• Segregation of duties
ITIL
ITIL is growing in popularity among financial institutions seeking to improve service quality and to align IT with larger business objectives. It is an IT management approach that bridges tools and standards with business processes. As one of the three compliance structures of the Joint EU Framework, ITIL will only increase in importance. It was developed in England in the 1980s for the Central Computer and Telecommunications Agency (CCTA), and is a set of documents focused on best-practice processes for IT service management. ITIL is technology neutral and focuses on processes. Unlike ISO 17799, ITIL security management describes … be implemented.
The ITIL book has five chapters along with annexes at the end of the book. The first two chapters consist of an introduction, a section on the fundamentals of information security, and a section on the links between information security and IT processes. The first two chapters primarily deal with basic security management information, including the importance of upper management commitment and the view of information security being a business enabler instead of a cost. These are important concepts worthy of being reviewed and discussed to help identity stewards look at information security from a business perspective as opposed to a technical product perspective. The next three chapters discuss security management for a number of key security processes. In the third chapter, there is a discussion about determining the security-related service-level requirements for various business processes. The service-level requirements help determine key operational areas that must be in place before effective security management can take place. The operational areas include

• Configuration and asset management
• Incident control and help desk
• Problem management
• Change management
• Release management
The final two chapters provide best-practice processes for some key information security areas, including
• Asset classification
• Personnel security
• Communications and operations management
• Access control
• Auditing and evaluation
ITIL Process Description
• Configuration management: Creation and maintenance of a database of all IT configuration items, their relationship with other items, and their proper state.
• Incident management: Receiving, recording, and classifying user reports of malfunctions, primarily received through the help desk.
• Problem management: Analysis of incidents to uncover patterns of repetition that might indicate a common root cause. A positive conclusion results in a request for change (RFC), and the cycle repeats.
• Change management: Response to and action on requests for change. The process includes solution evaluation and design, risk analysis, prioritization, approvals, and feasibility testing.
• Release management: Sequence of events for rolling out a change to the user environment in order to minimize disruption, prevent errors and loss of data, and maintain proper documentation.
Terms and Definitions Associated with ITIL
• SLM (service-level management)—The monitoring of required service levels.
• SLA (service-level agreement)—Specific targets identified by SLM for each unit within the IT organization.
• SLC (service-level contract)—Specific targets identified by SLM for each unit within an external IT supplier.
• OLA (operation-level agreement)—Specific targets for the service being supplied by internal service providers (network services, LAN services, and so on).
• UC (underpinning contract)—Specific targets for the service being supplied by an external service provider (such as GE Capital, Decision One).
• Service catalogue—A collection of all the services being provided and the customers of each.
• SLR (service-level requirements)—SLM will ask each IT customer what his or her requirements are. These will be embedded into the SLA.
• SIP (service improvement program)—After the review of an SLA, service improvements may be necessary. A service improvement plan will be designed and acted on.
• CI (configuration item)—Anything within IT that is decided to be within scope and can be changed should be considered a CI. This could be hardware, software, an SLM, a job description, and so on.
• CMDB (configuration management database)—The CMDB holds all details and relationship information of all CIs associated with the IT infrastructure.
• SCOPE (scope)—The activities of configuration management include identification, control, status accounting, and auditing.
Control Mapping—ITIL
ITIL addresses the domain control requirements of
• Change management
• Business continuity and availability
• Operational monitoring
• Records management
• Operational controls
The standard concedes as out of its scope the control areas of
• Trusted access
• Audit and risk management
• Operational transparency
• Segregation of duties
BSI IT-Grundschutz Methodology
The IT-Grundschutz methodology is a procedure for IT security management that can be adapted to the situation of a specific institution. It is described in BSI Standard 100-1 MSIS. This document describes the steps required by the IT-Grundschutz methodology. It represents a standard for establishing and maintaining the appropriate level of IT security in an institution. The method, introduced by BSI in 1994, provides a methodology for setting up an information security management system, establishing a comprehensive basis for assessing risk, monitoring the existing IT security level, and implementing appropriate IT security. One of the most important objectives of IT-Grundschutz is to reduce the expense of the IT security process by providing established procedures to improve information security. The methodology describes an efficient management system for information security and how the IT-Grundschutz catalogues can be used for this task. Each document focuses on a different area:
• The BSI Standard 100-1 MSIS describes the general methods for the initiation and management of information security in an institution.
• The BSI Standard 100-2 provides a summary of the important steps in introducing an ISMS and the approach to producing an IT security concept.
• The BSI Standard 100-3 describes how the fundamental phase in initiating the IT security process could look, and which organizational structures are appropriate for it. In addition, a systematic path is shown for setting up functional IT security management and for developing it further in ongoing operations.
• The BSI Standard 100-4 describes the IT-Grundschutz methodology for producing an IT security concept. This first lists how the basic information on IT assets can be collected and simplified by forming groups.
The IT-Grundschutz catalogues describe how to produce and monitor IT security concepts on the basis of standard security measures. Modules of standard security measures are available for common IT processes, applications, and components. The modules are classified into five layers according to their focus:
• Layer 1 covers all the generic IT security issues.
• Layer 2 covers all the physical, technical issues.
• Layer 3 relates to individual IT systems.
• Layer 4 concerns the issues relating to networking IT systems.
• Layer 5 handles the actual IT applications.
Control Mapping—BSI IT-Grundschutz Methodology
The BSI IT-Grundschutz methodology addresses the domain control requirements of
• Trusted access
• Change management
• Business continuity and availability
• Operational monitoring
• Records management
• Audit and risk management
• Operational transparency
• Operational controls
The methodology only concedes as out of its scope the control area of

• Segregation of duties
CMMI-SEI
Capability Maturity Model Integration (CMMI) is a process improvement approach that provides organizations with the essential elements of effective processes. It is used to guide process improvement across projects, divisions, and entire organizations. CMMI helps integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and afford a point of reference for appraising current processes. Although it is not a specific compliance methodology, its use in conjunction with other compliance methodologies in remediation efforts may serve as proof of intent to comply.
The Carnegie Mellon Software Engineering Institute (SEI) is a federally funded research and development center in the United States. Its core purpose is to help organizations improve their software engineering capabilities.
Control Mapping—CMMI-SEI
The CMMI methodology addresses the domain control requirements of
• Trusted access
• Change management
• Business continuity and availability
• Operational monitoring
• Records management
The methodology concedes as out of the standard's scope the control areas of

• Audit and risk management
• Operational transparency
• Segregation of duties
• Operational controls
SoGP
In 1998, the Information Security Forum (ISF) developed a comprehensive list of best practices for information security, the Standard of Good Practice (SoGP). The foundation offers an assessment to identify benchmark environments and measure compliance with the SoGP. The SoGP provides a biannual review cycle during which existing sections are revised and new sections are added according to ISF member information and best-practices research.
The standard is developed from research based on practices of and incidents in major corporations. The standard is used as the default governing document for information security behavior by many major organizations, by itself or in conjunction with other standards such as ISO 17799 or COBIT.
The standard is divided into five aspects:
• Security management (SM): Aligns business risks associated with information with senior management.
• Systems development (SD): Builds security into every component from inception at each stage of the cycle. This approach proves more cost effective and efficient than grafting it on after development. SD encourages a coherent approach to systems development and sound discipline throughout the development cycle, ensuring that information security is addressed.