Can the ITIL® framework contribute to IT security and vice versa? Insights for CISOs and security specialists
Although CISOs are responsible for securing their organisation, they are not necessarily experts in the underlying organisational processes of the IT department, perhaps because their career path differs from that of their IT colleagues.
Is this a problem? How can IT security be improved? Should IT practices and processes be improved first? Are these two objectives completely separate, or are they mutually inclusive, like Yin and Yang?
ITIL® contributions to information security
CISOs can leverage ITIL® (Information Technology Infrastructure Library) best practices and the 25 processes in its framework, which are already embraced by many organisations, to embed security processes and principles.
For example, Vulnerability Management and Security Incident Management processes (neither of which is referenced in ITIL® v3) can be effectively integrated into Incident Management and Problem Management, Event Management, and Change Management for processing, detection and patch implementation respectively.
But what should the Vulnerability Management and Security Incident Management processes describe? Here again, ITIL® best practices for process definition can be leveraged. The definitions must include:
1- A list of activities
2- Roles and responsibilities
3- KPIs to monitor their operation
Information security contributions to ITIL®
What are the benefits of information security practices for ITIL®? In order to produce value, IT services must be usable and useful to internal customers. Additionally, there must be service levels and guarantees regarding their delivery. This is where the four processes Availability Management, Continuity Management, Capacity Management and Information Security Management are relevant. The first three focus on the availability of information; the last covers all the A/I/C/P security criteria.
Other contributions from IT security are relevant (and encouraged):
- In the “Service Strategy” phase, Service Management for IT services should be based on an Information Systems Security Policy and an IS risk map/analysis.
- In the “Service Design” phase, Service Level Management should include a Security Incidents element, and Supplier Management should include the development of Security Assurance Plans.
- In the “Service Transition” phase, the Configuration Management Database (CMDB) produced by Service Asset & Configuration Management (SACM) should identify the security characteristics of Configuration Items. Release & Deployment Management will be enhanced by security measures (technical or organisational) ensuring the integrity of the software packages deployed.
- In the “Service Operation” phase, Access Management will rely on a number of security services.
Conclusion on the ITIL® framework
Is it a prerequisite for an organisation to adopt ITIL® best practices in order to improve its level of information security? The answer is no, although it would greatly help! Organisations – ITIL compliant or not – should in all cases consider introducing information security at the strategic, tactical and operational levels. A good starting point is a security risk analysis.
About the blogger
Ronan Cloatre is a consultant at Orange Cyberdefense and is regularly involved in risk analysis and compliance audits, as well as other CISO-sponsored projects. He holds a degree in Telecommunications Engineering and a Master's in Cybersecurity from Supélec and Télécom Bretagne, and joined Orange after a first experience at a specialist IT security company, where he led the creation of a digital investigation service.