Information security management is the IT service management (ITSM) practice that protects the business and its data from threats. Done well, it keeps customer data safe, reduces the organization's attack surface, and strengthens protection against cyber threats and malware. If you'd like to know how ITIL 4, the body of service management best practice, has updated its information security management guidance, then this blog is for you: it outlines the key changes in the updated ITIL 4 publication.
The information security management basics
The ITIL 4 information security management practice is based on AXELOS’s RESILIA framework. RESILIA is a best practice framework designed to help organizations to build cyber resilience skills and knowledge. It provides practical guidance on how to enhance existing management strategies and to help align cyber resilience with IT operations, security, and incident management.
RESILIA is, first and foremost, a way to protect your organization and its information. This is reflected in the ITIL 4 key purpose statement for information security management which is “to protect the information needed by the organization in order to carry out its business.”
The scope of the ITIL 4 information security management practice
Unlike other ITIL 4 practices which are invoked as and when needed, information security management is a continuous practice and as such needs to be embedded into all elements of the ITIL service value system – because information security has a role to play throughout the IT service delivery and support ecosystem.
Sadly, in many organizations, formal security training and practice management are under-resourced, so information security doesn't get the visibility it needs to be effective. The harsh reality of modern business is that information security needs to be part of everyone's day job and should be prioritized as such.
There’s a need to “protect, detect, and correct”
A key information security management concept in the new ITIL 4 guidance is that, to achieve an appropriate level of security, activities must include:
- Prevention – reducing the likelihood that security incidents occur. Preventative methods could include hardening network devices and consolidating firewalls under central management to reduce exposure to external attacks. End users remain the largest area of exposure, so training them to recognize outside threats and how to react is critical.
- Detection – rapidly and reliably detecting the incidents that prevention does not stop. This could take the form of endpoint protection (antivirus, antispyware, and anti-malware software) so that the environment is continuously protected and monitored, together with a defined incident response capability.
- Correction – recovering from incidents after they’ve been detected. Corrective activities could include incident review meetings, to ensure lessons learned are captured, documented, and acted on, and introducing network auditing.
Taking a more balanced approach to security management
The new ITIL 4 guidance highlights the need for information security controls to be balanced.
In high-velocity or multi-cadence IT environments, care must be taken to balance the need for agility with strong IT security practices and risk management. One way of accomplishing this is to involve all teams in building information security into day-to-day activities, so that working practices both protect the organization from harm and support innovation.
Having a formal security incident process
One of the most important parts of the ITIL 4 information security practice is how organizations should respond to and manage security-related incidents. To help, the updated information security management guidance contains the following steps:
- Preparation – being appropriately prepared for security incidents. For example, having a policy in place, having a working communication plan, and identifying business-critical services.
- Detection and escalation – having the appropriate monitoring tools and escalation procedures in place to ensure that incidents are identified and acted on quickly and effectively.
- Triage and analysis – collecting data for forensic analysis and examining log files, endpoints, and system information to establish what happened and how far it spread.
- Containment and recovery – isolating affected systems to contain the issue and recovering business services.
- Post-incident activity – root cause analysis activities, creating incident reports, and reviewing any lessons learned.
That’s our quick take on the new ITIL 4 information security management practice. What would you add to this? Please let us know in the comments.