ITIL and Security Management Overview
What is ITIL?For the purpose of this chapter, the focus is how information security management works within the Information Technology Infrastructure Library (ITIL).
The Information Technology Infrastructure Library (ITIL) is a framework of best practices. The concepts within ITIL support information technology services delivery organizations with the planning of consistent, documented, and repeatable or customized processes that improve service delivery to the business. The ITIL framework consists of the following IT processes: Service Support (Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, and Release Management) and Services Delivery (Service Level Management, Capacity Management, Availability Management, Financial Management and IT Service Continuity Management).
History of ITIL
The ITIL concept emerged in the 1980s, when the British government determined that the level of IT service quality provided to them was not sufficient. The Central Computer and Telecommunications Agency (CCTA), now called the Office of Government Commerce (OGC), was tasked with developing a framework for efficient and financially responsible use of IT resources within the British government and the private sector.
Figure 1. ITIL Overview.
The earliest version of ITIL was actually originally called GITIM, Government Information Technology Infrastructure Management. Obviously this was very different to the current ITIL, but conceptually very similar, focusing around service support and delivery.
Large companies and government agencies in Europe adopted the framework very quickly in the early 1990s. ITIL was spreading far and, and was used in both government and non-government organizations. As it grew in popularity, both in the UK and across the world, IT itself changed and evolved, and so did ITIL.
What Is Security Management?
Security management details the process of planning and managing a defined level of security for information and IT services, including all aspects associated with reaction to security Incidents. It also includes the assessment and management of risks and vulnerabilities, and the implementation of cost justifiable countermeasures.
Security management is the process of managing a defined level of security on information and IT services. Included is managing the reaction to security incidents. The importance of information security has increased dramatically because of the move of open internal networks to customers and business partners; the move towards electronic commerce, the increasing use of public networks like Internet and Intranets. The wide spread use of information and information processing as well as the increasing dependency of process results on information requires structural and organized protection of information.
Descriptions
Service Support Overview
Service support describes the processes associated with the day-to day support and maintenance activities associated with the provision of IT services: Service Desk, Incident Management, Problem Management, Change Management, Configuration Management, and Release Management.
- Service Desk: This function is the single point of contact between the end users and IT Service Management.
- Incident Management: Best practices for resolving incidents (any event that causes an interruption to, or a reduction in, the quality of an IT service) and quickly restoring IT services.
- Problem Management: Best practices for identifying the underlying causes of IT incidents in order to prevent future recurrences. These practices seek to proactively prevent incidents and problems.
- Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.
- Configuration Management: Best practices for controlling production configurations; for example, standardization, status monitoring, and asset identification. By identifying, controlling, maintaining and verifying the items that make up an organization’s IT infrastructure, these practices ensure that there is a logical model of the infrastructure.
- Release Management: Best practices for the release of hardware and software. These practices ensure that only tested and correct versions of authorized software and hardware is provided to IT customers.
Service Support Details
Service Desk
The objective of the service desk is to be a single point of contact for customers who need assistance with incidents, problems, questions, and to provide an interface for other activities related to IT and ITIL services.
Figure 2. Service desk diagram.
Benefits of Implementing a Service Desk
- Increased first call resolution
- Skill based support
- Rapidly restore service
- Improved incident response time
- Quick service restoration
- Improved tracking of service quality
- Improved recognition of trends and incidents
- Improved employee satisfaction
Processes Utilized by the Service Desk
- Workflow and procedures diagrams
- Roles and responsibilities
- Training evaluation sheets and skill set assessments
- Implemented metrics and continuous improvement procedures
Incident Management
The objective of Incident management is minimize the disruption to the business by restoring service operations to agreed levels as quickly as possible and to ensure the availability of IT services is maximized, and could also protect the integrity and confidentiality of information by identifying the root cause of a problem.
Benefits of an Incident Management Process
- Incident detection and recording
- Classification and initial support
- Investigation and diagnosis
- Resolution and recovery
- Incident closure
- Incident ownership, monitoring, tracking and communication
- Repeatable Process
With a formal incident management practice, IT quality will improve through ensuring ticket quality, standardizing ticket ownership, and providing a clear understanding of ticket types while decreasing the number of un-reported or misreported incidents.
