SlideShare a Scribd company logo

ITIL and IT Security Architecture

Leo de Sousa, profile picture
Leo de Sousa

This paper discusses the interaction between ITIL® (Information Technology Infrastructure Library) and IT security architecture (ITSA) within the context of enterprise architecture (EA). It highlights how ITIL® provides a framework for IT service management, emphasizing best practices and continuous improvement, while ITSA focuses on securing business systems across various layers. The study illustrates the need for integrating ITIL® and ITSA to enhance organizational security and value delivery in IT services.

BusinessTechnology
1 of 7
Downloaded 123 times
1
2
3
4
5
6
7
IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 ITIL® and IT Security Architecture Leo de Sousa – IST 725 Abstract This paper describes the interaction between the IT Infrastructure Library (ITIL®) and IT Security Architecture (ITSA) within the overall context of Enterprise Architecture (EA). Enterprise Architecture provides a holistic approach to the integration and management of an organization’s strategy, business and technology. IT Security Architecture is a component of Enterprise Architecture. The EA3 Cube Framework shows how ITSA fits in a documented enterprise architecture. IT Security is considered a planning thread that is a “common activity that is present in all levels of the framework.” (Bernard, 2005, p. 42) ITIL® specifically addresses the IT service component of Enterprise Architecture. ITIL® is an approach to IT Service Management “to drive consistency, efficiency and excellence into the business of managing IT services.” (itSMF Ltd, UK Chapter, 2007, p. 3) ITIL® contains five components built around a Service Lifecycle. The components are Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. The sections of this paper are: (a) Introduction, (b) Relations between ITIL®, IT Security Architecture and Enterprise Architecture (c) Interactions of ITIL® and ITSA and (d) Conclusion. After reading this paper, the reader should have a clear understanding of how ITIL® interacts with IT Security Architecture practices within Enterprise Architecture. Introduction This paper uses Enterprise Architecture as the overarching framework to model and understand how ITIL® and IT Security Architecture interact together. Enterprise Architecture provides a holistic approach to the integration and management of an organization’s strategy, business and technology. EA addresses “policy, planning, decision-making and resource development that is useful to executives, line managers, and support staff.” (Bernard, 2005, p. 33) IT Infrastructure Library (ITIL®) was developed by the UK Office of Government Commerce in the 1980’s. The current version is ITIL® V3 and is a major rewrite from ITIL® V2. IT Infrastructure Library (ITIL®) “provides a framework of Best Practice guidance for IT Service Management and since its creation, ITIL® has grown to become the most widely accepted approach to IT Service Management in the world.” (itSMF Ltd, UK Chapter, 2007, p. 2) ITIL® suggests organizations take a holistic approach to IT service management with a focus on value to customers. Services have two value measures: • Utility – is the service delivering the required functionality? “fit for purpose” • Warranty – is the service delivered in the expected timeframe, in a secure manner and available for customers when necessary? “fit for use” Leo de Sousa Page 1
IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 ITIL® contains five components built around a Service Lifecycle. The components are Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. IT Security Architecture “is the art and science of designing and supervising the construction of business systems, usually business information systems, which are: free from danger, damage, etc.; free from fear, care, etc.; in safe custody; not likely to fail; able to be relied upon; safe from attack.” (Sherwood, Clark, & Lynas, 2005, p. 2) The SABSA® Model captures IT Security Architecture in six layers: Contextual Security Architecture, Conceptual Security Architecture, Logical Security Architecture, Physical Security Architecture, Component Architecture and Operational Security Architecture. (Sherwood, Clark, & Lynas, 2005, p. 34) (SABSA, 2012) Components of IT Security Architecture reside within parts of the ITIL® Service Lifecycle and both reside in the Enterprise Architecture framework which encompasses the entire business. Relations between ITIL®, IT Security Architecture and Enterprise Architecture The EA3 Cube Documentation Framework (Bernard, 2005, p. 38) provides an excellent framework for understanding the interactions between ITIL® and ITSA. The EA3 Cube describes an Enterprise Architecture by documenting the current state and future state of an enterprise as well as creating a management plan for change. Here is an image of the EA3 Cube Documentation Framework and the ITIL® V3 Framework: Looking at the EA3 Cube, we can see how each component interacts when modeling an organization. ITIL® suggests IT Service Management best practices for the Service Lifecycle for Services, Data and Information, Systems and Applications, Networks and Infrastructure and Security/Standards in the EA framework. IT Security Architecture (ITSA) is one of the planning threads in the EA3 Cube framework. IT Security Architecture helps identify issues and the risks that could impact a company and its partners. ITSA also provides a framework for planning and implementing secure business practices. Integrating ITSA and ITIL® enables a business to Leo de Sousa Page 2 focus on best practices in security and IT service management to deliver value.
IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 The diagram below represents the relationships between EAITILITSA. •Assets (What) •Process (How) EA (S+B+T) •Location (Where) •People (Who) •Time (When) •Motivation (Why) •Service Strategy ITIL (ITSM) •Service Design •Service Transition •Service Operation •Continual Service Improvement •Contextual Security Architecture •Conceptual Security Architecture ITSA (CIA) •Logical Security Architecture •Physical Security Architecture •Component Architecture •Operational Security Architecture Interactions of ITIL® and ITSA This section explores the impacts of ITIL® on ITSA. The table below lists all the ITIL processes by component type - interactions with ITSA are bolded. (Clinch, 2009, pp. 16-17) Service Strategy Service Design Service Service Continual Service Transition Operations Improvement Demand Mgmt Service Catalogue Knowledge Mgmt Incident Mgmt Service Mgmt Measurement Financial Mgmt Service Level Change Mgmt Problem Mgmt Service Reporting Mgmt Strategy Capacity Mgmt Asset and Event Mgmt Service Generation Configuration Improvement Mgmt Service Portfolio Availability Release and Request Mgmt Mgmt Deployment Fulfillment Mgmt Service Transition Access Mgmt Continuity Mgmt Planning and Support Information Service Operations Mgmt Security Mgmt Validation and Testing Supplier Mgmt Evaluation Service Desk Application Mgmt Technical Mgmt IT Operations Leo de Sousa Page 3
IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 Service Strategy ITIL® defines Service Strategy as “collaboration between business strategists and IT to develop IT service strategies that support the business strategy.” (Kneller, 2010, p. 3) This section of ITIL® only has generalized references to IT security architecture. There is one specific reference to in the Service Value section: “Service Warranty: how the service is delivered and its fitness for use, in terms of availability, capacity, continuity and security.” (itSMF Ltd, UK Chapter, 2007, p. 14) The intent is security is considered a part of the strategy for creating valuable services for the organization. Service Design ITIL® defines Service Design as “designing the overarching IT architecture and each IT service to meet customers’ business objectives by being both fit for purpose (utility) and fit for use (warranty).” (Kneller, 2010, p. 4) Availability Management, IT Service Continuity Management and Information Security Management processes in ITIL® all provide guidance for implementing security practices. • Availability Management – considers both reactive and proactive activities to ensure services are available for use. IT security architecture provides proactive guidance to protect services as well as responding to security attacks or breaches that compromise a service (e.g. Denial of Service attacks) • IT Service Continuity Management – considers ongoing recovery capabilities for services. IT security architecture guides the design of recovery capabilities and infrastructures to ensure that services can be recovered and delivered securely • Information Security Management – is the main ITIL® process for IT security architecture. This process seeks to align IT security with business security and protect the information assets for all services. This process uses the CIA (confidentiality, integrity, availability) model to suggest best practices of IT security in services. Service Transition ITIL® defines Service Transition as “managing and controlling changes into the live IT operational environment, including the development and transition of new or changed IT services.” (Kneller, 2010, p. 4) Knowledge Management, Change Management, Asset and Configuration Management, Release and Deployment Management and Service Validation and Testing processes all have IT security architecture components. • Knowledge Management – ensures that the correct person has access to the right knowledge, at the correct time to deliver and support business services. This process uses the IT Security Architecture CIA (confidentiality, integrity, availability) model to suggest best practices for information security • Change Management – delivers standard and secure methods to manage change to services. IT security architecture should be integrated with Change Management processes to ensure that introduction of new configuration items do not increase the risk to the services they support. IT security reviews are also important for reviewing Leo de Sousa Page 4
IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 changes to existing services to maintain the agreed upon security levels. IT security architecture must be considered for all levels of change from strategic to tactical to operational. Effective implementation of this process limits unauthorized changes that could create security risks. • Asset and Configuration Management – accounts for service assets and configuration items to protect their integrity for the service lifecycle. IT Security architecture integrates with this process especially when considering Data and Information Architecture, Systems and Application Architecture and Networks and Infrastructure Architecture segments. Being able to identify, control and account for corporate information assets protects companies from security breaches, data leakage and information security compliance failures. Creating a Configuration Management System to record and track all configuration items used to deliver services is a key function for security. • Release and Deployment Management – ensures that changes are securely released into the production environment that supports business services. Implementing auditing and release controls following IT security best practices align this ITIL® process with ITSA. Effective implementation of this process limits unauthorized changes that could create security risks. • Service Validation and Testing – provides objective evidence that services are meeting their established service level agreements for functionality, availability, continuity, security and usability. Conducting security audits including penetration tests are examples of how ITSA and this ITIL® process interact. Service Operations ITIL® defines Service Operations as “delivering and supporting operational IT services in such a way that they meet business needs and expectations and deliver forecasted business benefits.” (Kneller, 2010, p. 4) Incident Management, Problem Management, Event Management and Access Management