How ITIL Can Improve Information Security
by Steven Weil
Introduction

ITIL - the Information Technology Infrastructure Library - is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services. ITIL can be applied across almost every type of IT environment. Interest in and adoption of ITIL has been steadily increasing throughout the world; the numerous public and private organizations that have adopted it include Procter & Gamble, Washington Mutual, Southwest Airlines, Hershey Foods, and the Internal Revenue Service. In addition to the often touted benefits of ITIL - aligning IT with the needs of the business, improving service quality, decreasing the costs of IT service delivery and support - the framework can aid the information security professional both directly (there is a specific Security Management process) and indirectly. This article will provide a general overview of ITIL and discuss how ITIL can improve how organizations implement and manage information security.

ITIL overview

ITIL began in the 1980s as an attempt by the British government to develop an approach for efficient and cost-effective use of its many IT resources. Using the experiences and expertise of successful IT professionals, a British government agency developed and released a series of best-practice books, each focusing on a different IT process. Since then, ITIL has become an entire industry of organizations, tools, consulting services, related frameworks, and publications. Currently in the public domain and still evolving, the 44-volume set of ITIL guidelines has been consolidated into 8 core books. When most people discuss ITIL, they refer to the ITIL Service Support and Service Delivery books. These contain a set of structured best practices and standard methodologies for core IT operational processes such as Change, Release, and Configuration Management, as well as Incident, Problem, Capacity, and Availability Management.
ITIL stresses service quality and focuses on how IT services can be efficiently and cost-effectively provided and supported. In the ITIL framework, the business units within an organization that commission and pay for IT services (e.g. Human Resources, Accounting) are considered to be "customers" of IT services. The IT organization is considered to be a service provider for those customers. ITIL defines the objectives, activities, inputs, and outputs of many of the processes found in an IT organization. It primarily focuses on what processes are needed to ensure high-quality IT services; however, ITIL does not provide specific, detailed descriptions of how the processes should be implemented, as they will be different in each organization. In other words, ITIL tells an organization what to do, not how to do it. The ITIL framework is typically implemented in stages, with additional processes added in a continuous service improvement program. Organizations can benefit in several important ways from ITIL:
ITIL details

ITIL takes a process-based approach to managing and providing IT services; IT activities are divided into processes, each of which has three levels:
A description of each of the numerous IT processes covered by ITIL is beyond the scope of this article. What follows are brief, general descriptions of the ITIL processes that, along with the Security Management process, have a significant relationship with information security. Each of these areas is a set of best practices:
There is also a Service Desk function that describes best practices for establishing and managing a central point of contact for users of IT services. Two of the Service Desk's most important responsibilities are monitoring incidents and communicating with users. Figure 1 depicts the above processes, showing how the Service Desk function serves as the single point of contact for the various service management processes.
More detailed information about the above processes and the Service Desk function can be found in the references listed at the end of this article.

ITIL and information security

ITIL seeks to ensure that effective information security measures are taken at strategic, tactical, and operational levels. Information security is considered an iterative process that must be controlled, planned, implemented, evaluated, and maintained. ITIL breaks information security down into:
It defines information security as a complete cyclical process with continuous review and improvement, as illustrated in Figure 2:
Figure 2. Information Security Process

As some organizations look at Implementation and Monitoring as a single step, ITIL's Information Security Process can be described as a seven-step process:
Service level agreements

The service level agreement (SLA) is a key part of the ITIL information security process. It is a formal, written agreement that documents the levels of service, including information security, that IT is responsible for providing. The SLA should include key performance indicators and performance criteria. Typical SLA information security statements should include:
In addition to SLAs and operational level agreements (OLAs), ITIL defines three other types of information security documentation:
Ten ways ITIL can improve information security

There are a number of important ways that ITIL can improve how organizations implement and manage information security.
Implementing ITIL

ITIL does not typically start with IT - it is usually initiated by senior management such as the CEO or CIO. As an information security professional, however, you can add value by bringing ITIL to the attention of senior management. With the framework's rapidly increasing adoption, your organization might already be talking about ITIL; letting your management know specifically about ITIL's information security benefits can help spur its adoption. Implementing ITIL does take time and effort; depending on the size and complexity of an organization, it can require significant up-front investment. For many organizations, successful implementation of ITIL will require changes in their organizational culture and the involvement and commitment of employees throughout the organization. Critical factors for successful ITIL implementation include:
Conclusion

Information security measures are steadily increasing in scope, complexity, and importance. It is risky, expensive, and inefficient for organizations to have their information security depend on cobbled-together, homegrown processes. ITIL can enable these processes to be replaced with standardized, integrated processes based on best practices. Though some time and effort are required, ITIL can improve how organizations implement and manage information security.
About the author

Steven Weil, CISSP, CISA, CBCP, is senior security consultant with Seitel Leeds & Associates, a full-service consulting firm based in Seattle, WA. Mr. Weil specializes in the areas of security policy development, HIPAA compliance, disaster recovery planning, security assessments, and information security management. He can be reached at sweil@sla.com.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.