Integrated Information Management Systems

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Integrated Information Management Systems"

Transcription

1 Integrated Information Management Systems Ludk Novák ANECT a.s. Brno, Czech Republic Abstract The article tries to find consensus in these tree different types of the systems the quality system, the IT service system and the information security system, which are frequently used for information. An aim is not to choose the best method, but to compose a complex framework based on advantages and synergies. The author describes his experience with integrations of the tree types of the systems into one consistent information framework. The integration is based on similarities of the systems especially on the PDCA Model, which is a key shared principle. The second principle is an effort to incorporate information risks into each type of systems. There is not possible to manage risk properly without close connection to realising information and communication technology benefits these days. Keywords: Information, Software quality, IT service, Information security, CobiT, ITIL, BS7799, PDCA model. 1 Introduction Wide using of information and communication technology (ICT) has a very serious consequence organizations are more and more dependent on quality, reliability and security of their information and communication systems including all related processes and activities. Provision of more effective and efficient services with appropriate reliability and security is an essential responsibility of people who are involved information. Information aims are also shifting. Increasing importance of ICT for organizations everyday life means it is not more acceptable just administrates and maintains ICT infrastructure. An information primer role is to manage and improve IT services, which are able to deliver defined and measurable added values for business units. So information gains an essential position in general business and strategy. There are several best practice methodologies or standards in the information and security world. CobiT (Control objectives for information and related technology), ISO 9000, ITIL (Information Technology Infrastructure Library), BS and/or ISO/IEC are the most general frameworks. New requirements on information have appeared recently (like Basel II, Sarbanes-Oxley Act, critical information infrastructure protection etc.) and emphases needs for information systems based on international standards and open methodologies. BASEL II the new capital accord establishes new requirements on operational risk control in banking. ICT is a key element of the operational risk and banks should adopt process driven approach to risk, information and operation. The Sarbanes-Oxley Act establishes new mandates for financial reporting based on internal control environment. Company s managers are fully responsible for the internal controls and should make statement about the internal control. Most financial reporting processes are driven by ICT, so strong information is also a key element. And information managers and other ICT professionals are held accountable for the quality and integrity of information produced by ICT. Security and Protection of Information

2 2 Starting points The regulation examples mentioned above present current situation in information. The new requirements do not distinguish among information, information risk, information security, ICT operations etc. There is just one control framework for information and the basic question is if any information is presented trustfully? 2.1 Information added value According to the current needs information has to find and defines an appropriate information added value (or ICT added value) much more extensively. There are tree general types of the added value connected with ICT: Increase automation an organization is able to align its business and information and enlarges its production and performance by using ICT the organization is effective (It does good thinks). Decrease costs an organization is able to use resources responsible and reduces costs and other expenses by using ICT the organization is efficient (It does thinks well). Manage risks an organization is able to adjust security measures and minimises security incidents, related risks and possible damages the organization is secure. Increase automation Decrease costs ICT added value Manage risks Figure 1: ICT added value The existing information needs and requirements stress all tree types of the information added value. There is an important issue to find a balance among all tree types, because it is not possible to realize ICT benefits without proper risk. On the other hand information risks should be in close connection to the ICT benefits and reflect them. This is a complex outlook on information sometimes called IT governance. 2.2 IT Governance and CobiT Methodology IT Governance is a structure of relationships and processes to direct and control the organization in order to achieve the organization s goals by adding value while balancing risk versus return over ICT and its processes. [1] CobiT (Control Objectives for Information and related Technology) [1] as an IT Governance model is a complex information framework and its basic idea says Information should reach effective balance between realising benefits by increase automation or decrease costs and managing risks. To accomplish this, information needs to identify most important activities to be performed, measure progress towards achieving goals and determine how well the ICT processes are performing. 84 Security and Protection of Information 2005

3 The COBIT concept is that control in ICT is approached by looking at information that is needed to support the business objectives or requirements, and by looking at information as being the result of the combined application of ICT resources that need to be managed by ICT processes. To satisfy business objectives, information needs to conform to certain criteria. The following tree basic elements form the CobiT framework: Information criteria present business goals and needs and their implications to information (effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability). ICT resources are available means which can be used by information (data, applications, technology, facilities, and people). ICT processes are all activities and tasks related to information form four broad domains (planning and organization, acquisition and implementation, delivery and support, and monitoring). In summary, in order to provide the information that the organisation needs to achieve its objectives, IT governance must be exercised by the organisation to ensure that ICT resources are managed by a set of naturally grouped ICT processes. CobiT as a useful tools calls attention to: Organization contribution ensuring effective IT governance and information, User orientation measuring up to business expectations, Operational excellence performing the ICT function with increasing credibility and impact, Future orientation building the foundation for future delivery and continuous learning and growth. CobiT methodology is ideal for establishing a complex and comprehensive control environment for information. But there is a significant shortage. The ICT processes are not defined so deeply in CobiT. It was not authors aim to describe all details, but it is better to use another guidance to implement information from the practical point of view. 2.3 Integrated information system requirements There are thee types of the ICT added value and successful information should integrate all aspects quality, reliability and security. This information system should be composed from the following: Good relationship with business and users of information and communication systems enhancing effectiveness is essential to a quality system; Effectiveness of all ICT operations based on proper IT service delivery and support reducing expenses is a main goal of an IT service system; Control and limitation of information security risks and possible damages is a key benefit of an information security system. Quality IT service CobiT Information security Figure 2: Integrated information system Security and Protection of Information

