ITIL Security

The roles of risk and security are key elements within responsible service management. They interlink across the whole of the service management discipline.

How, therefore, do you ensure that security is appropriate for your needs? How do you apply a security baseline throughout your operation? Essentially, how do you ensure that your services are secure?

As with contingency planning, the solution may not be as complex as it appears. Indeed, the products identified below are selected because they address security management in a straightforward and efficient manner. They are designed to make your job easier, rather than introducing unnecessary challenges and barriers.

Learn more about ITIL Security in our ITIL Foundation training

Risk Analysis

When first launched, COBRA introduced a revolution to the risk management arena. It is a self-contained software product which is designed to measure risk and identify appropriate solutions right across the IT service board.

The key principles of COBRA are ease of use, flexibility and top-class reporting. These qualities ensure that the product can be installed and used without specialist security training.

Risk management is not on the list of official ITIL 2011 processes, but concepts for dealing with risks are described in several ITIL processes.

Having a basic Risk Management process in place provides a good starting point for introducing best-practice Risk Management frameworks like M_o_R (as recommended in ITIL v3).

ITIL 4 refers to ‘Risk Management’ as a general management practice.

Security Policies

Security policies are the foundation, the bottom line, of information security within an organization. Whereas risk analysis strives to ensure that security matches need, policies define the baseline – the minimum acceptable security level.

With such a fundamental role within the organization, it is essential to ensure that the security policies are comprehensive, complete, up to date and of course of the highest quality.

ITIL security management describes the structured fitting of security into an organization. ITIL security management is based on the ISO 27001 standard and covers all types of organizations. ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization’s overall business risks.

A basic concept of security management is information security. The primary goal of information security is to control access to information. It is the value of the information that must be protected, and that value lies in its confidentiality, integrity and availability.

Security Management

Any organization concerned about its short- and long-term wellbeing will have assigned responsibility for security to one or more suitable individuals, often given the title of Information Security Officer or Security Manager. This is of course an extremely demanding role, whether taken on full-time or part-time.

The role, like many others, can be made easier via the provision of the right supporting tools. The Information Security Officer’s Online Manual is a prime example.

The ISO Interactive Manual gives practical advice on how to establish a formal Information Security process. It discusses the responsibilities of the Information Security Officer, and how to manage and administrate security properly. It can be navigated (online) with ease and provides guidance and reference for the security professional and the novice.

As with the other tools in this segment, it is designed to make security management far easier and indeed, far more effective.
