ITIL Can Improve Information Security

Introduction

ITIL - the Information Technology Infrastructure Library - is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment.

Interest in and adoption of ITIL has been steadily increasing throughout the world; the numerous public and private organizations that have adopted it include Proctor & Gamble, Washington Mutual, Southwest Airlines, Hershey Foods, and the Internal Revenue Service. In addition to the often touted benefits of ITIL - aligning IT with the needs of the business, improving service quality, decreasing the costs of IT service delivery and support - the framework can aid the information security professional both directly (there is a specific Security Management process) and indirectly.

This article will provide a general overview of ITIL and discuss how ITIL
can improve how organizations implement and manage information
security.

ITIL overview

ITIL began in the 1980s as an attempt by the British government to develop an approach for efficient and cost-effective use of its many IT resources. Using the experiences and expertise of successful IT professionals, a British government agency developed and released a series of best-practice books, each focusing on a different IT process. Since then, ITIL has become an entire industry of organizations, tools, consulting services, related frameworks, and publications. Currently in the public domain and still evolving, the 44-volume set of ITIL guidelines has been consolidated into 8 core books.

When most people discuss ITIL, they refer to the ITIL Service Support and
Service Delivery books. These contain a set of structured best practices
and standard methodologies for core IT operational processes such as
Change, Release, and Configuration Management, as well as Incident,
Problem, Capacity, and Availability Management.

ITIL stresses service quality and focuses on how IT services can be efficiently and cost-effectively provided and supported. In the ITIL framework, the business units within an organization who commission and pay for IT services (e.g. Human Resources, Accounting) are considered to be "customers" of IT services. The IT organization is considered to be a service provider for the customers.

ITIL defines the objectives, activities, inputs, and outputs of many of the processes found in an IT organization. It primarily focuses on what processes are needed to ensure high quality IT services; however, ITIL does not provide specific, detailed descriptions about how the processes should be implemented, as they will be different in each organization. In other words, ITIL tells an organization what to do, not how to do it.

Prepared by V Patel 1

The ITIL framework is typically implemented in stages, with additional processes added in a continuous service improvement program.

Organizations can benefit in several important ways from ITIL:

• IT services become more customer-focused
• The quality and cost of IT services are better managed
• The IT organization develops a clearer structure and becomes more efficient
• IT changes are easier to manage
• There is a uniform frame of reference for internal communication about IT
• IT procedures are standardized and integrated
• Demonstrable and auditable performance measurements are defined

ITIL details

ITIL takes a process-based approach to managing and providing IT services; IT activities are divided into processes, each of which has three levels:

• Strategic: An organization's objectives are determined, along with an outline of methods to achieve the objectives.
• Tactical: The strategy is translated into an appropriate organizational structure and specific plans that describe which processes have to be executed, what assets have to be deployed, and what the outcome(s) of the processes should be.
• Operational: The tactical plans are executed. Strategic objectives are achieved within a specified time.

A description of each of the numerous IT processes covered by ITIL is beyond the scope of this article. What follows are brief, general descriptions of the ITIL processes that, along with the Security Management process, have a significant relationship with information security. Each of these areas is a set of best practices:

• Configuration Management: Best practices for controlling production configurations (for example, standardization, status monitoring, and asset identification). By identifying, controlling, maintaining and verifying the items that make up an organization's IT infrastructure, these practices ensure that there is a logical model of the infrastructure.

• Incident Management: Best practices for resolving incidents (any
event that causes an interruption to, or a reduction in, the quality
of an IT service) and quickly restoring IT services. These practices
ensure that normal service is restored as quickly as possible after
an incident occurs.

• Problem Management: Best practices for identifying the underlying cause(s) of IT incidents in order to prevent future recurrences. These practices seek to proactively prevent incidents and problems.

• Change Management: Best practices for standardizing and authorizing the controlled implementation of IT changes. These practices ensure that changes are implemented with minimum adverse impact on IT services, and that they are traceable.

• Release Management: Best practices for the release of hardware and software. These practices ensure that only tested and correct versions of authorized software and hardware are provided to IT customers.

• Availability Management: Best practices for maintaining the availability of IT services guaranteed to a customer (for example, optimizing maintenance and design measures to minimize the number of incidents). These practices ensure that an IT infrastructure is reliable, resilient, and recoverable.

• Financial Management: Best practices for understanding and managing the cost of providing IT services (for example, budgeting, IT accounting, charging). These practices ensure that IT services are provided efficiently, economically, and cost-effectively.

