Integrated Information Management Systems



Luděk Novák
ludek.novak@anect.com
ANECT a.s., Brno, Czech Republic

Abstract

The article tries to find consensus among three different types of management systems that are frequently used in information management: the quality management system, the IT service management system and the information security management system. The aim is not to choose the best method, but to compose a comprehensive framework based on the advantages and synergies of all three. The author describes his experience with integrating the three types of systems into one consistent information management framework. The integration is based on the similarities of the systems, especially on the PDCA model, which is a key shared principle. The second principle is an effort to incorporate information risk management into each type of system: these days it is not possible to manage risk properly without a close connection to realising the benefits of information and communication technology.

Keywords: Information management, Software quality, IT service management, Information security, CobiT, ITIL, BS 7799, PDCA model.

1 Introduction

The wide use of information and communication technology (ICT) has a very serious consequence: organizations are more and more dependent on the quality, reliability and security of their information and communication systems, including all related processes and activities. The provision of more effective and efficient services with appropriate reliability and security is an essential responsibility of the people involved in information management.

The aims of information management are also shifting. The increasing importance of ICT in the everyday life of organizations means it is no longer acceptable just to administer and maintain the ICT infrastructure. The primary role of information management is to manage and improve IT services that deliver defined and measurable added value to the business units. Information management thus gains an essential position in general business management and strategy.

There are several best-practice methodologies or standards in the information management and security world.
CobiT (Control Objectives for Information and related Technology), ISO 9000, ITIL (Information Technology Infrastructure Library), BS 7799-2 and/or ISO/IEC 17799 are the most general frameworks. New requirements on information management have appeared recently (Basel II, the Sarbanes-Oxley Act, critical information infrastructure protection etc.), and they emphasise the need for information management systems based on international standards and open methodologies.

Basel II, the new capital accord, establishes new requirements on operational risk control in banking. ICT is a key element of operational risk, and banks should adopt a process-driven approach to risk management, information management and operations.

The Sarbanes-Oxley Act establishes new mandates for financial reporting based on the internal control environment. A company's managers are fully responsible for the internal controls and must make a statement about them. Most financial reporting processes are driven by ICT, so strong information management is also a key element, and information managers and other ICT professionals are held accountable for the quality and integrity of the information produced by ICT.

Security and Protection of Information 2005

2 Starting points

The regulatory examples mentioned above illustrate the current situation in information management. The new requirements do not distinguish among information management, information risk management, information security management, ICT operations etc. There is just one control framework for information management, and the basic question is whether any information is presented trustworthily.

2.1 Information management added value

According to current needs, information management has to find and define an appropriate information management added value (or ICT added value) much more extensively. There are three general types of added value connected with ICT:

Increase automation: an organization is able to align its business and information management and enlarges its production and performance by using ICT. The organization is effective (it does the right things).

Decrease costs: an organization is able to use its resources responsibly and reduces costs and other expenses by using ICT. The organization is efficient (it does things well).

Manage risks: an organization is able to adjust its security measures and minimises security incidents, related risks and possible damages. The organization is secure.

Figure 1: ICT added value (diagram of the three types of added value: increase automation, decrease costs, manage risks)

Existing information management needs and requirements stress all three types of information management added value. An important issue is to find a balance among all three, because it is not possible to realise ICT benefits without proper risk management. On the other hand, information risk management should be in close connection with the ICT benefits and reflect them. This complex outlook on information management is sometimes called IT governance.

2.2 IT governance and the CobiT methodology

IT governance is a structure of relationships and processes to direct and control the organization in order to achieve the organization's goals by adding value while balancing risk versus return over ICT and its processes.
[1]

CobiT (Control Objectives for Information and related Technology) [1] as an IT governance model is a comprehensive information management framework. Its basic idea says that information management should reach an effective balance between realising benefits (by increasing automation or decreasing costs) and managing risks. To accomplish this, information management needs to identify the most important activities to be performed, measure progress towards achieving goals and determine how well the ICT processes are performing.

The CobiT concept is that control in ICT is approached by looking at the information that is needed to support the business objectives or requirements, and by looking at information as the result of the combined application of ICT resources that need to be managed by ICT processes. To satisfy business objectives, information needs to conform to certain criteria. The following three basic elements form the CobiT framework:

Information criteria present business goals and needs and their implications for information management (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability).

