ITIL :: View topic - Security management is NOT a process !
Posted: Thu Mar 31, 2011 3:00 am Post subject: Security management is NOT a process !
It is a function.
Just like Capacity management and availability management, it needs a dedicated team (or person), with the expertise and tools necessary to execute all activities under their responsibility.
So here we are establishing a security management function but I see myself doing the exact same things I always do in order to establish a process: Requirements workshops, documentation, training...
My question is: How do you guys deal with these functions in your organizations? Am I missing something?
Joined: Mar 10, 2008 Posts: 401 Location: Sunderland
Posted: Thu Mar 31, 2011 8:54 am Post subject: Re: Security management is NOT a process !
ChasingSleep wrote:
It is a function.
Just like Capacity management and availability management, it needs a dedicated team (or person), with the expertise and tools necessary to execute all activities under their responsibility.
So here we are establishing a security management function but I see myself doing the exact same things I always do in order to establish a process: Requirements workshops, documentation, training...
My question is: How do you guys deal with these functions in your organizations? Am I missing something?
Cheers!
I tend to agree that you need to find the right personnel to run the security management function but they're going to need some security policies as parameters for their work. Start off by establishing these.
Joined: Jan 13, 2011 Posts: 14 Location: California
Posted: Fri Apr 01, 2011 6:10 am Post subject:
Might be wrong, but I thought functions are defined / staffed based on organizational needs. In my previous life we had many people dedicated to each process area. Heck, I was one of eight in the Business Continuity Program Office (function) that performed IT Service Continuity Management (process) and other BCI-related activities (like crisis management).
Think my point is you need people to follow the process, and they may solely be assigned that process if the business environment requires it.
Joined: Jan 13, 2011 Posts: 14 Location: California
Posted: Fri Apr 01, 2011 6:17 am Post subject:
Just realized I totally missed the point of the post...
IMHO you need the process that should have several workflows showing inputs, outputs, triggers.
Obviously you have business requirements for security management, industry best practices, and procedures for your tools (which would be supporting documentation). You may have other requirements such as CISSP or Security+ certifications to perform or manage the process.
Back to my earlier post, if it makes business sense create an Information Security (or Information Assurance) department and staff it with qualified people. Develop the ITIL process that they should follow and ensure your Roles / RASCI are defined with your workflow processes.
I think the point here is that instead of talking of a SM process, ITIL and ISO20000 should talk of different processes, procedures, working instructions, tools, expertise, roles and responsibilities needed in order to establish a SM function.
Like the SD function, which participates in different processes (like IM, PM, CM), has different procedures (escalating, security incidents, and urgent incidents) and working instructions (e.g. how to create a ticket in the SD tool), expertise (dealing with people...), and needs different roles and responsibilities (SD Manager, SD coordinator, SD analyst...)
The key here is to understand that SM is NOT a process per se, but rather a group of all items described above.
Joined: Mar 10, 2008 Posts: 401 Location: Sunderland
Posted: Mon Apr 04, 2011 6:06 pm Post subject:
ChasingSleep wrote:
Hi guys,
I think the point here is that instead of talking of a SM process, ITIL and ISO20000 should talk of different processes, procedures, working instructions, tools, expertise, roles and responsibilities needed in order to establish a SM function.
Like the SD function, which participates in different processes (like IM, PM, CM), has different procedures (escalating, security incidents, and urgent incidents) and working instructions (e.g. how to create a ticket in the SD tool), expertise (dealing with people...), and needs different roles and responsibilities (SD Manager, SD coordinator, SD analyst...)
The key here is to understand that SM is NOT a process per se, but rather a group of all items described above.
Cheers!
You're wrong.....ITIL can't be that prescriptive or specific without being too narrow and outdated before it's published. ITIL gives you a framework of good practice to use or put aside as suits your needs. The fact that it doesn't tell you chapter and verse how to implement and manage functions/processes/tools is neither here nor there........ITIL Management qualifications used to require that candidates had 5 years prior service management experience before sitting the exams - I can see how removing this criteria leaves a lot of folks with the qualifications but no clue what to do with them.
Finally, you talk about Service Desk as if they do all those things in all organisations.....they don't
I understand your point. But I understand that ITIL should reflect the best practices in IT Management.
And that means IMO correctly identifying process and functions. SM, CM and AM don't fit in a process definition, so they should be identified and explained as functions.
In addition to what others said below, here are some high-level points that ITSM covers:
• Structure
• Risk Assessment and Treatment
• Security Policy
• Organization of Information Security
• Asset Management Security
• Human Resources Security
• Physical Security
• Communications and Ops Management
• Access Control
• Information Systems Acquisition, Development, Maintenance
• Information Security Incident management
• Business Continuity
• Compliance
In addition, if you want to go more in depth I strongly recommend the ISO/IEC 27000 series (ISO/IEC 27001, 27002, 27002, 27003, 27004, 27005, 27011) as a reference.
Regards,
Ali
_________________
Ali Makahleh
Configuration Management(Blue Badge),
ITILV2 Service Manager(Red Badge),
ITILV3 Expert(Lilac Badge) Certified.
“If you can't describe what you are doing as a process, you don't know what you're doing." W. Edwards Deming.