Figure 3. Incident management ticket owner workflow diagram.
Problem Management
The object of problem management is to resolve the root cause of incidents to minimize the adverse impact of incidents and problems on the business and secondly to prevent recurrence of incidents related to these errors. A `problem’ is an unknown underlying cause of one or more incidents, and a `known error’ is a problem that is successfully diagnosed and for which a work-around has been identified. The outcome of known error is a request for change (RFC).
Figure 4. Problem management diagram overview.
A problem is a condition often identified as a result of multiple Incidents that exhibit common symptoms. Problems can also be identified from a single significant incident, indicative of a single error, for which the cause is unknown, but for which the impact is significant.
A known error is a condition identified by successful diagnosis of the root cause of a problem, and the subsequent development of a work-around.
An RFC is a proposal to IT infrastructure for a change to the environment.
Incident Management and Problem Management: What’s the Difference?
Incidents and service requests are formally managed through a staged process to conclusion. This process is referred to as the “incident management lifecycle.” The objective of the incident management lifecycle is to restore the service as quickly as possible to meet service level agreements (SLAs). The process is primarily aimed at the user level.
Problem management deals with resolving the underlying cause of one or more incidents. The focus of problem management is to resolve the root cause of errors and to find permanent solutions. Although every effort will be made to resolve the problem as quickly as possible this process is focused on the resolution of the problem rather than the speed of the resolution. This process deals at the enterprise level.
Change Management
Change management ensures that all areas follow a standardized process when implementing change into a production environment. Change is defined as any adjustment, enhancement, or maintenance to a production business application, system software, system hardware, communications network, or operational facility.
Benefits of Change Management
- Planning change
- Impact analysis
- Change approval
- Managing and implementing change
- Increase formalization and compliance
- Post change review
- Better alignment of IT infrastructure to business requirements
- Efficient and prompt handling of all changes
- Fewer changes to be backed out
- Greater ability to handle a large volume of change
- Increased user productivity
Configuration Management
Configuration management is the implemtation of a configuration management database (CMDB) that contains details of the organization’s elements that are used in the provision and management of its IT services. The main activities of configuration management are:
- Planning: Planning and defining the scope, objectives, policy and process of the CMDB.
- Identification: Selecting and identifying the configuration structures and items within the scope of your IT infrastructure.
- Configuration control: Ensuring that only authorized and identifiable configuration items are accepted and recorded in the CMDB throughout its lifecycle.
- Status accounting: Keeping track of the status of components throughout the entire lifecycle of configuration items.
- Verification and audit: Auditing after the implementation of configuration management to verify that the correct information is recorded in the CMDB, followed by scheduled audits to ensure the CMDB is kept up-to-date.
Configuration Management and Information Security
Without the definition of all configuration items that are used to provide an organizations’s IT services, it can be very difficult to identify which items are used for which services. This could result in critical configuration items being stolen, moved or misplaced, affecting the availability pf tje services dependent on them. It could also result in unauthorized items being used in the provision of IT services.
Benefits of Configuration Management
- Reduced cost to implement, manage, and support the infrastructure
- Decreased incident and problem resolution times
- Improved management of software licensing and compliance
- Consistent, automated processes for infrastructure mapping
- Increased ability to identify and comply with architecture and standards requirements
- Incident troubleshooting
- Usage trending
- Change evaluation
- Financial chargeback and asset lifecycle management
- Service Level Agreement (SLA) and software license negotiations
Release Management
Release Management is used for platform-independent and automated distribution of software and hardware, including license controls across the entire IT infrastructure. Proper Software and Hardware Control ensure the availability of licensed, tested, and version certified software and hardware, which will function correctly and respectively with the available hardware. Quality control during the development and implementation of new hardware and software is also the responsibility of Release Management. This guarantees that all software can be conceptually optimized to meet the demands of the business processes.
