Aligning Information Security Incident Management with ITIL V3

By Andres Maurer

Companies implementing an information security program that already have ITIL processes in place may consider leveraging their existing ITIL Incident and Problem Management processes to include information security incident management activities.

Artikel erschienen in Swiss IT Magazine 2012/09

     

T he myriad of standards, models and industry best practice available today leaves many companies with the dilemma of choosing which path to take. To further complicate the situation, many individual initiatives are started with a specific target in mind. Often, a strong goal-driven approach unfortunately may also result in a tunnel vision. And many of these standards often address the same concern from a different perspective. This will probably result in the company having several different ways of doing the same thing, which is, of course, not at all efficient.
This article presents a possible mapping of the respective ITIL processes to the information security incident management tasks mentioned in domain 4 of CISM Job Practice (see Figure 1). The overall goal of Information Security Incident Management is to limit the impact of incidents on business operations and restoring normal operation according to existing service level agreements (SLAs), which is similar to ITIL’s goal. In this case, we can expect both the ITIL and CISM processes to be similar. If the ITIL processes are already in place, then we will only need to extend certain activities to cover information security needs.
Since most companies have their own (and normally unique) processes, the mapping described here represents only an approximation.

ITIL Incident Management

The objective of this ITIL process is to record, prioritize and manage all incidents with the purpose of solving them as fast as possible.
An incident is defined as an unplanned occurrence that influences the standard operation of a service by either disrupting or degrading the quality of this service.
Input to this process: The Incident Management process is started because of notification by a user, a trigger from Event Management or through other sources of disturbance.

The typical process steps are:
- Incident identification
- Recording
- Categorization
- Prioritization
- Investigation & diagnosis
- Resolution & recovery
- Incident closure


The following Information Security Incident Management tasks from CISM Job Practice can be mapped to this process:
T4.1 Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate identification of and response to incidents.
T4.2 Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
T4.3 Develop and implement processes to ensure the timely identification of information security incidents.
T4.6 Organize, train and equip teams to effectively respond to information security incidents in a timely manner.
T4.8 Establish and maintain communication plans and processes to manage communication with internal and external entities.
Information security extension of this ITIL process: The Incident Management team needs to be trained to recognize information security incidents, know how to classify them and learn to secure forensic evidence for later analysis.

ITIL Problem Management

The objective of this ITIL process is the ultimate resolution of problems, which includes the proactive analysis of all incidents with the goal of identifying their root causes.
A problem is defined as the unknown cause of one or more incidents.
Input to this ITIL process: The Problem Management process is started because of notification by a user or supplier or a trigger from Event Management, Service Desk, Incident Management.

The typical process steps are:
- Problem identification
- Recording
- Categorization
- Prioritization
- Investigation & diagnosis
- Solution
- Problem closure


The following Information Security Incident Management tasks from CISM Job Practice can be mapped to this process.
T4.4 Establish and maintain processes to investigate and document information security incidents to be able to respond appropriately and determine their causes while adhering to legal, regulatory and organizational requirements.
T4.5 Establish and maintain incident escalation and notification processes to ensure that the appropriate stakeholders are involved in incident response management.
T4.6 Organize, train and equip teams to effectively respond to information security incidents in a timely manner.
Information security extension of this ITIL process: The Problem Management team needs to be extended with specialists who can diagnose and solve information security problems while ensuring that forensic evidence remains uncontaminated.

ITIL Continual Service Improvement

The objective of this ITIL process is to maintain and improve the quality of service so as to maximize customer satisfaction.

The typical process steps are:
- Define what should be measured
- Define what can actually be measured
- Measurement
- Data processing/consolidation
- Analysis
- Results presentation
- Identify corrective measures

The following Information Security Incident Management tasks from CISM Job Practice can be mapped to this process.
T4.7 Test and review the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
T4.9 Conduct postincident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
T4.10 Establish and maintain integration among the incident response plan, disaster recovery plan and business continuity plan.
Information security extension of this ITIL process: The information security procedures will also have to be regularly reviewed. Additionally, regular post-incident reviews need to be established.

Variations

In the mapping shown, it is assumed that the Incident Management team does not possess enough in-depth knowledge. Hence the task of incident management would be focused on properly identifying an information security incident and then forwarding it to the specialists in Problem Management.
Should the Incident Management team also be capable of handling certain common information security incidents, it might also execute investigative tasks (T4.4 and T4.5) in some cases.
Another possible variation would be that the Service Desk acts as the input channel (T4.1) and then forwards the incidents directly to Problem Management which will then response to the incident (T4.2 – T4.5).
If the ITIL process are being defined or when major changes to existing processes are needed (eg. integration of a new Security Incident Event Management SIEM Tool), the «establish» and «develop» parts of the CISM tasks (T4.1 – 6, T4.8, T4.10) should follow the standard approach (Figure 2, «1. Standard» – instead of previously described «2. Extend») and be defined in the ITIL Service Design phase because Information Security Management is a process here (please see the recommended reading for more information).

ITIL Event Management

The objective of this ITIL process is to systematically detect events that will potentially lead to disruption of services. This process provides the basis for operational monitoring.
Although there is no direct link from Event to Information Security Incident Management tasks, this process serves as the communication channel for events triggered by Intrusion Detection Systems (IDS).
Once an event is triggered, it is first filtered and prioritized. Depending on the criticality, the event is then routed as an input to either the Incident or Problem Management process.

Summary

When implementing a new process like Information Security Incident Management, it often helps to have a holistic view. Since most companies already have one or more standards in place, it is worthwhile to first analyze the existing landscape and look for existing processes and structures. In the majority of cases, it is much faster and less expensive to extend or re-design existing processes than starting from scratch.
Most standards offer mapping documents to other standards or there may also be third-party white papers or research papers about the topic: This could also help to identify potential synergies. These documents may provide an additional margin as well as pointing out potential pitfalls, and would therefore further increase both speed and quality of the implementation.

References

CISM Review Manual 2012,
ISBN-13: 978-1604202137

ITIL Service Operation, ISBN: 9780113313075
ITIL Continual Service Improvement,
ISBN: 9780113313082

Recommended further reading
Mapping ITIL® V3 with COBIT® 4.1
http://www.isaca.org/Knowledge-Center/Research/Documents/Mapping-ITILV3-With-COBIT-4.pdf

COBIT® User Guide for Service Manager
http://www.isaca.org/Knowledge-Center/Research/Documents/COBIT-User-Guide-for-Service-Managers-01April2009-Research.pdf
(Download is free for ISACA Members)

Post your comments in the LinkedIn Group «ISACA Switzerland»



Artikel kommentieren
Kommentare werden vor der Freischaltung durch die Redaktion geprüft.

Anti-Spam-Frage: Welche Farbe hatte Rotkäppchens Kappe?
GOLD SPONSOREN
SPONSOREN & PARTNER