ICT resources are the available means that information management can use (data, applications, technology, facilities and people).

ICT processes are all activities and tasks related to information management; they form four broad domains (planning and organization, acquisition and implementation, delivery and support, and monitoring).

In summary, in order to provide the information that the organisation needs to achieve its objectives, IT governance must be exercised by the organisation to ensure that ICT resources are managed by a set of naturally grouped ICT processes. CobiT, as a useful tool, calls attention to:

Organization contribution: ensuring effective IT governance and information management;

User orientation: measuring up to business expectations;

Operational excellence: performing the ICT function with increasing credibility and impact;

Future orientation: building the foundation for future delivery and continuous learning and growth.

The CobiT methodology is ideal for establishing a comprehensive control environment for information management. But it has a significant shortcoming: the ICT processes are not defined in much depth in CobiT. It was not the authors' aim to describe all the details, so from the practical point of view it is better to use other guidance to implement information management.
2.3 Integrated information management system requirements

There are three types of ICT added value, and successful information management should integrate all aspects: quality, reliability and security. Such an information management system should be composed of the following:

A good relationship with the business and the users of information and communication systems (enhancing effectiveness) is essential to a quality management system;

Effectiveness of all ICT operations based on proper IT service delivery and support (reducing expenses) is the main goal of an IT service management system;

Control and limitation of information security risks and possible damages (managing risks) is the key benefit of an information security management system.

Figure 2: Integrated information management system (diagram: quality management, IT service management, information security management and CobiT)

Are these three different information management systems compatible with each other or not? And can effective and efficient integration stand on the advantages and synergies of the systems? You can hear similar questions quite often these days.

3 Basic components of the information management system

Quality management is based on quality management systems according to ISO 9000 (or ISO/IEC 90003 in IT). Reliability is established by an IT service management system that follows the recommendations of BS 15000, which generalises ITIL. Security stands for the information security management system, which applies controls from BS 7799-2 or ISO/IEC 17799. Each system and its contribution to the integrated information management system is discussed in the following text.

3.1 Quality management system

Quality is the totality of characteristics of a product or service that bear on its ability to satisfy stated and implied needs. [ISO 8402]

A Quality Management System (QMS) is a well-known system that emphasises the importance of customers and their requirements for any business. ISO 9001:2000 [2] is a familiar example of a collection of quality management best practices. The principles are valid for information management too, so business unit and user requirements are seriously important issues. Excellent information management should systematically discover user ideas and transform them properly into real life. The added value of a QMS is to increase automation and partly to decrease costs. A suitable level of internal process formalism (process definition, resource management, document and record management) is another advantage of a QMS.

The guidance ISO/IEC 90003:2004 [3] covers all aspects of software quality, from acquisition to supply, including development, operation and maintenance of computer software, and provides guidance on how to implement the highly successful ISO 9001:2000 process-driven approach in a software environment. The structure of the standard demonstrates the comprehensiveness of its five perspectives (see Figure 3).
Figure 3: Basic structure of the quality management system for software engineering (ISO/IEC 90003: management responsibility, quality management system, resource management, product realization, and measurement, analysis and improvement)

A lot of organizations are running a QMS, so information management can use the QMS's tools and rules as guidance for document management, resource management, record management etc. It is also useful to add the concept of information management into the QMS framework rather than establish parallel structures. The QMS culture in the organization is a useful asset too, so it can be promoted to include information management and/or information security issues.

3.2 IT service management system

An IT service is a described set of facilities, IT and non-IT, supported by the IT service provider, that fulfils one or more needs of the customer and that is perceived by the customer as a coherent whole. [15]

IT Service Management (ITSM) is a relatively new approach to information management that concentrates on ICT operation processes. ITSM is primarily known as the process- and service-focused approach to information management. ITSM addresses the provision and support of IT services tailored to the needs of the organization. ITSM offers a common framework for ICT activities, as part of the provision of services, based on the ICT infrastructure. These activities are divided into processes (see Figure 4) which, when used together, provide an effective ITSM framework for service delivery and service support. ITSM brings decreased costs and partly increased automation for the organization.