Benefits of Release Management
- Ability to plan resource requirements in advance
- Provides a structured approach, leading to an efficient and effective process
- Changes are bundled together in a release, minimizing the impact on the user
- Helps to verify correct usability and functionality before release by testing
- Control the distribution and installation of changes to IT systems
- Design and implement procedures for the distribution and installation of changes to IT systems
- Effectively communicate and manage expectations of the customer during the planning and rollout of new releases
The focus of release management is the protection of the live environment and its services through the use of formal procedures and checks.
Release Categories
A release consists of the new or changed software or hardware required to implement approved change.
- Major software releases and hardware upgrades, normally containing large areas of new functionality, some of which may make intervening fixes to problems redundant. A major upgrade or release usually supersedes all preceding minor upgrades, releases and emergency fixes
- Minor software releases and hardware upgrades, normally containing small enhancements and fixes, some of which may have already been issued as emergency fixes. A minor upgrade or release usually supersedes all preceding emergency fixes.
- Emergency software and hardware fixes, normally containing the corrections to a small number of known problems
Figure 5. Release management overview.
Releases can be divided based on the release unit into:
- Delta Release is a release of only that part of the software which has been changed. For example, security patches to plug bugs in a software.
- Full Release means that the entire software program will be release again. For example, an entire version of an application.
- Packaged Release is a combination of many changes: for example, an operating system image containing the applications as well.
Service Delivery Overview
Services delivery is the discipline that ensures IT infrastructure is provided at the right time in the right volume at the right price, and ensuring that IT is used in the most efficient manner. This involves analysis and decisions to balance capacity at a production or service point with demand from customers, it also covers the processes required for the planning and delivery of quality IT services and looks at the longer term processes associated with improving the quality of IT services delivered.
- Service Level Management: Service level management (SLM) is responsible for negotiating and agreeing to service requirements and expected service characteristics with the customer
- Capacity Management: Capacity management is responsible for ensuring that IT processing and storage capacity provision match the evolving demands of the business in a cost effective and timely manner
- Availability Management: Availability management is responsible for optimizing availability
- Financial Management: The object of financial management for IT services is to provide cost effective stewardship of the IT assets and the financial resources used in providing IT services.
- IT Service Continuity Management: Service continuity is responsible for ensuring that the available IT Service Continuity options are understood and the most appropriate solution is chosen in support of the business requirements
Service Level Management
The object of service level management (SLM) is to maintain and gradually improve business aligned IT service quality, through a constant cycle of agreeing, monitoring, reporting and reviewing IT service achievements and through instigating actions to eradicate unacceptable levels of service.
SLM is responsible for ensuring that the service targets are documented and agreed in SLAs and monitors and reviews the actual service levels achieved against their SLA targets. SLM should also be trying to proactively improve all service levels within the imposed cost constraints. SLM is the process that manages and improves agreed level of service between two parties, the provider and the receiver of a service.
SLM is responsible for negotiating and agreeing to service requirements and expected service characteristics with the Customer, measuring and reporting of Service Levels actually being achieved against target, resources required, cost of service provision. SLM is also responsible for continuously improving service levels in line with business processes, with a SIP, co-coordinating other Service Management and support functions, including third party suppliers, reviewing SLAs to meet changed business needs or resolving major service issues and producing, reviewing and maintaining the Service Catalogue.
Benefits of Implementing Service Level Management
- Implementing the service level management process enables both the customer and the IT services provider to have a clear understanding of the expected level of delivered services and their associated costs for the organization, by documenting these goals into formal agreements.
- Service level management can be used as a basis for charging for services, and can demonstrate to customers the value they are receiving from the Service Desk.
- It also assists the service desk with managing external supplier relationships, and introduces the possibility of negotiating improved services or reduced costs.
Capacity Management
Capacity management is responsible for ensuring that IT processing and storage capacity provisioning match the evolving demands of the business in a cost effective and timely manner. The process includes monitoring the performance and the throughput of the IT services and supporting IT components, tuning activities to make efficient use of resources, understanding the current demands for IT resources and deriving forecasts for future requirements, influencing the demand for resource in conjunction with other Service Management processes, and producing a capacity plan predicting the IT resources needed to achieve agreed service levels.
