Commonwealth of Massachusetts
Statewide Strategic IT Consolidation (ITC) Initiative
ITIL v3 and ISO 27001 Overview Workshop
Deloitte Consulting LLP
August 26, 2009
DRAFT – FOR DISCUSSION PURPOSES ONLY
Agenda

ITIL v3
• Introduction to Service Management and ITIL
  • Why do we care?
  • What is it? (i.e. ITIL is a framework for service management…)
• Key Components of ITIL
  • Service desk
  • Incident management
  • Request fulfillment
  • Change management
  • Asset/configuration management
  • Problem management
• Next Steps with ITIL (in the context of IT Consolidation)
  • Scope of IT Consolidation
  • Integration points with ITD

ISO/IEC 27000
• Introduction to ISO/IEC 27000
  • What is the ISO/IEC 27000 series?
  • What models does ISO/IEC 27001 use?
  • What are the benefits of ISO/IEC 27001?
• Implementation of ISO/IEC 27001
  • Implementing ISO/IEC 27000 Clauses 4-8 for the Enterprise
• ISO/IEC 27000 for the Commonwealth of Massachusetts
  • How does ISO/IEC 27000 apply to the IT Consolidation?
  • Asset Management
  • Physical and Environmental Security
  • Establishing a Management Framework
• Next Steps for the Secretariats?
Introduction to Service Management and ITIL
Concept of Value
Value is not derived from the elements of a product or a service
Value is derived from the processes with which a product or a service is put together and
offered to the customer
The primary driver … Architectural complexity reduces IT efficiency and effectiveness
(Figure: an actual application architecture for a consumer electronics company)
The Need For IT Service Management (ITSM)
• IT (Information Technology) is now an essential part of delivering the key business processes and results.
• IT is increasingly being expected to deliver the same or better quality of service to the business that the business delivers to its customers.

• Increasing visibility of IT
• Increasing demands from the business to deliver effective IT solutions
• Increasing complexity of IT infrastructure processes
• Increasing need for service standards and repeatable processes
• Increasing pressure to realize a return on IT investments
What is ITIL?
ITIL (the IT Infrastructure Library) is a set of books and documents that are used to aid the
implementation of IT Service Management. It provides a comprehensive framework of
processes and best practice advice for IT Service Management.
ITIL is… / What does that mean?
• A set of industry “Best Practices” (e.g., need for discipline around changes; need to link capacity planning and budgeting): Identify and reuse what has worked best in the past and currently at other organizations
• A framework, not a methodology: Provides a body of concepts and resources to draw from, not specific required steps
• Adoptable and adaptable: Select applicable parts of the framework and adapt them to fit local needs
• Not a standard: ISO/IEC 20000 is a standard aligned with ITIL
• Scalable to the organization’s size and need: Can be adapted to fit an organization’s specific size and situation
• Platform independent: Flexible to all development and service efforts; not tied to any particular tool
ITIL Version 3: Service Lifecycle Model
The IT Infrastructure Library is a definitive industry resource focused on recommended
practices for the management of Information Technology services. The ITIL v3 core is
organized around five lifecycle stages:

Service Strategy
• Strategy Generation
• Financial Management
• Service Portfolio Management
• Demand Management

Service Design
• Service Catalogue Management
• Service Level Management
• Capacity Management
• Availability Management
• IT Service Continuity Management
• Information Security Management
• Supplier Management

Service Transition
• Transition Planning & Support
• Change Management
• Service Asset & Configuration Management
• Release & Deployment Management
• Service Validation & Testing
• Evaluation
• Knowledge Management

Service Operation
• Event Management
• Incident Management
• Request Fulfilment
• Problem Management
• Access Management
• Functions: Service Desk, Technical Management, IT Operations Management, Application Management

Continual Service Improvement
• 7 Step Improvement Process
• Service Measurement
• Service Reporting
What are the benefits of ITIL?
• Provides a common vocabulary and allows IT personnel in different groups to communicate more efficiently
• Provides a set of principles and processes that can be adapted to suit any IT environment
• Clearly identifies roles and responsibilities for IT infrastructure and operations, and establishes accountability
• Supports the ability of IT to measure and improve internal performance and service provisioning, to increase the value provided to the business
• Defines IT in terms of “services” (focusing on the value to the business), rather than “systems” (focusing on IT components)
• Improves the relationship of IT with the business by matching the expectations of the business with the service levels provided
• Improves the ability of IT to adjust as needs and legislative mandates change

Components of ITIL: Service Desk
Service Desk: Overview
The Service Desk (or Helpdesk) is a Function, not a Process. Its role is crucial and central to the
whole concept of Service Management.
What is a “Service Desk?”
• The point of contact between the customer/user and the IT service, responsible for service requests as well as incident control.

What is the PURPOSE of the Service Desk?
• Provides a single point of contact for customers
• Facilitates the restoration of normal operational service with minimal business impact on the customer within agreed service levels and business priorities
• Manages each user contact/interaction with the IT Service provider throughout its lifecycle

What are the OBJECTIVES of the Service Desk?
• To promote customer satisfaction
• To restore normal service as quickly as possible when there is a fault
• To attain service level targets for user contact responsiveness and quality
• To articulate and route requests to the service provider accurately and appropriately
• To ensure accurate and timely communication of status
• To act as a strategic function to identify and lower the cost of ownership for supporting the computing and support infrastructure
• To reduce costs by the efficient use of resources and technology
Service Desk: Structure
Service Desk: Benefits
The value of an effective Service Desk should not be underrated – a good Service Desk can often
compensate for deficiencies elsewhere in the IT organization; but a poor Service Desk (or the lack
of a Service Desk) can give a poor impression of an otherwise very effective IT organization!
Specific Benefits include:
• Improved customer understanding and satisfaction with IT Services
  • With what the Services are, and how to obtain them
  • With status on Incidents and Requests
• Lower costs to the business through faster resolution of incidents and fulfillment of requests
• Improved ability to attain service level targets through the management of the flow of work
• Reduced costs by the efficient use of resources and technology – simpler work can be done by Service Desk Analysts rather than by the senior technical staff
Components of ITIL: Incident Management
Incident Management: Overview
What is an “Incident?”
• An incident is an unplanned interruption of a Service, or a reduction in the agreed-to quality of an IT Service.

What is the PURPOSE of Incident Management?
• The Incident Management process strives to restore normal service operation as quickly as possible and minimize the impact on business operations.

What are the OBJECTIVES of Incident Management?
• Restore services as quickly as possible following a deviation from agreed upon service levels
• Log, track, capture and process all incidents in the IT environment according to existing SLAs and defined interfaces with other processes and based on defined fault-specifications
Incident Management: Process Diagram
Incident Management: Benefits
Incident Management is highly visible to the business when it is needed. How well incidents are
resolved has a major impact on Customer Satisfaction with IT support.
Benefits from the process include:
• The ability to detect and resolve Incidents quickly, resulting in shorter downtime to the
business, and hence less impact
• The ability to align IT activity to real-time business priorities: Urgency and Impact = Priority
• The ability to identify potential improvements to services: the data collected helps to identify
where to focus to prevent future incidents
• The Service Desk can, during its handling of Incidents, identify additional service or training
requirements
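The objective of logging and processing incidents according to existing SLAs, and the benefit summarized above as "Urgency and Impact = Priority", can be made concrete in a few functions. The following is an added example, not code from the Deloitte workshop deck or from any Commonwealth tool: an ITIL-style Impact x Urgency priority matrix, a per-priority SLA resolution target, a breach check that also catches incidents still open past their deadline, and a triage ordering, all run over a few constructed incident records. The matrix values, the SLA hours and the incident data are assumptions chosen for illustration.

```python
"""Incident priority and SLA tracking: an added example, not from the workshop deck.

Assumptions (illustrative only): a 3x3 Impact x Urgency -> Priority matrix,
SLA resolution targets per priority in hours, and constructed incident records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed priority matrix: (impact, urgency) -> priority, where 1 = high,
# 2 = medium, 3 = low for both inputs and P1 is the most urgent priority.
PRIORITY_MATRIX = {
    (1, 1): 1, (1, 2): 2, (1, 3): 3,
    (2, 1): 2, (2, 2): 3, (2, 3): 4,
    (3, 1): 3, (3, 2): 4, (3, 3): 5,
}

# Assumed SLA resolution targets (hours) per priority.
SLA_RESOLUTION_HOURS = {1: 1, 2: 4, 3: 8, 4: 24, 5: 72}


@dataclass
class Incident:
    ident: str
    impact: int
    urgency: int
    opened: datetime
    resolved: Optional[datetime] = None  # None while the incident is still open


def priority(impact: int, urgency: int) -> int:
    """Urgency and Impact = Priority. Rejects out-of-range values instead of guessing."""
    try:
        return PRIORITY_MATRIX[(impact, urgency)]
    except KeyError:
        raise ValueError(f"impact/urgency out of range: {impact}, {urgency}") from None


def sla_deadline(inc: Incident) -> datetime:
    """Resolution deadline derived from the incident's priority."""
    hours = SLA_RESOLUTION_HOURS[priority(inc.impact, inc.urgency)]
    return inc.opened + timedelta(hours=hours)


def sla_breached(inc: Incident, now: datetime) -> bool:
    """True if resolved after the deadline, or still open and already past it."""
    end = inc.resolved if inc.resolved is not None else now
    return end > sla_deadline(inc)


def triage(incidents):
    """Open incidents ordered by priority, then by the earliest SLA deadline."""
    open_incidents = [i for i in incidents if i.resolved is None]
    return sorted(open_incidents, key=lambda i: (priority(i.impact, i.urgency), sla_deadline(i)))


def breach_report(incidents, now: datetime):
    """Map incident id -> (priority, breached) for every incident."""
    return {i.ident: (priority(i.impact, i.urgency), sla_breached(i, now)) for i in incidents}


# Constructed sample data (not real Commonwealth incidents).
T0 = datetime(2009, 8, 26, 9, 0)
NOW = T0 + timedelta(hours=6)
SAMPLE_INCIDENTS = [
    Incident("INC-1001", impact=1, urgency=1, opened=T0, resolved=T0 + timedelta(minutes=45)),  # P1, met
    Incident("INC-1002", impact=1, urgency=2, opened=T0, resolved=T0 + timedelta(hours=5)),     # P2, 4h target missed
    Incident("INC-1003", impact=3, urgency=3, opened=T0),                                      # P5, open, within 72h
    Incident("INC-1004", impact=2, urgency=1, opened=T0 + timedelta(hours=1)),                 # P2, open, past 4h target
]

if __name__ == "__main__":
    for ident, (p, breached) in breach_report(SAMPLE_INCIDENTS, NOW).items():
        print(f"{ident}: P{p} {'BREACHED' if breached else 'within SLA'}")
    print("triage order:", [i.ident for i in triage(SAMPLE_INCIDENTS)])
```

Two design points matter for a shared Service Desk: an incident that is still open but past its deadline counts as breached, so the same check works on a live queue and on closed records; and an impact or urgency outside the agreed scale raises an error rather than silently landing in a default priority, which is how mis-prioritized incidents slip past the SLA report.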
Components of ITIL: Request Fulfillment
Request Fulfillment: Overview
What is a “Request?”
• A Request is any type of demand that is placed upon the IT Department by the users. Many of these are actually small changes: low risk, frequently occurring, or low cost, whose fulfillment can be standardized.
• e.g., a request to change a password

What is the PURPOSE of Request Fulfillment?
• The Request Fulfillment process seeks to manage the Lifecycle of all Service Requests to provide the prompt, complete, and cost effective provision of the Request.

What are the OBJECTIVES of Request Fulfillment?
• To provide a channel for users to request and receive standard services for which a pre-defined approval and qualification process exists
• To provide information to users and customers about the availability of services and the procedure for obtaining them
• To source and deliver the components of requested standard services
• To assist with general information, complaints or comments
Request Fulfillment: Process Diagram
Request Fulfillment: Benefits
The primary benefit of Request Fulfillment is to provide quick and effective access to standard
services which business staff can use to improve their productivity or the quality of business
services and products.
Specific benefits include:
• Reducing the bureaucracy involved in requesting and receiving access to existing or new
services, thus also reducing the cost of providing these services.
• Through centralizing fulfillment, Request Fulfillment also increases the level of control over
these services. This facilitates aggregating demand for suppliers and can result in reduced
costs through centralized negotiation.
• Repeatable workflows for fulfilling requests can result in faster performance, fewer errors,
and a lower cost to provision.
Components of ITIL: Change Management
Change Management: Overview
What is a “Change?”
• ITIL defines a Change as the addition, modification or removal of anything that could have an effect on IT services, usually stated as a change to a configurable item or CI.

What is the PURPOSE of Change Management?
• Respond to changing customer and IT requirements, providing a structured avenue for implementing Change while minimizing risk, reducing incidents, and avoiding disruption and re-work

What are the OBJECTIVES of Change Management?
• Record changes and then evaluate, authorize, test, implement, document, and review results in a controlled manner
• Manage and minimize the risk of disruption to the business from the implementation of Changes
Change Management: Process Diagram
Change Management: Benefits
Reliability and business continuity are essential for the success and survival of any
organization. Service and infrastructure changes can have a negative impact on the business
through service disruption.
Change Management controls the risk and reality of disruption, through requiring all changes
to be thoroughly analyzed, planned, tested, authorized, communicated, and implemented with
appropriate back-out steps planned.
Key benefits are:
• Implementing changes that meet the customers’ agreed service requirements while
optimizing costs
• Reducing failed changes and therefore service disruption, defects and re-work
• Delivering change promptly to meet business timescales
• Aiding productivity of staff through minimizing disruptions due to high levels of
unplanned or ‘emergency’ change and hence maximizing service availability
Components of ITIL: Asset and Configuration Management
Service Asset and Configuration Management: Overview
What is an “Asset?”
• The hardware and software that IT uses to provide service to end users, in support of business functions and applications

What is a “Configuration?”
• The set of “items” (CIs) and their relationships that comprises IT services and is the object of most IT tasks

What is the PURPOSE of Asset and Configuration Management?
• Identify, control, record, report, audit and verify service assets and configuration items, including versions, baselines, constituent components, their attributes, and relationships
• Ensure the integrity of the assets and configurations required to control the services and IT infrastructure by establishing and maintaining an accurate and complete Configuration Management System

What are the OBJECTIVES of Asset and Configuration Management?
• Support efficient and effective Service Management processes by providing accurate configuration information to enable people to make decisions at the right time, with accurate information: to plan and authorize change and releases, resolve incidents and problems faster, etc.
• Provide management with the information required to optimize IT resources
Service Asset and Configuration Management: Process Diagram
Service Asset and Configuration Management: Benefits
Having complete and accurate information about IT assets and services enables effective
management of those resources
Benefits include:
• Faster and less costly resolution of Incidents and Problems, through having
configuration information available to support analysis and planning
• Less costly forecasting and planning of Changes and Releases
• Full enterprise-wide lifecycle management of IT assets, from specification of need,
through procurement and installation, through disposal
• Support for Supplier management, with regard to leases and warranties, as well as
software licenses
• Appropriate protection of organizational information upon asset disposal
• Better adherence to standards, legal and regulatory obligations (fewer nonconformances)
Components of ITIL: Problem Management
Problem Management: Overview
What is a “Problem?”
• The unknown cause of one or more incidents

What is the PURPOSE of Problem Management?
• Reduce the number and impact of Incidents
• Identify the Root Cause of Incidents or faults in the IT environment
• Prevent incidents from re-occurring
• Record information that will improve the way in which IT deals with problems

What are the OBJECTIVES of Problem Management?
• Find the root causes of errors
• Develop solutions to resolve known errors
• Plan and request changes to implement the solutions
• Prevent future incidents and problems
Problem Management: Process Diagram
Problem Management: Benefits
Problem Management is directed toward the stabilization and improvement of service availability
and quality
Benefits include:
• Reduction in the number of Incidents due to more effective and efficient incident handling
• Increase in user productivity and service quality
• Improved reputation of IT Organization due to decrease in the repetition of incidents.
• Increase in productivity of Support staff
• Ability to proactively identify beneficial system enhancements, amendments and business
opportunities
• Improved resolution rates at the Service Desk
• Increase in the availability of business-focused management information related to SLAs
Next Steps with ITIL
Scope of IT Consolidation – Executive Order 510
• Agency specific applications
• Helpdesk services
• Desktop & LAN services
• Website information architecture services
• Application services (as proposed by SCIO)
• Data and telecom network services
• Data center services
• Website hosting and portal services
• Shared enterprise services (including e-mail and directory)
Process Integration points with Agencies, Secretariats, and ITD
Service Desk
• Coordinate on incidents involving more than one organization
• Leverage shared tools
• Leverage shared knowledge
• Redirect callers to appropriate resources (ITD vs. Secretariat vs. Agency)

Incident Management
• Coordination of communications and notifications
• Coordination of Incident resolution actions

Request Fulfillment
• Calls to one organization for services that are the responsibility of another organization

Change Management
• Coordinate change planning and approval for resources hosted or managed by ITD

Asset and Configuration Management
• Ownership vs. custodianship (e.g., ITD hosts a server owned by a Secretariat)

Problem Management
• Leverage knowledge beneficial to all: share Known Errors
• Share responsibility for Root Cause Analysis and Problem elimination (e.g., application support and server management)
ISO/IEC 27000 Series
Introduction to ISO/IEC 27000
ISO/IEC 27000 Series Standard Definition
An Information Security Management System (ISMS), based on a business risk approach,
that standardizes the establishment, implementation, operation, monitoring,
review, maintenance and improvement of information security

Additionally, ISO/IEC 27000 is:
• A systematic approach to manage risk and provide a consolidated view to management
• An auditing guide that details what organizations ‘shall’ do – indicates provisions that reflect the requirements of the ISO 27001 standard which are mandatory
  • For an organization to be on the road to certification, it must implement all of the mandatory Clauses 4, 5, 6, 7 and 8 of ISO 27001:2005
• Annex A – Non-mandatory controls found within ISO 27002

Definitions:
ISMS = Information Security Management System
ISO = International Standards Organization
IEC = International Electrotechnical Commission

What gets monitored gets measured, what gets measured gets managed.
ISO/IEC 27001 Structure
1. Scope
2. Normative References
3. Terms & Definitions
4. Information security management system
   4.1 General requirements
   4.2 Establishing and managing ISMS
   4.3 Documentation requirements
      4.3.2 Control of documents
      4.3.3 Control of records
5. Management responsibility
   5.1 Management commitment
   5.2 Resource management
6. Internal ISMS audits
7. Management review of the ISMS
8. ISMS improvement
   8.1 Continual improvement
   8.2 Corrective actions
   8.3 Preventive actions
Annex A (normative), B & C (informative)
The Plan – Do – Check – Act (PDCA) model is used in ISO/IEC 27001
The model is used as the basis for establishing, implementing, operating, monitoring, reviewing,
maintaining and improving the ISMS
Plan (Establish the ISMS & Risk Assessment)
Establish security policy, objectives, targets, processes and procedures relevant to
managing risk to information assets and improving information security to deliver results
in accordance with an organization’s overall policies

Do (Design and Implement the ISMS)
Implement and operate the security policy, controls, processes and procedures.

Check (Monitor & Review the ISMS)
Assess results of detective controls to measure performance and effectiveness.

Act (Maintain and Improve the ISMS)
Take corrective and preventative actions, based on the results of the performance and
effectiveness metrics to achieve continual improvement of the ISMS.

(Figure: the PDCA cycle applied to the ISMS. Interested Parties supply Enterprise Security Architecture Requirements and Business Strategy on the input side; the ISMS Development, Maintenance and Improvement Cycle runs Establish ISMS Context & Risk Assessment, Design and Implement ISMS, Monitor & Review ISMS, and Maintain & Improve ISMS; Interested Parties receive an Established ISMS, Qualitative ROI and Regulatory/Legislative Compliance on the output side.)
ISO/IEC 27001: Control objectives and controls
• 11 Domains
• 39 Control Objectives
• 133 Controls
(Figure relationships shown: “Specifies Requirements” and “Satisfies Objectives”)
11 Security Domains of ISO/IEC 27001
A.5 Security policy (1/2)*
A.6 Organization of information security (2/11)*
A.7 Asset management (2/5)*
A.8 Human resources security (3/9)*
A.9 Physical & environmental security (2/13)*
A.10 Communications & operations management (10/32)*
A.11 Access control (7/25)*
A.12 Information systems acquisition, development & maintenance (6/16)*
A.13 Information security incident management (2/5)*
A.14 Business continuity management (1/5)*
A.15 Compliance (3/10)*
* (control objectives / controls)
Advantages of Implementing the ISO/IEC 27000 Series
• A single reference point for identifying a range of controls needed for most situations where information systems are used
• Facilitation of trading in a trusted environment
• An internationally recognized structured methodology
• A defined process to evaluate, implement, maintain and manage information security
• A set of tailored policy, standards, procedures and guidelines
• The standard provides a yardstick against which security can be judged
ISO/IEC 27000 Implementation Overview
Clause 4.0: Information Security Management System (ISMS) Overview
The fundamental concept behind the ISMS is the implementation and management of a set of
systems processes to help achieve effective information security
Policy
• Demonstration of commitment and principles for action
Planning
• Identification of needs, resources, structure and responsibilities
Implementation and Operation
• Awareness building and training
Performance Assessment
• Monitoring and measuring, handling non-conformities and audits
Improvement
• Corrective and preventative action, and continual improvement
Management Review
• Management’s awareness, acknowledgement and acceptance of risk
Clause 5.0 and 6.0: Management Responsibility and Internal ISMS Audit
Clause 5.0: Management Responsibility
Management Commitment
• Evidence of upper management’s commitment to information security is critical
Resource Management
• Training, awareness and competency

Clause 6.0: Internal ISMS Audit
• Conduct internal ISMS audits at planned intervals to determine whether the control objectives, controls, processes and procedures of the ISMS:
  • Conform to the requirements of the standard
  • Conform to identified security requirements
  • Are effectively implemented and maintained and perform as expected
Clause 7.0 and 8.0: Management Review and Improvement of ISMS
Clause 7.0 Management Review of ISMS
Review Input / Review Output / Review Internal Audit Findings
• Review the ISMS at planned intervals to ensure its continuing suitability, adequacy and effectiveness
• Assess opportunities for improvement and the need for changes to the ISMS, including the security policy and security objectives

Clause 8.0: Improvement of ISMS
Continual Improvement
• Continually improve the effectiveness of the ISMS through the use of:
  • The information security policy
  • Security objectives
  • Audit results
  • Analysis of monitored events
  • Corrective and preventive actions
  • Management review
Corrective Action
• Take action to eliminate the cause of nonconformities with the ISMS requirements to prevent reoccurrence
Preventive Action
• Determine and eliminate the cause of potential nonconformities with ISMS requirements
Annex A: Non-Mandatory Controls
Annex A Control Areas
• A5: Security Policy
• A6: Organization of IS
• A7: Asset Management
• A8: Human Resources Security
• A9: Physical and Environmental Security
• A10: Communications and Operations Management
• A11: Access Control
• A12: Information Systems Acquisition, Development and Maintenance
• A13: Information Security Incident Management
• A14: Business Continuity Management
• A15: Compliance
ISO/IEC 27000 for the Commonwealth of MA
Controls Overview: Responsibility for Assets
Topic: Responsibility for Assets
Control Objective: To achieve and maintain appropriate protection of the organizational assets.
Controls:
• Inventory of assets
• Ownership of assets
• Acceptable use of assets

How could this control apply at the Commonwealth?
• Develop policy regarding asset management
• Documented list of all agency assets (i.e., through an asset management system)
• Documented processes and procedures discussing ownership of assets
• Documented Acceptable Use Policy for Assets at an Agency
• Documented process which categorizes the importance of different assets to an agency (i.e., office supplies vs. production computers)
Controls Overview: Information Classification
Topic: Information Classification
Control Objective: To ensure that Information Assets receive an appropriate level of protection.
Controls:
• Classification guidelines
• Information labeling and handling

How could this control apply at the Commonwealth?
• Implement an information classification system (manual or automated) that segregates information, for example:
  • Top Secret
  • Secret
  • Confidential
  • Restricted
  • Public
Controls Overview: Equipment Security
Topic: Equipment Security
Control Objective: To prevent loss, damage or compromise of assets and interruption to business activities.
Controls:
• Equipment protection
• Supporting utilities
• Cabling security
• Equipment maintenance
• Security of equipment off-premises
• Secure disposal or re-use of equipment
• Removal of property

How could this control apply at the Commonwealth?
• Data Center policies and procedures specifically around equipment usage
• Documented procedures for equipment disposal (clearing hard drives, etc)
• Equipment labeling (barcoding, RFID, etc)
• Equipment maintenance schedules
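The three control slides above (Responsibility for Assets, Information Classification and Equipment Security) each ask for something documented: an inventory, an owner per asset, a classification scheme, an importance category and a disposal procedure. Those documents become auditable evidence once the inventory is checked mechanically. The following is an added example, not code from the workshop deck or from any Commonwealth system: it runs a conformance check over a constructed asset inventory export, flagging assets with no owner, a classification outside the slide's example scheme, an uncategorized importance, or a disposed status without a recorded sanitization step, and it lists assets whose custodian differs from their owner, the ownership-vs-custodianship case raised on the integration-points slide. The column names, the importance categories and every record are assumptions.

```python
"""Asset inventory conformance check: an added example, not from the workshop deck.

Checks an inventory export against the A.7 (responsibility for assets,
information classification) and A.9 (secure disposal) controls discussed on
the slides. Column names, importance labels and all records are assumptions.
"""
import csv
import io

# Classification scheme taken from the slide's example (Top Secret .. Public).
CLASSIFICATIONS = ("Top Secret", "Secret", "Confidential", "Restricted", "Public")
# Assumed importance categories (the slide contrasts office supplies with production computers).
IMPORTANCE = ("critical", "high", "normal", "low")

# Constructed inventory export; not real Commonwealth data.
SAMPLE_INVENTORY = """\
asset_id,name,owner,custodian,classification,importance,status,sanitized
A-001,payroll-db01,HRD,ITD,Confidential,critical,in-service,
A-002,web-portal01,EOHHS,ITD,Public,high,in-service,
A-003,old-fileserver,,ITD,Restricted,normal,disposed,
A-004,laptop-4471,DOR,DOR,Internal,low,in-service,
A-005,backup-tape-set,DOR,ITD,Confidential,high,disposed,yes
"""


def parse_inventory(text):
    """Parse a CSV export into a list of dict records (one per asset)."""
    return list(csv.DictReader(io.StringIO(text)))


def check_asset(rec):
    """Return (asset_id, finding) tuples for every control gap on one record."""
    findings = []
    aid = rec["asset_id"]
    if not rec["owner"].strip():
        findings.append((aid, "no owner assigned (A.7 ownership of assets)"))
    if rec["classification"] not in CLASSIFICATIONS:
        findings.append((aid, f"classification '{rec['classification']}' not in scheme (A.7 classification)"))
    if rec["importance"] not in IMPORTANCE:
        findings.append((aid, f"importance '{rec['importance']}' not categorized"))
    if rec["status"] == "disposed" and rec["sanitized"].strip().lower() != "yes":
        findings.append((aid, "disposed without recorded sanitization (A.9 secure disposal)"))
    return findings


def check_inventory(text):
    """All findings across the export, in record order."""
    findings = []
    for rec in parse_inventory(text):
        findings.extend(check_asset(rec))
    return findings


def custodianship_report(text):
    """Assets whose custodian differs from their owner (e.g., ITD hosting a Secretariat's server)."""
    return [r["asset_id"] for r in parse_inventory(text) if r["custodian"] != r["owner"]]


if __name__ == "__main__":
    for aid, msg in check_inventory(SAMPLE_INVENTORY):
        print(f"{aid}: {msg}")
    print("owner != custodian:", custodianship_report(SAMPLE_INVENTORY))
```

The same check is what an internal ISMS audit (Clause 6) would otherwise do by hand: each finding names the control it traces to, so the output doubles as the nonconformity list that Clause 8 corrective action starts from. The custodianship report is a reminder that a consolidated data center changes who holds the equipment without changing who is accountable for the information on it.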
Next Steps for Secretariats
ITIL v3 and ISO 27001 provide a framework for Secretariats as they continue their
process of IT service consolidation
• Review ITIL processes and apply them to meet Secretariat requirements
• Leverage and apply the Helpdesk Strategy and Desktop/LAN Strategy Documents, which will provide additional guidance on application of relevant ITIL processes and functions
• Promote open communication between Secretariat IT service leads and Service Management Working Group leads to facilitate knowledge sharing between Secretariat and ITD applications of ITIL and ISO standards
Commonwealth ITIL and ISO Point of Contact
ITIL: John Letchford (John.Letchford@state.ma.us)
ISO: Dan Walsh (Dan.Walsh@MassMail.State.MA.US)
Supported by: Jeff Tarbox (jtarbox@deloitte.com)
© 2008 Deloitte Touche Tohmatsu