For general information and resources, ITIL and ITSM World is the most well known for both ITIL and ITIL Books. A shorter snapshot approach can be found at ITIL Zone
Note: ® ITIL is a registered trademark of OGC. This portal is totally independent and is in no way related to them. See our Feedback Page for more information.
Posted: Sun Oct 01, 2006 7:39 pm Post subject: Availability + Security
As most of us are aware, ITIL v2 does not have a Security Management process, I have been informed that this will be part of ITIL v3.
I've been taught that Security Management is part of Availability Management.
- Does anyone have any thoughts that can support that fact? Please explain some?
- In case we agree on the above, can someone tell how can availability management (as a support for security) protect against security threats, ie: a website hack?
Joined: Sep 16, 2006 Posts: 3118 Location: London, UK
Posted: Mon Oct 02, 2006 12:43 am Post subject:
Funny
I see Security Management as a separate process set covering Service Support Delivery, ICT Infrastructure & Application Management
The graphic from itSMF pocketbook IT Security Managment shows that
BS7799 is another standard for this endevour.
Or are you talking about specific threats or setup
If you are talking about a hack attack or an exploit, it is an Incident - solved by a Change to the environment
SQL Slammer worm patch from Micrsoft prevents the worm from working
Cisso IOS vulnerability patch prevents exploits
Period MS patches fixing holes.
If you are talking about what ports/protocols the specific network groups should block allow etc... that is a business decision not an ITIL or any other process decision.
What ITIL and the other processes should do is help you write the processes, review them, evaluate and enforce them. _________________ John Hardesty
ITSM Manager's Certificate (Red Badge)
Change Management is POWER & CONTROL. /....evil laughter
Indeed we can clearly see "Security Management" in the graph from the ITSMF booklet... But if we dig within the same booklet we won't find any chapter about Security Management. While we can find Security as an Element of Availability Management (page 65).
So yes, Security Management is part of of Availability Management.
You are right, BS7799 handles all aspects of security but I wanted to know how is this handeled with ITIL.
I am not trying to play the smart guy here, but my question was in reference to a question that was part of a previous Service Manager exam (I do not know which one), it was referred to be by a friend since I am currently preparing to sit for my Service Manager exam early next month.
Joined: Sep 16, 2006 Posts: 3118 Location: London, UK
Posted: Mon Oct 02, 2006 4:52 am Post subject:
Bonk.. Ouch... that hurts
You are right.
OK How would ITIL handle security.
OK let us look from all the support disciplines
Service Support
Incident Mgmt
Any security event could be an incident or a Major Incident
Problem Mgmt
A recurring event could be a candidate for Problem Mgmt - problem or error control
Change Mgmt
In order to fix the security issue, a RFC has to be raised
Release Mgmt
Pushing out the fix after the required Build//Test
Configuration Mgmt
Having the details about the software version, IP ranges, software...
Service Desk
poor sods.. they have to get the monitoring alerts, customer complaints, and create all the incident tickets
Service Delivery
Availability
Any security issue can affect the Availability of Service
Service Level MGMT
Any SLA should have a clause for emergency patching, network protocals and ports open (relevent to the particular service of course)
Capacity
Will the security concerns adversely affect the capacity of IT to provide services.
Continuity (Disaster Recovery)
need I say more.... a Security breach may force you to activate your DR site
Financial
Cost of the security breach or the fix to prevent it if ithas not occured
This I think is more what you want _________________ John Hardesty
ITSM Manager's Certificate (Red Badge)
Change Management is POWER & CONTROL. /....evil laughter
Joined: Aug 11, 2006 Posts: 262 Location: Netherlands
Posted: Mon Oct 02, 2006 6:43 am Post subject:
Actually, a seperate book on security management was published by CCTA/OGC in 1999. I think it was somewere in between of ITIL1 and ITIL2 that this was published. For years, it has been debated whether it was a full part of service delivery. It has in my opinion always "stood apart".
Book ISBN: 011330014X
CD ISBN: 0113309422
Online Subscription Code: 7003152
Date Published: 20 April 1999
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
Forum FAQ
Search
Usergroups
Profile
Log in to check your private messages
Log in