Capacity management has three main areas of responsibility. First of these is BCM, which is responsible for ensuring that the future business requirements for IT services are considered, planned and implemented in a timely fashion. These future requirements will come from business plans outlining new services, improvements and growth in existing services, development plans, etc. This requires knowledge of existing service levels and SLAs, future service levels and SLRs, the Business and Capacity plans, modeling techniques (Analytical, Simulation, Trending and Base lining), and application sizing methods.
The second main area of responsibility is SCM, which focuses on managing the performance of the IT services provided to the Customers, and is responsible for monitoring and measuring services, as detailed in SLAs and collecting recording, analyzing and reporting on data. This requires knowledge of service levels and SLAs, systems, networks, service throughput and performance, monitoring, measurement, analysis, tuning and demand management.
The third and final main area of responsibility is RCM, which focuses on management of the components of the IT infrastructure and ensuring that all finite resources within the IT infrastructure are monitored and measured, and collected data is recorded, analyzed and reported. This requires knowledge of the current technology and its utilization, future or alternative technologies, and the resilience of systems and services.
Capacity Management Processes:
- Performance monitoring
- Workload monitoring
- Application sizing
- Resource forecasting
- Demand forecasting
- Modeling
From these processes come the results of capacity management, these being the capacity plan itself, forecasts, tuning data and Service Level Management guidelines.
Availability Management
Availability management is concerned with design, implementation, measurement and management of IT services to ensure the stated business requirements for availability are consistently met. Availability management requires an understanding of the reasons why IT service failures occur and the time taken to resume this service. Incident management and problem management provide a key input to ensure the appropriate corrective actionss are being implemented.
- Availability Management is the ability of an IT component to perform at an agreed level over a period of time.
- Reliability is the ability of an IT component to perform at an agreed level at described conditions.
- Maintainability is the ability of an IT Component to remain in, or be restored to an operational state.
- Serviceability is the ability for an external supplier to maintain the availability of a component or function under a third party contract
- Resilience is a measure of freedom from operational failure and a method of keeping services reliable. One popular method of resilience is redundancy.
- Security refers to the confidentiality, integrity, and availability of the data associated with a service.
Availability Management
Security is an essential part of availability management, this being the primary focus of ensuring IT infrastructure continues to be available for the provision of IT services.
Some of the elements mentioned earlier are the products of performing risk analysis to identify how reliable elements are and how many problems have been caused as a result of system failure.
The risk analysis also recommends controls to improve availability of IT infrastructure such as development standards, testing, physical security and the right skills in the right place at the right time.
Financial Management
Financial management for IT services is an integral part of service management. It provides the essential management information to ensure that services are run efficiently, economically and cost effectively. An effective financial management system will assist in the management and reduction of overall long term costs, and identify the actual cost of services. This provisioning provides accurate and vital financial information to assist in decision making, identify the value of IT services, enable the calculation of TCO and ROI.
The practice of financial management enables the service manager to identify the amount being spent on security counter measures in the provision of the IT services. The amount being spent on these counter measures needs to be balanced with the risks and the potential losses that the service could incur as identified during a business impact assessment (BIA) and risk assessment. Management of these costs will ultimately reflect on the cost of providing the IT services, and potentially what is charged in the recovery of those costs.
Service Continuity Management
Management is to support the overall business continuity management process by ensuring that the required IT technical and services facilities can be recovered within required and agreed business time-scales.
IT service continuity management is concerned with managing an organization’s ability to continue to provide a pre-determined and agreed level of IT services to support the minimum business requirements, following an interruption to the business. This includes ensuring business survival by reducing the impact of a disaster or major failure, reducing the vulnerability and risk to the business by effective risk analysis and risk management, preventing the loss of customer and user confidence, and producing IT recovery plans that are integrated with and fully support the organization’s overall business continuity plan.
