ITIL security management (English Wikipedia)

The ITIL security management process describes the structured fitting of security into the management organization. ITIL security management is based on the ISO 27001 standard. According to ISO.ORG, "ISO/IEC 27001:2005 covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations). ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties."
A basic concept of security management is information security. The primary goal of information security is to guarantee the safety of information. When protecting information, it is the value of the information that must be protected. These values are stipulated by confidentiality, integrity and availability. Inferred aspects are privacy, anonymity and verifiability.
The goal of security management is split into two parts:
# The realization of the security requirements defined in the service level agreement (SLA) and other external requirements which are specified in underpinning contracts, legislation and any internally or externally imposed policies.
# The realization of a basic level of security. This is necessary to guarantee the continuity of the management organization. It is also necessary in order to reach a simplified service-level management for information security, as it is easier to manage a limited number of SLAs than a large number of SLAs.
The input of the security management process is formed by the SLAs with the specified security requirements, legislation documents (if applicable) and other (external) underpinning contracts. These requirements can also act as key performance indicators (KPIs), which can be used for process management and for the justification of the results of the security management process.
The output provides justification information on the realization of the SLAs and a report with deviations from the requirements.
The security management process has relations with almost all other ITIL processes. However, in this particular section the most obvious relations are those to the service level management process, the incident management process and the change management process.
== The security management process ==

The security management process consists of activities that are carried out by the security management itself or activities that are controlled by the security management.
Because organizations and their information systems constantly change, the activities within the security management process must be revised continuously, in order to stay up-to-date and effective. Security management is a continuous process and it can be compared to W. Edwards Deming's Quality Circle (Plan, Do, Check, Act).
The inputs are the requirements which are formed by the clients. The requirements are translated into security services and the security quality that needs to be provided, as set out in the security section of the service level agreements. In the picture of the process there are arrows going both ways: from the client to the SLA and from the SLA to the client, and from the SLA to the plan sub-process and from the plan sub-process to the SLA. This means that both the client and the plan sub-process have inputs in the SLA, and the SLA is an input for both the client and the process. The provider then develops the security plans for its organization. These security plans contain the security policies and the operational level agreements. The security plans (Plan) are then implemented (Do) and the implementation is then evaluated (Check). After the evaluation, both the plans and the implementation of the plans are maintained (Act).
The activities, results/products and the process are documented. External reports are written and sent to the clients. The clients are then able to adapt their requirements based on the information received through the reports. Furthermore, the service provider can adjust their plan or the implementation based on their findings in order to satisfy all the requirements stated in the SLA (including new requirements).

Excerpt source: Wikipedia, the free encyclopedia