ITIL Can Improve Information Security
Introduction
This article will provide a general overview of ITIL and discuss how ITIL
can improve how organizations implement and manage information
security.
ITIL overview
When most people discuss ITIL, they refer to the ITIL Service Support and
Service Delivery books. These contain a set of structured best practices
and standard methodologies for core IT operational processes such as
Change, Release, and Configuration Management, as well as Incident,
Problem, Capacity, and Availability Management.
ITIL defines the objectives, activities, inputs, and outputs of many of the
processes found in an IT organization. It primarily focuses on what
processes are needed to ensure high quality IT services; however, ITIL
does not provide specific, detailed descriptions of how the processes
should be implemented, as the details will differ in each organization. In
other words, ITIL tells an organization what to do, not how to do it.
Prepared by V Patel 1
ITIL details
• Incident Management: Best practices for resolving incidents (any
event that causes an interruption to, or a reduction in, the quality
of an IT service) so that normal IT service is restored as quickly as
possible after an incident occurs.
There is also a Service Desk function that describes best practices for
establishing and managing a central point of contact for users of IT
services. Two of the Service Desk's most important responsibilities are
monitoring incidents and communicating with users.
Figure 1 depicts the above processes, showing how the Service Desk
function serves as the single point of contact for the various service
management processes.
Figure 1. ITIL Service Management Processes
More detailed information about the above processes and Service Desk
function can be found in the references listed at the end of this article.
Figure 2. Information Security Process
In addition to service level agreements (SLAs) and operational level
agreements (OLAs), ITIL defines three other types of information security
documentation:
There are a number of important ways that ITIL can improve how
organizations implement and manage information security.
information security is a key part of having a successful, well-run
organization.
7. The organized ITIL framework prevents the rushed, disorganized
implementation of information security measures. ITIL requires
consistent, measurable information security controls to be designed
and built into IT services, rather than bolted on after the fact or
after an incident. This ultimately saves time, money, and effort.
8. The reporting required by ITIL keeps an organization's management
well informed about the effectiveness of its information security
measures, and allows management to make informed decisions about the
risks the organization faces.
9. ITIL defines roles and responsibilities for information security.
During an incident, it's clear who will respond and how they will do
so.
10. ITIL establishes a common language for discussing information
security, which allows information security staff to communicate more
effectively with internal and external business partners, such as an
organization's outsourced security services.
Implementing ITIL
Implementing ITIL does take time and effort; depending on the size and
complexity of the organization, the up-front investment can be
significant. For many organizations, successful implementation will also
require changes in organizational culture and the involvement and
commitment of employees throughout the organization.
Conclusion
together, homegrown processes. ITIL can enable these processes to be
replaced with standardized, integrated processes based on best practices.
Though some time and effort are required, ITIL can improve how
organizations implement and manage information security.
All the activities within a CSIP regarding one single improvement can be
visualized generically using the meta-modelling technique. This results in
a process-data diagram (figure 1), which does not describe the continuous
improvement activity of the programme. The process-data diagram shows the
relationship between processes and artefacts and consists of two
integrated diagrams. The left-hand side describes the activities
(processes) and is based on the UML activity diagram. The right-hand side
describes the data (artefacts) and is based on the UML class diagram. The
table of concepts and the activity description for the process-data
diagram can be found in the paragraph
Create vision
As figure 1 shows, the first step in the process is creating a vision for
the CSIP. The vision statement describes the aim and purpose of the CSIP
at a high level and should align the business and IT strategies.
Additionally, the vision statement should be communicated clearly to the
stakeholders, to create commitment and buy-in for the CSIP.
Analyse organization
Set goals
The next activity in the CSIP is reaching agreement between business and
IT on the required and expected future roles and characteristics of the
organization, based on its current maturity. The first step is the
creation of a business case describing the added value and the
justification of the CSIP. The business case is determined by the current
maturity of the organization and the organizational strategy. A
stakeholder assessment, conducted in the previous activity, can also help
focus the results and the aim of the improvement programme.
with the future state of the organization, and this results in gaps to
overcome ('where do we want to be'). It provides information about gaps,
risks and the prioritization of where to start. Once a gap assessment
report has been completed, there is a need for understanding and clarity:
the problems and the following steps have to be presented to the key
stakeholders, to establish credibility for the assessment and support for
the change.
The following step is the creation of a plan for quick wins. A quick win is
an early success during an improvement programme. The plan should identify
short-term wins that can be attained to keep the improvement programme
running and to keep the commitment level high throughout the programme.
The last step is setting the goals regarding the improvement programme
in relation to the earlier defined stakeholder needs. A management tool
for setting goals and measuring performance is the balance
The next thing to consider is how the changes are going to be achieved.
Achieving changes requires a reliable programme. To prevent a CSIP from
missing its intended goals, the OGC recommends [1] the approach from
J.P. Kotter, 'Eight steps to transforming your organisation', in
combination with a project management method such as PRINCE2. The main
reason for combining this approach with regular project management is
that it also takes the softer sides of change into account, such as
resistance to change and creating commitment.
J.P. Kotter studied more than 100 companies with regard to the
transformations they undertook over the preceding years. The study
identified eight main reasons why transformations fail; the
transformations studied were quite long, about six to eight years.
The eight main reasons why transformations fail are turned into eight
steps:
1. Creating a sense of urgency
2. Forming a guiding coalition
3. Creating a vision
4. Communicating the vision
5. ‘Empowering’ to act on the vision
6. Planning for and creating quick wins
7. Consolidating improvements and producing more change
8. Institutionalizing the change
The last aspect to take into account regarding the implementation of IT
service management is training. Training can contribute to a higher
quality of service management and can also lead to more productive and
responsive employees. Before setting up a training programme, questions
such as who to train, when to train, how to train and what to train should
be answered. For ITIL training see: ITIL certificate.
Measure goals
Case study
Hochstein, Brenner and Tamm (2005) conducted six case studies on the
success factors, benefits and costs of ITIL transformation projects in
large European companies. Hochstein et al. deduced from the case studies a
few initiatives that were effective: