ITIL Security Management
What is ITIL Security Management?
The ITIL Security Management process describes how security fits, in a structured way, into the management organization. It is based on the Code of Practice for Information Security Management, which is also widely known as ISO/IEC 17799. In this context, Security Management essentially means information security management.
The primary goal of information security is to guarantee the safety of an organization’s information. Information is an asset, and it is the value of that information that must be protected. That value is determined by its confidentiality, its integrity, and its availability. Secondary aspects include privacy, anonymity, and verifiability.
What is the goal of Security Management?
Security Management has a single goal that is split into two parts. The first part is the realization of the security requirements defined in the Service Level Agreement (SLA) and of other external requirements, which are usually specified in underpinning contracts, legislation, and any internal or external policies that are binding on the organization.
The second part of the goal is the realization of a basic level of security. This is necessary to guarantee the continuity of the management organization. It also simplifies Service Level Management for information security: it is less complicated to manage a limited number of SLAs than a large number of them.
The actual input to the Security Management process consists of the SLAs with their specific security requirements, legislation, and other underpinning contracts. These requirements can also serve as Key Performance Indicators (KPIs).
A KPI indicates whether a key performance goal is being met within an organization, and thereby whether the organization is headed in the right direction to meet its organizational goals. KPIs can also be used for process management and for validating the results of the Security Management process.
What is the Security Management Process?
The Security Management process consists of the activities that are performed by Security Management or controlled by it. Because organizations and the information systems within them are constantly changing, the activities within the Security Management process must be continually revised so that they remain up to date and effective. Security Management is therefore a continuous process.
The inputs are the requirements formulated by the client. These requirements are translated into security services, such as the security quality that should be provided in the security section of the Service Level Agreements.
Both the client and the Plan sub-process provide input to the SLA, and the SLA is in turn an input for both of them. Security plans for the organization are then developed. These plans contain the security policies and the Operational Level Agreements.
The security plans are then implemented, and the implementation is evaluated. After that evaluation, both the plans and their implementation are maintained.
Throughout this cycle, the activities, products, and process itself are documented. Any external reports are written and sent to the client. The client can then adapt its own requirements based on the information received in those reports. Likewise, the service provider can adjust its plan or its implementation based on its own findings in order to satisfy the requirements stated in the SLA.
