March 2008 - Issue 6
Is IT Safe?
Telling people that you work in IT has never been a good conversation topic at parties. You’re either instantly engaged in a conversation about PC problems, or ignored for the rest of the evening. And telling people you work in information security is even worse – have you heard the story about the lost CDs more than once recently?
Security is taken for granted until something goes wrong, when visibility goes through the roof and management start to look for someone to blame. Whilst this is understandable, it is easy to recognise that exactly the same characteristic applies to service delivery as well. Information Security is a topic that has its own terminology, standards and champions, and it is either given too much prominence or not enough, depending on who is involved. However, we use information more today than at any time in our collective past, and access to – and the accuracy of – that information is an assumed right. So what is Information Security, and why is it relevant to the discipline of Service Delivery?
Definition of Security
Information is an asset which, like any other business asset, has value to an organisation and so needs protecting. Whether that information is in paper or electronic format doesn’t matter, although our main interest is clearly in the electronic format, since this is what IT deals with every day. Information Security is defined as the preservation of:
- Confidentiality – ensuring that information is accessible only to those authorised to access it
- Integrity – safeguarding the accuracy & completeness of information and its processing
- Availability – ensuring that users can get access to information and any associated assets when required
There is a strong correlation between the objectives of information security management and what service managers do every day. For instance, good security is achieved by implementing a set of controls, policies, practices and procedures along with organisational structures and software support – exactly how service management disciplines work. Hence security management can be a natural extension to the scope of a services team.
Security controls and regulation
There are few formal controls governing service management in isolation, but there are many concerning security management. These determine which security controls should exist and the level of compliance required with rules, statutes, regulations and industry standards. There are several control regimes governing security, the most obvious being British Standard BS7799-3:2006 and its international equivalent ISO 17799. These provide guidance to support the requirements documented in BS ISO/IEC 27001:2005, the international standard for security management. It is ISO 27001 that the BSI advise organisations should implement to reassure customers and suppliers that information security is taken seriously and that recognised processes exist to deal with threats and issues. Interestingly, it is marketed as being as applicable to government agencies as to commercial enterprises, which is logical – but not evidenced by recent practice.
Whilst we do not want just anyone to be able to see our bank accounts, the protection needed over, say, address details may be less important, and so the controls need to be different. It is this aspect of security which is confusing, because an element of judgement is required. That judgement is exercised by means of Risk Assessments, which will return different results for different types of enterprise. But there are themes common to every organisation, set out below along with some of the underlying legal requirements.
- Data Protection – all organisations have to comply with the 1998 Data Protection Act, which came into effect in 2000. Into this category also comes the Regulation of Investigatory Powers Act 2000, which specifies who can take responsibility for the interception, monitoring and investigation of incidents. This is of particular relevance to organisations who need to determine who had access to information held or processed electronically. An employer’s monitoring of its staff’s email and telephone calls is covered by this RIP legislation.
- Business Continuity – all organisations need to protect their equipment, software and data from intentional or unintentional loss. Business continuity in a 24x7x52 business environment is far more complex than having a Disaster Recovery plan involving cold standby facilities – for if you are an online retailer handling £2500 revenue a minute, can the business cash flow survive a 36-hour restoration period? And will your customers accept this even if the business did?
- Internet Threats – anyone with PCs and/or internet access is vulnerable to information being lost or rendered inaccessible by a virus. This can also seriously affect service stability – it is estimated that 1 in every 212 emails is affected. And if this wasn’t bad enough, the percentage of spam handled by ISPs grew from 2.3% in 2002 to 55% in 2003 and to 80% by 2007. We can see that the email is often more deadly than the mail!
- Theft and Loss of Assets – the growth in the number of laptops means that both the hardware and the information contained on it can and do go missing. Would you be happy if it was your medical records that were left behind on the train? Security is a personal issue as well as one of corporate embarrassment – witness the recent high-profile data losses.

The way ahead for organisations
There are a number of ways that an appropriate security management regime for your organisation can be determined, and a survey assessing conformance to ISO 17799, taking no more than a day, is a very good start. Management of security can be made cost effective if taken alongside a service improvement programme, where any changes can be dovetailed together; this approach works in practice. Consider the gauge below – might this represent your service as well as your security status?

An organisation having accreditation to ISO 17799 and/or ISO 27001 is deemed to have fully satisfied ISO 20000 requirements in this regard, thus proving the management link between Security Management and Service Delivery.