of the business
- Security procedures that are justified, appropriate and supported by senior management
- Effective marketing and education in security requirements
- A mechanism for improvement.
The objectives of the evaluation element of the ISMS are to:
- Supervise and check compliance with the security policy and security requirements in SLAs and OLAs
- Carry out regular audits of the technical security of IT systems
- Provide information to external auditors and regulators, if required.
The objectives of this maintain element of the ISMS are to:
- Improve security agreements as specified in, for example, SLAs and OLAs
- Improve the implementation of security measures and controls.
This should be achieved using a PDCA (Plan-Do-Check-Act) cycle, which is a formal approach suggested by ISO 27001 for the establishment of the Information Security Management System (ISMS) or framework. This cycle is described in more detail in the Continual Service Improvement publication.
Information security governance, when properly implemented, should provide six basic outcomes:
- Security requirements should be driven by enterprise requirements
- Security solutions need to fit enterprise processes
- Investment in information security should be aligned with the enterprise strategy and agreed on risk profile.
- A standard set of security practices, i.e. baseline security requirements following best practices
- Properly prioritized and distributed effort to areas with greatest impact and business benefit
- Institutionalized and commoditized solutions
- Complete solutions, covering organization and process as well as technology
- A culture of continual improvement.
- Agreed-on risk profile
- Understanding of risk exposure
- Awareness of risk management priorities
- Risk mitigation
- Risk acceptance/deference.
- Defined, agreed and meaningful set of metrics
- Measurement process that will help identify shortcomings and provide feedback on progress made resolving issues
- Independent assurance.
Business process assurance.
- Knowledge is captured and available
- Documented security processes and practices
- Developed security architecture(s) to efficiently utilize infrastructure resources.
4.6.5 Process Activities, Methods and Techniques
The purpose of the ISM process is to ensure that the security aspects with regard to services and all Service Management activities are appropriately managed and controlled in line with business needs and risks.
|Figure 4.27 IT Security Management process|
The key activities within the ISM process are:
- Production, review and revision of an overall Information Security Policy and a set of supporting specific policies
- Communication, implementation and enforcement of the security policies
- Assessment and classification of all information assets and documentation
- Implementation, review, revision and improvement of a set of security controls and risk assessment and responses
- Monitoring and management of all security breaches and major security incidents
- Analysis, reporting and reduction of the volumes and impact of security breaches and incidents
- Schedule and completion of security reviews, audits and penetration tests.
The interactions between these key activities are illustrated in Figure 4.27.
The developed Information Security Management processes, together with the methods, tools and techniques, constitute the security strategy. The security manager should ensure that technologies, products and services are in place and that the overall policy is developed and well published. The security manager is also responsible for security architecture, authentication, authorization, administration and recovery.
The security strategy also needs to consider how it will embed good security practices into every area of the business. Training and awareness are vital in the overall strategy, as security is often weakest at the end-user stage. It is here, as well, that there is a need to develop methods and processes that enable the policies and standards to be more easily followed and implemented.
Resources need to be assigned to track developments in these enabling technologies and the products they support. For example, privacy continues to be important and, increasingly, the focus of government regulation, making privacy compliance technologies an important enabling technology.
220.127.116.11 Security Controls
The Information Security Manager must understand that security is not a step in the lifecycle of services and systems and that security cannot be solved through technology. Rather, information security must be an integral part of all services and systems and is an ongoing process that needs to be continuously managed using a set of security controls, as shown in Figure 4.28.
|Figure 4.28 Security Controls for Threats and Incidents|
The set of security controls should be designed to support and enforce the Information Security Policy and to minimize all recognized and identified threats. The controls will be considerably more cost-effective if included within the design of all services. This will ensure the continued protection of all existing services and that new services and access to them are in line with the policy.
Security measures can be used at a specific stage in the prevention and handling of security incidents, as illustrated in Figure 4.28. Security incidents are not solely caused by technical threats - statistics show that, for example, the large majority stem from human errors (intended or not) or procedural errors, and often have implications in other fields such as safety, legal or health.
The following stages can be identified. At the start there is a risk that a threat will materialize. A threat can be anything that disrupts the business process or has negative impact on the business. When a threat
materializes, we speak of a security incident. This security incident may result in damage (to information or to assets) that has to be repaired or otherwise corrected. Suitable measures can be selected for each of these stages. The choice of measures will depend on the importance attached to the information.
- Preventive: security measures are used to prevent a security incident from occurring. The best-known example of preventive measures is the allocation of access rights to a limited group of authorized people. The further requirements associated with this measure include the control of access rights (granting, maintenance and withdrawal of rights), authorization (identifying who is allowed access to which information and using which tools), identification and authentication (confirming who is seeking access) and access control (ensuring that only authorized personnel can gain access).
- Reductive: further measures can be taken in advance to minimize any possible damage that may occur. These are 'reductive' measures. Familiar examples of reduction measures are making regular backups and the development, testing and maintenance of contingency plans.
- Detective: if a security incident occurs, it is important to discover it as soon as possible - detection. A familiar example of this is monitoring, linked to an alert procedure. Another example is virus-checking software.
