Service Design
Information Security Management
Introduction
Information must be available to those who have been granted access to it, and at the same time it must be secured and protected so that its confidentiality, integrity and authenticity are preserved.
Purpose and Objectives
The purpose of Information Security Management is to align IT security with business security and to ensure that information security is effectively managed in all service and IT Service Management activities.
Information Security Management (ISM) ensures that:
• an Information Security Policy is implemented, maintained and enforced that fulfills the needs of the Business Security Policy and the requirements of corporate governance.
• awareness of the need for security within all IT services and assets is properly raised.
• the Information Security Policy is appropriate for the needs of the organization.
• all aspects of IT and information security within all areas of IT and Service Management activity are managed.
The objectives of Information Security Management are met when the following are properly managed:
• Availability: Information is available and usable when required.
• Confidentiality: Information is observed by or disclosed to only those who have a right to know.
• Integrity: Information is complete, accurate and protected against unauthorized modification.
• Authenticity and Non-repudiation: Business transactions, as well as information exchanges between enterprises or with partners, can be trusted.
• Security Baselines: The security level adopted by the IT organization for its own security and from the point of view of "due diligence". An organization may maintain more than one baseline, for example different levels for systems of different criticality.
Scope
The Information Security Management process should be the focal point for all IT security issues, and must ensure that an information security policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services.
The information security management process should include:
• The production, maintenance, distribution and enforcement of an information security policy and supporting security policies
• Understanding the agreed current and future security requirements of the business, and the existing business security policy and plans
• Implementation of a set of security controls that support the information security policy and manage the risks associated with access to services, information and systems
• Documentation of all security controls, together with the operation and maintenance of the controls and their associated risks
• Management of suppliers and contracts regarding access to systems and services, in conjunction with Supplier Management
• Management of all security breaches, incidents and problems associated with all systems and services
• The proactive improvement of security controls and of security risk management, and the reduction of security risks
• Integration of security aspects within all other ITSM processes.
Information Security Policy
Information Security Management should be driven by an Information Security Policy and a set of underpinning, more specific security policies.
The policy should cover all areas of security, meet the needs of the business and include the following:
• An overall Information Security Policy
• Use and misuse of IT assets policy
• An access control policy
• A password control policy
• An e-mail policy
• An internet policy
• An anti-virus policy
• An information classification policy
• A document classification policy
• A remote access policy
• A policy regarding supplier access to IT services, information and components
• An asset disposal policy
These policies should be widely available to all customers and users, and compliance with them should be referred to in all SLRs, SLAs, contracts and agreements.
Roles
An Information Security Manager is responsible for ensuring that the aims of Information Security Management are met.
The responsibilities of an Information Security Manager include:
• The achievement of the process goals.
• Development, communication, maintenance and enforcement of the Information Security Policy.
• Assisting in Business Impact Analysis.
• Security Risk Management, performed in conjunction with Availability Management and IT Service Continuity Management.
In more detail, the Information Security Manager's role includes the following:
• Develop and maintain the Information Security Policy.
• Communicate and publicize the Information Security Policy to other parties.
• Identify and classify IT and information assets.
• Assist with Business Impact Analyses.
• Perform security risk analysis and risk management.
• Design security controls and develop security plans.
• Monitor and manage all security breaches.
• Report, analyze and reduce the impact and volumes of all security incidents.
• Promote education and awareness of security.
• Ensure all changes are assessed for impact on all security aspects.
• Perform security tests.
• Participate in security reviews.
• Maintain the integrity, confidentiality and availability of services.
• Ensure that access to services by external partners and suppliers is subject to contractual agreement.
• Act as a focal point for all security issues.