THE FOLLOWING ITIL INTERMEDIATE EXAM OBJECTIVES ARE DISCUSSED IN THIS CHAPTER:
The ITIL service design publication covers the managerial and supervisory aspects of service design processes. It excludes the day-to-day operation of each process and the details of the process activities, methods, and techniques as well as its information management. More detailed process operation guidance is covered in the service capability courses. Each process is considered from the management perspective. That means at the end of this chapter, you should understand those aspects that would be required to understand each process and its interfaces, oversee its implementation, and judge its effectiveness and efficiency.
Another of the key warranty aspects of a service is security, and it is this aspect that we will discuss in this part of the chapter. A service that is insecure will not deliver value to the customer and indeed may not be used by the customer at all.
ITIL defines information security as “the management process within the corporate governance framework, which provides the strategic direction for security activities and ensures objectives are achieved.”
Central to information security management (ISM) is the identification and mitigation of risks to the security of the organization’s information. The ISM process ensures that all security aspects are considered and managed throughout the service lifecycle.
Organizations operate under an overall corporate governance framework, and information security management forms part of this framework. In accordance with organizational-wide governance, ISM provides guidance as to what is required, ensuring that risks are managed and the objectives of the organization are achieved.
The purpose of the information security management process is to align IT security with business security. IT and business security require that the confidentiality, integrity, and availability of the organization’s assets, information, data, and IT services always match the agreed needs of the business.
The objective of information security management is to protect the interests of those relying on information. It should also ensure that the systems and communications that deliver the information are protected from harm resulting from failures of confidentiality, integrity, and availability.
For most organizations, the security objective is met when the following terms are fulfilled:
The scope of ISM includes all aspects of information security that are important to the business. It is the responsibility of the business to define what requires protection and how strong this protection should be. Risks to security must be recognized, and appropriate countermeasures should be implemented. These may include physical aspects (restricting access to secure areas through swipe cards) as well as technical aspects (password policies, use of biometrics, and so on). Information security is an integral part of corporate governance.
The information security management process should be the focal point for all IT security issues. A key responsibility of the process is the production of an information security policy that is maintained and enforced and covers the use and misuse of all IT systems and services.
Information security management needs to understand the total IT and business security environment. Important aspects that must be included in the policy are the business security policy and plans along with the current business operation and its security requirements. Consideration must also be given to future business plans and requirements. External factors should also be included in the policy, such as legislative and regulatory requirements.
IT’s obligations and responsibilities with regard to security should be contained within the service level agreements with their customers. The policy should also include reference to the business and IT risks and their management.
The information security management process should include the production, maintenance, distribution, and enforcement of an information security policy and supporting security policies. This will include understanding the agreed current and future security requirements of the business and the existing business security policy and plans.
The process will be responsible for implementation of a set of security controls that support the information security policy. This will support the management of risks associated with access to services, information, and systems. Information security management is responsible for the documentation of all security controls together with the operation and maintenance of the controls and their associated risks.
In association with supplier management, the process will also address the management of suppliers and contracts regarding access to systems and services.
Operationally, information security management will be involved in the management of all security breaches, incidents, and problems associated with all systems and services. It will also be responsible for the proactive improvement of security controls and security risk management and the reduction of security risks.
Information security management is also responsible for the integration of security aspects within all other IT service management processes. In order to achieve effective information security governance, the process must establish and maintain an information security management system (ISMS).
Security has become a critical issue for organizations as their reliance on IT systems increases and more electronic media is used for confidential transactions within and between organizations.
Information security management ensures that an information security policy that fulfils the needs of the business security policy and the requirements of corporate governance is maintained and enforced. The information security policy provides assurance of business processes by enforcing appropriate security controls in all areas of IT. The process is responsible for the management of IT risk in line with business and corporate risk management processes and guidelines.
Information security management activities should be focused on and driven by an overall information security policy and a set of underpinning specific security policies.
