(SD 4.7, SO 4.5)
INTRODUCTION AND SCOPE
The security of data and information is of vital importance to any organisation and it is therefore a business decision as to what information should be protected and to what level. The business’s approach to the protection and use of data should be contained in a security policy to which everyone in the organisation should have access and the contents of which everyone should be aware. The system in place to enforce the security policy and ensure that the business’s IT security objectives are met is known as the information security management system (ISMS). Information security management supports corporate governance by ensuring that information security risks are properly managed.
Information security management and access management are separate processes in ITIL in different parts of the service lifecycle but are covered together in this chapter because of their common purpose.
PURPOSE AND OBJECTIVES
The two processes, information security management and access management have a common objective in that both are concerned with making sure that only the right people get to see information, but information security management, which is a fundamental part of the governance framework, has a much broader remit.
The objective of the information security management process is to make sure that IT security is consistent with business security, ensuring that information security is effectively managed in all service and service management activities and that information resources have effective stewardship and are properly used. This includes the identification and management of information security risks.
The purpose of information security management is primarily to be a focal point for the management of all activities concerned with information security. This is not just about protecting information resources today. It is about putting in place, maintaining and enforcing an effective information security policy. It is about understanding how the business will develop, anticipating the risks it will face, articulating how legislation and regulation will affect security requirements and making sure that information security management is able to meet these challenges of the future.
INFORMATION SECURITY MANAGEMENT AND ACCESS MANAGEMENT
Information security management ensures an effective information security policy is in place and enforced through effective, documented security controls that apply not only to in-house employees, but also to suppliers and others who have business contact with the organisation. It must ensure that any security breaches are managed promptly and effectively, and that risks are identified and documented and lessons are learned accordingly.
Access management is concerned with the management of people’s rights of access to information, and as such has common purpose not only with information security management, but also with availability management, giving practical effect to the policies and requirements of both processes. Its purpose is to ensure that the confidentiality, integrity and availability of information are effectively managed across the organisation. Data and information must not only be protected against unauthorised access and the possibility of it being stolen or changed. It must also be readily available to those who are authorised to access it.
A key part of access management is the management of people’s rights to access information and services. People who have the right, in terms of business policy and need, to access information should have that right implemented through access controls. These rights must be consistent with relevant legislation, such as data protection legislation, and must be kept under review and changed or revoked when a person’s status changes within the organisation, or when a material risk is identified.
EXAMPLE
A doctor needs access to a patient’s notes to help diagnose the possible cause of an illness and prescribe the appropriate remedy, but the confidentiality of these notes needs to be protected against access by unauthorised users. However, the patient may have a legal right to reserve access to certain information to specified individuals (e.g. HIV status, abortions, mental illness and so on).
In order for access rights to have proper effect and value, access management must ensure that people can be properly identified: that each person has a unique identity to which their rights can be attached and to which activities, legitimate or otherwise, can be traced. Identity management is critical to effective access management, preventing, for example, one person from pretending to be another and hijacking their rights to access and change information or, some would say even more importantly, to create new information. Organisations must take action to manage circumstances where access controls may be bypassed, for example where software developers require access to live systems during incident management.
EXAMPLE
In one organisation, access to payroll information was very tightly controlled, but software developers fixing faults in what was a very old piece of software had full access to all parts of the system, with the ability to access, change and create records.
IT SERVICE MANAGEMENT
The security objective of an organisation is usually considered to be met when availability, confidentiality, integrity, authenticity and non-repudiation are under control. These are defined below:
• Availability: Information is accessible and usable when required and the host systems can resist attacks and recover from or prevent failures.
• †“Confidentiality: Information is observed by or disclosed only to those who have a right to know.”
• Integrity: Information is complete, accurate and protected against unauthorised modification.
• †“Authenticity: Authenticity concerns the correct labelling or attribution of information to prevent, for example, the originator of an email making it appear that the email came from another person. Authenticity is about ensuring that business transactions, as well as information exchanges between enterprises or with partners, can be trusted.”
• †“Non-repudiation: The mechanism that prevents the originator of a transaction falsely denying that they originated it or prevents the receiver falsely denying having received it.”
THE INFORMATION SECURITY POLICY
The information security policy should support and be aligned to the business security policy. It should include policies covering the use of IT assets, email, the internet, important documents, remote access, access by third parties (such as suppliers) and asset disposal. In addition, it defines the approach to resetting passwords, maintaining anti-virus controls and classifying information. These policies should be available to all customers and users as well as to IT staff, and compliance to the policy should be referenced in all internal agreements and external contracts. The policy should be reviewed and revised on at least an annual basis.
THE INFORMATION SECURITY MANAGEMENT SYSTEM
The information security management system (ISMS – also referred to as the security framework) helps establish a cost-effective security programme to support business objectives. Figure 18.1 shows an example framework widely used and based on the ISO 27001 standard that gives the five stages of the ISMS and the scope of each stage.
The objective of the ISMS is to ensure that appropriate controls, tools and procedures are established to support the information security policy.
Figure 18.1 ISMS framework (Source: The Cabinet Office ITIL Service Design ISBN 978-0-113313-05-1)
ACCESS MANAGEMENT
Access management is the process of controlling access to data and information to ensure that authorised users have timely access while preventing access by unauthorised users. The access management process may be the responsibility of a dedicated function but is usually carried out by all technical and application management functions.
If the service desk is operating as the single point of contact, it is usual that it should receive any service requests for new or changed access rights and may also be authorised by the owner of the security policy to grant these rights.
Typically this occurs when a new person joins the organisation or a new supplier is engaged, but it may also occur when someone moves from one department to another or changes role. Access rights should be withdrawn when someone leaves the organisation.
The access management process should include monitoring access to secure information so that in the event of a security-related incident arising, the cause can be traced and any security risks discovered can be removed. Monitoring will also identify unauthorised access attempts and instances of password errors as indications of possible security threats.
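As an added illustration (not from the book) of the access management process described above: rights are attached to one unique identity per person, reissued when someone moves department and withdrawn when they leave, and the access log is then reviewed against those current rights to surface unauthorised access attempts and repeated password errors. The departments, user names and log lines are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field
ROLE_RIGHTS = {"clinical": {"patient_notes"}, "finance": {"payroll"}}  # constructed policy

@dataclass
class Identity:
    user_id: str          # one unique identity per person; activity is traced to it
    department: str
    rights: set = field(default_factory=set)
    active: bool = True
class AccessRegistry:
    """Joiner/mover/leaver handling: rights follow the person's current status."""
    def __init__(self):
        self.identities = {}
    def joiner(self, user_id, department):
        self.identities[user_id] = Identity(user_id, department, set(ROLE_RIGHTS.get(department, ())))
    def mover(self, user_id, department):
        ident = self.identities[user_id]
        ident.department = department
        ident.rights = set(ROLE_RIGHTS.get(department, ()))   # rights reissued, not accumulated
    def leaver(self, user_id):
        ident = self.identities[user_id]
        ident.active = False
        ident.rights.clear()                                  # all rights withdrawn on leaving
    def is_authorised(self, user_id, resource):
        ident = self.identities.get(user_id)
        return bool(ident and ident.active and resource in ident.rights)

def review_access_log(registry, log_lines, max_password_errors=3):
    """Trace each event to an identity; report password-error bursts and reads not covered
    by the person's current rights (whether or not the system permitted them at the time)."""
    errors, findings = Counter(), []
    for line in log_lines:
        user_id, action, resource, outcome = line.split()
        if action == "login" and outcome == "fail":
            errors[user_id] += 1
            if errors[user_id] == max_password_errors:
                findings.append((user_id, "repeated password errors"))
        elif action == "read" and not registry.is_authorised(user_id, resource):
            findings.append((user_id, "unauthorised access to " + resource))
    return findings

def demo():
    reg = AccessRegistry()
    reg.joiner("dr_amy", "clinical"); reg.joiner("bob", "finance"); reg.joiner("eve", "finance")
    reg.mover("bob", "clinical")    # moved department: payroll right revoked
    reg.leaver("eve")               # left the organisation: all rights withdrawn
    log = ["dr_amy read patient_notes ok", "bob read payroll ok", "eve read payroll ok",  # constructed
           "eve login - fail", "eve login - fail", "eve login - fail"]
    return review_access_log(reg, log)
```

Each finding names the identity involved, which is what lets the cause of an incident be traced back to a person rather than to a shared account.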
FACILITIES MANAGEMENT – THE CONTROL OF PHYSICAL ACCESS
Information security management defines the access control policy, and identifies the necessary physical security measures and who should have access to which site (e.g. the data centre). Facilities management is responsible for enforcing this policy.
The major components of physical access control are:
• the installation, maintenance and management of physical access security controls such as locks and barriers and surveillance equipment;
• monitoring of physical access to protected areas;
• physical security staffing;
• maintenance of floor plans showing areas of restricted access and the relevant security controls.
One of the most common means of breaching physical security is by ‘social engineering’: a rather grandiose term that usually refers simply to talking your way into a secure facility (e.g. by posing as a legitimate contractor, posing as someone else or simply following a legitimate person through an open door). For this reason, security access must not only be controlled appropriately but also continually monitored so that such breaches can be detected and security controls improved.
RELATIONSHIPS WITH OTHER SERVICE MANAGEMENT PROCESSES
To one extent or another, all other processes interface with security management.
Availability management
Information security and access management are key contributors to availability management because without the right level of protection, the availability and integrity of data and systems is compromised.
Service desk
The service desk usually has the authority to respond to requests for changes to access rights and passwords and therefore contributes to the operational management of security.
Other processes
Other process interfaces are with:
• incident and problem management (response to and resolution of security-related issues);
• IT service continuity management (a design consideration and a risk during testing);
• change management (impact assessment on security controls);
• configuration management (assistance with security classification for CIs);
• capacity management (when introducing new technology);
• supplier management (to ensure maintenance of security controls for operational activities carried out by third parties).
METRICS
Security management metrics are needed to ensure that the organisation can meet both internal and external security requirements found in SLAs, contracts, legislation and governance. Metrics that can be used for this purpose include:
• the number of security-related incidents per unit of time;
• the percentage of security-related incidents that impacted services or users;
• the number of security audit issues and risks identified;
• the percentage of security audit issues and risks resolved;
• the number of changes and releases backed out because of security issues;
• the average time to install security patches.
ROLES
The IT security manager is responsible for defining the information security policy and establishing the ISMS. Once these are in place, it is the IT security manager’s job to ensure that all the proper controls are in place, people are aware of the policy and their responsibilities and that the security system is functioning correctly. The IT security manager is the focal point for all security issues.
Service operation teams are responsible for conducting day-to-day activities to manage operational security. It is important that these roles are kept separate from those of security management to prevent a conflict of interest. Operation roles include:
• policing and reporting;
• providing technical support and assistance;
• managing security controls;
• screening and vetting individuals;
• providing training and awareness;
• ensuring that security controls are appropriately referenced in operational documentation.
The facilities manager is responsible for physical security at an organisation’s sites and computer facilities.
TEST QUESTIONS FOR CHAPTER 18
SD 14, SD 24, SD 25, SO 04, SO 10, SO 16, SO 20, A 18