 ITIL (Foundation) Cram Notes

4.8.4 Information Security Management

Information security is the management process within the corporate governance framework, which provides the strategic direction for security activities and ensures objectives are achieved.

A) Purpose of Information Security Management
The purpose of the Information Security Management is to ensure that IT security meets the overall business security requirements through availability, integrity, and confidentiality.

B) Objectives of Information Security Management

1) Availability: Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from or prevent failures.

2) Confidentiality: Information is observed by, or disclosed, to only those who have a right to know.

3) Integrity: Information is complete, accurate and protected against unauthorized modification.

4) Authenticity and Non-repudiation: Business transactions, as well as information exchanges between partners, can be trusted.

C) Scope of Information Security Management

1) Identifying information security needs.

2) Establishing security policies and methods.

3) Implementing security policies and methods.

4) Monitoring system access and needs.

D) Elements of Information Security Management Process:

There are five elements of the Information Security Management process:

1) Control: The objectives of control elements are:

a) Establish an organization structure to prepare, approve and implement the information security policy.

b) Establish a management framework to initiate and manage information security in the organization.

c) Allocate responsibilities, and establish and control documentation.

2) Plan: The objectives of Plan are:

a) Devise and recommend the appropriate security measures, based on an understanding of the requirements of the organization.

b) The requirements will be gathered from such sources as business and service risk, plans and strategies, SLAs and OLAs and the legal, moral and ethical responsibilities for information security.

3) Implement: The objective of the implementation element is to ensure that appropriate procedures, tools and controls are in place to underpin the Information Security Policy.

4) Evaluation: The objectives of Evaluation element are:

a) Supervise and check compliance with the security policy and security requirements in SLAs and OLAs.

b) Carry out regular audits of the technical security of IT systems.

c) Provide information to external auditors and regulators, if required.

5) Maintain: The objectives of Maintain element are:

a) Improve on security agreements as specified in, for example, SLAs and OLAs.

b) Improve the implementation of security measures and controls.

E) The Information Security Policy

The policy must cover all areas of security, be appropriate, meet business needs and include:

1) An overall Information Security Policy

2) Use and misuse of IT assets policy

3) An access control policy

4) A password control policy

5) An e-mail policy

6) An internet policy

7) An anti-virus policy

8) An information classification policy

9) A document classification policy

10) A remote access policy

11) A policy with regard to supplier access of IT services, information and components

12) An asset disposal policy.

4.8.5 Supplier Management

The process responsible for getting value for money from suppliers, ensuring all supplier contracts and agreements support business needs, and all suppliers meet contractual commitments.

A) Purpose of Supplier Management Process

The purpose of the supplier management process is to obtain value for money from suppliers and to ensure that suppliers perform to the targets contained within their contracts.

B) Objectives of Supplier Management Process

1) Obtain value for money from suppliers and contracts.

2) Work with SLM to ensure underpinning contracts support and are aligned with business needs, SLRs and SLAs.

3) Negotiate and agree underpinning contracts and manage through their lifecycle.

4) Manage supplier relationships and performance.

5) Maintain a supplier policy and a Supplier and Contract Database (SCD).

C) Scope of Supplier Management Process

1) Identifying qualified suppliers.

2) Negotiating with suppliers.

3) Establishing underpinning contracts.

4) Monitoring supplier performance.

D) Categories of Supplier Management Process

1) Strategic: for significant partnering relationships that involve senior managers sharing confidential strategic information to facilitate long-term plans.

2) Tactical: for relationships involving significant commercial activity and business interaction.

3) Operational: for suppliers of operational products or services.

4) Commodity: for suppliers providing low-value and/or readily available products and services.

4.8.6 Capacity Management

The capacity management process is responsible for ensuring that the capacity of IT services and the IT infrastructure is able to meet agreed capacity- and performance-related requirements in a cost-effective and timely manner.

A) Purpose of Capacity Management Process

1) Ensure that the IT infrastructure and the capacity of IT services reach the agreed capacity and performance levels in a cost-effective and timely manner.

2) The capacity management process should meet both the current and future capacity needs and, very importantly, the performance needs of the business.

B) Objectives of Capacity Management Process

1) Providing guidance and suggestions to other areas of the business and IT on all capacity- and performance-related issues.

2) Making sure that service performance achievements reach their agreed targets by managing the capacity and performance of both resources and services.

3) Helping with the diagnosis and resolution of capacity- and performance-related issues.

4) Estimating the impact of all changes on the capacity plan.

5) Making sure that proactive measures are taken to improve the performance of services.

C) Scope of Capacity Management Process

1) Accounting for data storage, concurrency, and service data.

2) Establishing and implementing capacity designs.

3) Analyzing and assessing capacity performance.

D) Activities of Capacity Management

There are three main activities of the Capacity Management process:

1) Business Capacity Management: Translates business needs and plans into requirements for service and IT infrastructure, ensuring that the future business requirements for IT services are quantified, designed, planned and implemented in a timely fashion.

2) Service Capacity Management: Focuses on the management, control and prediction of the end-to-end performance and capacity of the live, operational IT services usage and workloads.

3) Component Capacity Management: Focuses on the management, control and prediction of the performance, utilization and capacity of individual IT technology components.

4.8.7 The IT Service Continuity Management

IT service continuity management (ITSCM) is responsible for the continuity of the IT services required by the business, and for recovering those IT services in times of disaster or extreme events. (Less significant incidents are dealt with by the Incident Management process.) ITSCM is one element of business continuity management (BCM).

A) Purpose of IT Service Continuity Management Process

1) Identify and manage the risks to the IT services.

2) Agree with the business the minimum level of service required in the event of a disaster.

B) Objectives of IT Service Continuity Management Process

1) Maintain a set of IT Service Continuity Plans and IT recovery plans that support the overall Business Continuity Plans (BCPs) of the organization.

2) Complete regular Business Impact Analysis (BIA) exercises to ensure that all continuity plans are maintained in line with changing business impacts and requirements.

3) Conduct regular risk assessment and management exercises, in particular in conjunction with the business and the Availability Management and Information Security Management processes, so that IT services are managed within an agreed level of business risk.

4) Provide advice and guidance to all other areas of the business and IT on all continuity- and recovery-related issues.

5) Ensure that appropriate continuity and recovery mechanisms are put in place to meet or exceed the agreed business continuity targets.

6) Assess the impact of all changes on the IT Service Continuity Plans and IT recovery plans.

7) Ensure that proactive measures to improve the availability of services are implemented wherever it is cost-justifiable to do so.

8) Negotiate and agree the necessary contracts with suppliers for the provision of the necessary recovery capability to support all continuity plans in conjunction with the Supplier Management process.

C) Scope of IT Service Continuity Management Process

1) Defining continuity needs

2) Establishing Continuity Plans

3) Implementing Continuity Plans

4) Periodically Testing Continuity Plans.

D) Activities of IT Service Continuity Management Process

There are four stages of ITSCM, incorporating each of the activities that take place to ensure that IT organizations are as prepared and organized as possible in the event of a disaster. The stages are as follows:

1) Initiation: define the policy and scope, allocate resources and set up the project organization.

2) Requirements and strategy will need to be defined:

a) A business impact analysis (BIA) has to be done.

b) Service analysis will also have to be done. This analyzes the essential IT services based on the SLA. Dependencies must also be assessed.

c) Risks affecting the business will then have to be analyzed. The ITSC manager also has to identify the threats and vulnerabilities.

d) The ITSCM strategy must then be defined. The strategy can be risk reduction or recovery planning.

3) The next step is to implement the plan. This includes setting up the organization, developing the plan and testing it.

4) Operational management requires training non-IT staff on the disaster recovery plan (DRP). It requires regular review and testing. Any improvements or changes have to go through the Change Management process.

Figure: Activities of an IT Service Continuity Management Process

E) Sub-process of IT Service Continuity Management Process

1) Business Impact Analysis: identifies the key services that need continuity at different times of the day/month/year and clarifies the relative importance of individual services.

2) Risk Assessment: compiles a list of evaluated risks and proposes countermeasures, which ensure the provision of IT service continuity in a cost-effective way.