4 Are these tree different information systems compatible each other or not? And can effective and efficient integration stand on advantages and synergies of the systems? You can hear similar questions quite often these days. 3 Information system basic components The quality has quality systems based on ISO 9000 (or ISO in IT). The reliability establishes an IT service system follows recommendations of BS 15000, which generalizes ITIL and the security stands for information security system, which applies controls from BS or ISO Each system and its contribution to the integrated information system are discussed in the next text. 3.1 Quality system Quality is the totality of characteristics of a product or service that bear on the ability to satisfy stated and implied needs. [ISO 8402] A Quality Management System (QMS) is a well-known system emphasises an importance of customers and their requirements for any business. ISO 9001:2000 [2] is a familiar example of a collection of quality best practices. The principles are valid for information too, so business unit and user requirements are seriously important issues. Excellent information should systematically discover user ideas and transform them properly to the real life. QMS s added value is to increase automation and partly to decrease costs. An suitable level of internal process formalism (like process definition, resources, document, record ) is another advantage of QMS. The guidance ISO/IEC 90003:2004 [3] covers all aspects of software quality, from acquisition to supply, including development, operation and maintenance of computer software, and providing guidance on how to implement highly successful ISO 9001:2000 process driven approach in a software environment. The structure of the standard demonstrates the comprehensiveness of the five perspectives (see the figure 3). Management responsibility Quality system ISO/IEC Resource Product realization Measurement, analysis and improvements Figure 3: Basic structure of quality system for software engineering A lot of organizations are running QMS, so information can use QMS s tools and rules as guidance for document, resource, record etc. There is also useful to add a concept of information into QMS framework not to establish any parallel structures. QMS s culture in the organization is a useful asset too, so it can be promoted to include information and/or information security issues. 3.2 IT service system IT service is a described set of facilities, IT and non-it, supported by the IT service provider that fulfils one or more needs of the customer and that is perceived by the customer as a coherent whole. [15] IT Service Management (ITSM) is relatively a new approach to information, which is concentrated on ICT operation processes. ISTM is primary known as the process and service-focused approach to information. ITSM addresses the provision and support of IT services tailored to the needs of the organization. ITSM offers a common framework for ICT activities, as part of the provision of services, based on ICT infrastructure. These activities are divided into processes (see figure 4), which when used together provide an 86 Security and Protection of Information 2005

5 effective ITSM framework for service delivery and service support. ITSM brinks decrease costs and partly increase automation for the organization. Service delivery processes Capacity Service continuity and availability Release process Release Service level Service reporting Control processes Change Configuration Resolution processes Incident Problem Information security Budgeting and accounting for IT services Realationship Processes Business relationship Supplier Figure 4: IT service processes ITSM concept is defined by two standards: the first BS :2002 [5] describes system specification and a code of practice is presented by the second BS :2003 [6]. There is a huge public interest consequently both standards are adopting as new international standards ISO/IEC IT Service Management in short way. ITSM concentrates on high reliability a transparency of ICT operations. A primary aim is to define operation processes including relationship and measurements, monitor and supervise process realizations and enhance operation effectiveness based on results and trends. ITSM is an ideal way, how to control, monitor and improve internal ICT operations. ITSM is not just about the standards. The philosophy comes from IT Infrastructure Library (ITIL) which is a complex set guidance, how to design, build and run ITSM. The documents describing service delivery and service support are a core the whole ITIL library. 3.3 Information security system Information security is preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved. [8] An Information Security Management System (ISMS) concentrates on definition of processes connected with information risk analysis and treatment and the ICT added value is to manage risks. The standard BS :2002 [11] defines ISMS requirements and specifies how to design, enforce, control and improve information security. There is a draft of a new international standard ISO/IEC [12] based on BS :2002 and a final version is expected at the end of A key element of any ISMS is an information risk and treatment process which concentrates on choosing proper security objectives and controls. Security and Protection of Information

6 A code of practice for information security and other ISMS best practice are described in ISO/IEC 17799:2000 [7]. A new version is ready to be published by summer Information security categories on the following figure present the basic extend of ISO/IEC 17799:2005 [8]. ISO/IEC 17799:2005 Security policy Asset Access control Organizing information security Human resources security Physical and environmental security Communications and operations Information systems acquisition, development and maintenance Business continuity Information security incident Compliance Figure 5: Information security categories A draft of ISO/IEC Information security metrics and measurements [13] is currently in progress. An aim is to add tools, how to define measures and indicators into ISMS and sometimes it is called the 3 rd part of BS Shared principles of systems 4.1 PDCA Model All presented systems have a vital shared principle called PDCA Model (Plan Do Check Act). The model defines a basic cycle for each system. The cycle starts with planning of activities and defining expected results. Implementation and running as the second part is followed by monitoring all defined activities to have appropriate information on success of implementation, its strengths and weaknesses. This outputs and realised experiences should be used to continual improvement of the system. Plan Customers Requirements Satisfaction Do Check Act Requirements Satisfaction Suppliers Figure 6: PDCA Model concept 88 Security and Protection of Information 2005