processes in ITIL® all use guidance from information security practices. • Incident Management – restores normal service as quickly as possible so that business impacts are minimized. Incidents can come from any part of the business. When they are IT security related, the IT service desk and security teams initiate an incident response process: identification, containment, eradication and recovery. (Killmeyer, 2006, p. 215) Security incidents can range from external attacks, data breaches (e.g. FIPPA and HIPPA compliance), internal attacks and copyright violations. • Problem Management – determines the root causes of incidents, recommends changes to resolve the issue and provides workarounds if a resolution cannot be found. The IT security team takes a lead in this process for security problems. The focus in this process is the eradication of the problem by implementing new security practises and technology. This process initiates the Change Management process when resolutions need to put into production. • Event Management – depends on monitoring of configuration items and services. The process generates notifications about changes and initiates the Incident Management process. This process relates to proactive security monitoring and logging. If a monitored security alert is triggered, the IT service desk and security team initiate the Incident Management process for a security incident. Leo de Sousa Page 5
IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 • Access Management – provides the access rights for people to use services while blocking non-authorized access. Specifically, this ITIL® process manages privileges using the CIA model – confidentiality, integrity, availability to protect data and assets. Other IT security practices like auditing and logging access are practiced in this process. Continual Service Improvement ITIL® defines Continual Service Improvement as “learning from experience and adopting an approach which ensures continual improvement of IT services.” (Kneller, 2010, p. 4) This component of ITIL® focuses on continual evaluation and improvement of services and value to customers. ITIL® suggests a 7-Step Improvement Process to “collect meaningful data, analyze this data to identify trends and issues, present the information to management for their prioritization and agreement and implement improvements.” (itSMF Ltd, UK Chapter, 2007, p. 36) This approach could be taken to continuously improve IT security architecture practices. The Continual Service Improvement component of ITIL® only has generalized references to IT security architecture. There is a section that advocates the use of Standards. There are a series of Security standards that ITIL relates with the main standards family being ISO/IEC 27000 Information Security Management. Here are some of the related standards that ITIL® leverages: (Clinch, 2009, pp. 18-19) • ISO/IEC 27001:2005 Information Security Management Systems – Requirements • ISO/IEC 27002:2005 Code of Practice for Information Security Management • ISO/IEC 27005:2008 Information Security Risk Management • ISO/IEC 27006:2007 Requirements for Bodies Providing Audit and Certification of Information Security Management Systems • ISO/IEC 27799:2008 Health Informatics – Information Security Management in Health Using ISO/IEC 27002 Conclusion Enterprise Architecture models and documents all the parts of an organization not just the IT components. As such, it provides a guiding framework for understanding the interactions between the various components of an organization, how IT service management is implemented (ITIL®) and how IT security architecture is deployed. Many organizations see IT security as purely an IT function and the result is a failure to adequately implement a holistic approach to securing the business. “If we take to heart ITIL’s message that a service is something that delivers business value by improving customer outcomes, we should be seeking to position ISM (information security management) as a business activity that directly contributes towards the delivery of enhanced business value to customers.” (Clinch, 2009, p. 8) Leo de Sousa Page 6
IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 ITIL® interacts effectively with IT Security Architecture in Service Design, Service Transition and Service Operations and has some influence in Service Strategy and Continual Service Improvement. Here are the ITIL® processes with strong IT security architecture interactions. Service Design Service Transition Service Operations Availability Mgmt Knowledge Mgmt Incident Mgmt Service Continuity Mgmt Change Mgmt Problem Mgmt Information Security Mgmt Asset and Configuration Mgmt Event Mgmt Release and Deployment Mgmt Access Mgmt Service Validation and Testing ITIL® leverages many of the existing and evolving IT Security standards particularly from the ISO/IEC 27k family. “Awareness and consideration of security risks and issues are background obligations for every step of successful IT Service Management under ITIL®.” (Clinch, 2009, p. 20) References Bernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL: AuthorHouse. Clinch, J. (2009, May). ITIL V3 and Information Security. Retrieved from Best Management Practice: http://www.best-management- practice.com/gempdf/ITILV3_and_Information_Security_White_Paper_May09.pdf itSMF Ltd, UK Chapter. (2007). An Introductory Overview of ITIL V3. Retrieved from Best Management Practice: http://www.best-management- practice.com/gempdf/itSMF_An_Introductory_Overview_of_ITIL_V3.pdf Killmeyer, J. (2006). Information Security Architecture 2nd Edition. Boca Raton: Auerbach Publications. Kneller, M. (2010, Sept). Executive Briefing: The Benefits of ITIL. Retrieved from Best Management Practice: http://www.best-management- practice.com/gempdf/OGC_Executive_Briefing_Benefits_of_ITIL.pdf SABSA. (2012). SABSA Matrix. Retrieved from SABSA: http://www.sabsa.org/the-sabsa- method/the-sabsa-matrix.aspx Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture A Business-Driven Approach. San Francisco: CMP Books. Leo de Sousa Page 7