The information security policy should have the full support of the top executive IT management. Ideally, the top executive business management should also be in support of and committed to the security policy. The policy should cover all areas of security, be appropriate, and meet the needs of the business.
Email usage policies, antivirus policies, and remote access policies are examples of specific security policies.
The information security process is responsible for creating, managing, and maintaining an information security management system. The elements of the management system are shown in Figure 15.1. It begins with the identification of the customer requirements and business needs.
Planning the system incorporates use of the details and targets captured in the various agreements and contracts. It also covers use of the various policies agreed between the business and IT.
Implementation of the system requires awareness of the policies and the systems by all who are affected by them. This will need the engagement of all parts of the organization because the policies will cover everything from personnel security to the procedures for security incidents.
The next stage is evaluation, which requires internal and external audits of the state of system security, but there may also be self-assessments. Security incidents will also be evaluated as part of this stage of the management of the system.
Maintaining the system requires that the information security process captures the lessons learned so that improvements can be planned and implemented.
The overall approach is designed to maintain control and establish a framework for managing security throughout the organization. Part of this will be to allocate appropriate responsibilities for ensuring that the information security management system is maintained, within both the IT department and the rest of the organization.
We are not going to explore the process in detail, but you should make sure you are familiar with all the aspects of the process and the management requirements for each.
In Figure 15.2, you can see the full scope of the information security management process and its techniques and activities.
The information security management process ensures that the security aspects are appropriately managed and controlled in line with business needs and risks.
A key activity within the information security management process is the production and maintenance of an overall information security policy and a set of supporting specific policies. The process is also responsible for the communication, implementation, and enforcement of the security policies, including the provision of advice and guidance to all other areas of the business and IT on all issues related to information security.
Information security management is responsible for the assessment and classification of all information assets and documentation. The process covers the implementation, review, revision, and improvement of a set of security controls as well as risk assessment and responses, including assessment of the impact of all changes on information security policies, controls, and measures. Where possible, if it is in the business interest and the cost is justifiable, the process should implement proactive measures to improve information security.
Monitoring and management of all security breaches and major security incidents is a key part of the information security management process. This includes the analysis, reporting, and reduction of the volume and impact of security breaches and incidents.
The process is also responsible for scheduling and completing security reviews, audits, and penetration tests. The outputs from the process will be captured and recorded in the security management information system.
Let’s consider the triggers, inputs, and outputs for the information security management process. Information security management is a process that has many active connections throughout the organization and its processes. It is important that the triggers, inputs, outputs, and interfaces be clearly defined to avoid duplicated effort or gaps in workflow.
Information security management activity can be triggered by many events, including these:
Information security management will need to obtain input from many areas:
The following outputs are produced by the information security management process and used in all areas:
The key interfaces that information security management has with other processes are as follows:
The following list includes some sample critical success factors for information security management.
One of the biggest challenges is to ensure that there is adequate support from the business, business security, and senior management. It is pointless to implement security policies, procedures, and controls in IT if they cannot be enforced throughout the business. The major use of IT services and assets is outside of IT, and so are the majority of security threats and risks.
If there is a business security process established, then the challenge becomes alignment and integration. Once there is alignment, the challenge becomes keeping them aligned by management and control of changes to business methods and IT systems using strict change management and service asset and configuration management control. Again, this requires support and commitment from the business and from senior management.
Information systems can generate many direct and indirect benefits—and as many direct and indirect risks. This means that there are new risk areas that could have a significant impact on critical business operations:
ITIL defines supplier management as the process responsible for obtaining value for money from suppliers, ensuring that all contracts and agreements with suppliers support the needs of the business and that all suppliers meet their contractual commitments.
The supplier management process describes best practices in managing suppliers to ensure that the services they provide meet expectations. It is included in the design phase of the service lifecycle because it is important that this aspect is considered while the service is being designed. The type of supplier relationship will be part of the strategy phase, and a close relationship with suppliers will be required for a successful service transition. Once the service is operational, the day-to-day delivery against the contract must be monitored and managed, and should there be any issues, the improvement plan will be the responsibility of continual service improvement.
The purpose of supplier management is to ensure that suppliers provide value for money. By managing suppliers, the service provider can ensure the best delivery of service to its customer. Managing suppliers ensures that the necessary contracts are in place and enforced.
The main objectives of the supplier management process are to obtain value for money from suppliers and contracts and ensure that contracts with suppliers are aligned to business needs. These contracts should support and align with agreed targets in service level requirements and service level agreements in conjunction with service level management.
The supplier management process should include the management of all suppliers and contracts needed to support the provision of IT services to the business. Each service provider should have formal processes for the management of all suppliers and contracts.
The supplier management process should include implementation and enforcement of the supplier policy, including maintenance of a supplier and contract management information system (SCMIS). It is important to ensure that suppliers and contracts are categorized and a risk assessment is carried out. Suppliers and contracts need to be evaluated and selected so that the appropriate suppliers are engaged.
A key part of the process is developing, negotiating, and agreeing contracts, including contract review, renewal, and termination. This is part of the management of suppliers and supplier performance.
The process will also identify improvement opportunities for inclusion in the CSI register and the implementation of service and supplier improvement plans.
Supplier management will also manage the maintenance of standard contracts, terms and conditions, contractual dispute resolution, and, where applicable, the engagement of subcontracted suppliers.
IT supplier management often has to comply with organizational or corporate standards, guidelines, and requirements, particularly those of corporate legal, finance, and purchasing.
The process will manage relationships with suppliers and monitor and manage supplier performance. Supplier management is responsible for the negotiation and agreement of contracts with suppliers and managing them through their lifecycle. This is assisted by the development and maintenance of a supplier policy and a supporting supplier and contract management information system (SCMIS).
This is to ensure the delivery to the business of end-to-end, seamless, quality IT services that are aligned to the business’s expectations. The supplier management process should align with all corporate requirements and the requirements of all other IT and service management processes, particularly information security management and IT service continuity management. This ensures that the business obtains value from supporting supplier services and that they are aligned with business needs.
The supplier management process attempts to ensure that suppliers meet the terms, conditions, and targets of their contracts while trying to increase the value for money obtained from suppliers and the services they provide.
All supplier management process activity should be driven by a supplier strategy and policy from service strategy. The supplier strategy, sometimes called the sourcing strategy, defines the service provider’s plan for how it will leverage the contribution of suppliers in the achievement of the overall service strategy. Some organizations might adopt a strategy that dictates the use of suppliers only in very specific and limited circumstances, while other organizations might choose to make extensive use of suppliers in IT service provision. In Figure 15.3, you can see the engagement of the process with the contracts manager and the various supplier managers in the organization.
You can also see the interaction with finance and purchasing and the legal department, all of which are important when engaging with third parties outside of the main organization.
You can see the management of the services provided by or supported by the suppliers and their subcontracted partners.
The process should be subject to the corporate supplier management policy, but an IT supplier strategy should be developed to manage the specific requirements for IT service delivery. Figure 15.4 shows the main activities of the supplier management process.
Once the requirements for suppliers have been defined as part of the overall approach to the delivery of a service, the supplier management process needs to evaluate the appropriate suppliers and ensure that the contracts are fit for purpose and use. It is important to establish relationships with new suppliers and ensure that there are the appropriate measures and management in place to monitor supplier performance. All contracts should have references to renewal and termination, which should be included in regular reviews of the contract.
All information, reports, and measures should be stored in the supplier and contract management information system (SCMIS).
It is important for the supplier management process to understand the importance of the suppliers to the organization. This requires that the suppliers are categorized according to their value and importance and according to the risk of the supplier not performing as contracted and the impact to the organization if that happens. There are four layers of categorization:
Strategic: For significant “partnering” relationships that involve senior managers sharing confidential strategic information to facilitate long-term plans. These relationships would normally be managed and owned at a senior management level within the service provider organization and would involve regular and frequent contact and performance reviews.
