IT Services Security
IT Environment Management
Faculty of Electrical Engineering and Informatics, Technical University of Košice
Ing. Ivan Makatura (imakatura@vub.sk)
FEI TUKE - Riadenie IT služieb – Bezpečnosť IT služieb (IT Service Management – IT Service Security)

Introduction to ITSM/ITIL

What is ITSM?
• For a company in a competitive environment to achieve the objectives set by its corporate strategy, it has to run high-quality business processes.
• Modern business processes depend on high-quality IT services.
• A precondition for IT services to function properly is a high-quality ICT infrastructure.
• A high-quality ICT infrastructure is a necessary but not a sufficient condition for properly functioning IT services. The way the services are provided must also be managed.
• The management of IT services is called IT Service Management (ITSM).
• Content of ITSM = the definition of the processes an enterprise should implement to ensure a continuous supply of quality IT services at optimal cost.

What is ITIL?
ITIL, the "IT Infrastructure Library":
• A comprehensive set of "best practices" for IT services
• A series of books intended to help organizations develop quality IT services
• Owned and maintained by the OGC (UK Office of Government Commerce)
• Not a methodology: neither a methodology for IT service management nor a methodology for implementing it in an organization
• The global de facto framework for ITSM
• As a framework for designing ITSM processes, ITIL leaves much discretion in how they are implemented
• ITIL does not say "HOW"; it says "WHAT" is recommended in ITSM

ITIL characteristics
• Process management
– ITIL takes a process-oriented approach to IT service management (as opposed to traditional management by function).
– A process is a logical sequence of tasks transforming inputs into a particular output; the performance of the individual tasks is ensured by roles with clearly defined responsibilities.
– The whole process is controlled, monitored, measured, evaluated and continuously improved.
• Customer-oriented approach
– All processes are designed around customer needs,
– i.e. every activity and every action in every process has to bring some added value to the customer.
• Clear terminology
– Clear terminology is sometimes an under-appreciated or entirely overlooked characteristic of ITIL, but only until we first have to resolve a misunderstanding caused by someone using a term in a different sense than we expect.
• Platform independence
– The framework of ITSM processes according to ITIL is independent of any platform.
• Public domain
– The library is freely available: anyone can buy the ITIL books and implement ITSM processes according to ITIL in their business.
– The free availability of the ITIL library, among other things, contributed to the rapid worldwide spread of ITIL.
ITIL advantages
• IT services become more customer-oriented
• The quality of IT services improves
• The cost of IT services becomes more manageable
• IT organizations evolve into manageable structures and become more efficient
• Changes in ICT become simpler and clearer
• There is a unified framework for internal communication with the IT organization
• ICT processes are standardized and integrated
• Auditable and verifiable metrics for the performance and quality of IT services are defined

Standardization framework

IT security standardization
• ISO/IEC 20000: Information technology - Service management - Specification for service management
• ISO/IEC 17799: Code of practice for information security management (renumbered ISO/IEC 27002 in 2007)
• ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements (the auditable ISMS standard; the code of practice is ISO/IEC 27002)
• ISO/IEC 27003: Information technology - Security techniques - Information security management system implementation guidance (information security risk management is the subject of ISO/IEC 27005)
• ISO/IEC 15408: Information technology - Security techniques - Evaluation criteria for IT security (the Common Criteria)

Relation between ITIL and ISO 20000 (a)
ISO/IEC JTC 1 – Information Technology: subcommittees
JTC 1/SWG-A  Accessibility (the convener can be reached through the secretariat)
JTC 1/SC 2   Coded character sets
JTC 1/SC 6   Telecommunications and information exchange between systems
JTC 1/SC 7   Software and systems engineering
JTC 1/SC 17  Cards and personal identification
JTC 1/SC 22  Programming languages, their environments and system software interfaces
JTC 1/SC 23  Digitally recorded media for information interchange and storage
JTC 1/SC 24  Computer graphics, image processing and environmental data representation
JTC 1/SC 25  Interconnection of information technology equipment
JTC 1/SC 27  IT Security techniques
JTC 1/SC 28  Office equipment
JTC 1/SC 29  Coding of audio, picture, multimedia and hypermedia information
JTC 1/SC 31  Automatic identification and data capture techniques
JTC 1/SC 32  Data management and interchange
JTC 1/SC 34  Document description and processing languages
JTC 1/SC 35  User interfaces
JTC 1/SC 36  Information technology for learning, education and training
JTC 1/SC 37  Biometrics

Relation between ITIL and ISO 20000 (b)
JTC 1/SC 7 – Software and Systems Engineering (figure): working groups WG1A, WG2, WG4, WG6, WG7, WG10, WG19, WG20, WG21, WG22, WG23, WG24, WG25, WG26 and WG42. Three areas are highlighted:
• IT Governance – ISO 38500
• Software life-cycle processes – ISO 12207, ISO 15288
• IT Service Management – ISO 20000-1, ISO 20000-2

Relation between ITIL and ISO 20000 (c)
JTC 1/SC 27 – IT Security Techniques (figure):
• WG1 ISMS – ISO 27001, ISO 27002
• WG2 Cryptography and security mechanisms
• WG3 Security evaluation criteria
• WG4 Security controls and services
• WG5 Identity management and privacy technologies

Scope of ISO/IEC JTC 1/SC 27 (IT Security techniques)
(figure) The working groups are laid out by the kind of deliverable they produce and the object they address: WG 3 "Security Evaluation" (assessment); WG 1 "ISMS" and WG 4 "Security Controls & Services" (guidelines); WG 2 "Cryptography & Security Mechanisms" and WG 5 "Privacy, Identity & Biometric Security" (techniques); the objects covered are product, system, process and environment.
• ISO/IEC JTC 1/SC 27 = SÚTN TK37 / SK02
• The breakdown of TK37 / SK02 into working groups mirrors that of JTC 1/SC 27

IT infrastructure library v.2

ITIL v2 library structure
• Mutual relations of the ITIL publications
• Relations of the specific publications to business processes and the ICT infrastructure
(figure, © OGC) Between "The Business" and "The Technology" the publications are arranged as: Planning to Implement Service Management; Service Management (Service Support, Service Delivery); The Business Perspective; ICT Infrastructure Management; Security Management;
Application Management.

Operational disciplines according to ITIL v2
• Operational ITSM disciplines described in the Service Support book:
• Service Desk (a function, not a process)
– The Service Desk gives users a single point of contact for their requirements
– The chapter describes how to create and run the Service Desk as an effective communication channel between users and the providers of IT services
• Configuration Management – provides a logical model of the infrastructure or services by identifying, controlling, maintaining and verifying all configuration items that are deployed
• Incident Management – process that restores the service as quickly as possible and minimizes the consequences of service failures for the business
• Problem Management – process of discovering the underlying causes of incidents. Problem Management initiates fixes of errors (including security bugs) in the ICT infrastructure and is applied proactively to prevent problems
• Change Management – process that uses standardized methods and procedures to implement changes effectively and quickly. The purpose is to minimize incidents caused by changes
• Release Management – process that ensures the successful deployment and distribution of changes in the ICT infrastructure. It ensures that both aspects of a deployment (technical and organizational) are consistent

Tactical disciplines according to ITIL v2
• Tactical ITSM processes described in the Service Delivery book:
• Service Level Management – planning, coordinating, drafting, concluding, monitoring and evaluating service agreements with customers (Service Level Agreements, SLA) and the supporting agreements with internal teams and subcontractors (Operational Level Agreements, OLA, and Underpinning Contracts, UC). The aim is to manage and improve service quality and the customer relationship
• Capacity Management – responsible for ensuring that the infrastructure permanently has sufficient capacity to meet all business requirements, both current and future
• Availability Management – responsible for achieving a level of availability of IT services that corresponds to the business requirements. It achieves this by measuring and monitoring the availability of IT services, comparing the values with the business requirements for availability and then initiating the steps leading to the desired state
• IT Service Continuity Management – manages the capability to provide the defined service levels in the event of a system failure (from the failure of an application component up to the complete loss of the conditions necessary for the business)
• Financial Management for IT Services – responsible for recording the cost of IT services, evaluating the return on investment in IT services and the costs of all aspects of recovery. Provides the documentation for setting the ICT budget and the price list

ITIL v2 library – brief summary (a)
• Service Support
– Describes the processes at the operational management level
– The processes are predominantly of a daily, routine operational character
– In summary, the processes described in the book support the daily use of IT services by their users
• Service Delivery
– Describes the processes at the tactical management level
– The processes are predominantly of a long-term planning character
– In summary, the processes described in the book build the relationship with customers and achieve their long-term satisfaction with the provision of IT services
• ICT Infrastructure Management
– Describes the processes relating to the management of the ICT infrastructure
– The book addresses all aspects of ICT, from identifying business requirements through tendering to the testing, installation, deployment and maintenance of the components that support ICT services
• Application Management
– Describes the life-cycle processes of application software
– The book covers the processes from the initial feasibility study through development, testing, documentation, user training, deployment into the production environment, operation and change control up to the retirement of the application

ITIL v2 library – brief summary (b)
• The Business Perspective
– A book for business managers
– Presents the basic principles of the ICT infrastructure needed to support business processes (e.g. IT Service Management)
– The book also includes the ITIL publication Quality Management for IT Services, which describes the correlation of ITSM processes with the provisions of the quality management standards (ISO 9000)
• Planning to Implement Service Management
– Intended for members of implementation teams
– Describes the processes, tasks and problems associated with planning, implementing and improving IT Service Management processes
• Security Management
– Describes the organization and management of ICT infrastructure security from the perspective of IT managers
– Describes the process of planning and managing a defined level of information security for IT services, including all aspects of the response to security incidents
• Software Asset Management
– Describes the processes for managing, controlling and protecting software assets in all stages of their life cycle

IT infrastructure library v.3

ITIL v3 core
(figure, © OGC) Service Strategy at the centre, surrounded by the three life-cycle stages Service Design, Service Transition and Service Operation, all enclosed by Continual Service Improvement.

ITIL v3 library structure
(figure, © OGC) Processes and functions by life-cycle stage:
• Service Strategy: Strategy generation; Service portfolio management; Demand management; Financial management
• Service Design: Service catalogue management; Service level management; Supplier management; Capacity management; Availability management; IT service continuity management; Information security management
• Service Transition: Service asset and configuration management; Knowledge management; Change management; Release and deployment management; Transition planning and support; Service validation and testing; Evaluation
• Service Operation: Event management; Incident management; Access management; Problem management; functions: Service desk, Application management, Technical management, IT operations management
• Continual Service Improvement: Service measurement; Service reporting; 7-step improvement process

Basic differences between ITIL v2 and ITIL v3 (a)
• Change in concept – the service life cycle becomes dominant
• Change in scope – new processes added: "Demand Management", "Test Management", "Supplier Management", "Event Management" and others
• Change in terminology – definition of a service, definition of the "Service Management" process, new terms Service Catalogue/Service Portfolio, DSL/DML
• Change in the position of IT services – traceability to the business
• Change in structure – CSI becomes a separate process
• "Good practice" instead of "best practice"
• New understanding of the service from the customer's point of view: a combination of "utility" (fitness for purpose) and "warranty" (fitness for use)
(figure, © OGC) The ITIL v2 books (Service Support, Service Delivery, ICT Infrastructure Management, The Business Perspective, Security Management, Application Management, Planning to Implement Service Management) mapped onto the ITIL v3 life cycle (Service Strategy, Service Design, Service Transition, Service Operation, Continual Service Improvement).

Relations between ITSM processes and IT security processes

Security process
• Security = maintaining an acceptable level of the identified risk
– A complex of processes and activities that avert or reduce the identified risks, i.e. the manifestations of threats affecting information assets.
– Security is not a state to be reached, nor a product. Security is an ongoing, continuous process.
(figure) The security cycle: Protection, Detection, Reaction, Evaluation, and back to Protection.

Basic goals of IT security
• Confidentiality – only authorized personnel have access
• Integrity – data is protected against unauthorized modification
• Availability – reliable and prompt access to data
• Accountability – unambiguous identifiability of who accessed data, and of what was done with it
(The four are abbreviated C-I-A-A in the figure.)
Examples of incidents in individual categories
(figure only; the examples are not reproduced in the slide text)

Layered model of information protection
(figure) Concentric layers, from the outside in: Internet / exterior, Perimeter, Network, Host, Application, Data, Premises, down to the information assets at the centre. Controls shown across the layers: security program; monitoring procedures; reporting and escalation; incident management; forensic evidence; firewalling, VPNs and intrusion detection; routing; entrance control; extranets and intranets; LAN/WAN traffic; OS monitoring; vulnerability checking; application controls; database monitoring.

Security levels
(figure) From non-restrictive to restrictive policy:
• Benevolent – everything is allowed, including what should not be
• Liberal – everything is allowed except the activities that are explicitly disabled (default allow with a denylist)
• Careful – everything is disabled except the activities that are explicitly allowed (default deny with an allowlist)
• Paranoid – everything is disabled, including activities that should be allowed

Relations between security attributes according
to ISO/IEC 15408
(figure, © Common Criteria for Information Technology Security Evaluation: "Security concepts and relationships") Relations between the basic terms of IT security according to the Common Criteria.

IT security according to ITIL
• ITIL requires effective information security measures to be implemented at the strategic, tactical and operational levels
• Information security is treated as an iterative process that must be controlled, planned, implemented, tested and maintained
• ITIL divides information security into separate layers:
– Policy – the overall objectives the organization wants to achieve
– Processes – what should be done to achieve the objectives
– Procedures – who does what, and when, to achieve the objectives
– Work instructions – instructions for specific activities
• ITIL defines information security as a complex, cyclical process of continuous review and improvement

IT security according to ITIL
(figure only)

IT security according to ITIL
1. The recipients of ICT services identify their security requirements through a risk analysis
2. The IT department assesses the suitability of the requirements and compares them with the minimum requirements for information security
3. The recipients of ICT services and the IT department together define formally agreed service levels (Service Level Agreement, SLA):
 1. The SLA contains the information security requirements in clear, measurable terms and values
 2. The SLA specifies how fulfilment of the agreed level of information security can be proven
4. Within the IT department, and with the contractor organizations, a formal Operational Level Agreement (OLA) is jointly defined and agreed
5. The OLA specifies in detail how the information security of the services is ensured; the SLA and OLA are continuously monitored and enforced
6. The subscribers of ICT services receive regular reports on the state and effectiveness of the services and of information security
7. The SLA and OLA are adjusted whenever necessary

IT security: ITIL v2 vs. ITIL v3
Common features of the information security process in ITIL v2 and ITIL v3:
• The information security processes are based on standards:
– ISO/IEC 17799 – Code of practice for information security management
– ISO/IEC 27001 – Information security management systems standard
• A security incident is treated as a subset of the Incident Management process
• Vulnerability management is treated as a subset of the Problem Management process
Differences between the information security processes of ITIL v2 and ITIL v3:
• ITIL v2: "Information security management" does not exist as a separate ITSM discipline. ITIL v3: "Information security management" is a separate ITSM discipline.
• ITIL v2: the processes related to information security are described in one book, Security Management. ITIL v3: the processes related to information security are integrated into most processes.
• ITIL v2: the information security processes are divided into two main segments: setting the baseline level of security through the SLA, and implementing the security requirements defined in the SLA. ITIL v3: the information security processes are incorporated into all parts of the Service Design book: Service Catalogue Management (Section 4.1, p. 60), Service Level Management (Section 4.2, p. 65), Capacity Management (Section 4.3, p. 79), Availability Management (Section 4.4, p. 97), IT Service Continuity Management (Section 4.5, p. 125), Information Security Management (Section 4.6, p. 141).

IT Service Continuity Management – ITSCM (ITIL v3)
• The main goal of the ITSCM process:
– To support the Business Continuity Management process in full by ensuring that the required ICT facilities can be restored within the required and agreed timescales
– "IT Service Continuity" refers to the organization's ability to keep providing a predetermined and agreed minimum level of ICT services to support its business processes when the current ICT services fail
• The ITSCM process includes:
– Ensuring the sustainability of business processes by reducing the impact of large-scale emergency outages or failures
– Reducing vulnerability and risk through effective risk analysis and risk management
– Preventing loss of customer confidence
– Developing recovery plans for ICT facilities, suitably harmonized with the business continuity plans of the customer

Information Security Management – ISM (ITIL v3)
• The main objective of the ISM process: to align information security with business security and to ensure that information security is managed effectively across all service areas and in all ITSM activities
• The ISM process includes:
– The information security policy and the specific security policies covering all aspects of strategy, control and regulation
– The Information Security Management System (ISMS), containing the standards, procedures and guidelines that support the policy
– A comprehensive security strategy linked to the business objectives, strategies and plans
– An effective security organization structure
– A set of controls supporting the security policy
– Management of security risks
– Monitoring processes to ensure compliance and provide feedback
– A communication strategy and security plan
– A training and awareness plan for users
ISM process according to the Service Design book (a)
• Development and maintenance of the information security policy and the supporting specific policies
• Ensuring proper authorization, a formal expression of commitment, and approval by senior IT management and business management
• Communicating the information security policies to all stakeholders
• Ensuring that the information security policy is enforced and observed
• Identification and classification of information assets (configuration items) and of their required level of control, management and protection
• Performing the Business Impact Analysis (BIA)
• Performing security risk analysis and risk management, and linking them to Availability Management and IT Service Continuity Management
• Design and development of security plans
• Design and documentation of the procedures for operating and maintaining security
• Monitoring and management of all security breaches and incident handling, including corrective actions to prevent recurrence of the incident
(source: ITIL V3 Pre Reading Notes V1.60, p. 36, © Purple Griffon 2007)

ISM process according to the Service Design book (b)
• Reporting, analysis and minimization of the impact and extent of all security incidents, together with the Problem Management process
• A model for educating users and raising their awareness
• Control and monitoring of the security documentation
• Review and auditing of all processes
• Ensuring that all changes are reviewed for their impact on information security, including the information security policy, and attending Change Advisory Board (CAB) meetings whenever necessary
• Performing security tests
• Strict enforcement of the additional security checks in the action plan for any previous violation of the security rules
• Ensuring that the confidentiality, integrity and availability of the services are maintained at the level agreed in the SLA, and that they meet all relevant legislative requirements
• Ensuring that all third-party access and all ICT service suppliers are appropriate and contractually based
• Acting as the focal point of contact for all security incidents

Service Level Agreement (SLA)
• An SLA is a formal, written agreement that documents the level of the services, including the information security services
• The SLA is a key part of the information security process of the ITIL framework
• The SLA should include performance indicators (Key Performance Indicators, KPI) and performance criteria
• A typical SLA should include:
– The permitted methods of access to information assets
– Agreement on how auditing and log management are done
– The level of physical security
– The method of training users and raising their awareness of information security
– A general description of the identity life cycle, the authentication methods and the authentication procedures
– Agreement on how security incidents are handled
– The requirements for auditing and reporting

Security documentation according to ITIL
Documentation required for information security in accordance with ITIL:
• Service Level Agreement (SLA) – a formal agreement on the level of the services, including information security
• Operational Level Agreement (OLA) – a detailed specification of how the information security of the services is ensured
• Information security policy:
– Objectives and scope of information security for the organization
– Objectives and management principles for information security management
– Definition of information security roles and responsibilities
– The security policy should be issued by the organization's senior management
• Information security plans:
– Description of how the policy is implemented in specific
information systems, processes and organizational units
• Information security handbook:
– Working documents for everyday use
– Specific, detailed work instructions

How ITIL can improve the level of information security (a)
• ITIL keeps information security continually focused on the business and its services
– Information security is often perceived as just another cost, or as a barrier to business functions
– With the help of ITIL, the owners of business processes and the IT service providers agree on the level of information security
– This ensures that the services are aligned with business needs
• ITIL allows organizations to develop and implement information security in a structured manner based on best practice (good practice)
– Information security shifts from a reactive to a proactive and preventive process
• ITIL's requirement for continual assessment provides a continuous review of the effectiveness of changes in terms of reducing the level of risk and threat
• ITIL establishes documented processes and standards (e.g. SLA and OLA), which can be effectively monitored and audited
– This helps an organization assess the effectiveness of its own information security program and compare it with regulatory requirements (such as NBS, NSA, ÚOOÚ, Basel II, SOX)
• ITIL provides a foundation on which information security can be built
– Many ITIL disciplines (e.g. Change Management, Configuration Management and Incident Management) can substantially raise the level of information security (e.g. a significant number of incidents are caused by inadequate change management)

How ITIL can improve the level of information security (b)
• The organized ITIL framework prevents a subjective, ad hoc and chaotic implementation of information security processes
– ITIL requires consistent, measurable information security processes to be designed and built into ICT services before an incident occurs. This really saves time, money and effort.
• The reporting required by ITIL provides management with valuable information about the effectiveness of the organization's information security
– Reporting allows management to make informed decisions about managing operational risk
• ITIL defines roles and responsibilities in information security
– During any incident it is then clear who is responsible for what and who has done what
– ITIL establishes a common language for discussing information security, so security staff can communicate more effectively with internal and external professional partners
– Security staff can more easily understand discussions of information security with other groups of employees
• ITIL helps managers understand that information security is a key part of successful business processes and of a well-functioning organization

Summary
• Information security requirements are growing in scope, complexity and importance
• It is risky, costly and inefficient for an organization to base its information security on subjectively developed solutions
• With ITIL these can be replaced by standardized, integrated processes based on best practice (good practice)
• Although it takes time and effort, ITIL can improve how the organization implements and manages information security

itSMF
• itSMF (IT Service Management Forum) is an international, non-profit and independent organization of professionals dedicated to all aspects of services in information and communication technologies
• itSMF is perceived as the professional association of users of the ITIL standard, and it significantly influences the development of the industry
• itSMF Slovakia is a fully-fledged part of the worldwide network of itSMF International
• Secretariat: itSMF Slovensko, Dlhá 2/B, 900 31 Stupava
• E-mail: itsmf@itsmf.sk
• Web (Slovakia): www.itsmf.sk
• Web (International): www.itsmf.org

Ivan Makatura
Chief Security Officer, VÚB Banka a.s.
imakatura@vub.sk
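Worked example for the "Security levels" slide (Benevolent, Liberal, Careful, Paranoid). This is an added illustration, not code from the lecture; it models each level as a default decision plus a rule list and scores the four levels against constructed sample traffic. The request format (source zone, destination zone, service), the rule syntax and every request below are assumptions made for the example. The point it makes is the one behind the "Careful" level: a denylist (default allow) silently admits any activity its authors did not anticipate, while an allowlist (default deny) blocks it without needing to know about it in advance.

```python
"""Policy evaluation for the four security levels on the "Security levels"
slide (Benevolent, Liberal, Careful, Paranoid). Added example; the request
format, the rule syntax and the sample traffic are constructed for
illustration and do not describe any real product or network."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Request = Tuple[str, str, str]   # (source zone, destination zone, service)
Rule = Tuple[Request, bool]      # (pattern, allow?) where "*" matches any field


@dataclass(frozen=True)
class Policy:
    name: str
    default_allow: bool            # decision when no rule matches the request
    rules: Tuple[Rule, ...] = ()   # evaluated in order, first match wins

    def decide(self, req: Request) -> bool:
        for pattern, allow in self.rules:
            if all(p == "*" or p == field for p, field in zip(pattern, req)):
                return allow
        return self.default_allow


# The four levels from the slide, each as a default decision plus a rule list.
BENEVOLENT = Policy("Benevolent", default_allow=True)      # allow all, no rules
LIBERAL = Policy("Liberal", default_allow=True, rules=(    # default allow + denylist
    (("*", "internet", "telnet"), False),
    (("*", "internet", "smb"), False),
))
CAREFUL = Policy("Careful", default_allow=False, rules=(   # default deny + allowlist
    (("office", "internet", "https"), True),
    (("office", "internet", "dns"), True),
    (("admin", "servers", "ssh"), True),
))
PARANOID = Policy("Paranoid", default_allow=False)         # deny all, no rules

# Constructed sample traffic: (request, does the business want it allowed?).
# The last entry is an activity nobody anticipated when the rules were written.
TRAFFIC: List[Tuple[Request, bool]] = [
    (("office", "internet", "https"), True),
    (("office", "internet", "dns"), True),
    (("admin", "servers", "ssh"), True),
    (("office", "internet", "telnet"), False),
    (("office", "internet", "smb"), False),
    (("guest-wifi", "servers", "rdp"), False),   # appears in no rule list
]


def evaluate(policy: Policy, traffic: List[Tuple[Request, bool]] = TRAFFIC) -> Dict[str, int]:
    """Count the two kinds of mistake a policy can make on the sample traffic."""
    wrongly_allowed = wrongly_denied = 0
    for req, intended in traffic:
        decision = policy.decide(req)
        if decision and not intended:
            wrongly_allowed += 1   # the security failure: unwanted activity got through
        elif intended and not decision:
            wrongly_denied += 1    # the usability failure: legitimate activity blocked
    return {"wrongly_allowed": wrongly_allowed, "wrongly_denied": wrongly_denied}


def compare_levels(traffic: List[Tuple[Request, bool]] = TRAFFIC) -> Dict[str, Dict[str, int]]:
    """Score all four levels. Only the Careful (default deny) policy neither
    lets the unanticipated RDP request through nor blocks business traffic."""
    return {p.name: evaluate(p, traffic) for p in (BENEVOLENT, LIBERAL, CAREFUL, PARANOID)}


if __name__ == "__main__":
    for name, result in compare_levels().items():
        print(f"{name:10s} {result}")
```

The price of the Careful level is visible in the allowlist: every new legitimate need has to be added as a rule through Change Management, otherwise it shows up as a "wrongly denied" request. The Liberal level needs no such maintenance, which is exactly why its error is the dangerous one.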
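Worked example for the SLA steps on the "IT security according to ITIL" slides (the SLA states security requirements "in clear measurable terms and values" and "specifies how it can be proven" that they are met) and for the "Service Level Agreement" slide (KPIs and performance criteria). This is an added illustration, not code or data from the lecture: it turns three security requirements into numeric targets and computes the evidence for a monthly report from operational records. The three targets (99.9 % monthly availability, critical incidents contained within 4 hours, critical/high patches applied within 14 days), the service names and all outage, incident and patch records are constructed for the example.

```python
"""SLA security KPIs measured from operational records. Added example; the
three targets, the service names and all records below are constructed for
illustration and are not taken from the lecture or from any real SLA."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Sequence


@dataclass
class Outage:
    service: str
    start: datetime
    end: datetime

@dataclass
class SecurityIncident:
    ident: str
    severity: str          # "critical", "high", "medium" or "low"
    detected: datetime
    contained: datetime

@dataclass
class PatchRecord:
    name: str
    severity: str
    released: datetime
    applied: Optional[datetime]   # None = not yet applied

# Assumed SLA targets, written as numbers so that they can be checked.
SLA = {
    "availability_pct_min": 99.9,           # per service, per calendar month
    "critical_containment_hours_max": 4,    # for every critical security incident
    "high_patch_days_max": 14,              # for every critical/high patch
}

def availability_pct(outages: Sequence[Outage], service: str,
                     period_start: datetime, period_end: datetime) -> float:
    """Percentage of the period during which the service was up; outages are
    clipped to the period so time outside the month is not counted."""
    total = (period_end - period_start).total_seconds()
    down = 0.0
    for o in outages:
        if o.service != service:
            continue
        s, e = max(o.start, period_start), min(o.end, period_end)
        if e > s:
            down += (e - s).total_seconds()
    return round(100.0 * (1.0 - down / total), 3)

def containment_breaches(incidents: Sequence[SecurityIncident], max_hours: float) -> List[str]:
    """Critical incidents whose detection-to-containment time exceeded the target."""
    limit = timedelta(hours=max_hours)
    return [i.ident for i in incidents
            if i.severity == "critical" and (i.contained - i.detected) > limit]

def patch_breaches(patches: Sequence[PatchRecord], max_days: int, as_of: datetime) -> List[str]:
    """Critical/high patches applied late, or still missing after the deadline.
    A patch whose window has not yet expired is not a breach."""
    limit = timedelta(days=max_days)
    late = []
    for p in patches:
        if p.severity not in ("critical", "high"):
            continue
        done = p.applied if p.applied is not None else as_of
        if done - p.released > limit:
            late.append(p.name)
    return late

def sla_report(outages, incidents, patches, services: Sequence[str],
               period_start: datetime, period_end: datetime) -> Dict[str, dict]:
    """Evidence per KPI: measured value (or list of breaches), target, met?"""
    report: Dict[str, dict] = {}
    for svc in services:
        pct = availability_pct(outages, svc, period_start, period_end)
        report[f"availability:{svc}"] = {"measured": pct, "target": SLA["availability_pct_min"],
                                         "met": pct >= SLA["availability_pct_min"]}
    cb = containment_breaches(incidents, SLA["critical_containment_hours_max"])
    report["critical_containment"] = {"breaches": cb, "met": not cb,
                                      "target": f"<= {SLA['critical_containment_hours_max']} h each"}
    pb = patch_breaches(patches, SLA["high_patch_days_max"], period_end)
    report["high_patching"] = {"breaches": pb, "met": not pb,
                               "target": f"<= {SLA['high_patch_days_max']} days each"}
    return report

# Constructed records for one month (March 2024, 44 640 minutes).
P0, P1 = datetime(2024, 3, 1), datetime(2024, 4, 1)
SERVICES = ("web-banking", "mail")
OUTAGES = [
    Outage("web-banking", datetime(2024, 3, 10, 2, 0), datetime(2024, 3, 10, 2, 30)),   # 30 min
    Outage("mail", datetime(2024, 3, 15, 8, 0), datetime(2024, 3, 15, 9, 30)),          # 90 min
]
INCIDENTS = [
    SecurityIncident("INC-1", "critical", datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 5, 12, 15)),
    SecurityIncident("INC-2", "critical", datetime(2024, 3, 20, 22, 0), datetime(2024, 3, 21, 5, 0)),
    SecurityIncident("INC-3", "medium", datetime(2024, 3, 22, 9, 0), datetime(2024, 3, 24, 9, 0)),
]
PATCHES = [
    PatchRecord("patch-A", "high", datetime(2024, 3, 1), datetime(2024, 3, 9)),   # applied in 8 days
    PatchRecord("patch-B", "critical", datetime(2024, 3, 2), None),               # still open after 30 days
    PatchRecord("patch-C", "high", datetime(2024, 3, 25), None),                  # open 7 days, within window
    PatchRecord("patch-D", "low", datetime(2024, 3, 1), None),                    # out of scope
]

if __name__ == "__main__":
    for kpi, row in sla_report(OUTAGES, INCIDENTS, PATCHES, SERVICES, P0, P1).items():
        print(kpi, row)
```

Each row of the report is the "proof" the SLA slide asks for: the target, the measured value and the identifiers of the records that breached it, so that the regular service report (step 6 on the slide) can be traced back to Incident Management, Availability Management and Problem Management data rather than to opinion.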