Luděk Novák
Ludek.Novak@anect.com
May 05, 2005

Integrated Information Management Systems

Scope

Information management requirements
Information added value
Integrated management system:
  Quality Management System
  IT Service Management System
  Information Security Management System
Common principles: PDCA model
New challenges to ISMS

ICT Management Requirements

Business is highly dependent on ICT
ICT should bring defined and measurable value
Different methodologies based on best practice
New approaches to the control environment:
  BASEL II – regulation for banking and financial companies
  Sarbanes-Oxley – regulation for financial reporting of joint stock companies
ICT is a key point for any success

Information added value

Increase automation: align ICT with business to enlarge production (do good things)
Decrease costs: use resources responsibly (do things well)
Manage risks: minimize incidents and damages (know risks)

[Diagram: ICT added value as the sum of three areas: increase automation, decrease costs, manage risks]

Information management components

Quality Management System – ISO 9001, ISO/IEC 90003
IT Service Management System – BS 15000, ISO/IEC 20000
Information Security Management System – BS 7799-2, ISO/IEC 17799

[Diagram: three overlapping areas – quality management, IT service management, information security management – with CobiT spanning all three]

Quality management

Quality is the totality of characteristics of a product or service that bear on the ability to satisfy stated and implied needs. A QMS is a well-known process-based approach.

Using existing principles and resources for ICT management
Tools for communication with managers and users
Basic and general requirements on ICT management
ISO/IEC 90003 – Application of ISO 9001:2000 to software

[Diagram: ISO/IEC 90003 process model – management responsibility; resource management; product realization; measurement, analysis and improvement; all within the quality management system]

IT Service Management

IT service is a described set of facilities, IT and non-IT, supported by the IT service provider that fulfils one or more needs of the customer and that is perceived by the customer as a coherent whole.

ITSM standards:
  System requirements – BS 15000-1 (ISO 20000-1)
  Code of practice – BS 15000-2 (ISO 20000-2)
Other methodologies:
  ITIL – IT Infrastructure Library
  MOF – Microsoft Operations Framework
  HP, IBM, SUN, …

IT Service Management

[Diagram: BS 15000 process model]
Service delivery processes:
  Service level management
  Service reporting
  Service continuity and availability management
  Budgeting and accounting for IT services
  Capacity management
  Information security management
Control processes:
  Configuration management
  Change management
Release process:
  Release management
Resolution processes:
  Incident management
  Problem management
Relationship processes:
  Business relationship management
  Supplier management

Information Security Management

Information security is the preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved.

The key element of any ISMS is the risk analysis and treatment process.

ISMS standards:
  System requirements – BS 7799-2:2005 (ISO/IEC 24743)
  Code of practice – ISO/IEC 17799:2005
  Metrics and measurements – ISO/IEC 24742 (draft)

Information Security Management

ISO/IEC 17799:2005 control areas:
  Security policy
  Organizing information security
  Asset management
  Human resources security
  Physical and environmental security
  Communications and operations management
  Access control
  Information systems acquisition, development and maintenance
  Information security incident management
  Business continuity management
  Compliance

Common principles

Key success factors:
  Management responsibility
  Management of resources, documents and records
  Competence, awareness, training
  Management reviews
  Continual improvement
All systems follow the PDCA cycle: Plan – Do – Check – Act

PDCA Model

[Diagram: Plan – Do – Check – Act cycle. Interested parties (customers and suppliers) feed requirements into the cycle and receive satisfaction from it.]

New challenges to ISMS

Quality management experiences:
  Using existing culture, tools, procedures, etc.
  Using implementation know-how
IT service management framework:
  IT services as a primary point for risk analysis
  ITSM methods offer more details on ICT processes
  Information security should be a part of service reporting
  Availability and continuity are the same for both
  Harmonize incident/problem management and security incident management (ISO/IEC TR 18044:2004)

Conclusions

The aim is to draw attention to QMS, ITSM and ISMS as tools for ICT management
There are a lot of shared features
There is a big place for synergies (ITSM – ISMS)
It is not possible to separate operations and security
Basic knowledge of all the management systems is necessary to use their advantages
The aim was to brief you on the security neighbourhood