7 PDCA Model external connections are important too. Customers (or users) are one side of externalities and suppliers are the other. The PDCA model requires a clear expression of customer requirements and proper monitoring their satisfaction. On the other hand the organization should define requirements to its suppliers and watch, how the suppliers fulfil the needs. PDCA Model is a key principle which makes possible to integrate tree systems concentrated on different topics. The other shared principles related to PDCA Model includes responsibility and commitment, resource, documentation and record control, awareness and training, reviews, continual improvement etc. 4.2 Standpoints to improve ISMS The conference main topic is information security and protection so we look at benefits of the information integration for ISMS. At first it is important to mentioned positive influence of QMS on ISMS. QMS is a well-known application of PDCA Model, so any good experience could be used for advocating ISMS. Using existing tools and following establish culture should be other preference for ISMS. Last but not least thing is share existing QMS structure in contradiction to create wholly new framework for ISMS. Relation between ITMS and ISMS contains more synergies. ITSM comprehends IT services as a fundament of information. Consequently it is advisable to apply this approach into ISMS. It means that IT services should be a starting point for risk analyses and risk treatment processes. This approach allows taking information security requirements as a part of IT service and including security into IT service reporting as a result. Change is other large room for collaboration ITSM and ISMS. ITSM offers deeper inspection and more detail description of change and related processes. ISMS can use this quite easy including configuration and release. Incident has a bit difficult situation, because ITSM recommendations should be join up with information security incident requirements defined by ISO/IEC TR 18044:2004 [9]. At the end it is necessary to warm, that availability and continuity have similar rules and residual problems are related to business comprehensions. 5 Conclusions It is not possible to discuss all information aspects and their information security consequences. The aim is to call attention to needs of joining different views. The integrated information system makes possible to take advantage of all existing similarities. It is clear that each discussed system stress its perspective, but there no barriers to improve each other. There are no limitations from this lookout. References [1] COBIT 3 rd Edition, Information Systems Audit and Control Foundation, ISACF [2] EN ISO 9001:2000 Quality systems Requirements. [3] ISO/IEC 90003:2004 Software engineering Guidelines for the application of ISO 9001:2000 to computer software. [4] Suryn, W., Hailey, V. A., and Coster, A.: Huge potential user base for ISO/IEC 90003, In ISO Focus, Volume 2, No.2, pp , February [5] BS :2002 IT Service Management Part 1: Specification for service. [6] BS :2003 IT Service Management Part 2: Code of practice for service. [7] ISO/IEC 17799:2000 Information Technology Security Techniques Code of practice for information security. [8] ISO/IEC FDIS 17799:2005 Information Technology Security Techniques Code of practice for information security. [9] ISO/IEC 18044:2004 Information Technology Security Techniques Information security incident. Security and Protection of Information

8 [10] Humphreys, T.: Being prepared to tackle threats to your business, In ISO Focus, Volume 2, No.2, pp , February [11] BS :2002 Information security systems Specification with guidance for use. [12] ISO/IEC FCD 24743:2004 Information Technology Security Techniques Information security systems requirements specification. [13] ISO/IEC 1 st WD 24742:2005 Information Technology Security Techniques Information security metrics and measurements. [14] [15] 90 Security and Protection of Information 2005

iso20000templates.com

iso20000templates.com iso20000templates.com Public IT Limited 2011 IT Service Policy Document Ref. ITSM01001 Version: 1.0 Draft 1 Document Author: Document Owner: V 1.0 Draft 1 Page 1 of 11 Revision History Version Date RFC

More information

ISO/IEC 27001 Informa2on Security Management System

ISO/IEC 27001 Informa2on Security Management System ISO/IEC 27001 Informa2on Security Management System Presented by Daminda Perera 26/07/2008 ISO/IEC 27001:2005 Informa@on technology Security techniques Informa@on security management systems Requirements

More information

White Paper. Continuous Process Improvement (CPI) Integrating Systems. Paper 2 of 2. Six Sigma Black Belt

White Paper. Continuous Process Improvement (CPI) Integrating Systems. Paper 2 of 2. Six Sigma Black Belt White Paper Continuous Process Improvement (CPI) Integrating Systems Paper 2 of 2 Authored by: Sam Conjardi Six Sigma Black Belt Contents Introduction... 3 Complementary Systems... 3 Integrating Systems...

More information

Recent Advances in Automatic Control, Information and Communications

Recent Advances in Automatic Control, Information and Communications Proposal of the improvement of actual ITIL version based on comparative IT Service Management methodologies and standards The implementation of IT Service Management frameworks and standards Anel Tanovic*,

More information

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

AN OVERVIEW OF INFORMATION SECURITY STANDARDS AN OVERVIEW OF INFORMATION SECURITY STANDARDS February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

November Version 01.3

November Version 01.3 November 2012 Version 01.3 The Experts in certifying Professionals e-mail: info@peoplecert.org, www.peoplecert.org Copyright 2012 PEOPLECERT International Ltd. All rights reserved. No part of this publication

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

BADM 590 IT Governance, Information Trust, and Risk Management

BADM 590 IT Governance, Information Trust, and Risk Management BADM 590 IT Governance, Information Trust, and Risk Management Information Technology Infrastructure Library (ITIL) Spring 2007 By Po-Kun (Dennis), Tseng Abstract: This report is focusing on ITIL framework,

More information

Moving from ISO 9001:2008 to ISO 9001:2015

Moving from ISO 9001:2008 to ISO 9001:2015 ISO 9001 Transition guide ISO Revisions Moving from ISO 9001:2008 to ISO 9001:2015 The new international standard for quality management systems ISO 9001 - Quality Management System - Transition Guide

More information

Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies

Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies Owner / Principal Advance Profitplan Understanding Principles & Concepts Page 1 of 10 Revision

More information

ITIL vs. ISO/IEC 20000: Similarities and Differences & Process Mapping

ITIL vs. ISO/IEC 20000: Similarities and Differences & Process Mapping ITIL vs. ISO/IEC 20000: Similarities and Differences & Process Mapping White paper March 14, 2014 Scope of this document This document is intended for IT Professionals who are deciding on how to implement

More information

De Nieuwe Code voor Informatiebeveiliging

De Nieuwe Code voor Informatiebeveiliging De Nieuwe Code voor Informatiebeveiliging Piet Donga, ING Voorzitter NEN NC 27 - IT Security 1 Agenda Standardisation of Information security The new Code of Practice for Information Security The Code

More information

Practical IT Service Management: Rapid ITIL Without Compromise

Practical IT Service Management: Rapid ITIL Without Compromise W H I T E P A P E R Practical IT Service : Rapid ITIL Without Compromise John Custy IT Service Consultant and Managing Consutant JPC Group Executive Summary All businesses face challenges providing the

More information

Information Technology Governance. Steve Crutchley CEO - Consult2Comply www.consult2comply.com

Information Technology Governance. Steve Crutchley CEO - Consult2Comply www.consult2comply.com Information Technology Governance Steve Crutchley CEO - Consult2Comply www.consult2comply.com What is IT Governance? Information Technology Governance, IT Governance is a subset discipline of Corporate

More information

Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3

Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry. Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3 Criticism of Implementation of ITSM & ISO20000 in IT Banking Industry Presented by: Agus Sutiawan, MIT, CISA, CISM, ITIL, BSMR3 Outline What is IT Service Management What is ISO 20000 Step by step implementation

More information

IRCA Briefing note ISO/IEC 20000-1: 2011

IRCA Briefing note ISO/IEC 20000-1: 2011 IRCA Briefing note ISO/IEC 20000-1: 2011 How to apply for and maintain Training Organization Approval and Training Course Certification IRCA 3000 Contents Introduction 3 Summary of the changes within ISO/IEC

More information

EXIN Foundation in IT Service Management based on ISO/IEC 20000

EXIN Foundation in IT Service Management based on ISO/IEC 20000 Preparation Guide EXIN Foundation in IT Service Management based on ISO/IEC 20000 Edition June 2015 Copyright 2015 EXIN All rights reserved. No part of this publication may be published, reproduced, copied

More information

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49.

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49. Safeguards Frameworks and Controls Theory of Secure Information Systems Features: Safeguards and Controls Richard Baskerville T 1 F 1 O 1 T 2 F 2 O 2 T 3 F 3 O 3 T 4... T n...... F l O m T F O Security

More information

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance Applying Integrated Risk Management Scenarios for Improving Enterprise Governance János Ivanyos Trusted Business Partners Ltd, Budapest, Hungary, ivanyos@trusted.hu Abstract: The term of scenario is used

More information

Software Quality. Unit9. Software Quality Standards

Software Quality. Unit9. Software Quality Standards Software Quality Unit9. Software Quality Standards 1 Standards A Standard is a document of voluntary application, containing technical specifications based on experience and technological development results.

More information

Security metrics to improve information security management

Security metrics to improve information security management Security metrics to improve information security management Igli TASHI, Solange GHERNAOUTIHÉLIE HEC Business School University of Lausanne Switzerland Abstract The concept of security metrics is a very

More information

Management of Information Systems. Certification of Secure Systems and Processes

Management of Information Systems. Certification of Secure Systems and Processes Management of Information Systems Certification of Secure Systems and Processes Information Security Management System (ISMS) ISO 27001 Protecting valuable information Information is an asset whose loss,

More information

ITIL's IT Service Lifecycle - The Five New Silos of IT

ITIL's IT Service Lifecycle - The Five New Silos of IT The workable, practical guide to Do IT Yourself Vol. 4.01 January 1, 2008 ITIL's IT Service Lifecycle - The Five New Silos of IT By Rick Lemieux In my last article I spoke about IT s evolution from its

More information

16) QUALITY MANAGEMENT SYSTEMS

16) QUALITY MANAGEMENT SYSTEMS INTRODUCTION 16) QUALITY MANAGEMENT SYSTEMS The aim of this paper is to give a brief introduction to the idea of a quality management system and specifically in ISO 9001:2000: Quality Management System.

More information

Benchmark of controls over IT activities. 2011 Report. ABC Ltd

Benchmark of controls over IT activities. 2011 Report. ABC Ltd www.pwc.com/cy Benchmark of controls over IT activities 2011 Report ABC Ltd... 2012 Scope and approach We wish to provide you with our IT Benchmarking report over IT activities at ABC Ltd (the Company)

More information

IT Service Management ITIL, COBIT

IT Service Management ITIL, COBIT IT Service Management ITIL, COBIT Bülent Ekuklu Business Development Executive IBM Global Services Global Conditions are Changing 100% 90% 80% 70% 60% 50% 40% 30% 20% 10% Agriculture Manufacturing Service

More information

SITA Service Management Strategy Implementation. Presented by: SITA Service Management Centre

SITA Service Management Strategy Implementation. Presented by: SITA Service Management Centre SITA Service Management Strategy Implementation Presented by: SITA Service Management Centre Contents What is a Service? What is Service Management? SITA Service Management Strategy Methodology Service

More information

Understanding Management Systems Concepts

Understanding Management Systems Concepts Understanding Management Systems Concepts Boğaç ÖZGEN Lead Auditor 1 管 理 计 划 初 始 化 做 实 施 检 查 控 制 过 程 行 动 改 善 活 动 系 统 监 视 2 Management (PLAN) Planning and Organizing (DO) Implementing and realization of

More information

ISO 27000 Information Security Management Systems Foundation

ISO 27000 Information Security Management Systems Foundation ISO 27000 Information Security Management Systems Foundation Professional Certifications Sample Questions Sample Questions 1. is one of the industry standards/best practices in Service Management and Quality

More information

Frequency Asked Questions Information Security Management System (ISMS) Standards Version 3.0 May 2005

Frequency Asked Questions Information Security Management System (ISMS) Standards Version 3.0 May 2005 Frequency Asked Questions Information Security Management System (ISMS) Standards Version 3.0 May 2005 The following are a set of frequently asked questions that relate to new developments regarding ISO/IEC

More information

ISO/IEC 20000 Part 1 the next edition. Lynda Cooper project editor for ISO20000 part 1

ISO/IEC 20000 Part 1 the next edition. Lynda Cooper project editor for ISO20000 part 1 ISO/IEC 20000 Part 1 the next edition Lynda Cooper project editor for ISO20000 part 1 Agenda The ISO20000 series Why has it changed Changes ITIL3 impact New requirements Changed requirements How to prepare

More information

What s New In ITIL V3?

