Standards-Based Service and Security Management
Doing it Right The First Time

Agenda
• Introduction to ITIL Service Management
• Industry pressures that demand standards-based Security Management
• Changing the way we do things in IT
• Internationally accepted Security Management practices
• A sensible approach to implementing Security Management

IT Infrastructure Library (ITIL) IT Service Management
• Service Support - Help Desk; Problem Management; Change Management; Configuration Management; Software Control & Distribution
• Service Delivery - Service Level Management; Capacity Management; Availability Management; Costing for IT Services; Contingency Planning
• Operations - Operations Management; Unattended Operations
• Application Management - S/W Lifecycle Support; Release Management; Testing IT Services for Operational Use
• Line Management - Customer Liaison; IT Services Organization; Planning & Control for IT Services
• Office Environment; Environmental Management
• Security Management; Business Continuity; Network Services Management; Business & Management Skills; Case Studies, etc.

Is ITIL the Best Approach for every area of IT?
• ITIL is not a methodology – rather it is a guiding framework
• ITIL represents a set of proven international Best Practices
• Organizations need to tailor ITIL to their needs (a staged approach)

Benefits of an ITIL Implementation
• Improved level of service, in line with market costs
 - Business-defined service levels
 - Guaranteed levels of service
• Reduced time to implement new IT
 - Improved customer satisfaction leading to reduced customer turnover
• Increased availability of IT to the business
• Improved employee commitment
• Compliance with new corporate reporting requirements
ITIL Process Model
[Diagram: User Population and Customers; Service Support and Service Delivery processes (Service Desk / Help Desk, Incident Control, Problem Management, Change Management, RFC, Configuration & Asset Management, Release Management, SLM, Financial Management & Costing, Performance & Capacity Management, Availability Management, High Availability Planning, Business Continuity Planning, Contingency Plans); Application Management; Network & Operations Management; Security Management]
. . . every aspect of IT Service Management has Security Management Considerations!
“Availability is at the Core of User Satisfaction” Source: ITIL Service Delivery, Best Practice, 2002
ITIL Security Management Goals:
• To meet the external security requirements
 - From SLAs, contracts, legislation and imposed security policies
• To meet the internal security requirements
 - Information Security Policy
 - Risk Analysis
 - Planning
 - Operational Measures
 - Evaluation and Audit
 - Business Continuity Planning

ITIL Security Management Measures
Customer – defines business requirements based on business needs
SLA / Security Section – agreed between customer and provider
REPORT: SLA conformance
• CONTROL:
 - Get Organized
 - Establish Management Framework
 - Allocate Responsibilities
• PLAN:
 - Service Level Agreement
 - Underpinning Contracts
 - Operational Level Agreements
 - Policy Statements
• IMPLEMENT:
 - Create Awareness
 - Classification and Registration
 - Personnel Security
 - Physical Security
 - Security Management Technologies
 - Control & Management of Access Rights
 - Security Incident Handling & Registration
• EVALUATE:
 - Internal Audits
 - External Audits
 - Self Assessments
 - Security Incidents
• MAINTAIN:
 - Learn
 - Improve
 - Plan Next Implementation
ITIL Process Model
[Diagram: the ITIL Process Model shown earlier (User Population, Customers, Service Support, Service Delivery, Application Management, Network & Operations Management), repeated with Security Management]
The TRUTH about Security Management and Privacy
FACT:
• You can have SECURITY without PRIVACY
BUT
• You CANNOT have PRIVACY without SECURITY
THEREFORE . . . Organizations that practice good Security Management MUST have both SECURITY and PRIVACY!
Internationally Accepted Best Practices: Security & Privacy Management
Security & Accounting Management Focus:
GENERAL
• CobiT (Control Objectives for Information and related Technology)
• GASSP (Generally Accepted System Security Principles)
• CASPR (Commonly Accepted Security Practices & Recommendations)
USA
• Sarbanes-Oxley Act (US Congress July 2002)
• HIPAA (Health Insurance Portability and Accountability Act - Aug 1996) – Security & Privacy of Protected Health Information (PHI)
In many instances, best practices are over-ridden by laws and regulations

Internationally Accepted Best Practices: Security & Privacy Management
CobiT (Control Objectives for Information and Related Technology)
• The main theme is business orientation.
• Provides comprehensive guidance for management and business process owners.
• Firmly based in business objectives.
• CobiT is designed to help three distinct audiences:
 - Management, who need to balance risk and control investment in an often unpredictable IT environment.
 - Users, who need to obtain assurance on the security and controls of the IT services upon which they depend to deliver their products and services to internal and external customers.
 - Auditors, who can use it to substantiate their opinions and/or provide advice to management on internal controls.

Internationally Accepted Best Practices: Security & Privacy Management
GASSP (Generally Accepted System Security Principles)
Pervasive Principles:
• Accountability
• Awareness
• Ethics
• Multidisciplinary
• Proportionality
• Integration
• Timeliness
• Assessment
• Equity
Broad Functional Principles:
• Information Security Policy
• Education and Awareness
• Accountability
• Information Management
• Environmental Management
• Personnel Qualifications
• System Integrity
• Information Systems Life Cycle
• Access Control
• Operational Continuity and Contingency Planning
• Information Risk Management
• Network and Infrastructure Security
• Legal, Regulatory, and Contractual Requirements of Information Security
• Ethical Practices
Internationally Accepted Best Practices: Security & Privacy Management
CASPR (Commonly Accepted Security Practices & Recommendations)
• The goal of the CASPR Project is to distil the knowledge of the world's Information Security experts into a series of papers that are freely available on the Internet to everyone. Using the Open Source movement as a guide, the papers will be developed and released under the GNU Free Documentation License to make sure that they and any derivatives remain freely available.
• Membership of the CASPR Project is open to all Certified Information Systems Security Professionals (CISSPs) world-wide who have a valid contribution to make to the body of knowledge.
Internationally Accepted Best Practices: Security & Privacy Management
Sarbanes-Oxley Act
WHY? In the wake of recent corporate scandals, the U.S. Congress passed the Sarbanes-Oxley Act in July 2002 to re-establish corporate accountability and reinforce investor confidence. Sarbanes-Oxley is a far-reaching piece of legislation that covers all companies publicly traded on the U.S. stock exchanges. Although the act has many facets, including criminal penalties for corporate officers, the following three sections impose the most significant compliance and governance challenges for business and IT executives:

Internationally Accepted Best Practices: Security & Privacy Management
Sarbanes-Oxley Act
WHAT:
Section 302:
• Certification of financial reports by CEOs and CFOs personally (a MUST).
 - Build CEO and CFO confidence in the accuracy of information by providing real-time views into IT performance.
Section 404:
• Disclosure of internal controls and processes for financial reporting:
 - Auditors MUST verify adequacy
 - Company MUST establish IT processes based on best practices (COBIT, ITIL, ISO-17799, Six Sigma)
Section 409:
• Aggressive deadlines for financial reporting (real-time reporting of material financial events).
 - Company MUST meet Service Level Agreements (SLAs) for business-critical systems.
 - Company MUST achieve visibility into IT cost overruns and business impact of IT systems.
Internationally Accepted Best Practices: Security & Privacy Management
HIPAA (Health Insurance Portability and Accountability Act, Aug 1996) – Security & Privacy of Protected Health Information (PHI)
Basic HIPAA Rules:
• Guarantee health insurance coverage of employees.
• Reduce health care fraud and abuse.
• Introduce/implement administrative simplifications.
• Protect the health information of individuals against access without consent or authorization.
Privacy and Security Concepts of HIPAA:
• Confidentiality
• Integrity
• Availability
Internationally Accepted Best Practices: Security & Privacy Management
Privacy Management Focus:
CANADA
• PIPEDA (Personal Information Protection and Electronic Documents Act - known as PIPA, the Personal Information Protection Act, in both BC and Alberta)
USA
• Gramm-Leach-Bliley Act – (US Congress 1999)
• SB 1386 – (State of California July 2003)
In many instances, best practices are over-ridden by laws and regulations

Internationally Accepted Best Practices: Security & Privacy Management
PIPEDA (Personal Information Protection and Electronic Documents Act)
The TEN basic principles of PIPEDA and similar Provincial Acts:
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, and Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance
Internationally Accepted Best Practices: Security & Privacy Management
Gramm-Leach-Bliley Act – (US Congress 1999) - Privacy of Consumer Financial Information
• Financial institutions have restrictions on when they may disclose a consumer's personal financial information to non-affiliated third parties.
• Financial institutions are required to provide notices to their customers about their information-collection and information-sharing practices.
• Consumers may decide to "opt out" if they do not want their information shared with non-affiliated third parties.
• The GLB Act provides specific exceptions under which a financial institution may share customer information with a third party and the consumer may not opt out.
• All financial institutions are required to provide consumers with a notice and opt-out opportunity before they may disclose information to non-affiliated third parties outside of what is permitted under the exceptions.

Internationally Accepted Best Practices: Security & Privacy Management
SB 1386 – (State of California July 2003) - Personal Information: Privacy
• Covered parties must disclose any breach of the security of personal data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
• The law applies to state agencies, or a person or business that conducts business in California, that owns or licenses computerized data containing personal information.
• The bill requires an agency, person, or business that maintains computerized data that includes personal information owned by another to notify the owner or licensee of the information of any breach of security of the data.
• The essence of this legislation is that, regardless of the jurisdiction of the agency, person or business – if you have a client in California, the law applies to you.
A sensible approach to implementing Security & Privacy Management
• Make Security & Privacy Management integral to the governance of the organization:
 - Create and publish a comprehensive Information Security & Privacy POLICY
 - Adopt relevant best practices as part of normal business processes
 - Invest in, and support, Security & Privacy Management personnel skills and training
 - Make Security & Privacy Management part of the job descriptions of the functionaries
 - Hold Security & Privacy Management personnel accountable with regular reviews and reinforcement

A sensible approach to implementing Security & Privacy Management cont'd
• Be aware of, and adhere to, the relevant rules and regulations pertaining to the organization:
 - Appoint an internal Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO) and give them the necessary authority and responsibility
 - Maintain appropriate documentation and reading matter
 - Publish periodic updates to inform personnel and make everyone part of the solution
 - LEAD by example.
 - Treat Security & Privacy Management like an investment in the future - NOT an overhead item.

Project Management
• IT managers are always juggling more priorities than budgets and resources allow
• Involving Service and Security Management early in the development process will prevent many challenges later
• Implementation of standardized Security and Privacy Management practices requires strong project management and leadership.
• Experienced and knowledgeable resources will ensure your success.

Summary
• Implementation of Standards-based Service, Security and Privacy Management processes affords the organization many benefits that result in increased availability and improved reliability for the business
• Project Management and Change Management practices should be strengthened in parallel
• Standards-based Service, Security and Privacy Management is good for business!
Thank you for your attention!
QUESTIONS?
For additional information or assistance with these vital issues, please feel free to contact either:
Rob Shirra, RGS Consulting International Inc, E-Mail: rshirra@rgs-consult.com, 604-341-1692
or
John Glover, E-Mail: john@aps-group.com, 604-760-2464 or 250-888-6564