ITIL and IT Security Architecture

IST 725 Case Study 3 – ITIL® and IT Security Architecture April 8, 2012

Leo de Sousa

ITIL® and IT Security Architecture

Leo de Sousa – IST 725

Abstract This paper describes the interaction between the IT Infrastructure Library (ITIL®) and IT Security Architecture (ITSA) within the overall context of Enterprise Architecture (EA). Enterprise Architecture provides a holistic approach to the integration and management of an organization’s strategy, business and technology. IT Security Architecture is a component of Enterprise Architecture. The EA3 Cube Framework shows how ITSA fits in a documented enterprise architecture. IT Security is considered a planning thread that is a “common activity that is present in all levels of the framework.” (Bernard, 2005, p. 42) ITIL® specifically addresses the IT service component of Enterprise Architecture. ITIL® is an approach to IT Service Management “to drive consistency, efficiency and excellence into the business of managing IT services.” (itSMF Ltd, UK Chapter, 2007, p. 3) ITIL® contains five components built around a Service Lifecycle. The components are Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. The sections of this paper are: (a) Introduction, (b) Relations between ITIL®, IT Security Architecture and Enterprise Architecture (c) Interactions of ITIL® and ITSA and (d) Conclusion. After reading this paper, the reader should have a clear understanding of how ITIL® interacts with IT Security Architecture practices within Enterprise Architecture.

Introduction This paper uses Enterprise Architecture as the overarching framework to model and understand how ITIL® and IT Security Architecture interact together. Enterprise Architecture provides a holistic approach to the integration and management of an organization’s strategy, business and technology. EA addresses “policy, planning, decision-making and resource development that is useful to executives, line managers, and support staff.” (Bernard, 2005, p. 33) IT Infrastructure Library (ITIL®) was developed by the UK Office of Government Commerce in the 1980’s. The current version is ITIL® V3 and is a major rewrite from ITIL® V2. IT Infrastructure Library (ITIL®) “provides a framework of Best Practice guidance for IT Service Management and since its creation, ITIL® has grown to become the most widely accepted approach to IT Service Management in the world.” (itSMF Ltd, UK Chapter, 2007, p. 2) ITIL® suggests organizations take a holistic approach to IT service management with a focus on value to customers. Services have two value measures:

• Utility – is the service delivering the required functionality? “fit for purpose” • Warranty – is the service delivered in the expected timeframe, in a secure manner and

available for customers when necessary? “fit for use”


Leo de Sousa

ITIL® contains five components built around a Service Lifecycle. The components are Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement. IT Security Architecture “is the art and science of designing and supervising the construction of business systems, usually business information systems, which are: free from danger, damage, etc.; free from fear, care, etc.; in safe custody; not likely to fail; able to be relied upon; safe from attack.” (Sherwood, Clark, & Lynas, 2005, p. 2) The SABSA® Model captures IT Security Architecture in six layers: Contextual Security Architecture, Conceptual Security Architecture, Logical Security Architecture, Physical Security Architecture, Component Architecture and Operational Security Architecture. (Sherwood, Clark, & Lynas, 2005, p. 34) (SABSA, 2012) Components of IT Security Architecture reside within parts of the ITIL® Service Lifecycle and both reside in the Enterprise Architecture framework which encompasses the entire business.

Relations between ITIL®, IT Security Architecture and Enterprise Architecture

The EA3 Cube Documentation Framework (Bernard, 2005, p. 38) provides an excellent framework for understanding the interactions between ITIL® and ITSA. The EA3 Cube describes an Enterprise Architecture by documenting the current state and future state of an enterprise as well as creating a management plan for change. Here is an image of the EA3 Cube Documentation Framework and the ITIL® V3 Framework:

Looking at the EA3 Cube, we can see how each component interacts when modeling an organization. ITIL® suggests IT Service Management best practices for the Service Lifecycle for Services, Data and Information, Systems and Applications, Networks and Infrastructure and Security/Standards in the EA framework. IT Security Architecture (ITSA) is one of the planning threads in the EA3 Cube framework. IT Security Architecture helps identify issues and the risks that could impact a company and its partners. ITSA also provides a framework for planning and implementing secure business practices. Integrating ITSA and ITIL® enables a business to focus on best practices in security and IT service management to deliver value.


Leo de Sousa

The diagram below represents the relationships between EAITILITSA.