What s New In ITIL V3? What s New In ITIL V3? George Spalding VP, Global Events Pink Elephant Pink Elephant Leading The Way In IT Management Best Practices The ITIL Books (V2) T h e B u s i n e s s Planning To Implement Service

More information

ISO/IEC 20000: 2011 IT Service Management. Tying together all your IT processes Product Guide

ISO/IEC 20000: 2011 IT Service Management. Tying together all your IT processes Product Guide ISO/IEC 20000: 2011 IT Service Management Tying together all your IT processes Product Guide What is ISO/IEC 20000 IT Service Management? ISO/IEC 20000 is the first internationally recognized standard

More information

ITSM vs EA KAOS 10.3.2014

ITSM vs EA KAOS 10.3.2014 ITSM vs EA KAOS ITSM vs EA SH Needs Business Goals 2 GOVERNANCE EVALUATE PLANNING ITSM IMPROVING OPERATING Business Programs Projects DEVELOPING EA IMPLEMENTING IT service - ITIL 3 Lifecycle approach Service

More information

Preparation Guide. EXIN IT Service Management Associate Bridge based on ISO/IEC 20000

Preparation Guide. EXIN IT Service Management Associate Bridge based on ISO/IEC 20000 Preparation Guide EXIN IT Service Management Associate Bridge based on ISO/IEC 20000 Edition January 2014 Copyright 2014 EXIN All rights reserved. No part of this publication may be published, reproduced,

More information

Trustworthy Computing Spring 2006

Trustworthy Computing Spring 2006 Trustworthy Computing Spring 2006 Project Topic: Risk Management of Information Technology Outsourcing under ITIL ITSM framework By: (Mina) Szu-Chia Cheng 1 pages of 19 Table of Content Abstract...3 Why

More information

Preparation Guide. EXIN IT Service Management Associate based on ISO/IEC 20000

Preparation Guide. EXIN IT Service Management Associate based on ISO/IEC 20000 Preparation Guide EXIN IT Service Management Associate based on ISO/IEC 20000 Edition January 2014 Copyright 2014 EXIN All rights reserved. No part of this publication may be published, reproduced, copied

More information

Enabling Compliance Requirements using ISMS Framework (ISO27001)

Enabling Compliance Requirements using ISMS Framework (ISO27001) Enabling Compliance Requirements using ISMS Framework (ISO27001) Shankar Subramaniyan Manager (GRC) Wipro Consulting Services Shankar.subramaniyan@wipro.com 10/21/09 1 Key Objectives Overview on ISO27001

More information

Standardising privacy and security for the cloud

Standardising privacy and security for the cloud Standardising privacy and security for the cloud Chris Mitchell Royal Holloway, University of London www.chrismitchell.net 1 Acknowledgements Like to thank organisers of event for inviting me to contribute.

More information

The Information Security Management System According ISO 27.001 The Value for Services

The Information Security Management System According ISO 27.001 The Value for Services I T S e r v i c e M a n a g e m e n t W h i t e P a p e r The Information Security Management System According ISO 27.001 The Value for Services Author: Julio José Ballesteros Garcia Introduction Evolution

More information

Security Standards. 17.1 BS7799 and ISO17799

Security Standards. 17.1 BS7799 and ISO17799 17 Security Standards Over the past 10 years security standards have come a long way from the original Rainbow Book series that was created by the US Department of Defense and used to define an information

More information

List of courses offered by Marc Taillefer

List of courses offered by Marc Taillefer ISO/IEC 20000 Foundation (IS20F.EN) List of courses offered by Marc Taillefer Designed to provide knowledge of what an IT service management system is and the minimum requirements that service providers

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Managing e-health data: Security management. Marc Nyssen Medical Informatics VUB Master in Health Telematics KIST E-mail: mnyssen@vub.ac.

Managing e-health data: Security management. Marc Nyssen Medical Informatics VUB Master in Health Telematics KIST E-mail: mnyssen@vub.ac. Managing e-health data: Security management Marc Nyssen Medical Informatics VUB Master in Health Telematics KIST E-mail: mnyssen@vub.ac.be Structure of the presentation Data management: need for a clear

More information

Hong Kong Information Security Group TRAINING AGENDA

Hong Kong Information Security Group TRAINING AGENDA TRAINING AGENDA THE ITIL FOUNDATION CERTIFICATE IN IT SEVICE MANAGEMENT The purpose of the ITIL Foundation certificate in IT Service Management is to certify that the candidate has gained knowledge of

More information

INTERMEDIATE QUALIFICATION

INTERMEDIATE QUALIFICATION PROFESSIONAL QUALIFICATION SCHEME INTERMEDIATE QUALIFICATION SERVICE CAPABILITY PLANNING, PROTECTION AND OPTIMIZATION CERTIFICATE SYLLABUS The Swirl logo is a trade mark of the Cabinet Office ITIL is a

More information

Logging the Pillar of Compliance

Logging the Pillar of Compliance WHITEPAPER Logging the Pillar of Compliance Copyright 2000-2011 BalaBit IT Security All rights reserved. www.balabit.com 1 Table of Content Introduction 3 Open-eyed management 4 ISO 27001 5 PCI DSS 5 Sarbanes

More information

GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001

GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001 1 GOVERNING INFORMATION SECURITY IN CONJUNCTION WITH COBIT AND ISO 27001 Tolga MATARACIOGLU 1 and Sevgi OZKAN 2 1 TUBITAK National Research Institute of Electronics and Cryptology (UEKAE), Department of

More information

White Paper. Comparison of ISO/IEC 20000 with ASL and BiSL

White Paper. Comparison of ISO/IEC 20000 with ASL and BiSL White Paper Comparison of ISO/IEC 20000 with ASL and BiSL Both ISO/IEC 20000 and ASL offer guidance for IT Service Providers, ISO/IEC 20000 giving broad guidance for IT Service Management and ASL focusing

More information

Hence to overcome these challenges, it has become imperative to learn these topics and create awareness amongst the employees.

