In this tutorial, we are going to discuss the ITIL Information Security Management Process (ITIL ISM). This process is the foundation of ITIL Security Management Procedure.
In this article, you will learn the details about the Definition, Objective, Activities, Roles, and Sub-Process of Information Security Management - ITIL V3 Process.
What is ITIL Information Security Management Process (ISM)?
Information Security Management (ISM) is one of the well-defined main processes under Service Design process group of the ITIL best practice framework.
As defined, ITIL Information Security Management Process describes the approach and controls the measure of IT security inside an organization.
ITIL Information Security Management Scope:
As described in ITIL V3, Information Security Management (ISM) is used to align IT security with business security and ensures that information security is effectively managed in all services and Service Management activities.
ITIL ISM process is the foundation of ITIL Security Management Process. The primary goal of Information Security Management, ITIL V3 Process, is to efficiently control the access to organizational information.
ISM has a strong relationship with other ITIL Processes such as availability management and IT service continuity management for doing resource and contingency planning.
It also coordinates with incident management to check for any occurrence of security-related incidents. Further, it coordinates with change management process to check and validate all the proposed changes from the point of organizational security.
ITIL Information Security Management (ISM) Objective:
The Primary objective of ITIL Information Security Management Process (ITIL ISM) is to align IT security with business security and ensure that information security is effectively managed in all service and IT Service Management activities.
It also ensures the confidentiality, integrity, availability, and role-based accessibility of an organization’s assets, information, data and IT Services are maintained.
ITIL V3 Information Security Management (ISM) Activities:
As described by ITIL v3, the ITIL Security Management process has four major activities performed under it:
(i) Plan:
The objective of this activity is to devise and recommend the appropriate security measures, based on an understanding of the organization’s requirement.
In this stage, information security management coordinates with service level management to understand the security requirements defined under SLA.
(ii) Implement:
This key element ensures that appropriate procedures, tools, and controls are in place to support the ITIL Information Security Management Policy.
It also ensures that the security measures are implemented according to the defined plan.
(iii) Evaluation:
This phase is responsible for measuring the success of the security implementation. For doing this it carries out regular technical security audits of IT systems.
It also checks the compliance of security implementation with IT security policy and security requirements defined in SLAs and OLAs.
(iv) Maintain:
This phase takes the security evaluation results and suggests improvements on security implementation, and on security agreements as specified in, for example, SLAs and OLAs.
Things to remember that, these above phases are NOT one-time activity. These are continuous and cyclic activities, as shown in the following diagram.
ITIL Information Security Management Sub-Process:
According to ITIL V3, ISM has four sub-process. Below are the objectives and short descriptions of those sub-processes, followed by a diagram illustrating the ITIL Information Security Management Process Flow:
1) Design of Security Controls:
Responsible for designing appropriate technical and organizational measures in order to ensure the confidentiality, integrity, security, and availability of an organization's assets, information, data, and services.
It can farther be categorized as Administrative, Logical & Physical Control.
2) Security Validation & Testing:
Responsible for regular testing & validation of the effectiveness of the IT Security activities and implementation.
3) Management of Security Incidents:
To detect and fight attacks and intrusions, and to minimize the damage incurred by security breaches.
4) Security Review:
To review if security measures and procedures are still in line with risk perceptions from the business side, and to verify if those measures and procedures are regularly maintained and tested.
Important Terminologies & Definitions:
Below lists describes the important terminologies and definitions used in ISM - ITIL V3 Process:
Confidentiality:
- Means protecting information against unauthorized access and use.
- It also means Information can only be accessed by those authorized. Examples: passwords, access cards etc.
Integrity:
- A measure of Accuracy, completeness, and timeliness of services, data information, systems and physical locations.
- It ensures Information is complete, accurate and protected against unauthorized modification.
- Examples: Rollback mechanisms, test procedures, audits etc.
Availability:
- Defines that, information should always be accessible by authorized personnel whenever required.
Authenticity and Non-repudiation:
- It means Information exchanges between parties should be done securely & can be trusted.
Information Security Policy:
- The Information Security Management Policy describes and records the organization's approach towards managing information security.
- It includes references to more specific Underpinning Information Security Policies.
Underpinning Information Security Policy:
- Underpinning Information Security Policies are specific policies complementing the organization's primary ITIL Security Management Policy, by setting binding rules for the use of systems and information.
- It also defines rules for the use and delivery of services.
- The main aim is to improve information security.
Information Security Report:
- The Information Security Report provides a detailed analysis report of Information Security issues, and shares that with other Service Management processes and IT Management.
Security Advisories:
- A list of known security vulnerabilities compiled from inputs by third-party product suppliers.
- The list contains instructions for preventive measures and for the handling of security breaches once they occur.
Security Alert:
- A warning raised by ITIL Information Security Management Process about future or current outbreak of security threats.
- The main purpose is to increase awareness of users and IT staffs so that they are able to identify any attack and take appropriate precautions.
Security Management Information System (SMIS):
- A virtual repository of all Information Security Management data, usually stored in multiple physical locations.
Security Baseline:
- The security level adopted by the IT organization for its own security and from the point of view of good ‘due diligence’.
- It is possible to have multiple baselines within the same organization, applied to different functions.
Security Incident:
- Any incident related to information security that may obstruct with achieving the SLA security requirements.
ITIL Information Security Management (ISM) Roles:
Information Security Manager:
- This role is the Process Owner of ITIL Information Security Management (ISM) process.
- The Information Security Manager is responsible for ensuring the confidentiality, integrity, and availability of an organization’s assets, information, data and IT services.
- Information Security Manager role has a wider scope of work than the IT service provider, generally includes monitoring & handling of paper (hard copy), building access, phone calls etc., for the entire organization.
We hope that you have enjoyed the above article describing the ITIL Information Security Management Process. Be with us to explore free training on Leading Technologies and Certifications.
Leave us some comments if you have any questions or you need further clarification on ITIL ISM process, we would be happy to help you.
If you like our articles please like our facebook and twitter page to receive notifications on recent and updated contents.