IT service management supports IT security

Over the last decade, higher education has realized that it cannot ignore IT security. Institutions have improved IT security through hiring Chief Information Security Officers (or CISOs), building security incident response procedures, creating device management and password security policies, and conducting education. When institutions pursue IT security but not IT service management, IT security’s job becomes much more difficult. ITSM and ITIL help IT security by freeing IT security to focus more specifically on IT security concerns.

ITIL processes that IT security often owns

ITIL calls out IT security management as one of the four “warranty” processes in Service Design. Here are all four; if you’re an IT security officer, see whether you notice anything familiar:

  • IT security management
  • IT service continuity management (i.e. IT disaster recovery)
  • IT capacity management (including the ability to meet current demand)
  • IT availability management

I will bet you your IT security team owns these processes if you do not have an IT service management capability. “Availability” is even part of IT security’s “CIA triad” of Confidentiality, Integrity, and Availability (although IT security’s focus tends to be preventing denial-of-service attacks, rather than ITSM’s larger focus on understanding and meeting current- and future-state component and service level availability targets).

IT service continuity management includes major incident response and how to deal with catastrophic threats, similar to how IT security develops processes to deal with large-scale security compromises or data breaches. IT capacity management is less closely connected to IT security, but is related insofar as we want to prevent disks from filling up and systems from being overrun.

In fact, as I’ve reflected on my presentation “IT Project Management: the Process of Last Resort,” I’ve realized that one could give a similar argument for IT security. IT security often is the process of last resort and ends up owning all warranty-related IT processes.

If you are able to address capacity management, availability management, and IT service continuity management processes as separate from IT security, you have freed up IT security to focus on their core competency while giving them ways to support IT service quality.

Other ways that ITSM helps IT security

In addition to ITSM freeing up IT security, other IT service management processes and functions can help IT security:

  • IT supplier management (in Service Design) is about managing third-party vendors. This process can take guidance from IT security management to ensure that vendors meet security requirements: for example, IT supplier management can gather vendor data for IT security management, or they can ensure there are contractual penalties for vendor IT security issues.
  • Service level management (in Service Design) can help communicate the level of IT security that users should expect in a system. For example, service level management can reinforce that email is not a good tool for classified data.
  • Knowledge management can help support IT security’s need to educate campus.
  • Access management (in Service Operations) is how access is granted in a consistent way per IT security policy. This process can help free up IT security staff who might otherwise be involved in operational access requests, and it can help with responding to IT security audits.
  • Event management (in Service Operations) is about automated alerting. This process arguably supports IT security’s need for logging and can ensure appropriate events are captured.
  • The Service Desk (in Service Operations) can have mechanisms to trigger the security incident process if a security incident is identified.

Notes about performing ITSM and IT security in tandem

I will not make the argument that ITSM helps with the actual process of IT security management. ITIL provides little help for IT security management itself. Other frameworks such as NIST’s or ISO 27001 are much more thorough, as are certifications such as the CISSP.

You will need to decide what language you want to use for security incidents. The term “security incident” is similar enough to ITIL’s “incident management” that you may want to choose a different term.

ITIL’s major incident management for large, production-down issues can learn a lot from the Incident Command System, which is sometimes more familiar for IT security staff if they have experience working with law enforcement.

ITSM can raise another issue that IT security may find uncomfortable: ITSM is going to want to balance IT value, risk, and cost, rather than eliminate all risks. This means that ITSM may want the organization to accept some risks. IT security will need a good way to understand who is accepting these risks and what their ongoing responsibility is for ensuring that these risks are visible and their impact understood.