The Itil Community Forum: Forums

ITIL :: View topic - Security management is NOT a process !
ChasingSleep
Senior Itiler


Joined: Nov 18, 2008
Posts: 78

Posted: Thu Mar 31, 2011 3:00 am    Post subject: Security management is NOT a process !

It is a function.

Just like Capacity management and availability management, it needs a dedicated team (or person), with the expertise and tools necessary to execute all activities under their responsibility.

So here we are establishing a security management function but I see myself doing the exact same things I always do in order to establish a process: Requirements workshops, documentation, training...

My question is: How do you guys deal with these functions in your organizations? Am I missing something?

Cheers!
BorisBear
Senior Itiler


Joined: Mar 10, 2008
Posts: 403
Location: Sunderland

Posted: Thu Mar 31, 2011 8:54 am    Post subject: Re: Security management is NOT a process !

ChasingSleep wrote:
It is a function.

Just like Capacity management and availability management, it needs a dedicated team (or person), with the expertise and tools necessary to execute all activities under their responsibility.

So here we are establishing a security management function but I see myself doing the exact same things I always do in order to establish a process: Requirements workshops, documentation, training...

My question is: How do you guys deal with these functions in your organizations? Am I missing something?

Cheers!

I tend to agree that you need to find the right personnel to run the security management function but they're going to need some security policies as parameters for their work. Start off by establishing these.
Flasheart
Newbie


Joined: Jan 13, 2011
Posts: 14
Location: California

Posted: Fri Apr 01, 2011 6:10 am

Might be wrong, but I thought functions are defined / staffed based on organizational needs. In my previous life we had many people dedicated to each process area. Heck, I was one of eight in the Business Continuity Program Office (function) that performed IT Service Continuity Management (process) and other BCI related activities (like crisis management).

Think my point is you need people to follow the process, and they may solely be assigned that process if the business environment requires it.

Then again, I could be wrong.
Flasheart
Newbie


Joined: Jan 13, 2011
Posts: 14
Location: California

Posted: Fri Apr 01, 2011 6:17 am

Just realized I totally missed the point of the post...

IMHO you need the process that should have several workflows showing inputs, outputs, triggers.

Obviously you have business requirements for security management, industry best practices, and procedures for your tools (which would be supporting documentation). You may have other requirements such as CISSP or Security+ certifications to perform or manage the process.

Back to my earlier post, if it makes business sense create an Information Security (or Information Assurance) department and staff it with qualified people. Develop the ITIL process that they should follow and ensure your Roles / RASCI are defined with your workflow processes.

Again, just another 2 cents.
ChasingSleep
Senior Itiler


Joined: Nov 18, 2008
Posts: 78

Posted: Sat Apr 02, 2011 1:46 am

Hi guys,

I think the point here is that instead of talking of a SM process, ITIL and ISO20000 should talk of different processes, procedures, working instructions, tools, expertise, roles and responsibilities needed in order to establish a SM function.

Like the SD function, which participates in different processes (like IM, PM, CM), has different procedures (escalating, security incidents, and urgent incidents) and working instructions (e.g. how to create a ticket in the SD tool), expertise (dealing with people...), and needs different roles and responsibilities (SD Manager, SD coordinator, SD analyst...).

The key here is to understand that SM is NOT a process per se, but rather a group of all items described above.

Cheers!
BorisBear
Senior Itiler


Joined: Mar 10, 2008
Posts: 403
Location: Sunderland

Posted: Mon Apr 04, 2011 6:06 pm

ChasingSleep wrote:
Hi guys,

I think the point here is that instead of talking of a SM process, ITIL and ISO20000 should talk of different processes, procedures, working instructions, tools, expertise, roles and responsibilities needed in order to establish a SM function.

Like the SD function, which participates in different processes (like IM, PM, CM), has different procedures (escalating, security incidents, and urgent incidents) and working instructions (e.g. how to create a ticket in the SD tool), expertise (dealing with people...), and needs different roles and responsibilities (SD Manager, SD coordinator, SD analyst...).

The key here is to understand that SM is NOT a process per se, but rather a group of all items described above.

Cheers!

You're wrong... ITIL can't be that prescriptive or specific without being too narrow and outdated before it's published. ITIL gives you a framework of good practice to use or put aside as suits your needs. The fact that it doesn't tell you chapter and verse how to implement and manage functions/processes/tools is neither here nor there... ITIL Management qualifications used to require that candidates had 5 years' prior service management experience before sitting the exams. I can see how removing this criterion leaves a lot of folks with the qualifications but no clue what to do with them.

Finally, you talk about Service Desk as if they do all those things in all organisations... they don't.
ChasingSleep
Senior Itiler


Joined: Nov 18, 2008
Posts: 78

Posted: Tue Apr 05, 2011 12:52 am

Boris,

I understand your point. But I understand that ITIL should reflect the best practices in IT Management.

And that means IMO correctly identifying processes and functions. SM, CM and AM don't fit in a process definition, so they should be identified and explained as functions.

Cheers!
Timo
Senior Itiler


Joined: Oct 26, 2007
Posts: 295
Location: Calgary, Canada

Posted: Tue Apr 19, 2011 3:20 am

ChasingSleep wrote:
Boris,

I understand your point. But I understand that ITIL should reflect the best practices in IT Management.

Cheers!


... actually, because it doesn't always, ITIL has done away with being called "best" practices.
BorisBear
Senior Itiler


Joined: Mar 10, 2008
Posts: 403
Location: Sunderland

Posted: Tue Apr 19, 2011 5:36 pm

Timo wrote:
ChasingSleep wrote:
Boris,

I understand your point. But I understand that ITIL should reflect the best practices in IT Management.

Cheers!


... actually, because it doesn't always, ITIL has done away with being called "best" practices.


Yep... he's wrong about that as well.
thechosenone69
Senior Itiler


Joined: Jun 06, 2007
Posts: 268

Posted: Wed Apr 20, 2011 8:28 am

In addition to what others said, below are some high-level points that ITSM covers:

• Structure
• Risk Assessment and Treatment
• Security Policy
• Organization of Information Security
• Asset Management Security
• Human Resources Security
• Physical Security
• Communications and Ops Management
• Access Control
• Information Systems Acquisition, Development, Maintenance
• Information Security Incident management
• Business Continuity
• Compliance

In addition, if you want to go more in depth, I strongly recommend the ISO/IEC 27000 series (ISO/IEC 27001, 27002, 27003, 27004, 27005, 27011) as a reference.

Regards,
Ali
_________________
Ali Makahleh
Configuration Management(Blue Badge),
ITILV2 Service Manager(Red Badge),
ITILV3 Expert(Lilac Badge) Certified.

“If you can't describe what you are doing as a process, you don't know what you're doing." W. Edwards Deming.
All times are GMT + 10 Hours