More Related Content

PDF
Strategic governance performance_management_systems
Ramsés Gallego
 
PDF
Culture structure strategy_for_a_grc_program
Ramsés Gallego
 
PDF
Combining Itil And Six Sigma To Improve
Ahmad Refai
 
PPTX
IBM Smarter Business 2012 - PureSystems - PureData
IBM Sverige
 
PDF
Itil Overview Johannesburg November 2009
robertryan25
 
PDF
ITIL V3 Highlights
geoffharmer
 
PPT
PCTY 2012 keynote præsentation
IBM Danmark
 
PDF
M2MSys ITIL Executive Summary
Filipe Pinto
 
Strategic governance performance_management_systems
Ramsés Gallego
 
Culture structure strategy_for_a_grc_program
Ramsés Gallego
 
Combining Itil And Six Sigma To Improve
Ahmad Refai
 
IBM Smarter Business 2012 - PureSystems - PureData
IBM Sverige
 
Itil Overview Johannesburg November 2009
robertryan25
 
ITIL V3 Highlights
geoffharmer
 
PCTY 2012 keynote præsentation
IBM Danmark
 
M2MSys ITIL Executive Summary
Filipe Pinto
 

What's hot (20)

PDF
From technology risk_to_enterprise_risk_the_new_frontier
Ramsés Gallego
 
PDF
Soa Governance And Security V1.1
Dr. Mehmet Yildiz
 
PDF
Chris Madrid Master Data Management
SOA Symposium
 
PDF
IT Controls Cloud Webinar - ISACA
Ramsés Gallego
 
PPT
Global forum 2012: Gaetano Santucci
GlobalForum
 
PDF
How to implement effective ITSM System
Ana Meskovska
 
PDF
The Perfect Storm
Ramsés Gallego
 
PDF
ITIL overview
QAI
 
PPTX
Technology in support of utilities challenges
Aitor Ibañez
 
PDF
Expanding mission critical ci
HP ESSN Philippines
 
PPT
Itil v3 versus itil v2 overview
Dr Richard Motie
 
PPTX
Guerilla Marketing of Enterprise Architecture Management
Christian Kählig
 
PDF
4. it governance a compass without a map v.2.6 pink elephant
aventia
 
PPTX
IBM Software Day 2013. Turning opportunities into outcomes
IBM (Middle East and Africa)
 
PDF
Integrated Service Management for zEnterprise will be key for Cloud success
dkang
 
PDF
Benno Zollner - Reshaping IT
Fujitsu France
 
PDF
Integrating ITSM Frameworks, Standards and Processes - ITSM Academy Webinar
ITSM Academy, Inc.
 
PDF
Smarter Software for Smarter Governments
IBMGovernmentCA
 
PDF
Luis lima v3
EuroCloud
 
PDF
Overview of IBM Capabilities
IBMGovernmentCA
 
From technology risk_to_enterprise_risk_the_new_frontier
Ramsés Gallego
 
Soa Governance And Security V1.1
Dr. Mehmet Yildiz
 
Chris Madrid Master Data Management
SOA Symposium
 
IT Controls Cloud Webinar - ISACA
Ramsés Gallego
 
Global forum 2012: Gaetano Santucci
GlobalForum
 
How to implement effective ITSM System
Ana Meskovska
 
The Perfect Storm
Ramsés Gallego
 
ITIL overview
QAI
 
Technology in support of utilities challenges
Aitor Ibañez
 
Expanding mission critical ci
HP ESSN Philippines
 
Itil v3 versus itil v2 overview
Dr Richard Motie
 
Guerilla Marketing of Enterprise Architecture Management
Christian Kählig
 
4. it governance a compass without a map v.2.6 pink elephant
aventia
 
IBM Software Day 2013. Turning opportunities into outcomes
IBM (Middle East and Africa)
 
Integrated Service Management for zEnterprise will be key for Cloud success
dkang
 
Benno Zollner - Reshaping IT
Fujitsu France
 
Integrating ITSM Frameworks, Standards and Processes - ITSM Academy Webinar
ITSM Academy, Inc.
 
Smarter Software for Smarter Governments
IBMGovernmentCA
 
Luis lima v3
EuroCloud
 
Overview of IBM Capabilities
IBMGovernmentCA
 
Ad

Similar to ITIL and IT Security Architecture (20)

PDF
ITIL basics
Mandar Kharkar
 
PDF
Itil the basics
MaryFrances Schurb
 
PPTX
Itil v3
Peleg
 
PPTX
Introduction to ITIL
Chris Jones
 
PPT
Itil overview
Mark Mehmet
 
PDF
Itil the basics
Alvaro Cesar Castro Alves
 
PDF
ITIL 2011 Foundation All Volumes - Signed
Mohammed Sirajudeen
 
PDF
Itil the basics
darshan185
 
PPT
ThinkFaculty ITIL Training Course IBM
Zyma Arsalan
 
PDF
itil2011foundation-allvolumes-signed-131020235516-phpapp01 (1)
Krishna Sujeer
 
PPTX
ITIL BASICS AND COMPLETE PROCESS UNDERSTANDING
shilusarat
 
PPT
ITIL V3 Overview
RamPrasad Kurakula
 
PDF
Download Full Service Operation Book ITIL 1st Edition Office Of Government Co...
chlalapasaco
 
PPT
Information technology Infrastructure library{itil}
Arshad Havaldar
 
PDF
ITIL - The impact of it services management
Danilo Mesquita
 
PPTX
ITIL v3 - Introduction.pptx
ssuser10c466
 
PDF
IBM Service Management Paper
wdpowel
 
PDF
Service Operation Book Itil 1st Edition Office Of Government Commerce
almlkypoppi
 
PDF
Service Operation Book ITIL 1st Edition Office Of Government Commerce
vatanilebdi
 