• Service Level Management: Best practices for ensuring that agreements between IT and IT customers are specified and fulfilled. These practices ensure that IT services are maintained and improved through a cycle of agreeing, monitoring, reporting, and reviewing IT services.

There is also a Service Desk function that describes best practices for
establishing and managing a central point of contact for users of IT
services. Two of the Service Desk's most important responsibilities are
monitoring incidents and communicating with users.

Figure 1 depicts the above processes, showing how the Service Desk
function serves as the single point of contact for the various service
management processes.

Figure 1. ITIL Service Management Processes

More detailed information about the above processes and Service Desk
function can be found in the references listed at the end of this article.

ITIL and information security

ITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and operational levels. Information security is considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained.

ITIL breaks information security down into:

• Policies - overall objectives an organization is attempting to achieve
• Processes - what has to happen to achieve the objectives
• Procedures - who does what and when to achieve the objectives
• Work instructions - instructions for taking specific actions

It defines information security as a complete cyclical process with continuous review and improvement, as illustrated in Figure 2:

Figure 2. Information Security Process

As some organizations look at Implementation and Monitoring as a single step, ITIL's Information Security Process can be described as a seven step process:

1. Using risk analysis, IT customers identify their security requirements.
2. The IT department determines the feasibility of the requirements
and compares them to the organization's minimum information
security baseline.
3. The customer and IT organization negotiate and define a service
level agreement (SLA) that includes definition of the information
security requirements in measurable terms and specifies how they
will be verifiably achieved.
4. Operational level agreements (OLAs), which provide detailed
descriptions of how information security services will be provided,
are negotiated and defined within the IT organization.
5. The SLA and OLAs are implemented and monitored.
6. Customers receive regular reports about the effectiveness and
status of provided information security services.
7. The SLA and OLAs are modified as necessary.

Service level agreements

The SLA is a key part of the ITIL information security process. It is a formal, written agreement that documents the levels of service, including information security, that IT is responsible for providing. The SLA should include key performance indicators and performance criteria. Typical SLA information security statements should include:

• Permitted methods of access
• Agreements about auditing and logging
• Physical security measures
• Information security training and awareness for users
• Authorization procedure for user access rights
• Agreements on reporting and investigating security incidents
• Expected reports and audits

In addition to SLAs and OLAs, ITIL defines three other types of
information security documentation:

• Information security policies: ITIL states that security policies should come from senior management and contain:
  1. Objectives and scope of information security for an organization
  2. Goals and management principles for how information security is to be managed
  3. Definition of roles and responsibilities for information security
• Information security plans: describe how a policy is implemented for a specific information system and/or business unit.
• Information security handbooks: operational documents for day-to-day usage; they provide specific, detailed working instructions.

Ten ways ITIL can improve information security

There are a number of important ways that ITIL can improve how
organizations implement and manage information security.

1. ITIL keeps information security business and service focused. Too often, information security is perceived as a "cost centre" or "hindrance" to business functions. With ITIL, business process owners and IT negotiate information security services; this ensures that the services are aligned with the business' needs.
2. ITIL can enable organizations to develop and implement
information security in a structured, clear way based on best
practices. Information security staff can move from "fire fighting"
mode to a more structured and planned approach.
3. With its requirement for continuous review, ITIL can help ensure
that information security measures maintain their effectiveness as
requirements, environments, and threats change.
4. ITIL establishes documented processes and standards (such as SLAs and OLAs) that can be audited and monitored. This can help an organization understand the effectiveness of its information security program and comply with regulatory requirements (for example, HIPAA or Sarbanes-Oxley).
5. ITIL provides a foundation upon which information security can
build. It requires a number of best practices - such as Change
Management, Configuration Management, and Incident
Management - that can significantly improve information security.
For example, a considerable number of information security issues
are caused by inadequate change management, such as
misconfigured servers.
6. ITIL enables information security staff to discuss information
security in terms other groups can understand and appreciate.
Many managers can't "relate" to low-level details about encryption
or firewall rules, but they are likely to understand and appreciate
ITIL concepts such as incorporating information security into
defined processes for handling problems, improving service, and
maintaining SLAs. ITIL can help managers understand that information security is a key part of having a successful, well-run organization.
7. The organized ITIL framework prevents the rushed, disorganized
implementation of information security measures. ITIL requires
designing and building consistent, measurable information security
measures into IT services rather than after-the-fact or after an
incident. This ultimately saves time, money, and effort.
8. The reporting required by ITIL keeps an organization's management
well informed about the effectiveness of their organization's
information security measures. The reporting also allows
management to make informed decisions about the risks their
organization has.
9. ITIL defines roles and responsibilities for information security.
During an incident, it's clear who will respond and how they will do
so.
10. ITIL establishes a common language for discussing information security. This can allow information security staff to communicate more effectively with internal and external business partners, such as an organization's outsourced security services.

