Different types of escalation
17.0 Security Management
17.1 Introduction
Everyone has heard about the impact a virus can have on a business.
Names such as the Kournikova virus, Nimda and the Trojan Horse ring bells about the vulnerability of our business and the reliance of businesses on IT services.
The following example of a different nature occurred recently in The Netherlands.
A national event was to take place that would attract a lot of attention: the live chat session on the Internet with Prince Willem Alexander and his fiancée Maxima. The main telecom provider in the Netherlands provided it, and they bragged about how they could ensure the availability and the high performance of the event.
A group of activists thought this was the time to show the country how vulnerable even the big companies are by hacking into the systems, causing the servers to go down and so interrupting the live chat session for a period of time.
In both cases there is a risk of information being damaged or misused due to a breach in security or lack thereof.
The security of Information is a key management concern in the modern, electronic business world. In order for companies to maintain their competitive edge, business decisions must be based on accurate, complete and accessible information.
According to BS 7799, Security of information refers to the preservation of:
• Confidentiality - Ensuring that information is accessible only to those authorized to have access.
• Integrity - Safeguarding the accuracy and completeness of information and processing methods.
• Availability - Ensuring that authorized users have access to information and associated assets when required.
The degree to which these aspects are preserved must be based on the business requirements for security. This can be properly understood through accurate risk and impact analysis. Security management is concerned with addressing activities that are required to maintain risks at a manageable level.
17.2 Objective
The objective of Security Management is twofold:
• To ensure that it complies with the external requirements of legislation regarding privacy, insurance policies, and the SLAs.
17.3 Process Description
The process of Security Management is a flexible one and needs to be reviewed continuously to ensure that it is still up to date. It should therefore plan, do, check and act in a continuous cycle. The activities of Security Management are undertaken either by the process itself or by other processes under the control of Security Management.
17.4 Activities
The following activities are part of the security management process:
• Control
• Plan
• Implement
• Evaluate
• Maintenance
• Reporting
Control
In this process the basics for the Security Process are laid out. This includes, among others, describing the roles and responsibilities, describing the sub processes, the Security plan and its implementation, and selecting the tools.
Plan
This sub process will plan the security sections of the SLAs with Service Level Management. It also includes addressing the security sections in the Underpinning Contracts (UPCs) and the operational level agreements.
Implement
Implementation of all the security measures is the aim of this sub process.
Evaluate
It is necessary to evaluate the implementation of the security measures to see if they are effective. Regular audits also need to be done to ensure that the process is working efficiently and effectively.
Maintenance
The maintenance of the security aspects of the SLAs and the maintenance of the security plan are the responsibilities of this sub process.
Reporting
The main things that will be reported are:
• Security incidents
• Results of audits
• Performance of security tests
• Identification of incident trends
17.5 Roles
In most cases there will be only the Security Manager; however, in very large organizations there may be more people involved in the process.
The Security Manager is responsible for implementing and maintaining the process. The Security Manager has close ties with the Business Information Security Officer.
17.6 Relationships
The Security Management process has links with all the ITIL processes. Each process carries out one or more of the activities of Security Management. Although the responsibilities for these actions remain within the separate processes, Security Management provides the input for the activities.
Service Level Management provides information about the required service levels and receives input about the achieved levels.
Configuration Management: The CMDB contains the information about the C.I.s. Every C.I. should be classified indicating the required availability, integrity and confidentiality, which will determine the level of security that is required.
breach of security levels and the cause is investigated and resolved by Problem Management.
Change Management implements the changes that ensure or enhance security. On the other hand, they need to address the security issues for every change. In most cases the Security Manager will be part of the CAB.
Availability Management is supported by Security Management in that the measures to increase security result in a higher availability of the IT services.
17.7 Benefits
Benefits of implementing Security management are:
• Information that is vital to the business is kept secure
• Higher availability of the Information