PPS
Introduction to ITIL v3 Foundation exam
Kadimil
 
ITIL basics
Mandar Kharkar
 
Itil the basics
MaryFrances Schurb
 
Itil v3
Peleg
 
Introduction to ITIL
Chris Jones
 
Itil overview
Mark Mehmet
 
Itil the basics
Alvaro Cesar Castro Alves
 
ITIL 2011 Foundation All Volumes - Signed
Mohammed Sirajudeen
 
Itil the basics
darshan185
 
ThinkFaculty ITIL Training Course IBM
Zyma Arsalan
 
itil2011foundation-allvolumes-signed-131020235516-phpapp01 (1)
Krishna Sujeer
 
ITIL BASICS AND COMPLETE PROCESS UNDERSTANDING
shilusarat
 
ITIL V3 Overview
RamPrasad Kurakula
 
Download Full Service Operation Book ITIL 1st Edition Office Of Government Co...
chlalapasaco
 
Information technology Infrastructure library{itil}
Arshad Havaldar
 
ITIL - The impact of it services management
Danilo Mesquita
 
ITIL v3 - Introduction.pptx
ssuser10c466
 
IBM Service Management Paper
wdpowel
 
Service Operation Book Itil 1st Edition Office Of Government Commerce
almlkypoppi
 
Service Operation Book ITIL 1st Edition Office Of Government Commerce
vatanilebdi
 
Introduction to ITIL v3 Foundation exam
Kadimil
 
Ad

More from Leo de Sousa (17)

PDF
Smart Communities Roadshow 2019 - Vancouver
Leo de Sousa
 
PDF
UAE Higher Education CIO Council Ankabut Users Meeting October 2013
Leo de Sousa
 
PPTX
Create a roadmap for ea using capability maturity models
Leo de Sousa
 
PDF
Canadian Red Cross Tainted Blood Scandal
Leo de Sousa
 
PDF
Planning A Secure Partner Portal
Leo de Sousa
 
PDF
Effective IT Security Governance
Leo de Sousa
 
PDF
BYOD for Employees
Leo de Sousa
 
PDF
Motivating Strategic Practice Development Using CMM
Leo de Sousa
 
PDF
Rewards for Information Workers
Leo de Sousa
 
PDF
Flexible Leadership
Leo de Sousa
 
PDF
Ford and GM A Comparison of 2 Fortune 500 Companies
Leo de Sousa
 
PPT
EA - A Year of Growth
Leo de Sousa
 
PPSX
IT Service Management Overview
Leo de Sousa
 
PPTX
Intrinsic Motivation Using Personal Learning Plans
Leo de Sousa
 
PPTX
Enterprise Architecture And The Business Analyst
Leo de Sousa
 
PPT
BCIT Application Portfolio Mgmt
Leo de Sousa
 
PPT
BCIT Technology Management
Leo de Sousa
 
Smart Communities Roadshow 2019 - Vancouver
Leo de Sousa
 
UAE Higher Education CIO Council Ankabut Users Meeting October 2013
Leo de Sousa
 
Create a roadmap for ea using capability maturity models
Leo de Sousa
 
Canadian Red Cross Tainted Blood Scandal
Leo de Sousa
 
Planning A Secure Partner Portal
Leo de Sousa
 
Effective IT Security Governance
Leo de Sousa
 
BYOD for Employees
Leo de Sousa
 
Motivating Strategic Practice Development Using CMM
Leo de Sousa
 
Rewards for Information Workers
Leo de Sousa
 
Flexible Leadership
Leo de Sousa
 
Ford and GM A Comparison of 2 Fortune 500 Companies
Leo de Sousa
 
EA - A Year of Growth
Leo de Sousa
 
IT Service Management Overview
Leo de Sousa
 
Intrinsic Motivation Using Personal Learning Plans
Leo de Sousa
 
Enterprise Architecture And The Business Analyst
Leo de Sousa
 
BCIT Application Portfolio Mgmt
Leo de Sousa
 
BCIT Technology Management
Leo de Sousa
 

Recently uploaded (20)

PPTX
Amazon (Business Studies) management studies
AbhirupVerma
 
PDF
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
PDF
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
PDF
Nidhal Samdaie CV - International Business Consultant
Nidhal Samdaie
 
PPTX
HR Introduction Slide (1).pptx on hr intro
suhanidwivedi227
 
PPTX
Business Ethics - An introduction and its overview.pptx
Keerthana Chinnathambi
 
PDF
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
thaoonguyenn2311
 
PPTX
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
PPTX
The Marketing Journey - Tracey Phillips - Marketing Matters 7-2025.pptx
shannonzipoy2
 
PPTX
New Microsoft PowerPoint Presentation - Copy.pptx
itsmesumedh96
 
PPTX
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
PDF
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
FINNOMENAMarketing
 
PDF
Unit 1 Cost Accounting - Cost sheet
MANJU N
 
PPT
340036916-American-Literature-Literary-Period-Overview.ppt
carinaherdiles611
 
PDF
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
PPTX
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
kaniece
 
PDF
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Claight Corporation
 
PPT
Chapter four Project-Preparation material
argachewbochena1
 
PDF
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
PDF
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Dr. Enrique Segura Ense Group
 
Amazon (Business Studies) management studies
AbhirupVerma
 
kom-180-proposal-for-a-directive-amending-directive-2014-45-eu-and-directive-...
nlusch08
 
