ITIL 4 Practice Guide CM Information Security Management
This document provides practical guidance for the information security management practice.
2. General information
2.1 Purpose and description
Key message
The purpose of the information security management practice is to protect the information needed by the organization to conduct its
business. This includes understanding and managing risks to the confidentiality, integrity, and availability of information, as well as other
aspects of information security such as authentication and non-repudiation.
Information security is an increasingly important but difficult task, particularly in the context of digital transformation. This is due to
the growth of digital services across industries, where information security breaches might have a major effect on an organization’s business.
The wider use of cloud solutions and the wider integration with partners’ and service consumers’ digital services create new critical
dependencies, with limited ability to control how information is collected, stored, shared, and used. Partners and service consumers are in
the same situation, and usually invest in data protection and information security solutions. However, a lack of integration and consistency
between organizations creates new vulnerabilities, which need to be understood and addressed. The information security management practice,
in conjunction with other practices (including availability management, capacity and performance management, risk management, service
design, relationship management, architecture management, supplier management, and others), ensures that an organization’s products and
services meet the required level of information security for all involved parties.
The information security management practice is considered by many organizations to be a specialized branch of wider security management.
In a service economy, every organization’s business is service-driven and digitally-enabled. This may lead to a closer integration of the
disciplines, as security management focuses more on the security of digital services and information. This integration is both possible and
useful where digital transformation has led to the removal of the borders between ‘IT management’ and ‘business management’ (see ITIL®4:
High-velocity IT for more on this topic).
2.2 Terms and concepts
2.2.1 Security characteristics
The information security management practice helps to ensure the confidentiality, integrity, and availability of the information needed to
conduct business, with several activities and controls needed to preserve these characteristics. Additionally, the information security
management practice is often concerned with authentication and non-repudiation.
Definition: Confidentiality
Confidentiality is the first thing that many people think of when they consider information security. People and organizations want to ensure
that their secrets remain secret, and that their personal or business information is not misused.
Definition: Availability[1]
If the information is not available when and where it is needed, then the organization is unable to conduct its business.
The availability management practice considers many aspects of service availability. However, the information security management practice is
mostly concerned with the availability of information.
Definition: Integrity
An assurance that information is accurate and can only be modified by authorized personnel and activities.
Incorrect information may be worse than not having any information at all. For example, if a bank incorrectly believes that a customer has a
large amount of money in their account and allows them to withdraw this, the bank might suffer from a significant loss.
Definition: Authentication
Verification that a characteristic or attribute which appears or is claimed to be true, is in fact true.
Authentication is used to establish the identity of people and things. For example:
Usernames and passwords are often used to authenticate people, although more rigorous authentication using biometrics and security
tokens is often preferred.
Definition: Non-repudiation
Providing undeniable proof that an alleged event happened, or an alleged action was performed, and that this event or action was performed
by a particular entity.
Non-repudiation has been used in business transactions since before the existence of IT systems and services. Traditionally, a signature would
be used, and if a higher level of proof was needed then this signature might be notarized. Information security relies on non-repudiation so
that transactions can occur. This is essential to preserve the integrity of information.
Definition: Asset
An asset is anything that has value to an organization.
Assets may include hardware, software, networking, information, people, business processes, services, organizations, buildings, or anything
else that is valuable to an organization. The information security management practice helps to protect assets so that the organization can
conduct its business.
Definitions:
A threat is any potential event that could have a negative impact on an asset.
These terms are related in the following way: Threat actors exploit vulnerabilities to have an impact on assets.
A vulnerability assessment is used to identify vulnerabilities in a specific environment, service, or configuration item. This typically involves
compiling a list of potential vulnerabilities and using tools to test each component in the environment, to see if that vulnerability exists.
Vulnerability assessments can be performed on a regular basis, and as a check during the deployment of infrastructure or applications. There
are many tools available to support vulnerability assessments and many suppliers can perform vulnerability assessments as a service.
Risk management terms and definitions
Risk: A possible event that could cause harm or loss, or make it more difficult to achieve objectives. It can also be defined as an
uncertainty of the outcome, and can be used in the context of measuring the probability of positive outcomes as well as negative outcomes.
Control: The means of managing a risk, ensuring that a business objective is achieved, or that a process is followed.
Residual risk: The risk that remains after the application of controls.
2.3 Scope
The purpose of the information security management practice, as described in section 2.1, is to “protect the information needed by the
organization to conduct its business”. This information may be stored and processed on information systems, but equally it may be recorded
on paper, or communicated in speech. This practice is concerned with the confidentiality, integrity, and availability of this information,
regardless of where and how it is stored and processed. Although the focus is on information, this practice is concerned with all four
dimensions of service management.
Each organization must define the scope of its information security management practice, which will typically include:
client devices, such as phones, laptops, and tablets, including: all hardware, firmware, software, and applications
IoT devices, which typically have network connectivity and processing capabilities and might also have sensors and actuators which
interact with the physical world
business processes
people, including understanding the risks they pose and how these risks are managed
partners and suppliers who play a part in the provision, management, or support of services
data and information, whether it is stored, processed, or communicated, and the format it is in.
Within this scope, the information security management practice should ensure that:
risks that could impact these assets are identified and analysed
monitoring and continual improvement are in place to ensure that information security risks continue to be appropriately managed.
Some important aspects of the information security management practice are described in other practice guides. These are listed in Table 2.2,
along with references to the practices in which they can be found.
Table 2.2 Activities related to the information security management practice described in other practice guides
Activity: Strategic communication with customers, sponsors, regulators, and governance body
Practice: Relationship management
Practice: Organizational change management
A practice success factor (PSF) is more than a task or activity, as it includes components of all four dimensions of service management. The
nature of the activities and resources of PSFs within a practice may differ, but together they ensure that the practice is effective.
embedding information security into all aspects of the service value system.
Information security management policies and plans may address the following aspects:
access control
password control
malware protection
information classification
remote access
intellectual property
record management and retention
To ensure the effective management of information security, organizations might establish a formal information security management system,
which follows relevant standards such as ISO/IEC 27001[2].
The identification of information security risks includes identifying all assets that are within the scope of the service value system, and then
identifying risks to those assets. This can be supported by threat and vulnerability assessments, architecture and design reviews, and many
other techniques.
The analysis of information security risks includes ascertaining the likelihood of each information security risk, and the potential impact of that
risk. The data provided can evaluate the cost, benefit, and ROI of potential controls.
The management of information security risks includes defining and managing the controls, which manage the wide range of risks that might
impact information security. This is performed in conjunction with risk management and other risk-focused practices, such as capacity and
performance management, availability management, and service continuity management practices. The agreed information security controls
are often implemented as part of other practices, such as service design, software development and management, infrastructure and platform
management, architecture management, service request management, continual improvement, workforce and talent management depending
on the nature of the control.
The established policies and plans should drive behaviour and implement controls to maintain a balance between:
Prevention – ensuring that security incidents don’t occur
More preventative countermeasures should be adopted if risk analysis indicates an earlier and greater impact on the service. If the initial
impact is smaller and takes longer to develop, a more economically effective approach would be to invest in detection and correction
countermeasures.
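The likelihood, impact, cost/benefit and ROI analysis described above, worked through as an added example that is not the guide's own method: a constructed risk, four candidate controls that reduce either likelihood (prevention) or impact (detection and correction), and a greedy selection that re-evaluates ROI against the residual risk after each control is added. The annualized-loss model and every figure are assumptions.

```python
"""Risk analysis worked through: likelihood x impact, control ROI, residual risk.

Added example; it is not part of the ITIL practice guide. The figures are
constructed sample values, and the annualized-loss model (expected loss =
likelihood per year x impact per event) is a common simplification rather
than a method the guide prescribes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # expected number of events per year
    impact: float      # loss per event, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0  # fraction of events prevented (preventive control)
    impact_reduction: float = 0.0      # fraction of per-event loss avoided (detective/corrective control)


def annual_loss(risk):
    """Expected annual loss: likelihood x impact."""
    return risk.likelihood * risk.impact


def apply_control(risk, control):
    """Residual risk after one control: scale likelihood and/or impact down."""
    return Risk(
        risk.name,
        risk.likelihood * (1.0 - control.likelihood_reduction),
        risk.impact * (1.0 - control.impact_reduction),
    )


def residual_risk(risk, controls):
    """Residual risk after applying a set of controls in order."""
    for control in controls:
        risk = apply_control(risk, control)
    return risk


def control_roi(risk, control):
    """(annual loss avoided - annual cost) / annual cost, measured against the given risk."""
    avoided = annual_loss(risk) - annual_loss(apply_control(risk, control))
    return (avoided - control.annual_cost) / control.annual_cost


def select_controls(risk, candidates, acceptable_annual_loss):
    """Greedily add the control with the best ROI against the *current* residual
    risk until the residual loss is acceptable or no control pays for itself.
    Re-evaluating ROI after each step matters: a second control that targets the
    same factor (likelihood or impact) is worth less once the first is in place."""
    chosen, remaining, current = [], list(candidates), risk
    while annual_loss(current) > acceptable_annual_loss and remaining:
        best = max(remaining, key=lambda c: control_roi(current, c))
        if control_roi(current, best) <= 0:
            break  # nothing left that returns more than it costs
        chosen.append(best)
        remaining.remove(best)
        current = apply_control(current, best)
    return chosen, current


# Constructed sample: one risk and four candidate controls.
RANSOMWARE = Risk("Ransomware on file servers", likelihood=0.5, impact=400_000)
CANDIDATES = [
    Control("Endpoint anti-malware", 20_000, likelihood_reduction=0.6),
    Control("Tested offline backups", 15_000, impact_reduction=0.75),
    Control("Security awareness training", 10_000, likelihood_reduction=0.2),
    Control("24x7 security operations centre", 250_000, impact_reduction=0.5),
]


def main():
    print(f"Initial expected annual loss: {annual_loss(RANSOMWARE):,.0f}")
    for control in CANDIDATES:
        print(f"  {control.name:32} ROI {control_roi(RANSOMWARE, control):+.2f}")
    chosen, residual = select_controls(RANSOMWARE, CANDIDATES, acceptable_annual_loss=25_000)
    print("Selected:", [c.name for c in chosen])
    print(f"Residual expected annual loss: {annual_loss(residual):,.0f}")


if __name__ == "__main__":
    main()
```

With the sample figures the backups (a corrective control) are selected first because the per-event loss dominates, and the anti-malware control is worth far less in the second round because the loss it prevents has already shrunk.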
Controls may involve any of the four dimensions of service management. For example:
value stream and process controls such as backup, patch management, or peer review
partner and supplier controls such as contractual requirements, process audits, or third-party certification.
When choosing an information security countermeasure, the effectiveness and efficiency of each option should be assessed. The effectiveness
and efficiency of information security countermeasures must be continually controlled and validated.
Exercises should be conducted at planned intervals and when significant changes occur in the policies, plans, and controls. The greater the
impact of an information security incident, the more often the exercises should occur.
2.4.4 Embedding information security into all aspects of the service value system
The information security management practice must be embedded into every part of the service value system.
focus on value: value can be realized through an improvement in the quality of information
2.4.4.2 Governance
Governance is essential for an effective information security management practice. Even the smallest organization needs to establish the
governance of this practice to:
monitor the organization to ensure that these requirements are being met.
For example, consider a value stream that creates a new or significantly changed service:
this step will include documenting service requirements for information security
in this step, consider the information security issues that could pose a risk to the organization
design the new service to meet customer requirements (design and transition)
this step will include designing and architecting to meet security requirements
users and IT staff may require training, including security training, as part of the release.
2.4.4.4 Practices
Every practice needs to include aspects of information security management. This could relate to any of the four dimensions of service
management.
Processes defined by a practice might need to include this practice’s activities. For example, the deployment process might need to include
checks to ensure that the software components are untampered.
Roles defined by the practices might need to include skills and competences from this practice. For example, a software developer might need
the ability to design software that meets defined security standards.
Information and technology used by a practice must meet security requirements and often require embedded security controls. For example,
a tool used for information exchange in the incident management practice might need to be confidential, so staff can see their organization’s
incidents but not those of other organizations.
Partners and suppliers that support a practice must meet the organization’s information security requirements. For example, a partner that
provides service continuity arrangements might need to provide assurance that their staff do not make use of data that was provided to them
as part of a continuity test.
2.4.4.5 Continual improvement
The information security management practice, like every other practice, requires continual improvement. In a world of increasing threats and
increasing dependency on IT services, it is essential to constantly monitor and improve information security.
All improvement activities, even those that have no specific information security management practice content, should be assessed for their
potential impact on information security. This assessment should be a routine part of any improvement activity.
Key metrics for the information security management practice are mapped to its PSFs. They can be used as KPIs in the context of value
streams to assess the contribution of the practice to the effectiveness and efficiency of those value streams. Some examples of this are given
in Table 2.3.
Table 2.3 Example of key metrics for the practice success factors

Practice success factor: Developing and managing information security policies and plans
Key metrics:
  Percentage of products and services with clearly documented information security requirements
  Percentage of products and services with documented information security plans
  Updating information security plans in a timely manner

Practice success factor: Mitigating information security risks
Key metrics:
  Number and percentage of information security risks for which analysis and evaluation have been performed
  Number and percentage of information security risks where the residual risk has been reduced to an acceptable level by implementing controls

Practice success factor: Exercising and testing information security management plans
Key metrics:
  Number and percentage of information security management plans that have been tested in the previous 12 months
  Number of improvement actions identified as a result of testing information security management plans

Practice success factor: Embedding information security in all aspects of the service value system
Key metrics:
  The governing body has discussed information security management at least once in the previous three months
  Number and percentage of value streams that include specific steps and activities for information security
  Number and percentage of practices that include specific steps and activities in their process flows and role definitions for information security
  Number and percentage of improvement activities that include a security assessment
The correct aggregation of metrics into complex indicators will make it easier to use the data for the ongoing management of value streams,
and for the periodic assessment and continual improvement of the information security management practice. There is no single best solution.
Metrics will be based on the overall service strategy and priorities of an organization, as well as the goals of the value streams to which the
practice contributes.
[1] This definition is different from the one used for the availability management practice. Service availability is defined differently from the
availability of information.
The contribution of the information security management practice to the service value chain is shown in Figure 3.1.
Figure 3.1 Heat map of the contribution of the information security management practice to value chain activities
3.2 Processes
Each practice may include one or more processes and activities that may be necessary to fulfil the purpose of that practice.
Definition: Process
A set of interrelated or interacting activities that transform inputs into outputs. A process takes one or more defined inputs and turns them
into defined outputs. Processes define the sequence of actions and their dependencies.
Many information security management practice activities are embedded into processes from other practices. For example:
designing security into new and changed IT services is part of the service design practice
integrating security controls into applications is part of the software development and management practice
ensuring that people are entitled to use a service before granting them access is part of the service request management practice.
Minor security incidents are typically managed in the same way as any other incident, following the incident handling and resolution process
described in the ITIL incident management practice guide. More significant security incidents might require specialist management, which can
be based on the process described here.
Each organization should define criteria to determine whether an incident requires specialist security incident management or can be
managed using the normal incident handling and resolution process.
This process includes the activities listed in Table 3.1 and transforms the following inputs into outputs.
Table 3.1 Inputs, activities, and outputs of the security incident management process
These activities might be performed with varying levels of formality by many people within the organization.
Preparation
Before a security incident occurs, the organization must perform actions to prepare for potential future security incidents. This includes:
  defining and communicating the policies and procedures for security incident management
  identifying critical services and assets for which specific response plans may be needed
  agreeing communication that will occur during a security incident, including communications with: governing bodies, regulators, law
  enforcement, press, customers, internal staff, users, suppliers, and any other affected stakeholders
  defining how security incidents and breaches will be reported
  identifying threats and vulnerabilities that need to be managed
  documenting incident response plans for specific scenarios
  engaging partners and suppliers to provide products and services that may be needed to support specific scenarios
  testing incident response plans.

Detection and escalation
Information security incidents might be detected by monitoring tools, supported by correlation tools and by security incident and event
management (SIEM) tools. Incidents may also be detected by people; these may be reported to the service desk, or to a security incident
response team, depending on who has detected the incident and the nature of the incident.
The incident is escalated to the appropriate person or team, depending on the specific incident response plan. This may involve assembling a
computer security incident response team (CSIRT).
If required, an initial notification is sent to the appropriate regulatory or governance authorities.

Triage and analysis
Evidence might need to be preserved for possible use in future court proceedings. To prevent contamination, forensic data must be collected
before any analysis is performed.
The nature and severity of the security incident is ascertained by examining systems, endpoints, applications, log files, and so on.
If required, further notification may be sent to regulatory or governance authorities once the nature and severity of the incident are
understood.

Containment and recovery
The impacted systems and services are isolated from the internet and/or from the rest of the organization. This enables further analysis to
occur while limiting the risk of further damage.
If possible, services might be restored using alternative systems.
After analysis is complete, the impacted systems are shut down, storage is wiped, and the systems are rebuilt from well-known and reliable
sources.
Business processes are considered to be recovered when they can be performed without threat of another incident, or further damage from
the original incident.

Post-incident activity
Systems and services are monitored to ensure that the threat has been removed. A lessons learned analysis is performed to identify
improvement opportunities. An incident report is created and shared as appropriate.
This process includes the activities listed in Table 3.3, and transforms the following inputs into outputs.
Table 3.3 Inputs, activities, and outputs of the audit and review process
Inputs:
  Business process information
  Threat assessment information
  Service and asset information
  External standard(s)
  Current controls
  Vulnerability assessment information
Activities:
  Identify changes to business, technology, or threat environment
  Identify missing controls
  Assess control effectiveness
  Create audit report
Outputs:
  Improvement suggestions
  Audit report
These activities might be performed by internal or external auditors. Many organizations perform internal audits and implement
improvements. External auditors can then perform a more formal audit.
Activity: Identify changes to business, technology, or threat environment
Example: Business processes are assessed to identify changes that could impact information security requirements. Technology is assessed
to identify new or changed technology, as well as technology that has become obsolete, and changes in vulnerabilities related to technology.
This assessment considers all technology used by the organization, not just information technology (IT). Changes to the threat environment
are identified by a threat assessment.

Activity: Identify missing controls
Example: The business, technology, and threat environments are analysed, and recommended controls are identified. Most organizations use
a standard such as ISO/IEC 27002 or NIST 800-53 as a beginning for a list of suggested controls that should be in place. The output of a
vulnerability assessment might also identify missing controls. The list of recommended controls is compared to the existing controls and
improvements are recommended.

Activity: Assess control effectiveness
Example: Each existing control is assessed to identify potential vulnerabilities in how it has been implemented. These vulnerabilities could
relate to the scope of the control, such as whether it has been deployed everywhere it should be. They could also relate to the configuration
of the control, such as whether it provides the appropriate level of protection.
The method used to assess effectiveness depends on the type of control. For example:
  Evaluate policy and process controls by reviewing records and interviewing staff.
  Review access rights by comparing directory information with records of granted access requests.
  Ensure third parties and suppliers have undergone an appropriate evaluation by a formal assessment body.
New and improved controls are recommended based on the findings from this effectiveness assessment.

Activity: Create audit report
Example: An audit report is created based on the findings from the earlier stages. This report includes high-level information that can be
provided to the governing body of the organization, as well as detailed recommendations for new and improved controls.
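The "review access rights" check named above, as an added example that is not part of the practice guide: it reconciles a constructed directory export against constructed access-request records in both directions, flags unapproved, expired and never-provisioned entries, and produces a percentage an audit report can carry. The CSV columns, the privileged-group list and the review date are assumptions.

```python
"""Access-rights review: reconcile a directory export against approved access requests.

Added example; it is not part of the ITIL practice guide. The CSV columns, the
privileged-group list and every record below are constructed assumptions.
"""
import csv
import io
from datetime import date
from typing import NamedTuple

# Constructed sample: current group memberships as exported from the directory.
DIRECTORY_CSV = """user,group
alice,finance-readonly
alice,domain-admins
bob,finance-readonly
carol,hr-payroll
dave,vpn-users
"""

# Constructed sample: access request records, including one rejected and one expired approval.
REQUESTS_CSV = """user,group,status,expires
alice,finance-readonly,approved,2030-01-01
bob,finance-readonly,approved,2030-01-01
carol,hr-payroll,approved,2020-06-30
erin,vpn-users,approved,2030-01-01
dave,vpn-users,rejected,2030-01-01
"""

# Assumed: groups whose membership is privileged, so unapproved membership is rated high.
PRIVILEGED_GROUPS = {"domain-admins"}

# Assumed date on which the review is run.
REVIEW_DATE = date(2024, 1, 15)


class Finding(NamedTuple):
    severity: str   # high / medium / low
    kind: str       # unapproved / expired / not-provisioned
    user: str
    group: str


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def current_approvals(requests_csv):
    """(user, group) -> expiry date for approved requests only; rejected ones do not count."""
    return {
        (r["user"], r["group"]): date.fromisoformat(r["expires"])
        for r in load_rows(requests_csv)
        if r["status"] == "approved"
    }


def review_access(directory_csv, requests_csv, today):
    """Compare what the directory grants with what was approved, in both directions."""
    granted = {(r["user"], r["group"]) for r in load_rows(directory_csv)}
    approved = current_approvals(requests_csv)
    findings = []
    # Direction 1: access that exists but has no valid approval behind it (an exposure).
    for user, group in sorted(granted):
        if (user, group) not in approved:
            severity = "high" if group in PRIVILEGED_GROUPS else "medium"
            findings.append(Finding(severity, "unapproved", user, group))
        elif approved[(user, group)] < today:
            findings.append(Finding("medium", "expired", user, group))
    # Direction 2: approvals never provisioned (a process failure, not an exposure).
    for user, group in sorted(approved):
        if (user, group) not in granted:
            findings.append(Finding("low", "not-provisioned", user, group))
    return findings


def approval_coverage_percent(directory_csv, requests_csv, today):
    """Metric for the audit report: share of granted access backed by a current approval."""
    granted = {(r["user"], r["group"]) for r in load_rows(directory_csv)}
    approved = current_approvals(requests_csv)
    backed = sum(1 for g in granted if g in approved and approved[g] >= today)
    return 100.0 * backed / len(granted) if granted else 100.0


if __name__ == "__main__":
    for f in review_access(DIRECTORY_CSV, REQUESTS_CSV, REVIEW_DATE):
        print(f"{f.severity:6} {f.kind:15} {f.user}:{f.group}")
    coverage = approval_coverage_percent(DIRECTORY_CSV, REQUESTS_CSV, REVIEW_DATE)
    print(f"approval coverage: {coverage:.0f}%")
```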
Roles are described in the context of processes and activities. Each role is characterized with a competency profile based on the model shown
in Table 4.1.
L  Leader: Decision-making, delegating, overseeing other activities, providing incentives and motivation, and evaluating outcomes
A  Administrator: Assigning and prioritizing tasks, record-keeping, ongoing reporting, and initiating basic improvements
M  Methods and techniques expert: Designing and implementing work techniques, documenting procedures, consulting on processes, work
   analysis, and continual improvement
T  Technical expert: Providing technical (IT) expertise and conducting expertise-based assignments
establishing the overall information security strategy for the organization, based on an understanding of the organization’s business
strategy, and the information security risks that might impact this
ensuring that the organization takes a balanced approach to information security, which provides sufficient protection without having an
adverse impact on the ability to conduct business
strategic communication about information security to the board, and to other stakeholders such as regulators, law enforcement, press,
customers, suppliers, and partners
overseeing the staff responsible for all other aspects of information security, including:
developing, testing, and improving processes, especially for security incident management
selecting, testing, and deploying security products such as firewalls or anti-virus software
defining standards and guidelines for procuring, developing, testing, deploying and the ongoing management of infrastructure and
applications that have security implications, such as servers, operating systems, SaaS products, in-house applications, middleware,
and client devices
operational activities such as security event monitoring, and routine management of security products.
Table 4.2 Examples of roles with responsibility for information security management activities

Activity: Detection and reporting
Responsible roles: Security analyst; Technical analyst; Service desk agent
Competency profile: CAT
Specific skills: Recognizing security incidents and appropriately categorizing them; Assembling a team and communicating clearly

Activity: Containment and recovery
Responsible roles: Information security manager; Security analyst; Technical analyst
Competency profile: TCM
Specific skills: Technical understanding of services and their components; Evaluation and selection of alternative courses of action in
complex environments; Communication and coordination with multiple stakeholders

Activity: Assess control effectiveness
Responsible roles: Information security manager; Information security auditor; Security analyst
Competency profile: TMC
Specific skills: Understanding of applicable security standards, including detailed understanding of security controls; Technical
understanding of services and their components; Communication and audit skills; Analytical skills

Activity: Create audit report
Responsible roles: Information security manager; Information security auditor; Security analyst
Competency profile: TCA
Specific skills: Evaluating and prioritizing improvement opportunities; Communicating with a wide range of stakeholders, including senior
management
Preventing information security incidents and breaches by following all required policies, implementing required controls, and noticing
and reporting vulnerabilities
Detecting information security incidents and breaches by noticing and reporting the unusual behaviour of technology, people, or
suppliers
Correcting information security incidents and breaches by following the required processes and procedures when incidents occur.
People can also contribute to each of these in a negative way, if they don’t have the appropriate skills, competence, and motivation. There are
many things that can be done to help ensure that everyone in the organization contributes to information security in a positive way.
4.1.3.1 Security awareness training
Security awareness training should help staff recognize risks and take the appropriate actions. The training typically includes issues such as:
endpoint security, including phones, tablets, laptops, use of removable media, personal devices, and so on
understanding relevant parts of the organization’s information security policies and controls.
Security awareness training should be held regularly, as well as for new staff. Some organizations have annual refresher training that covers
the entire required material. Other organizations deliver more regular training that only covers part of the material in each training event, but
include everything needed over the course of a year.
Many organizations have a dedicated IT security team that provides expertise across the whole organization, but it is also important to
have information security expertise in other IT teams. For example:
Service architects and service designers must be able to architect and design secure IT services. They must possess enough knowledge
and understanding to perform much of the work themselves, even if they might require assistance from specialist security staff.
Application developers must be able to write secure code. This requires an understanding of secure coding practices and of common
mistakes to avoid.
Service desk staff must be able to recognize security incidents, and take appropriate action based on the organization’s security policy
and security incident response plans.
All staff must be aware of their responsibility to detect common security attacks and know how they should react to these attacks.
technology and services available on the market, which might be relevant to information security
Activity: Preparation
Means of automation: Knowledge management tools and document repositories
Key functionality: Documenting and communicating policies, procedures, and incident response plans
Impact on the effectiveness of the practice: Medium to very high, depending on the size and complexity of the organization

Activity: Detection and reporting
Means of automation: Monitoring tools
Key functionality: Detecting possible security incidents
Impact on the effectiveness of the practice: Essential

Activity: Detection and reporting
Means of automation: Security incident and event management (SIEM) and correlation tools
Key functionality: Analysing data and detecting possible security incidents
Impact on the effectiveness of the practice: Medium to very high, depending on the complexity of the services, applications and infrastructure

Activity: Triage and analysis
Means of automation: Data forensic tools
Key functionality: Preserving evidence that may be needed in court proceedings
Impact on the effectiveness of the practice: Could be anything from low to essential, depending on the legal and regulatory environment

Activity: Containment and recovery
Means of automation: Backup and recovery tools
Key functionality: Recovering data after a security event
Impact on the effectiveness of the practice: Essential

Activity: Identify changes to business, technology, or threat environment
Means of automation: Process maps and process mapping tools
Key functionality: Documenting and communicating business processes
Impact on the effectiveness of the practice: High

Activity: Identify missing controls
Means of automation: Security audit tools or questionnaires; Vulnerability assessment tools
Key functionality: Identify possible controls that might be needed
Impact on the effectiveness of the practice: High

Activity: Assess control effectiveness
Means of automation: Security audit tools or questionnaires; Vulnerability assessment tools
Key functionality: Compare existing controls to good practice
Impact on the effectiveness of the practice: High
Very few services are delivered using only an organization’s own resources. Most, if not all, depend on other services, often provided by third
parties outside the organization (see section 2.4 of ITIL Foundation: ITIL 4 Edition for a model of a service relationship). Relationships and
dependencies introduced by supporting services are described in the ITIL practice guides for supplier management and service level
management.
Partners and suppliers might provide critical products and service components. The service provider needs to negotiate and agree information
security requirements with partners and suppliers to meet information security requirements.
Partners and suppliers might also provide information security services and solutions, such as: vulnerability assessments, threat assessments,
security incident management, provision of security relevant infrastructure or applications, and so on. In this case, they should also be involved
in the testing and reviewing of these services and solutions.
If suppliers have access to the organization’s network, servers, or other resources, that access could be the route to a security breach. This
risk needs to be identified and controlled. Typically, this is done with:
network isolation: preventing the supplier from accessing more sensitive parts of the network
strong authentication and encryption: preventing the supplier from accessing sensitive data and systems
contractual terms with regular audits: ensuring the supplier understands what is expected of them and meets these expectations.
7. Important reminder
Most of the content of the practice guides should be taken as a suggestion of areas that an organization might consider when establishing and
nurturing their own practices. The practice guides are catalogues of topics that organizations might think about, not a list of answers. When
using the content of the practice guides, organizations should always follow the ITIL guiding principles:
focus on value
More information on the guiding principles and their application can be found in section 4.3 of the ITIL® Foundation: ITIL 4 Edition.
8. Acknowledgements
AXELOS Ltd is grateful to everyone who has contributed to the development of this guidance. These practice guides incorporate an
unprecedented level of enthusiasm and feedback from across the ITIL community. In particular, AXELOS would like to thank the following:
8.1 AUTHORS
Stuart Rance, Ana Cecilia Perez, Mauricio Corona
8.2 REVIEWERS
Dinara Adyrbayeva, Pavel Demin