IT service continuity is responsible for ensuring that the available IT service continuity options are understood and the most appropriate solution is chosen in support of the business requirements. It is also responsible for identifying roles and responsibilities and making sure these are endorsed and communicated from a senior level to ensure respect and commitment for the process. Finally, IT service continuity is responsible for guaranteeing that the IT recovery plans and the business continuity plans are aligned, and are regularly reviewed, revised and tested.
The Security Management Process
Security management provides a framework to capture the occurrence of security-related incidents and limit the impact of security breaches. The activities within the security management process must be revised continuously, in order to stay up-to-date and effective. security management is a continuous process and it can be compared to Deming’s Quality Circle (Plan, Do, Check and Act).
Figure 6. Security image diagram.
The inputs are the requirements which are formed by the clients. The requirements are translated into security services, security quality that needs to be provided in the security section of the service level agreements. As you can see in the picture there are arrows going both ways; from the client to the SLA; from the SLA to the client and from the SLA to the plan sub-process; from the plan sub-process to the SLA. This means that both the client and the plan sub-process have inputs in the SLA and the SLA is an input for both the client and the process. The provider then develops the security plans for his organization. These security plans contain the security policies and the Operational level agreements. The security plans (Plan) are then implemented (Do) and the implementation is then evaluated (Check). After the evaluation the both the plans and the implementation of the plan are maintained (Act).
Control
The first activity in the security management process is the “control” sub-process. The control sub-process organizes and manages the security management process itself. The control sub-process defines the processes, the allocation of responsibility the policy statements and the management framework.
The security management framework defines the sub-processes for the development of security plans, the implementation of the security plans, the evaluation and how the results of the evaluations are translated into action plans.
Plan
The plan sub-process contains activities that in cooperation with the service level management lead to the information security section in the SLA. The plan sub-process contains activities that are related to the underpinning contracts which are specific for information security.
In the plan sub-process, the goals formulated in the SLA are specified in the form of operational level agreements (OLA). These OLAs can be defined as security plans for a specific internal organization entity of the service provider.
Besides the input of the SLA, the plan sub-process also works with the policy statements of the service provider itself. As said earlier these policy statements are defined in the control sub-process.
The operational level agreements for information security are setup and implemented based on the ITIL process. This means that there has to be cooperation with other ITIL processes. For example, if the security management wishes to change the IT infrastructure in order to achieve maximum security, these changes will only be done through the change management process. The security management will deliver the input (request for change) for this change. The change manager is responsible for the change management process itself.
Implementation
The implementation sub-process makes sure that all measures, as specified in the plans, are properly implemented. During the implementation sub-process no (new) measures are defined or changed. The definition or change of measures will take place in the plan sub-process in cooperation with the change management process.
Evaluation
The evaluation of the implementation and the plans is very important. The evaluation is necessary to measure the success of the implementation and the security plans. The evaluation is also very important for the clients and possibly third parties. The results of the evaluation sub-process are used to maintain the agreed measures and the implementation itself. Evaluation results can lead to new requirements and so lead to a request for change. The request for change is then defined and it is then sent to the change management process.
Maintenance
It is necessary for the security to be maintained. Because of changes in the IT infrastructure and changes in the organization itself, security risks are bound to change over time. The maintenance of the security concerns both the maintenance of the security section of the service level agreements and the more detailed security plans.
The maintenance is based on the results of the evaluation sub-process and insight in the changing risks. These activities will only produce proposals. The proposals serve as inputs for the plan sub-process and will go through the whole cycle or the proposals can be taken in the maintenance of the service level agreements. In both cases the proposals could lead to activities in the action plan. The actual changes will be carried by the change management process.
The maintenance sub-process starts with the maintenance of the service level agreements and the maintenance of the operational level agreements. After these activities take place in no particular order and there is a request for a change, the request for change activity will take place and after the request for change activity is concluded the reporting activity starts. If there is no request for a change then the reporting activity will start directly after the first two activities.
About the Author
From Information Security Management Handbook, Sixth Edition, Volume 2, edited by Harold F. Tipton and Micki Krause. New York: Auerbach Publications, 2008.