Reconciliation AND MEMORANDUM RECONCILATION
MANJU N
 
Nidhal Samdaie CV - International Business Consultant
Nidhal Samdaie
 
HR Introduction Slide (1).pptx on hr intro
suhanidwivedi227
 
Business Ethics - An introduction and its overview.pptx
Keerthana Chinnathambi
 
pdfcoffee.com-opt-b1plus-sb-answers.pdfvi
thaoonguyenn2311
 
Belch_12e_PPT_Ch18_Accessible_university.pptx
Haitham327103
 
The Marketing Journey - Tracey Phillips - Marketing Matters 7-2025.pptx
shannonzipoy2
 
New Microsoft PowerPoint Presentation - Copy.pptx
itsmesumedh96
 
AI-assistance in Knowledge Collection and Curation supporting Safe and Sustai...
Barry Hardy
 
20250805_A. Stotz All Weather Strategy - Performance review July 2025.pdf
FINNOMENAMarketing
 
Unit 1 Cost Accounting - Cost sheet
MANJU N
 
340036916-American-Literature-Literary-Period-Overview.ppt
carinaherdiles611
 
COST SHEET- Tender and Quotation unit 2.pdf
MANJU N
 
job Avenue by vinith.pptxvnbvnvnvbnvbnbmnbmbh
kaniece
 
Stem Cell Market Report | Trends, Growth & Forecast 2025-2034
Claight Corporation
 
Chapter four Project-Preparation material
argachewbochena1
 
Katrina Stoneking: Shaking Up the Alcohol Beverage Industry
CIO WOMEN MAGAIZNE CIO WOMEN MAGAIZNE
 
Dr. Enrique Segura Ense Group - A Self-Made Entrepreneur And Executive
Dr. Enrique Segura Ense Group
 