Interactions of ITIL® and ITSA This section explores the impacts of ITIL® on ITSA. The table below lists all the ITIL processes by component type - interactions with ITSA are bolded. (Clinch, 2009, pp. 16-17)

Service Strategy Service Design Service Transition

Service Operations

Continual Service Improvement

Demand Mgmt Service Catalogue Mgmt

Knowledge Mgmt Incident Mgmt Service Measurement

Financial Mgmt Service Level Mgmt

Change Mgmt Problem Mgmt Service Reporting

Strategy Generation

Capacity Mgmt Asset and Configuration Mgmt

Event Mgmt Service Improvement

Service Portfolio Mgmt

Availability Mgmt

Release and Deployment Mgmt

Request Fulfillment

Service Continuity Mgmt

Transition Planning and Support

Access Mgmt

Information Security Mgmt

Service Validation and Testing

Operations Mgmt

Supplier Mgmt Evaluation Service Desk Application Mgmt Technical Mgmt IT Operations

EA (S+B+T)

ITIL (ITSM)

ITSA (CIA)

•Assets (What) •Process (How) •Location (Where) •People (Who) •Time (When) •Motivation (Why)

•Service Strategy •Service Design •Service Transition •Service Operation •Continual Service Improvement

•Contextual Security Architecture •Conceptual Security Architecture •Logical Security Architecture •Physical Security Architecture •Component Architecture •Operational Security Architecture


Leo de Sousa

Service Strategy

ITIL® defines Service Strategy as “collaboration between business strategists and IT to develop IT service strategies that support the business strategy.” (Kneller, 2010, p. 3) This section of ITIL® only has generalized references to IT security architecture. There is one specific reference to in the Service Value section: “Service Warranty: how the service is delivered and its fitness for use, in terms of availability, capacity, continuity and security.” (itSMF Ltd, UK Chapter, 2007, p. 14) The intent is security is considered a part of the strategy for creating valuable services for the organization.

Service Design

ITIL® defines Service Design as “designing the overarching IT architecture and each IT service to meet customers’ business objectives by being both fit for purpose (utility) and fit for use (warranty).” (Kneller, 2010, p. 4) Availability Management, IT Service Continuity Management and Information Security Management processes in ITIL® all provide guidance for implementing security practices.

• Availability Management – considers both reactive and proactive activities to ensure services are available for use. IT security architecture provides proactive guidance to protect services as well as responding to security attacks or breaches that compromise a service (e.g. Denial of Service attacks)

• IT Service Continuity Management – considers ongoing recovery capabilities for services. IT security architecture guides the design of recovery capabilities and infrastructures to ensure that services can be recovered and delivered securely

• Information Security Management – is the main ITIL® process for IT security architecture. This process seeks to align IT security with business security and protect the information assets for all services. This process uses the CIA (confidentiality, integrity, availability) model to suggest best practices of IT security in services.

Service Transition

ITIL® defines Service Transition as “managing and controlling changes into the live IT operational environment, including the development and transition of new or changed IT services.” (Kneller, 2010, p. 4) Knowledge Management, Change Management, Asset and Configuration Management, Release and Deployment Management and Service Validation and Testing processes all have IT security architecture components.

• Knowledge Management – ensures that the correct person has access to the right knowledge, at the correct time to deliver and support business services. This process uses the IT Security Architecture CIA (confidentiality, integrity, availability) model to suggest best practices for information security

• Change Management – delivers standard and secure methods to manage change to services. IT security architecture should be integrated with Change Management processes to ensure that introduction of new configuration items do not increase the risk to the services they support. IT security reviews are also important for reviewing


Leo de Sousa

changes to existing services to maintain the agreed upon security levels. IT security architecture must be considered for all levels of change from strategic to tactical to operational. Effective implementation of this process limits unauthorized changes that could create security risks.

• Asset and Configuration Management – accounts for service assets and configuration items to protect their integrity for the service lifecycle. IT Security architecture integrates with this process especially when considering Data and Information Architecture, Systems and Application Architecture and Networks and Infrastructure Architecture segments. Being able to identify, control and account for corporate information assets protects companies from security breaches, data leakage and information security compliance failures. Creating a Configuration Management System to record and track all configuration items used to deliver services is a key function for security.

• Release and Deployment Management – ensures that changes are securely released into the production environment that supports business services. Implementing auditing and release controls following IT security best practices align this ITIL® process with ITSA. Effective implementation of this process limits unauthorized changes that could create security risks.

• Service Validation and Testing – provides objective evidence that services are meeting their established service level agreements for functionality, availability, continuity, security and usability. Conducting security audits including penetration tests are examples of how ITSA and this ITIL® process interact.

Service Operations

ITIL® defines Service Operations as “delivering and supporting operational IT services in such a way that they meet business needs and expectations and deliver forecasted business benefits.” (Kneller, 2010, p. 4) Incident Management, Problem Management, Event Management and Access Management processes in ITIL® all use guidance from information security practices.

• Incident Management – restores normal service as quickly as possible so that business impacts are minimized. Incidents can come from any part of the business. When they are IT security related, the IT service desk and security teams initiate an incident response process: identification, containment, eradication and recovery. (Killmeyer, 2006, p. 215) Security incidents can range from external attacks, data breaches (e.g. FIPPA and HIPPA compliance), internal attacks and copyright violations.

