© 2006 Jupitermedia Corporation Webcast TitleThe Role of Security in IT Service Management December 19, :00pm EST, 11:00am PST Speaker: George Spafford, Principal Consultant, Pepperweed Consulting

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Housekeeping Submitting questions to speaker –Submit question at any time by using “Ask a question” section located on lower left-hand side of your console. –Questions about presentation content will be answered during 10 minute Q&A session at end of webcast. Technical difficulties? –Click on “Help” link –Use “Ask a question” interface

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Main Presentation

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Agenda How to view security in the world of ITSM Risk Management and Controls Why security plays an important role in Service Delivery and Service Support Where there are resources to learn more

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management The Goal

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management What ITIL Represents ITIL is the de facto standard approach towards IT Service Management (ITSM) It is about IT delivering quality services that meet the needs of the organization IT services enable business processes that, in turn, enable the business to meet goals The management of risk to attain goals is essential Security is a key stakeholder in requirements definition Security requirements are business requirements! –Security in support of X service –Security in support of the enterprise

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Each Functional Area Has Objectives that Support the Goal Examples: A1 – “Provide accurate and timely financial reporting data for the public and internal decision making.” A2 – “HR will track timely and accurate vital information about employees including key dates, training, performance, skills, and benefits. ” A3 – “Customer service will ensure that all customer master profiles are current and accurate.”

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management IT Provisions Services That Add Value and/or Mitigate Risks IT in support of X business service …

© 2006 Jupitermedia Corporation Webcast TitleThe Role of Security in IT Service Management Why is risk management so important? Limited Resources and Seemingly Unlimited Risks! US companies are adopting a risk based approach and going after what matters most in order to be sustainable. It makes sense to spend $1,000 to safeguard $1Billion but not to safeguard $100. Understand and prioritize risks to focus compliance efforts.

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Formal Risk Management Formal risk management needs to be implemented, ideally at the enterprise level, to ensure that organizational risks are identified and properly managed. –IT needs risk management to prioritize mitigation efforts and to help facilitate discussions with senior management –Senior management can use risk management to understand risks to objectives, the current risk levels and prioritize investments intended to mitigate risks

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management If a risk doesn’t map to objectives and goals, then does it matter? NO

© 2006 Jupitermedia Corporation Webcast TitleThe Role of Security in IT Service Management One challenge is how to prioritize hundreds, if not thousands, of risks. Risks need to be quantified to facilitate ranking.

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Quantifying Risk Simple approach is to use Likert (1-5) scales to develop ordinal ranking Inherent Risk Score = Probability x Impact Residual Risk Score = IRS x (100% - % Mitigated) If nothing has been mitigated, RRS = IRS Management defines what level of RRS is acceptable How do you factor risks to objectives with varying importance? One method is multivariate risk models. –Weighted Average IRS = Probability x (Risk 1 weight x impact) x (Risk 2 weight x impact) x …. Note – Risk Management is an exercise in objective subjectivity hence the need to get buy-in on the model and scores/values used

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management A Spreadsheet-based ERM Model Note, this spreadsheet model is at

© 2006 Jupitermedia Corporation Webcast TitleThe Role of Security in IT Service Management In response to risks we implement controls

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management What Are Controls? Controls limit variation around the attainment of objectives. In the case of SOX, we need controls that reasonably assure the integrity of the financial reports. All processes contain an inherent level of variation that can not be eliminated. Only put in enough controls to lower the residual risk to a level that is acceptable to management. Controls can be –Manual – Meaning they take a person to perform without automation. –Automated – Meaning that technology is used to enable the process partially or entirely. –Important Note – In accounting terminology, an automated control is a control that is embedded in a system such as bounds checking, audit trails, workflow, etc. Three broad types –Preventive Controls – Intended to stop a future transgression. Examples – policies and procedures –Detective Controls – Attempt to find out about an event that has already happened. Example – Log review –Corrective Controls – Aimed at restoring the last known good state. Example – Restore from tape

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Use Controls to Manage Risk to Objectives and Goals Risks cause variation around the achievement of objectives and goals Some variation is always present and inevitable By implementing processes with adequate controls, we strive to create a reasonable assurance that we can attain our objective Controls are found in –The services IT maintains and provisions –Within the applications users access Examples: Unique user IDs and passwords, password complexity, scheduled account reviews, firewalls, IPS/IDS, antivirus, generators, UPS, Security Event Management tools, etc.

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Control Objectives for Information and related Technologies (COBIT) Maintained by the IT Governance Institute (ITGI), which is part of the Information Systems Audit and Control Association ( ISACA started in 1967, has over 50,000 members in over 140 countries. Essentially, COBIT is the de facto reference for IT Controls. Nothing else quite like it exists. Four domains –Plan and Organize – Strategy, Tactics, Vision –Acquire and Implement – Identification, Development, Purchase, Implementation –Deliver and Support – Security, Continuity, Management of Data, Operations –Monitor and Evaluate – Assessments and Audit 34 High-Level Control Objectives Over 300 Detailed Control Objectives Example: –Domain: Deliver and Support High Level Control Objective – “DS5 Ensure Systems Security” –Detailed Control Objective – “DS5.1 Management of IT Security” –Detailed Control Objective – “DS5.2 IT Security Plan” –Detailed Control Objective – “DS5.6 Security Event Definition” –…and so on

© 2006 Jupitermedia Corporation Webcast TitleThe Role of Security in IT Service Management Security is a Risk Mitigation Process We implement security controls commensurate with risk to safeguard objectives and goals

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Appropriate PPT Blending A process is a course of action with an intended result Technology has been the mainstay of Information Technology –Technology can’t fix all of our problems! The need to find and retain qualified people is known, but not always stressed enough –They need adequate training –Segregation of Duties –Cross-training/backups What hasn’t received as much attention are the processes –Leveraging best practices –A focus on quality management –Continuous Improvement Processes Any technology can be rendered ineffectual by poor personnel and process choices –Very true for security as well as other processes Our results will depend on our ability to properly blend people, processes and technology into the required solution based on the needs of the business and tied to supporting/protecting functional area objectives and organizational goals People Processes Technology Outcomes

© 2006 Jupitermedia Corporation Webcast TitleThe Role of Security in IT Service Management You can have processes without adequate controls, but you can not have an effective and efficient control environment without good processes.

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Service Support, Delivery & Security

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Change Management IDC – 80% of network availability issues caused by human error CompTIA – 60% of breaches are caused by human error Change management is a risk management function that assesses the potential impacts of a change to the organization Security should: –Sit on the Change Advisory Board (CAB) –Review change requests –Review changes that are rolled back –Review unauthorized changes for security events Security must work through Change Management and not around it –Ideally through operations and not direct –Quis custodiet ipsos custodes – Who will guard the guards? –Never forget about human error!

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Configuration Management Focuses on tracking and documenting configurations and then providing this information to other areas Configuration tracks relationships to understand who is affected and assesses impact. Enables the control of configuration items by monitoring, maintaining and verifying –Resources –Status –Relationships Security is a consumer of Configuration Management –Infrastructure details Relationships IT and Business Owner Contact information –User profiles –Incident records (alerts + manually logged) –License information (if tasked with tracking down unlicensed information) –Reviewing security configurations –Security logs / records –Review of CMDB access levels

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Service Level Management “The goal for SLM is to maintain and improve IT Service quality, through a constant cycle of agreeing, monitoring and reporting upon IT Service achievements and instigation of actions to eradicate poor service – in line with business or cost justification.” – ITIL Service Support Concerned with understanding the customer/organization’s security requirements for each service – SLM negotiates service security levels based on input from the security function The SLA defines security requirements