ITIL and IT Security Architecture

  • 1. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 ITIL® and IT Security Architecture Leo de Sousa – IST 725 Abstract This paper describes the interaction between the IT Infrastructure Library (ITIL®) and IT Security Architecture (ITSA) within the overall context of Enterprise Architecture (EA). Enterprise Architecture provides a holistic approach to the integration and management of an organization’s strategy, business and technology. IT Security Architecture is a component of Enterprise Architecture. The EA3 Cube Framework shows how ITSA fits in a documented enterprise architecture. IT Security is considered a planning thread that is a “common activity that is present in all levels of the framework.” (Bernard, 2005, p. 42) ITIL® specifically addresses the IT service component of Enterprise Architecture. ITIL® is an approach to IT Service Management “to drive consistency, efficiency and excellence into the business of managing IT services.” (itSMF Ltd, UK Chapter, 2007, p. 3) ITIL® contains five components built around a Service Lifecycle. The components are Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. The sections of this paper are: (a) Introduction, (b) Relations between ITIL®, IT Security Architecture and Enterprise Architecture (c) Interactions of ITIL® and ITSA and (d) Conclusion. After reading this paper, the reader should have a clear understanding of how ITIL® interacts with IT Security Architecture practices within Enterprise Architecture. Introduction This paper uses Enterprise Architecture as the overarching framework to model and understand how ITIL® and IT Security Architecture interact together. Enterprise Architecture provides a holistic approach to the integration and management of an organization’s strategy, business and technology. EA addresses “policy, planning, decision-making and resource development that is useful to executives, line managers, and support staff.” (Bernard, 2005, p. 33) IT Infrastructure Library (ITIL®) was developed by the UK Office of Government Commerce in the 1980’s. The current version is ITIL® V3 and is a major rewrite from ITIL® V2. IT Infrastructure Library (ITIL®) “provides a framework of Best Practice guidance for IT Service Management and since its creation, ITIL® has grown to become the most widely accepted approach to IT Service Management in the world.” (itSMF Ltd, UK Chapter, 2007, p. 2) ITIL® suggests organizations take a holistic approach to IT service management with a focus on value to customers. Services have two value measures: • Utility – is the service delivering the required functionality? “fit for purpose” • Warranty – is the service delivered in the expected timeframe, in a secure manner and available for customers when necessary? “fit for use” Leo de Sousa Page 1
  • 2. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 ITIL® contains five components built around a Service Lifecycle. The components are Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. IT Security Architecture “is the art and science of designing and supervising the construction of business systems, usually business information systems, which are: free from danger, damage, etc.; free from fear, care, etc.; in safe custody; not likely to fail; able to be relied upon; safe from attack.” (Sherwood, Clark, & Lynas, 2005, p. 2) The SABSA® Model captures IT Security Architecture in six layers: Contextual Security Architecture, Conceptual Security Architecture, Logical Security Architecture, Physical Security Architecture, Component Architecture and Operational Security Architecture. (Sherwood, Clark, & Lynas, 2005, p. 34) (SABSA, 2012) Components of IT Security Architecture reside within parts of the ITIL® Service Lifecycle and both reside in the Enterprise Architecture framework which encompasses the entire business. Relations between ITIL®, IT Security Architecture and Enterprise Architecture The EA3 Cube Documentation Framework (Bernard, 2005, p. 38) provides an excellent framework for understanding the interactions between ITIL® and ITSA. The EA3 Cube describes an Enterprise Architecture by documenting the current state and future state of an enterprise as well as creating a management plan for change. Here is an image of the EA3 Cube Documentation Framework and the ITIL® V3 Framework: Looking at the EA3 Cube, we can see how each component interacts when modeling an organization. ITIL® suggests IT Service Management best practices for the Service Lifecycle for Services, Data and Information, Systems and Applications, Networks and Infrastructure and Security/Standards in the EA framework. IT Security Architecture (ITSA) is one of the planning threads in the EA3 Cube framework. IT Security Architecture helps identify issues and the risks that could impact a company and its partners. ITSA also provides a framework for planning and implementing secure business practices. Integrating ITSA and ITIL® enables a business to Leo de Sousa Page 2 focus on best practices in security and IT service management to deliver value.
  • 3. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 The diagram below represents the relationships between EAITILITSA. •Assets (What) •Process (How) EA (S+B+T) •Location (Where) •People (Who) •Time (When) •Motivation (Why) •Service Strategy ITIL (ITSM) •Service Design •Service Transition •Service Operation •Continual Service Improvement •Contextual Security Architecture •Conceptual Security Architecture ITSA (CIA) •Logical Security Architecture •Physical Security Architecture •Component Architecture •Operational Security Architecture Interactions of ITIL® and ITSA This section explores the impacts of ITIL® on ITSA. The table below lists all the ITIL processes by component type - interactions with ITSA are bolded. (Clinch, 2009, pp. 16-17) Service Strategy Service Design Service Service Continual Service Transition Operations Improvement Demand Mgmt Service Catalogue Knowledge Mgmt Incident Mgmt Service Mgmt Measurement Financial Mgmt Service Level Change Mgmt Problem Mgmt Service Reporting Mgmt Strategy Capacity Mgmt Asset and Event Mgmt Service Generation Configuration Improvement Mgmt Service Portfolio Availability Release and Request Mgmt Mgmt Deployment Fulfillment Mgmt Service Transition Access Mgmt Continuity Mgmt Planning and Support Information Service Operations Mgmt Security Mgmt Validation and Testing Supplier Mgmt Evaluation Service Desk Application Mgmt Technical Mgmt IT Operations Leo de Sousa Page 3
  • 4. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 Service Strategy ITIL® defines Service Strategy as “collaboration between business strategists and IT to develop IT service strategies that support the business strategy.” (Kneller, 2010, p. 3) This section of ITIL® only has generalized references to IT security architecture. There is one specific reference to in the Service Value section: “Service Warranty: how the service is delivered and its fitness for use, in terms of availability, capacity, continuity and security.” (itSMF Ltd, UK Chapter, 2007, p. 14) The intent is security is considered a part of the strategy for creating valuable services for the organization. Service Design ITIL® defines Service Design as “designing the overarching IT architecture and each IT service to meet customers’ business objectives by being both fit for purpose (utility) and fit for use (warranty).” (Kneller, 2010, p. 4) Availability Management, IT Service Continuity Management and Information Security Management processes in ITIL® all provide guidance for implementing security practices. • Availability Management – considers both reactive and proactive activities to ensure services are available for use. IT security architecture provides proactive guidance to protect services as well as responding to security attacks or breaches that compromise a service (e.g. Denial of Service attacks) • IT Service Continuity Management – considers ongoing recovery capabilities for services. IT security architecture guides the design of recovery capabilities and infrastructures to ensure that services can be recovered and delivered securely • Information Security Management – is the main ITIL® process for IT security architecture. This process seeks to align IT security with business security and protect the information assets for all services. This process uses the CIA (confidentiality, integrity, availability) model to suggest best practices of IT security in services. Service Transition ITIL® defines Service Transition as “managing and controlling changes into the live IT operational environment, including the development and transition of new or changed IT services.” (Kneller, 2010, p. 4) Knowledge Management, Change Management, Asset and Configuration Management, Release and Deployment Management and Service Validation and Testing processes all have IT security architecture components. • Knowledge Management – ensures that the correct person has access to the right knowledge, at the correct time to deliver and support business services. This process uses the IT Security Architecture CIA (confidentiality, integrity, availability) model to suggest best practices for information security • Change Management – delivers standard and secure methods to manage change to services. IT security architecture should be integrated with Change Management processes to ensure that introduction of new configuration items do not increase the risk to the services they support. IT security reviews are also important for reviewing Leo de Sousa Page 4
