ITIL :: View topic - ITIL and Information Security
Posted: Mon Sep 05, 2005 5:57 pm Post subject: ITIL and Information Security
Hi,
I am currently working on a project that deals with the relation of ITIL and Information security. I need some help regarding a few concepts.
A client of mine has performed an Information Risk Assessment of all the IT assets in the organization. As a part of the Risk Assessment the following was performed:
1. Asset Identification & Valuation
2. Threat Identification
3. Vulnerability Identification
4. Controls Assessment & Measure of risk
5. Risk treatment and remediation plan
6. Continuous monitoring
The Information security directorate plays the oversight role for all these activities. Each of these activities is performed by separate departments. For instance, Asset identification, valuation and vulnerability identification would be carried out by the system/asset owner. Any new vulnerability to be patched would be handled by the IT department (system admins, etc.).
The client wants us to develop SLA/OLA/UC with the various parties involved so that each of these parties/ teams can be monitored effectively.
Also, could anyone help me out with the relationship of ITIL and security? I am aware that IT Security Management is one of the sections in ITIL, but I am not able to draw up a picture of the same.
Joined: Oct 06, 2004 Posts: 77 Location: Bloomington, IL
Posted: Sat Oct 08, 2005 5:08 am Post subject:
Security is best seen as an umbrella that applies to all of ITIL. It really is a sister discipline to Service Level Management; both are the glue that holds the framework together. All activities in IT (not just Information or data) require consideration of Security.
As far as the SLA question, you might consider approaching it from a supply chain perspective. Each item in your list is a process step. Someone must perform the steps. Thus each step is really a service in the delivery of Information Security. Now you have services identified; you can write OLAs between each process/service owner and their receiver in the supply chain. The sum of the OLAs then makes up your SLA for Information Security.
You might want to refer to the Business Perspective (Purple) book for more information on building a service/supply chain.