Hence to overcome these challenges, it has become imperative to learn these topics and create awareness amongst the employees. IT Service Management Trainings for Bank Konark Solutions and Services (KS&S) is an organization with Industry expert trainers and consultants. KS&S provides a wide range of Industry specific trainings

More information

IMPLEMENTATION OF SECURITY CONTROLS ACCORDING TO ISO/IEC 27002 IN A SMALL ORGANISATION

IMPLEMENTATION OF SECURITY CONTROLS ACCORDING TO ISO/IEC 27002 IN A SMALL ORGANISATION 48 IMPLEMENTATION OF SECURITY CONTROLS ACCORDING TO ISO/IEC 27002 IN A SMALL ORGANISATION MATÚŠ HORVÁTH, MARTIN JAKUB 1 INTRODUCTION Managerial work is directly dependent on information, it is therefore

More information

Measuring the level of quality of IT Service Management

Measuring the level of quality of IT Service Management Central Page 176 of 344 Measuring the level of quality of IT Service Management Melita Kozina, Lucija Horvat Faculty of Organization and Informatics University of Zagreb Pavlinska 2, 42000 {melita.kozina,

More information

Methods Commission CLUB DE LA SECURITE DE L INFORMATION FRANÇAIS. 30, rue Pierre Semard, 75009 PARIS

Methods Commission CLUB DE LA SECURITE DE L INFORMATION FRANÇAIS. 30, rue Pierre Semard, 75009 PARIS MEHARI 2007 Overview Methods Commission Mehari is a trademark registered by the Clusif CLUB DE LA SECURITE DE L INFORMATION FRANÇAIS 30, rue Pierre Semard, 75009 PARIS Tél.: +33 153 25 08 80 - Fax: +33

More information

Information technology Security techniques Information security management systems Overview and vocabulary

Information technology Security techniques Information security management systems Overview and vocabulary INTERNATIONAL STANDARD ISO/IEC 27000 Third edition 2014-01-15 Information technology Security techniques Information security management systems Overview and vocabulary Technologies de l information Techniques

More information

WHITE PAPER. iet ITSM Enables Enhanced Service Management

WHITE PAPER. iet ITSM Enables Enhanced Service Management iet ITSM Enables Enhanced Service Management iet ITSM Enables Enhanced Service Management Need for IT Service Management The focus within the vast majority of large and medium-size companies has shifted

More information

Service Management Policy

Service Management Policy Service Management Policy XIT-POL-006 Policy - PUBLIC- Author Jan Pavel Version 1.4 Status Reviewed by Approved by Responsible Final Tomas Kucera Tomas Kucera Pavel JANÁK Valid from 9.6.2010 Scope Whole

More information

Business Excellence and ROI based process maturity

Business Excellence and ROI based process maturity Business Excellence and ROI based process maturity SPEG North America 2014 KK Raman, KPMG 6th of May 2014 2014 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms

More information

ITSM Governance In the world of cloud computing

ITSM Governance In the world of cloud computing ITSM Governance In the world of cloud computing Housekeeping Welcome to the Webinar Use the control panel to ask questions Can you see & hear us? enter your name & city to confirm Type Your Questions Here

More information

Bundesamt für Sicherheit in der Informationstechnik

Bundesamt für Sicherheit in der Informationstechnik Nachweis der erreichten Sicherheit durch Prüfungen nach Standards?! DECUS Rheinlandtreffen St. Augustin, 18.11.2004 Bundesamt für Sicherheit in der Informationstechnik ISO/IEC nicht ISO/IEC 2. Standards

More information

Revision of ISO 9001 Quality Management Systems Requirements

Revision of ISO 9001 Quality Management Systems Requirements Revision of ISO 9001 Quality Management Systems Requirements Frequently Asked Questions When will the new ISO 9001 be published? The international standard ISO 9001:2008 Quality management systems Requirements

More information

Name: Lynda Cooper Date: November 24th. Revising ISO/IEC 20000 to fit the future of service management

Name: Lynda Cooper Date: November 24th. Revising ISO/IEC 20000 to fit the future of service management Name: Lynda Cooper Date: November 24th Revising ISO/IEC 20000 to fit the future of service management Agenda Brief overview of ISO20000 Changes Why and How What Your views and how you can influence the

More information

Information Security Management System Policy

Information Security Management System Policy Information Security Management System Policy Public Version 3.3 Issued Document Name Owner P079A ISMS Security Policy Information Security Security Policies, Standards and Procedures emanate from the

More information

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)

COBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA

More information

ISO/IEC present and future - applicable to all IT enabled services Lynda Cooper BCS SMSG July 2015

ISO/IEC present and future - applicable to all IT enabled services Lynda Cooper BCS SMSG July 2015 ISO/IEC 20000 present and future - applicable to all IT enabled services Lynda Cooper BCS SMSG July 2015 Service 20000 Ltd 2015 8/14/2015 1 Lynda Cooper Project editor ISO/IEC 20000-1 Chair of BSI committee

More information

Information Security Management System Information Security Policy

Information Security Management System Information Security Policy Management System Policy Version: 3.4 Issued Document Name: Owner: P079A - ISMS Security Policy Classification: Public Security Policies, Standards and Procedures emanate from the Policy which has been

More information

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management

Course: Information Security Management in e-governance. Day 1. Session 3: Models and Frameworks for Information Security Management Course: Information Security Management in e-governance Day 1 Session 3: Models and Frameworks for Information Security Management Agenda Introduction to Enterprise Security framework Overview of security

More information

An Implementation Roadmap

An Implementation Roadmap An Implementation Roadmap The 2nd Abu Dhabi IT s Forum P J Corum, CSQA, CSTE, ITSM Managing Director Quality Assurance Institute Middle East and Africa Dubai, UAE Quality Assurance Institute Middle East

