In other words, you're a typical infosecurity professional. Wouldn't it be great if there was a proven framework...
-- understood by and popular with management -- that you could use to bolster your information security efforts? Well, such a system does exist, and it's being successfully adopted by many organizations throughout the world. The Information Technology Infrastructure Library (ITIL) is a set of best practices and guidelines for managing IT services.
I know what you're thinking: "Not another boring, theoretical methodology. I don't have time for it; I have to deal with issues in the real world." In the real world, however, managers are implementing ITIL because it aligns IT services with the needs of their organizations, improves the quality of IT services, and decreases the cost of IT service delivery and support.
How can ITIL help the information security professional? Here are just some of the ways:
- Business process owners and information security staff negotiate information security services; this ensures services are aligned with business needs.
- ITIL provides a foundation upon which information security can build. It requires the adoption of a number of best practices (e.g., change management, configuration management and incident management) significantly improving information security.
- ITIL establishes documented IT processes and standards that can be audited and monitored. This helps an organization understand the effectiveness of its information security program and comply with regulatory requirements.
- ITIL reporting keeps managers informed about the effectiveness of their organization's information security processes, helping them make knowledgeable decisions about the organization's risks.
- ITIL's requirement for continuous review can ensure that information security measures maintain their effectiveness as requirements, environments and threats change.
Information security professionals can change the perception that they're hindrances and cost centers to being regarded as key players in meeting ITIL--and organizational--objectives, which can lead to increased recognition and funding for security efforts.
How can you take advantage of ITIL? Take the time to learn about it -- a lot of information is readily available (www.itil.co.uk). If ITIL is already in place at your organization, integrate the methodology into your security processes and controls. If ITIL is being implemented at your organization, become involved and provide support for the effort; also, make sure information security has a place at the ITIL table. If your organization has not yet adopted ITIL, recommend it to management.
Yes, all these steps will take time and effort, but you'll be rewarded for it. Information security professionals are not often presented with an opportunity to piggyback a popular, proven framework that is highly regarded by management and will improve information security. Don't miss out on your opportunity.
This column originally appeared in the November issue of InformationSecurity magazine.