Thursday

Some ITILv3 resources and the relation to information security



I did talk about Deming, the father of quality management, but apparently I haven't mentioned ITIL.

The Information Technology Infrastructure Library (ITIL) is a set of concepts and techniques for managing information technology (IT) infrastructure, development, and operations.

What is the relation to (information) security? Well, the security triad C-I-A (confidentiality, integrity and availability) can be supported by ITIL processes such as capacity management, problem management and change management. ITIL v3 also defines Information Security Management as a process of its own within Service Design.

Version 3 has been available since May 2007 and is an extension of version 2. If you want an overview of the Key Differences Between ITIL v2 and v3, the link above is a good place to start.

Also have a look at the ILX website, which has a nice introductory video.

For those who want to dive deeper into this framework, you can start with the excellent free e-book "An Introductory Overview of ITIL V3" (English version).

ITIL v3, published in May 2007, comprises 5 key volumes:

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement

Here are the Official ITIL Website and The ITIL Open Guide.

So here are 10 ways ITIL can improve how organizations implement and manage information security:

  1. ITIL keeps information security business and service focused. Too often, information security is perceived as a "cost center" or "hindrance" to business functions. With ITIL, business process owners and IT negotiate information security services; this ensures that the services are aligned with the business' needs.
  2. ITIL can enable organizations to develop and implement information security in a structured, clear way based on best practices. Information security staff can move from "fire fighting" mode to a more structured and planned approach.
  3. With its requirement for continuous review, ITIL can help ensure that information security measures maintain their effectiveness as requirements, environments, and threats change.
  4. ITIL establishes documented processes and agreements (such as SLAs and OLAs) that can be audited and monitored. This can help an organization understand the effectiveness of its information security program and comply with regulatory requirements (for example, HIPAA or Sarbanes-Oxley).
  5. ITIL provides a foundation upon which information security can build. It requires a number of best practices - such as Change Management, Configuration Management, and Incident Management - that can significantly improve information security. For example, a considerable number of information security issues are caused by inadequate change management, such as misconfigured servers.
  6. ITIL enables information security staff to discuss information security in terms other groups can understand and appreciate. Many managers can't "relate" to low-level details about encryption or firewall rules, but they are likely to understand and appreciate ITIL concepts such as incorporating information security into defined processes for handling problems, improving service, and maintaining SLAs. ITIL can help managers understand that information security is a key part of having a successful, well-run organization.
  7. The organized ITIL framework prevents the rushed, disorganized implementation of information security measures. ITIL requires designing and building consistent, measurable information security measures into IT services rather than after-the-fact or after an incident. This ultimately saves time, money, and effort.
  8. The reporting required by ITIL keeps an organization's management well informed about the effectiveness of their organization's information security measures. The reporting also allows management to make informed decisions about the risks their organization has.
  9. ITIL defines roles and responsibilities for information security. During an incident, it's clear who will respond and how they will do so.
  10. ITIL establishes a common language for discussing information security. This allows information security staff to communicate more effectively with internal and external business partners, such as an organization's outsourced security service provider.

Bonus (from Adventures of ITIL Imp):