More information

2.1 MBI Framework 2.2 ITIL 2.3 COBIT

2.1 MBI Framework 2.2 ITIL 2.3 COBIT Extending MBI Model using ITIL and COBIT Processes DOI: 10.20470/jsi.v6i4.244 Sona Karkoskova 1, George Feuerlicht 1,2 1 Faculty of Informatics and Statistics University of Economics, Prague 2 Unicorn

More information

Information Security Management Systems

Information Security Management Systems Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector

More information

RESEARCH PAPERS FACULTY OF MATERIALS SCIENCE AND TECHNOLOGY IN TRNAVA SLOVAK UNIVERSITY OF TECHNOLOGY IN BRATISLAVA

RESEARCH PAPERS FACULTY OF MATERIALS SCIENCE AND TECHNOLOGY IN TRNAVA SLOVAK UNIVERSITY OF TECHNOLOGY IN BRATISLAVA RESEARCH PAPERS FACULTY OF MATERIALS SCIENCE AND TECHNOLOGY IN TRNAVA SLOVAK UNIVERSITY OF TECHNOLOGY IN BRATISLAVA 2012 Special Number QUALITY IN SERVICE MANAGEMENT SYSTEM ACCORDING TO ISO 20000 Ružena

More information

Preparation Guide. IT Service Management Foundation Bridge based on ISO/IEC 20000

Preparation Guide. IT Service Management Foundation Bridge based on ISO/IEC 20000 Preparation Guide IT Service Management Foundation Bridge based on ISO/IEC 20000 Edition April 2011 Copyright 2011 EXIN All rights reserved. No part of this publication may be published, reproduced, copied

More information

COBIT & ITIL usage for SOX current and future

COBIT & ITIL usage for SOX current and future COBIT & ITIL usage for SOX current and future Robert E Stroud International Vice President ISACA Evangelist ITSM & IT Governance CA, Inc. Japan, November 8, 2007 Trademark Notice ITIL is a registered trademark

More information

Introduction to ITIL for Project Managers

Introduction to ITIL for Project Managers CSC NORTH AMERICAN PUBLIC SECTOR Introduction to ITIL for Project Managers May Chantilly Luncheon Linda Budiman, PMP ITILv2 & ITILv3 Process Architect ITIL Service Manager, CobiT certified 5/13/2008 8:08:45

More information

SC7-ISO20000 Alignment issues Aligning ITIL to existing ISO JTC1- SC7 Software Engineering Standards

SC7-ISO20000 Alignment issues Aligning ITIL to existing ISO JTC1- SC7 Software Engineering Standards SC7-ISO20000 Alignment issues Aligning ITIL to existing ISO JTC1- SC7 Software Engineering Standards Dr. A.April ETS University Table of Contents Objectives Audience Current clash An ITIL overview ISO

More information

D5.1: Process Implementation and Maturity Baseline Assessment Framework

D5.1: Process Implementation and Maturity Baseline Assessment Framework D5.1: Process Implementation and Maturity Baseline Assessment Framework Internal Deliverable Document ID Status Version Author(s) Due FedSM- D5.1 Final 1.1 Javier Rubio- Loyola M7 (30 March 2013) Abstract

More information

Geoff Harmer PhD, CEng, FBCS, CITP, CGEIT Maat Consulting Reading, UK www.maatconsulting.com

Geoff Harmer PhD, CEng, FBCS, CITP, CGEIT Maat Consulting Reading, UK www.maatconsulting.com COBIT 5 All together now! Geoff Harmer PhD, CEng, FBCS, CITP, CGEIT Maat Consulting Reading, UK www.maatconsulting.com 1 Copyright Notice COBIT is 1996, 1998, 2000, 2005 2012 ISACA and IT Governance Institute.

More information

How to gain and maintain ISO 27001 certification

How to gain and maintain ISO 27001 certification Public How to gain and maintain ISO 27001 certification Urpo Kaila, Head of Security CSC IT Center for Science ltd. urpo.kaila@csc.fi, security@csc.fi GÉANT SIG ISM 1 st Workshop, 2015-05-12, imperial.ac.uk

More information

Selection and use of the ISO 9000 family of standards

Selection and use of the ISO 9000 family of standards Selection and use of the ISO 9000 family of standards ISO and international standardization ISO/TC 176, Quality management and quality assurance ISO is the International Organization for Standardization.

More information

ITIL. Lifecycle. www.alctraining.com.my. ITIL Intermediate: Continual Service Improvement. Service Strategy. Service Design. Service Transition

ITIL. Lifecycle. www.alctraining.com.my. ITIL Intermediate: Continual Service Improvement. Service Strategy. Service Design. Service Transition Take your ITIL skills to the next level ITIL Lifecycle ITIL Intermediate: Part of the complete ITIL Education Program Advance your career Add value to your organisation Gain credits towards ITIL Expert

More information

ISO 9001 : 2000 Quality Management Systems Requirements

ISO 9001 : 2000 Quality Management Systems Requirements A guide to the contents of ISO 9001 : 2000 Quality Management Systems Requirements BSIA Form No. 137 February 2001 This document is the copyright of the BSIA and is not to be reproduced without the written

More information

Preparation Guide. Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000

Preparation Guide. Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000 Preparation Guide Side entry to the EXIN Expert in IT Service Management based on ISO/IEC 20000 Edition June 2015 Copyright 2015 EXIN All rights reserved. No part of this publication may be published,

More information

EVALUATION FRAMEWORK FOR SERVICE CATALOG MATURITY IN INFORMATION TECHNOLOGY ORGANIZATIONS

EVALUATION FRAMEWORK FOR SERVICE CATALOG MATURITY IN INFORMATION TECHNOLOGY ORGANIZATIONS EVALUATION FRAMEWORK FOR SERVICE CATALOG MATURITY IN INFORMATION TECHNOLOGY ORGANIZATIONS Carlos Moreno Martínez Information Systems Department, Universidad Europea de Madrid Spain Email: 20839394@live.uem.es

More information

ETICS Service Management Framework

ETICS Service Management Framework ETICS Service Management Framework Business Objectives and Best Practice Guidance ETICS2 All Hands Meeting Uwe Mueller-Wilm VEGA GmbH Palermo, Oct. 2008 Customer Feedback Transcriptions of ETICS Feedback

More information

ITIL: What is it? How does ITIL link to COBIT and ISO 17799?