Tactical: For relationships involving significant commercial activity and business interaction. These relationships would normally be managed by middle management and would involve regular contact and performance reviews, often including an ongoing improvement program.
Operational: For suppliers of operational products or services. These relationships would normally be managed by junior operational management and would involve infrequent but regular contact and performance reviews.
Commodity: For suppliers providing low-value and/or readily available products and services, which could be alternatively sourced relatively easily.
We will now review the triggers, inputs, and outputs of supplier management.
There are many events that could trigger supplier management activity:
There are numerous inputs to the supplier management process:
The outputs of supplier management are used within all other parts of the process, by many other processes, and by other parts of the organization.
The information provided by supplier management is as follows:
The following list includes the key interfaces that supplier management has with other processes:
Service Level Management: Supplier management provides assistance with determining targets, requirements, and responsibilities for suppliers. SLM assists supplier management in the investigation of SLA and SLR breaches caused by poor supplier performance. SLM also provides invaluable input into the supplier management review process.
Change Management: Contractual documents should be managed through change control.
Information Security Management: Information security management relies on supplier management for the management of suppliers and their access to services and systems as well as their responsibilities with regard to conformance to the service provider’s ISM policies and requirements.
Financial Management for IT Services: This process provides adequate funds to finance supplier management requirements and contracts and provides financial advice and guidance on purchase and procurement matters.
Service Portfolio Management: This process looks to supplier management input to ensure that all supporting services and their details and relationships are accurately reflected within the service portfolio.
IT Service Continuity Management: This process works with supplier management with regard to the management of continuity service suppliers.
The information required by supplier management should be stored in the supplier and contract management information system (SCMIS).
All information relating to suppliers and contracts as well as all information relating to the operation of the supporting services provided by suppliers should be held in the system. Information relating to these supporting services should also be contained within the service portfolio, together with information on their relationships to all other services and components. This information should be integrated and maintained in alignment with all other IT management information systems, particularly the service portfolio and the CMS.
The following list includes some sample critical success factors for supplier management.
We’ll begin by looking at the key challenges for the process.
Supplier management faces many challenges, which could include the following examples:
The major areas of risk associated with supplier management are as follows:
This chapter explored the next two processes in the service design stage, information security management and supplier management. It covered the purpose and objectives for the processes and their scope.
We looked at the value of the processes. Then we reviewed the policies for each process and the activities, methods, and techniques.
Last, we reviewed triggers, inputs, outputs, and interfaces for each process and the information management associated with it. We also considered the critical success factors and key performance indicators, challenges, and risks for the processes.
We examined how each of these processes supports the other and the importance of these processes to the business and the IT service provider.
Understand the purpose and objectives of information security management and supplier management. It is important for you to be able to explain the purpose and objectives of the information security management and supplier management processes.
Information security management is concerned with the protection of information and data according to the security requirements of the business.
Supplier management should ensure that value for money is obtained from all contractual relationships with external organizations.
Understand the approach to security management. Plan, implement, evaluate, maintain, and control—ensure that you can explain how each of these stages supports the approach to the management of information security.
Understand the process of information security management. Ensure that you are able to explain the various steps of the process and their relationship to the information security management system.
Explain and differentiate between the different stages of supplier management. Understand the importance of contract negotiation and the implementation of the supplier policy.
Understand the critical success factors and key performance indicators for the processes. Measurement of the processes is an important part of understanding their success. You should be familiar with the CSFs and KPIs for both information security management and supplier management.
Review Questions
You can find the answers to the review questions in the appendix.
Which of the following are responsibilities of information security management?
Where does information security management keep information about security?
Which of the following are responsibilities of supplier management?
Which of the following are categories of suppliers described in ITIL?
Which of these is the key purpose of the information security management process?
To demonstrate their priority, suppliers are categorized according to which factors?
Which of these statements is/are correct?
True or False? Supplier management has a significant relationship with service level management.
Which of these statements is incorrect about supplier management?
Which of these statements is/are correct?