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Incident Management / Service Desk Concerned with restoring service as quickly as possible Alerts should route into Incident Management, not pagers –Key is to manage alerts, not fire and forget –Need consistent handling Security needs to help IM with –The development of incident call scripts and workflow –The identification and proper coding of security incidents –Processing of security related Incidents

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Problem Management Determination of root cause of actual and potential incidents and, where it makes business sense, eliminate it. Security involved with problem teams to establish solid solutions –Working on security related problem ticket –Ensuring that proposed solution doesn’t compromise security Security opens problem tickets for Problems

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Release Management Ensures the quality of releases into production via formal checks. Spans from development through testing to operations Security will define what the security requirements of releases will be –Controls in a service –Testing of controls –Documentation of controls Security will check on the contents and security of the Definitive Software Library (DSL)

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Capacity Management Tasked with translating business capacity requirements into IT service and then Configuration Item (CI) resource requirements Ensure that security is factored into capacity requirements Ensure that capacity constraints don’t cause vulnerabilities –Out of disk space errors causing untrapped script failures, etc.

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Availability Management To understand the Availability needs of the business and to continuously strive to improve Availability is a/the key element of Customer satisfaction You can not have sustainable high-availability without fundamentally sound security Availability Management contributes to the Security Policy Availability Management advises SLM on all Confidentiality, Integrity, and Availability (CIA) issues

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management IT Financial Management Budgeting, Costing, Charge backs and Value for IT services Security measures need proper budgeting, costing, etc. –ROI is often ex post facto – in the value is often only “provable” after an event –Security of the ITFM services

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management IT Service Continuity Management Defines how IT will support the Business Continuity Plans (BCP) of the organization A disaster may create/exacerbate vulnerabilities Security needs to understand and approve the security implications of the ITSCM plans

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Are compliance, security and operations mutually exclusive? Of Course Not! Operations Compliance Security

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Continuous Improvement Is Key Like any process, you must pick a place to start and begin As you gain more experience, evolve the various aspects of security as the organization matures Be sure to tie security activities to functional area objectives and organizational goals * Adapted from ITIL Service Support Graphic

© 2006 Jupitermedia Corporation Webcast TitleThe Role of Security in IT Service Management Additional Resources

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management IT Infrastructure Library (ITIL) Office of Government Commerce British Educational Communications and Technology Agency (BECTA) ITIL Open Guide Microsoft’s Operations Framework (MOF) IT Service Management Forum

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management The IT Process Institute Maintained by the Information Technology Process Institute ( Visible Ops leverages ITIL and is prescriptive –Change Management is key, as is reduction in variation and integration of process areas –It is split into three project phases to start Phase 1 – Stabilize the Patient Phase 2 – Catch & Release and Find Fragile Artifacts Phase 3 – Create a Repeatable Build Library –Phase 4 – Continual Improvement – is the start of a process. –Published June 2004 –Over 50,000 copies sold primarily by word-of-mouth recommendations ITPI Controls Benchmark Study –Scientific study of what controls really matter –From 300 to 68 to a core 21 foundation controls –Highly recommended!!

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Other Best Practice Sources Australia Standard 4360 Risk Management British Standards Institute (BSI) - Carnegie Mellon’s Software Engineering Institute (SEI) Computer Emergency Response Team (CERT) - COSO ERM - Federal Financial Institutions Examination Council (FFIEC) – International Organization for Standardization (ISO) – (ISO and for security) - ISACA – COBIT- OECD Guidelines on Information Security The Systems Security Engineering Capability Maturity Model – (SSE-CMM) - The Institute of Internal Auditors - US General Accounting Office (GAO) – US National Institute of Standards (NIST) -

© 2006 Jupitermedia Corporation Webcast TitleThe Role of Security in IT Service Management Thank you for the privilege of facilitating this webcast George Spafford Daily News Archive and Subscription Instructions

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Questions?

© 2006 Jupitermedia Corporation The Role of Security in IT Service Management Thank you for attending If you have any further questions,