ITIL: What is it? How does ITIL link to COBIT and ISO 17799? ITIL: What is it? How does ITIL link to COBIT and ISO 17799? 1 What is ITIL? The IT Infrastructure Library A set of books comprising an IT service management Best Practices framework An industry of products,

More information

ISO 27001 Gap Analysis - Case Study

ISO 27001 Gap Analysis - Case Study ISO 27001 Gap Analysis - Case Study Ibrahim Al-Mayahi, Sa ad P. Mansoor School of Computer Science, Bangor University, Bangor, Gwynedd, UK Abstract This work describes the initial steps taken toward the

More information

An Overview of ISO/IEC 27000 family of Information Security Management System Standards

An Overview of ISO/IEC 27000 family of Information Security Management System Standards What is ISO/IEC 27001? The ISO/IEC 27001 standard, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is known as Information

More information

Information and Communication Technology. Helpdesk Support Procedure

Information and Communication Technology. Helpdesk Support Procedure BELA-BELA LOCAL MUNICIPALITY Chris Hani Drive, Bela- Bela, Limpopo. Private Bag x 1609 BELA-BELA 0480 Tel: 014 736 8000 Fax: 014 736 3288 Website: www.belabela.gov.za OFFICE OF THE MUNICIPAL MANAGER Information

More information

ISO/IEC 27001:2013 webinar

ISO/IEC 27001:2013 webinar ISO/IEC 27001:2013 webinar 11 June 2014 Dr. Mike Nash Gamma Secure Systems Limited UK Head of Delegation, ISO/IEC JTC 1/SC 27 Introducing ISO/IEC 27001:2013 and ISO/IEC 27002:2013 New versions of the Information

More information

Benefits to the Quality Management System in implementing an IT Service Management Standard ISO/IEC 20000-1

Benefits to the Quality Management System in implementing an IT Service Management Standard ISO/IEC 20000-1 Benefits to the Quality System in implementing an IT Standard ISO/IEC 20000-1 Presentation to: ASQ North Jersey September 15, 2010 Subrata Guha Director IT s UL DQS Inc. A New Global Alliance for Systems

More information

IT and Business Process Performance Management: Case Study of ITIL Implementation in Finance Service Industry

IT and Business Process Performance Management: Case Study of ITIL Implementation in Finance Service Industry IT and Business Process Performance Management: Case Study of Implementation in Finance Service Industry M S Faculty of Economics and Business Zagreb, University of Zagreb Kennedy s sq 6, 10000 Zagreb,

More information

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and

More information

ITIL: What it is What it Can Do For You V2.1

ITIL: What it is What it Can Do For You V2.1 ITIL: What it is What it Can Do For You V2.1 Service Solution Company Facilitated by: Patrick Musto Agenda Answer the questions what? and how? Historical Background Fundamental Principles 5 Lifecycle Phases

More information

Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014

Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014 Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014 2 Today s Reality Is Deep & Complex Global ICT Supply Chains IT and Communications

More information

-Blue Print- The Quality Approach towards IT Service Management

-Blue Print- The Quality Approach towards IT Service Management -Blue Print- The Quality Approach towards IT Service Management The Qualification and Certification Program in IT Service Management according to ISO/IEC 20000 TÜV SÜD Akademie GmbH Certification Body

More information

D4.3 Professional training material foundation level

D4.3 Professional training material foundation level D4.3 Professional training material foundation level Internal Deliverable Document ID FedSM- D4.3 Status Deliverable Version Version 1.01 Author(s) Michael Brenner, Stefanie Grois Due M10 (30 Jun 2013)

More information

Future of CMM and Quality Improvement. Roy Ko Hong Kong Productivity Council

Future of CMM and Quality Improvement. Roy Ko Hong Kong Productivity Council Future of CMM and Quality Improvement Roy Ko Hong Kong Productivity Council 1 Agenda Future Development of CMMI CMMI and Small Organizations CMMI and Agile Development Good Enough Quality CMMI and Other

More information

Sarbanes Oxley Act Statement of Ability. An AdRem Software White Paper

Sarbanes Oxley Act Statement of Ability. An AdRem Software White Paper Sarbanes Oxley Act Statement of Ability An AdRem Software White Paper 2009 AdRem Software, Inc. This document is written by AdRem Software and represents the views and opinions of AdRem Software regarding

More information

ISO 9000 Introduction and Support Package: Guidance on the Documentation Requirements of ISO 9001:2008

ISO 9000 Introduction and Support Package: Guidance on the Documentation Requirements of ISO 9001:2008 Document: ISO/TC 176/SC 2/N 525R2 ISO 9000 Introduction and Support Package: 1 Introduction Two of the most important objectives in the revision of the ISO 9000 series of standards have been a) to develop

More information

IT Governance: The benefits of an Information Security Management System

IT Governance: The benefits of an Information Security Management System IT Governance: The benefits of an Information Security Management System Katerina Cai, CISSP Hewlett-Packard 2004 Hewlett-Packard Development Company, L.P. The information contained herein is subject to

More information

The Future of Best Practices in IT Service Management - ITIL Version 3 Explained

The Future of Best Practices in IT Service Management - ITIL Version 3 Explained The Future of Best Practices in IT Service Management - ITIL Version 3 Explained Reg Harbeck CA Monday, August 13, 2007 Session 1455 ITIL V3: The Processes Governance Processes: Service Measurement Service

More information