- Repressive: measures are then used to counteract any continuation or repetition of the security incident. For example, an account or network address is temporarily blocked after numerous failed attempts to log on or the retention of a card when multiple attempts are made with a wrong PIN number.
- Corrective: The damage is repaired as far as possible using corrective measures. For example, corrective measures include restoring the backup, or returning to a previous stable situation (roll-back, back-out). Fall-back can also been seen as a corrective measure.
The documentation of all controls should be maintained to reflect accurately their operation, maintenance and their method of operation.
18.104.22.168 Management of Security Breaches and Incidents
In the case of serious security breaches or incidents, an evaluation is necessary in due course, to determine what went wrong, what caused it and how it can be prevented in the future. However, this process should not be limited to serious security incidents. All breaches of security and security incidents need to be studied in order to gain a full picture of the effectiveness of the security measures as a whole. A reporting procedure for security incidents is required to be able to evaluate the effectiveness and efficiency of the present security measures based on an insight into all security incidents. This is facilitated by the maintenance of log files and audit files and, of course, the incident records of the Service Desk function. The analysis of these statistics on security issues should lead to improvement actions focused on the reduction of the impact and volume of all security breaches and incidents, in conjunction with Problem Management.
4.6.6 Triggers, Inputs, Outputs and Interfaces
ISM activity can be triggered by many events. These include:
- New or changed corporate governance guidelines
- New or changed Business Security Policy
- New or changed corporate risk management processes and guidelines
- New or changed business needs or new or changed services
- New or changed requirements within agreements, such as SLRs, SLAs, OLAs or contracts
- Review and revision of business and IT plans and strategies
- Review and revision of designs and strategies
- Service or component security breaches or warnings, events and alerts, including threshold events, exception reports
- Periodic activities, such as reviewing, revising or reporting, including review and revision of ISM policies, reports and plans
- Recognition or notification of a change of risk or impact of a business process or VBF, an IT service or component
- Requests from other areas, particularly SLM for assistance with security issues.
The effective and efficient implementation of an Information Security Policy within an organization will, to a large extent, be dependent on good Service Management processes. Indeed, the effective implementation of some processes can be seen as a prerequisite for effective security control. The key interfaces that ISM has with other processes are as follows:
- Incident and Problem Management: in providing assistance with the resolution and subsequent justification and correction of security incidents and problems. The Incident Management process must include the ability to identify and deal with security incidents. Service Desk and Service Operations staff must 'recognize' a Security Incident
- ITSCM: with the assessment of business impact and risk, and the provision of resilience, fail-over and recovery mechanisms. Security is a major issue when continuity plans are tested or invoked. A working ITSCM plan is a mandatory requirement for ISO 27001
- SLM: assistance with the determining of security requirements and responsibilities and their inclusion within SLRs and SLAs, together with the investigation and resolution of service and component security breaches
- Change Management: ISM should assist with the assessment of every change for impact on security and security controls. Also ISM can provide information on unauthorized changes
- Legal and HR: issues must be considered when investigating security issues
- Configuration Management: provides accurate asset information to assist with security classifications. Having an accurate CMS is therefore an extremely useful ISM input.
- Availability ManagementD: ISM should work with both Availability Management and ITSCM to conduct integrated Risk Analysis and Management exercises
- Capacity Management: considers security implications when selecting and introducing new technology. Security is an important consideration when procuring any new technology or software
- Financial Management: provides adequate funds to finance security requirements
- Supplier Management: assists with the joint management of suppliers and their access to services and systems, and the terms and conditions to be included within contracts concerning supplier responsibilities.
Information Security Management will need to obtain input from many areas, including:
- Business information: from the organization's business strategy, plans and financial plans, and information on their current and future requirements.
- Corporate governance and business security policies and guidelines, security plans, risk analysis and responses
- IT information: from the IT strategy and plans and current budgets
- Service information: from the SLM process with details of the services from the Service Portfolio and the Service Catalogue and service level targets within SLAs and SLRs, and possibly from the monitoring of SLAs, service reviews and breaches of the SLAs
- Risk Analysis processes and reports: from ISM, Availability Management and ITSCM
- Details of all security events and breaches: from all areas of IT and SM, especially Incident Management and Problem Management
- Change information: from the Change Management process with a Change Schedule and a need to assess all changes for their impact on all security policies, plans and controls
- CMS: containing information on the relationships between the business, the services, supporting services and the technology
- Details of partner and supplier access: from Supplier Management and Availability Management on external access to services and systems.
The outputs produced by the Information Security Management process are used in all areas and should include:
- An overall Information Security Management Policy, together with a set of specific security policies
- A Security Management Information System (SMIS), containing all the information relating to ISM
- Revised security risk assessment processes and reports
- A set of security controls, together with details of the operation and maintenance and their associated risks
- Security audits and audit reports
- Security test schedules and plans, including security penetration tests and other security tests and reports
- A set of security classifications and a set of classified information assets
- Reviews and reports of security breaches and major incidents
- Policies, processes and procedures for managing partners and suppliers and their access to services and information.
