Security, service management style
August 13th, 2003 by jiri
One of the two challenges in enterprise security is how to integrate security management with the other managerial aspects of IT.
The usual way of throwing BS7799 with some additional security procedures on the table and saying ‘thou shalt comply’ does not bring you success. If security were a house, the security policy would be the frame, roof, walls and ceilings. They need to be in place, but on their own they don’t guarantee that people will actually like the house or want to live in it. What is needed is some paint, doors and all the furniture, fixtures and equipment. In the same way, a security policy needs to be refined into a more detailed implementation model.
So now that we have heard about what is wrong, you may wonder what the right way of doing things looks like.
A model I have explored recently, and which looks quite promising, is aligning security management with service management. What is this service management, you may ask?
The short answer is that IT service management is about managing the provision of the IT department’s services in a way that ensures the IT services delivered meet business requirements and expectations. The longer answer is that IT service management is about how you manage capacity, continuity and availability, service levels, change, configuration and releases, and IT relationships, and how you budget and account for IT services. If you are looking for the long answer, have a look here, here, or here.
Although security touches all disciplines of service management, the most important concepts from the service management toolset that IMHO need to be applied to security management, especially where parts of IT are outsourced, are service levels and relationship management.
Service level management is concerned with the definition and measurement of the required parameters of an IT service from the viewpoint of business users. Because security is primarily about the absence of incidents rather than how quickly they are resolved, service level agreements need to be extended by operational level agreements that define the ‘how’ for the ‘what’ of the SLAs.
Relationship management is about managing requirements and expectations at the interfaces between the business, IT organisations and IT suppliers.
How these two service management concepts work and how they tie in to security management is illustrated in the following diagram.