Implementing ITIL

ITIL does not typically start with IT - it is usually initiated by senior management such as the CEO or CIO. As an information security professional, however, you can add value by bringing ITIL to the attention of senior management. With the framework's rapidly increasing adoption, your organization might already be talking about ITIL; letting your management know specifically about ITIL's information security benefits can help spur its adoption.

Implementing ITIL takes time and effort; depending on the size and complexity of the organization, the up-front investment can be significant. For many organizations, successful implementation of ITIL will require changes in their organizational culture and the involvement and commitment of employees throughout the organization.

Critical factors for successful ITIL implementation include:

• Full management commitment and involvement with the ITIL implementation
• A phased approach
• Consistent and thorough training of staff and management
• Making ITIL improvements in service provision and cost reduction sufficiently visible
• Sufficient investment in ITIL support tools

Conclusion

Information security measures are steadily increasing in scope, complexity, and importance. It is risky, expensive, and inefficient for organizations to have their information security depend on cobbled-together, homegrown processes. ITIL can enable these processes to be replaced with standardized, integrated processes based on best practices. Though some time and effort are required, ITIL can improve how organizations implement and manage information security.

Saturday, December 29, 2007

ITIL Planning to implement service management

The planning to implement service management is a set in the Information Technology Infrastructure Library (ITIL) framework. This set is about the alignment of business needs and IT provision requirements. It describes how to implement or improve IT service management within an organisation and the steps to ensure that business needs and IT provision requirements will be met. Furthermore, the planning to implement service management set is mainly focused on the service management processes, but it is also generically applicable to other ITIL sets.

An approach to implement or improve service management is the Continuous Service Improvement Programme (CSIP). A CSIP is defined as: “an ongoing formal programme undertaken within an organization to identify and introduce measurable improvements within a specified work area or work process.”

All the activities within a CSIP regarding one single improvement can be
visualized generically by using the mete. This results in a process-data
diagram (figure 1), which does not describe the continuous improvement
activity of the programme. The process-data diagram shows the
relationship between processes and artefacts and this diagram consists of
two integrated diagrams. The left-hand side of the process-data diagram
describes the activities (processes) and is based on the UML activity
diagram. The right-hand side describes the data (artefacts) and is based
on the UML class diagram. The table of concepts and the activity
description regarding the process-data diagram can be found in the
paragraph

The planning to implement service management set

Every activity in the planning to implement service management set, as depicted in figure 1, will be further explained.

Create vision

As figure 1 shows, the first step that needs to be taken in the process is creating a vision. The vision statement describes the aim and purpose of the CSIP at a high level and should align the strategies of business and IT. Additionally, the vision statement should be well communicated to the stakeholders, to create commitment and buy-in for the CSIP.

Analyse organization

After having created a vision, an IT organization should analyse itself, answering the question ‘where are we now?’. A useful technique to determine the current position is the IT organization growth model. This model determines the maturity level of the IT organization and is based on the Process Maturity Framework (PMF), as well as on the CMM. The maturity of the organization is determined in terms of vision and strategy, steering, processes, people, technology and culture. It is also required to understand who the stakeholders are, because stakeholders have an impact on the CSIP. This can be achieved by defining, identifying and mapping the stakeholders. Additionally, the specific needs of the stakeholders have to be identified, which can result in a stakeholder assessment report.

The third step of the organizational analysis in figure 1 consists of assessing the current reporting and measurement system. Knowing the current way of using and producing reports, facts and figures gives insight into how well the organization is steered, and it also provides information for the next activity, ‘set goals’.

The last step in analysing the organization is conducting benchmarks. A benchmark is a useful management technique to improve performance. In a benchmark, different parts of the organization can be compared, such as units or processes, but organizations as a whole can also be compared. It is important to determine whether a service management process should be benchmarked or not; a focus on the relevant service management processes is essential. The results of the benchmarks can lead to the identification of gaps.

Set goals

The next activity in the CSIP is about the agreement between business and IT regarding the required and expected future roles and characteristics of the organization, which are based on the current maturity of the organization. The first step that needs to be taken is the creation of a business case to describe the added value and the justification of the CSIP. The business case is determined by the current maturity of the organization and the organizational strategy. A stakeholder assessment, conducted in the previous activity, can also contribute to the focus on the results and the aim of the improvement programme.