• Problem Management – determines the root causes of incidents, recommends changes to resolve the issue and provides workarounds if a resolution cannot be found. The IT security team takes a lead in this process for security problems. The focus in this process is the eradication of the problem by implementing new security practises and technology. This process initiates the Change Management process when resolutions need to put into production.

• Event Management – depends on monitoring of configuration items and services. The process generates notifications about changes and initiates the Incident Management process. This process relates to proactive security monitoring and logging. If a monitored security alert is triggered, the IT service desk and security team initiate the Incident Management process for a security incident.


Leo de Sousa

• Access Management – provides the access rights for people to use services while blocking non-authorized access. Specifically, this ITIL® process manages privileges using the CIA model – confidentiality, integrity, availability to protect data and assets. Other IT security practices like auditing and logging access are practiced in this process.

Continual Service Improvement

ITIL® defines Continual Service Improvement as “learning from experience and adopting an approach which ensures continual improvement of IT services.” (Kneller, 2010, p. 4) This component of ITIL® focuses on continual evaluation and improvement of services and value to customers. ITIL® suggests a 7-Step Improvement Process to “collect meaningful data, analyze this data to identify trends and issues, present the information to management for their prioritization and agreement and implement improvements.” (itSMF Ltd, UK Chapter, 2007, p. 36) This approach could be taken to continuously improve IT security architecture practices.

The Continual Service Improvement component of ITIL® only has generalized references to IT security architecture. There is a section that advocates the use of Standards. There are a series of Security standards that ITIL relates with the main standards family being ISO/IEC 27000 Information Security Management. Here are some of the related standards that ITIL® leverages: (Clinch, 2009, pp. 18-19)

• ISO/IEC 27001:2005 Information Security Management Systems – Requirements • ISO/IEC 27002:2005 Code of Practice for Information Security Management • ISO/IEC 27005:2008 Information Security Risk Management • ISO/IEC 27006:2007 Requirements for Bodies Providing Audit and Certification of

Information Security Management Systems • ISO/IEC 27799:2008 Health Informatics – Information Security Management in Health

Using ISO/IEC 27002

Conclusion Enterprise Architecture models and documents all the parts of an organization not just the IT components. As such, it provides a guiding framework for understanding the interactions between the various components of an organization, how IT service management is implemented (ITIL®) and how IT security architecture is deployed. Many organizations see IT security as purely an IT function and the result is a failure to adequately implement a holistic approach to securing the business.

“If we take to heart ITIL’s message that a service is something that delivers business value by improving customer outcomes, we should be seeking to position ISM (information security management) as a business activity that directly contributes towards the delivery of enhanced business value to customers.” (Clinch, 2009, p. 8)


Leo de Sousa

ITIL® interacts effectively with IT Security Architecture in Service Design, Service Transition and Service Operations and has some influence in Service Strategy and Continual Service Improvement. Here are the ITIL® processes with strong IT security architecture interactions.

Service Design Service Transition Service Operations Availability Mgmt Knowledge Mgmt Incident Mgmt Service Continuity Mgmt Change Mgmt Problem Mgmt Information Security Mgmt Asset and Configuration Mgmt Event Mgmt Release and Deployment Mgmt Access Mgmt Service Validation and Testing

ITIL® leverages many of the existing and evolving IT Security standards particularly from the ISO/IEC 27k family.

“Awareness and consideration of security risks and issues are background obligations for every step of successful IT Service Management under ITIL®.” (Clinch, 2009, p. 20)

References Bernard, S. A. (2005). An Introduction to Enterprise Architecture 2nd Edition. Bloomington, IL:

AuthorHouse. Clinch, J. (2009, May). ITIL V3 and Information Security. Retrieved from Best Management

Practice: http://www.best-management-practice.com/gempdf/ITILV3_and_Information_Security_White_Paper_May09.pdf

itSMF Ltd, UK Chapter. (2007). An Introductory Overview of ITIL V3. Retrieved from Best Management Practice: http://www.best-management-practice.com/gempdf/itSMF_An_Introductory_Overview_of_ITIL_V3.pdf

Killmeyer, J. (2006). Information Security Architecture 2nd Edition. Boca Raton: Auerbach Publications.

Kneller, M. (2010, Sept). Executive Briefing: The Benefits of ITIL. Retrieved from Best Management Practice: http://www.best-management-practice.com/gempdf/OGC_Executive_Briefing_Benefits_of_ITIL.pdf

SABSA. (2012). SABSA Matrix. Retrieved from SABSA: http://www.sabsa.org/the-sabsa-method/the-sabsa-matrix.aspx

Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture A Business-Driven Approach. San Francisco: CMP Books.

ITIL and IT Security Architecture

Business

Transcript of ITIL and IT Security Architecture