Service Design Information Security management in ITIL – ITIL Course

Service Design

Information Security Management
Information should be available to those who have been granted access to it, and it should be secured and protected so that its authenticity is maintained.
Purpose and Objectives
The purpose of Information Security Management is to align IT security with business security and ensure that information security is effectively managed in all service and IT Service Management activities.
Information Security Management (ISM) ensures that:
•   an Information Security Policy is implemented, maintained and enforced that fulfills the needs of the Business Security policy and the requirements of corporate governance.
•   awareness of the need for security within all IT services and assets is properly raised.
•   the Information Security Policy is appropriate for the needs of the organization.
•   all aspects of IT and information security within all areas of IT and Service Management activity are managed.
The objectives of Information Security Management are met when the following are properly managed:
•   Availability: Information is available and usable when required.
•   Confidentiality: Information is observed by or disclosed to only those who have a right to know.
•   Integrity: Information is complete, accurate and protected against unauthorized modification.
•   Authenticity and Non-repudiation: Business transactions, as well as information exchanges between enterprises or with partners, can be trusted.
•   Security Baselines: The security level adopted by the IT organization for its own security and from the point of view of "due diligence". It would be possible to have multiple baselines.

The information security management process should be the focal point for all IT security issues, and must ensure that an information security policy is produced, maintained and enforced that covers the use and misuse of all IT systems and services.
The information security management process should include:
•   The production, maintenance, distribution and enforcement of an information security policy and supporting security policies
•   Understanding the agreed current and future security requirements of the business and the existing business security policy and plans
•   Implementation of a set of security controls that support the information security policy and manage risks associated with access to services, information and systems
•   Documentation of all security controls, together with the operation and maintenance of the controls and their associated risks
•   Management of suppliers and contracts regarding access to systems and services, in conjunction with supplier management
•   Management of all security breaches, incidents and problems associated with all systems and services
•   The proactive improvement of security controls, and security risk management and the reduction of security risks
•   Integration of security aspects within all other ITSM processes.
Information Security Policy
Information Security Management should be driven by an Information Security Policy and a set of underpinning specific security policies.
The policy should cover all areas of security, meet the needs of the business and include the following:
•   An overall Information Security Policy
•   Use and misuse of IT assets policy
•   An access control policy
•   A password control policy
•   An email policy
•   An internet policy
•   An anti-virus policy
•   An information classification policy
•   A document classification policy
•   A remote access policy
•   A policy with regard to supplier access of IT service information and components
•   An asset disposal policy
These policies should be widely available to all customers and users and their compliance should be referred to in all SLRs, SLAs, contracts and agreements.
An Information Security Manager is responsible for ensuring that the aims of Information Security Management are met.
The responsibilities of an Information Security Manager include:
•   The achievement of the process goals.
•   Development, communication, maintenance and enforcement of the Information Security Policy.
•   Assisting in Business Impact Analysis.
•   Security Risk Management is performed in conjunction with Availability and IT Service Continuity Management.
More details on the roles of Information Security Manager:
•   Develop and maintain the Information Security Policy.
•   Communicate and publicize the Information Security Policy to other parties.
•   Identify and classify IT and information assets.
•   Assist with Business Impact Analyses.
•   Perform security risk analysis and risk management.
•   Design security controls and develop security plans.
•   Monitor and manage all security breaches.
•   Report, analyze and reduce the impact and volumes of all security incidents.
•   Promote education and awareness of security.
•   Ensure all changes are assessed for impact on all security aspects.
•   Perform security tests.
•   Participate in security reviews.
•   Maintain the integrity, confidentiality and availability of services.
•   Ensure access to services by external partners and suppliers is subject to contractual agreement.
•   Act as a focal point for all security issues.