  • 5. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 changes to existing services to maintain the agreed upon security levels. IT security architecture must be considered for all levels of change from strategic to tactical to operational. Effective implementation of this process limits unauthorized changes that could create security risks. • Asset and Configuration Management – accounts for service assets and configuration items to protect their integrity for the service lifecycle. IT Security architecture integrates with this process especially when considering Data and Information Architecture, Systems and Application Architecture and Networks and Infrastructure Architecture segments. Being able to identify, control and account for corporate information assets protects companies from security breaches, data leakage and information security compliance failures. Creating a Configuration Management System to record and track all configuration items used to deliver services is a key function for security. • Release and Deployment Management – ensures that changes are securely released into the production environment that supports business services. Implementing auditing and release controls following IT security best practices align this ITIL® process with ITSA. Effective implementation of this process limits unauthorized changes that could create security risks. • Service Validation and Testing – provides objective evidence that services are meeting their established service level agreements for functionality, availability, continuity, security and usability. Conducting security audits including penetration tests are examples of how ITSA and this ITIL® process interact. Service Operations ITIL® defines Service Operations as “delivering and supporting operational IT services in such a way that they meet business needs and expectations and deliver forecasted business benefits.” (Kneller, 2010, p. 4) Incident Management, Problem Management, Event Management and Access Management processes in ITIL® all use guidance from information security practices. • Incident Management – restores normal service as quickly as possible so that business impacts are minimized. Incidents can come from any part of the business. When they are IT security related, the IT service desk and security teams initiate an incident response process: identification, containment, eradication and recovery. (Killmeyer, 2006, p. 215) Security incidents can range from external attacks, data breaches (e.g. FIPPA and HIPPA compliance), internal attacks and copyright violations. • Problem Management – determines the root causes of incidents, recommends changes to resolve the issue and provides workarounds if a resolution cannot be found. The IT security team takes a lead in this process for security problems. The focus in this process is the eradication of the problem by implementing new security practises and technology. This process initiates the Change Management process when resolutions need to put into production. • Event Management – depends on monitoring of configuration items and services. The process generates notifications about changes and initiates the Incident Management process. This process relates to proactive security monitoring and logging. If a monitored security alert is triggered, the IT service desk and security team initiate the Incident Management process for a security incident. Leo de Sousa Page 5
  • 6. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 • Access Management – provides the access rights for people to use services while blocking non-authorized access. Specifically, this ITIL® process manages privileges using the CIA model – confidentiality, integrity, availability to protect data and assets. Other IT security practices like auditing and logging access are practiced in this process. Continual Service Improvement ITIL® defines Continual Service Improvement as “learning from experience and adopting an approach which ensures continual improvement of IT services.” (Kneller, 2010, p. 4) This component of ITIL® focuses on continual evaluation and improvement of services and value to customers. ITIL® suggests a 7-Step Improvement Process to “collect meaningful data, analyze this data to identify trends and issues, present the information to management for their prioritization and agreement and implement improvements.” (itSMF Ltd, UK Chapter, 2007, p. 36) This approach could be taken to continuously improve IT security architecture practices. The Continual Service Improvement component of ITIL® only has generalized references to IT security architecture. There is a section that advocates the use of Standards. There are a series of Security standards that ITIL relates with the main standards family being ISO/IEC 27000 Information Security Management. Here are some of the related standards that ITIL® leverages: (Clinch, 2009, pp. 18-19) • ISO/IEC 27001:2005 Information Security Management Systems – Requirements • ISO/IEC 27002:2005 Code of Practice for Information Security Management • ISO/IEC 27005:2008 Information Security Risk Management • ISO/IEC 27006:2007 Requirements for Bodies Providing Audit and Certification of Information Security Management Systems • ISO/IEC 27799:2008 Health Informatics – Information Security Management in Health Using ISO/IEC 27002 Conclusion Enterprise Architecture models and documents all the parts of an organization not just the IT components. As such, it provides a guiding framework for understanding the interactions between the various components of an organization, how IT service management is implemented (ITIL®) and how IT security architecture is deployed. Many organizations see IT security as purely an IT function and the result is a failure to adequately implement a holistic approach to securing the business. “If we take to heart ITIL’s message that a service is something that delivers business value by improving customer outcomes, we should be seeking to position ISM (information security management) as a business activity that directly contributes towards the delivery of enhanced business value to customers.” (Clinch, 2009, p. 8) Leo de Sousa Page 6
  • 7. IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012 ITIL® interacts effectively with IT Security Architecture in Service Design, Service Transition and Service Operations and has some influence in Service Strategy and Continual Service Improvement. Here are the ITIL® processes with strong IT security architecture interactions. Service Design Service Transition Service Operations Availability Mgmt Knowledge Mgmt Incident Mgmt Service Continuity Mgmt Change Mgmt Problem Mgmt Information Security Mgmt Asset and Configuration Mgmt Event Mgmt Release and Deployment Mgmt Access Mgmt Service Validation and Testing ITIL® leverages many of the existing and evolving IT Security standards particularly from the ISO/IEC 27k family. “Awareness and consideration of security risks and issues are background obligations for every step of successful IT Service Management under ITIL®.” (Clinch, 2009, p. 20) References Bernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL: AuthorHouse. Clinch, J. (2009, May). ITIL V3 and Information Security. Retrieved from Best Management Practice: http://www.best-management- practice.com/gempdf/ITILV3_and_Information_Security_White_Paper_May09.pdf itSMF Ltd, UK Chapter. (2007). An Introductory Overview of ITIL V3. Retrieved from Best Management Practice: http://www.best-management- practice.com/gempdf/itSMF_An_Introductory_Overview_of_ITIL_V3.pdf Killmeyer, J. (2006). Information Security Architecture 2nd Edition. Boca Raton: Auerbach Publications. Kneller, M. (2010, Sept). Executive Briefing: The Benefits of ITIL. Retrieved from Best Management Practice: http://www.best-management- practice.com/gempdf/OGC_Executive_Briefing_Benefits_of_ITIL.pdf SABSA. (2012). SABSA Matrix. Retrieved from SABSA: http://www.sabsa.org/the-sabsa- method/the-sabsa-matrix.aspx Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture A Business-Driven Approach. San Francisco: CMP Books. Leo de Sousa Page 7