4.6.7 Key Performance Indicators
Many KPIs and metrics can be used to assess the effectiveness and efficiency of the ISM process and activities. These metrics need to be developed from the service, customer and business perspective such as:
- Business protected against security violations:
- Percentage decrease in security breaches reported to the Service Desk
- Percentage decrease in the impact of security breaches and incidents
- Percentage increase in SLA conformance to security clauses
- The determination of a clear and agreed policy, integrated with the needs of the business: decrease in the number of non-conformances of the ISM process with the business security policy and process.
- Security procedures that are justified, appropriate and supported by senior management:
- Increase in the acceptance and conformance of security procedures
- Increased support and commitment of senior management
- A mechanism for improvement:
- The number of suggested improvements to security procedures and controls
- Decrease in the number of security nonconformance detected during audits and security testing
- Information security is an integral part of all IT services and all ITSM processes: increase in the number of services and processes conformant with security procedures and controls.
- Effective marketing and education in security requirements, IT staff awareness of the technology supporting the services:
- Increased awareness of the security policy and its contents, throughout the organization
- Percentage increase in completeness of the technical Service Catalogue against IT components supporting the services
- Service Desk supporting all services.
4.6.8 Information Management
All the information required by ISM should be contained within the Security Management Information System (SMIS). This should include all security controls, risks, breaches, processes and reports necessary to support and maintain the Information Security Policy and the ISMS. This information should cover all IT services and
components and needs to be integrated and maintained in alignment with all other IT information management systems, particularly the Service Portfolio and the CMS. The SMIS will also provide the input to security audits and reviews and to the continual improvement activities so important to all ISMSs as well as invaluable input to the design of new systems and services.
4.6.9 Challenges, Critical Success Factors and Risks
ISM faces many challenges in establishing an appropriate Information Security Policy with an effective supporting process and controls. One of the biggest challenges is to ensure that there is adequate support from the business, business security and senior management. If these are not available, it will be impossible to establish an effective ISM process. If there is senior IT management support, but there is no support from the business, IT security controls and risk assessment will be severely limited in what they can achieve because of this lack of support from the business. It is pointless implementing security policies, procedures and controls in IT if these cannot be enforced throughout the business. The major use of IT services and assets is outside of IT, and so are the majority of security threats and risks.
In some organizations the business perception is that security is an IT responsibility, and therefore the business assumes that IT will be responsible for all aspects of IT security and that IT services will be adequately protected. However, without the commitment and support of the business and business personnel, money invested in expensive security controls and procedures will be largely wasted and they will mostly be ineffective.
If there is a business security process established, then the challenge becomes one of alignment and integration. ISM must ensure that accurate information is obtained from the business security process on the needs, risks, impact and priorities of the business and that the ISM policies, information and plans are aligned and integrated with those of the business. Having achieved that alignment, the challenge becomes one of keeping them aligned by management and control of business and IT change using strict Change Management and Configuration Management control. Again, this requires support and commitment from the business and senior management.
The main CSFs for the ISM process are:
Information systems can generate many direct and indirect benefits, and as many direct and indirect risks.
These risks have led to a gap between the need to protect systems and services and the degree of protection applied. The gap is caused by internal and external factors, including the widespread use of technology, increasing dependence of the business on IT, increasing complexity and interconnectivity of systems, disappearance of the traditional organizational boundaries and increasingly onerous regulatory requirements.
- Business protected against security violations
- The determination of a clear and agreed policy, integrated with the needs of the business
- Security procedures that are justified, appropriate and supported by senior management
- Effective marketing and education in security requirements
- A mechanism for improvement
- Information security is an integral part of all IT services and all ITSM processes
- The availability of services is not compromised by security incidents
- Clear ownership and awareness of the security policies amongst the customer community.
This means that there are new risk areas that could have a significant impact on critical business operations, such as:
- Increasing requirements for availability and robustness
- Growing potential for misuse and abuse of information systems affecting privacy and ethical values
- External dangers from hackers, leading to denial-of-service and virus attacks, extortion, industrial espionage and leakage of organizational information or private data.
Because new technology provides the potential for dramatically enhanced business performance, improved and demonstrated information security can add real value to the organization by contributing to interaction with trading partners, closer customer relationships, improved competitive advantage and protected reputation. It can also enable new and easier ways to process electronic transactions and generate trust. In today's competitive global economy, if an organization wants to do business, it may well be asked to present details of its security posture and results of its past performance in terms of tests conducted to ensure security of its information resources.
Other areas of major risks associated with ISM include:
lack of commitment from the business to the ISM processes and procedures
- Lack of commitment from the business and a lack of appropriate information on future plans and strategies
- lack of senior management commitment or a lack of resources and/or budget for the ISM process
- The processes focus too much on the technology issues and not enough on the IT services and the needs and priorities of the business
- Risk assessment and management is conducted in isolation and not in conjunction with Availability Management and ITSCM
- ISM policies, plans, risks and information become out-of-date and lose alignment with the corresponding relevant information and plans of the business and business security.