Furthermore, risks should be identified and managed. An approach to risk management should be applied during the CSIP. Mainly the risks related to the business vision, existing processes and the environment and business constraints should be managed to reduce the effects of those risks.

After having created a business case, a gap assessment report should be completed. A gap assessment report is used to compare the current state with the future state of the organization, and this results in gaps to overcome (‘where do we want to be?’). It provides information about gaps, risks and the prioritization of where to start. Once a gap assessment report has been completed, there is a need for understanding and clarity. That means that the problems and the following steps have to be presented to the key stakeholders, to establish credibility for the assessment and support concerning the change.

The following step is the creation of a plan for quick wins. A quick win is
an early success during an improvement programme. In the plan for quick
wins short term wins should be identified and attained to keep the
improvement programme running and to keep the commitment level high
during the improvement programme.

The last step is setting the goals regarding the improvement programme in relation to the earlier defined stakeholder needs. A management tool for setting goals and measuring performance is the balanced scorecard.

Implement IT service management

The first thing to consider regarding implementing or improving service management is answering the question of where to start (‘which service management process?’). Before identifying a process that needs to be improved, the first condition that needs to be fulfilled is that the organization should have documented its current and desired state, which includes a completed gap assessment report. ‘Where to start’ also depends on the level of maturity of the organization. Besides these dependencies, it is important to understand the interrelationships between all the IT service management processes.

Another aspect which should be taken into consideration during the improvement programme is creating awareness of the change. This can be done by making a communication plan, which will explain the IT policy to the stakeholders.

The next thing to consider is how the changes are going to be achieved. Achieving changes requires a reliable programme. To prevent a CSIP from missing its intended goals, the OGC recommends [1] the approach from J.P. Kotter, called ‘Eight steps to transforming your organisation’, in combination with a project management method such as PRINCE2. The main reason for using this approach in combination with regular project management is that it also takes the softer sides of change into account, like resistance to change and creating commitment.

J.P. Kotter studied more than 100 companies with regard to their
transformations in the past years. This has resulted in eight main reasons
why transformations fail. The duration of the studied transformations was
quite long, about six to eight years.

The eight main reasons why transformations fail are transformed into
eight steps.

1. Creating a sense of urgency
2. Forming a guiding coalition
3. Creating a vision
4. Communicating the vision
5. ‘Empowering’ to act on the vision
6. Planning for and creating quick wins
7. Consolidating improvements and producing more change
8. Institutionalizing the change

These eight steps can be applied equally to a service management improvement programme.

The culture of the organization is a main issue to be taken into account during the implementation, because organizational culture can support an implementation, but it can also lead to resistance. For that reason the organizational culture should be managed in order to avoid problems like resistance.

A critical success factor for a CSIP is the clear definition of accountability, roles and responsibilities in relation to the new processes and the existing organisational structure. New processes and working practices often do not fit within the existing organizational structure, because processes are often cross-functional. In other words, processes may run through the whole organization. In this way new processes and working practices may introduce new roles, which may overlap the existing organizational structure.

The last aspect that has to be taken into account regarding the implementation of IT service management is training. Training can contribute to a higher quality of service management and it can also lead to more productive and responsive employees. Before setting up a training programme, questions like who to train, when to train, how to train and what to train should be answered. For ITIL training see: ITIL certificate.

Measure goals

After the completion of each improvement process a Post Implementation Review (PIR) should be conducted to indicate if the objectives have been achieved; this can be done by comparing the achievement of the improvement with the goals set earlier in the programme. When the results of the PIR are confirmed, new targets regarding improvement should be defined. During the improvement programme the key performance indicators (KPIs), which were created earlier during goal setting as a part of the balanced scorecard, need to be constantly monitored to confirm the PIR. Also, the improvement of the customers’ perception (customer KPIs) during the CSIP needs to be surveyed. This can be done by conducting a regular statistical survey regarding customer satisfaction, also called a Customer Satisfaction Survey (CSS).

Case study

Hochstein, Brenner and Tamm (2005) conducted six case studies about
the factors of success, benefits and costs concerning ITIL transformation
projects in large European companies. Hochstein et al. deduced a few
initiatives from the case studies which were effective:

• showing ‘quick wins’
• continuous improvement to sustain the success
• marketing campaigns for awareness and acceptance
• management support as a mechanism for pressure
• the implementation of broad-based training
• simultaneous development of new processes to integrate service orientation

Furthermore, Hochstein et al. discovered that bureaucracy and lack of individuality are general disadvantages of ITIL principles. Therefore, they state that ITIL principles should be adapted to fit the organization and its specific requirements, and that the application of ITIL principles should be selective.