Figure 4: IT service management processes
Service delivery processes: capacity management; service continuity and availability management; service level management; service reporting; information security management; budgeting and accounting for IT services.
Control processes: change management; configuration management.
Release process: release management.
Resolution processes: incident management; problem management.
Relationship processes: business relationship management; supplier management.

The ITSM concept is defined by two standards: the first, BS 15000-1:2002 [5], describes the management system specification, and a code of practice is presented by the second, BS 15000-2:2003 [6]. There is huge public interest, and consequently both standards are being adopted in a short time as the new international standard ISO/IEC 20000 (IT Service Management). ITSM concentrates on high reliability and transparency of ICT operations. Its primary aim is to define operation processes, including relationships and measurements, to monitor and supervise the realisation of the processes, and to enhance operational effectiveness based on results and trends. ITSM is an ideal way to control, monitor and improve internal ICT operations.

ITSM is not just about the standards. The philosophy comes from the IT Infrastructure Library (ITIL), which is a comprehensive set of guidance on how to design, build and run ITSM. The documents describing service delivery and service support are the core of the whole ITIL library.

3.3 Information security management system

Information security is the preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved. [8]

An Information Security Management System (ISMS) concentrates on the definition of processes connected with information risk analysis and treatment; its ICT added value is to manage risks.
The standard BS 7799-2:2002 [11] defines the ISMS requirements and specifies how to design, enforce, control and improve information security management. There is a draft of a new international standard, ISO/IEC 24743 [12], based on BS 7799-2:2002, and the final version is expected at the end of 2005. A key element of any ISMS is the information risk management and treatment process, which concentrates on choosing proper security objectives and controls.

A code of practice for information security management and other ISMS best practice is described in ISO/IEC 17799:2000 [7]. A new version is ready to be published by summer 2005. The information security categories in the following figure present the basic extent of ISO/IEC 17799:2005 [8].

Figure 5: Information security categories of ISO/IEC 17799:2005: security policy; organizing information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance.

A draft of ISO/IEC 24742, Information security management metrics and measurements [13], is currently in progress. Its aim is to add tools for defining measures and indicators into the ISMS; it is sometimes called the 3rd part of BS 7799.

4 Shared principles of the management systems

4.1 PDCA model

All the presented systems have a vital shared principle called the PDCA model (Plan, Do, Check, Act). The model defines a basic cycle for each management system. The cycle starts with planning the activities and defining the expected results. Implementation and operation, as the second part, is followed by monitoring of all defined activities in order to have appropriate information on the success of the implementation, its strengths and weaknesses. These outputs and the experience gained should be used for continual improvement of the management system.

Figure 6: PDCA model concept (Plan, Do, Check, Act cycle; on one side customers state their requirements and their satisfaction is monitored, on the other side the organization states its requirements to suppliers and monitors their fulfilment)

The external connections of the PDCA model are important too. Customers (or users) are one side of the externalities, and suppliers are the other. The PDCA model requires a clear expression of customer requirements and proper monitoring of their satisfaction. On the other hand, the organization should define requirements for its suppliers and watch how the suppliers fulfil its needs. The PDCA model is the key principle that makes it possible to integrate three management systems concentrated on different topics. The other shared principles related to the PDCA model include management responsibility and commitment, resource management, documentation and record control, awareness and training, management reviews, continual improvement etc.

4.2 Standpoints to improve the ISMS

The main topic of the conference is information security and protection, so we look at the benefits of information management integration for the ISMS.

At first it is important to mention the positive influence of the QMS on the ISMS. The QMS is a well-known application of the PDCA model, so any good experience with it can be used for advocating the ISMS. Using existing tools and following the established culture should be another advantage for the ISMS. Last but not least, sharing the existing QMS structure is preferable to creating a wholly new framework for the ISMS.

The relation between ITSM and the ISMS contains more synergies. ITSM comprehends IT services as the foundation of information management. Consequently it is advisable to apply this approach in the ISMS too: IT services should be the starting point for the risk analysis and risk treatment processes. This approach allows information security requirements to be taken as part of each IT service and, as a result, security to be included in IT service reporting.

Change management is another large area for collaboration between ITSM and the ISMS. ITSM offers deeper inspection and a more detailed description of change management and related processes. The ISMS can use this quite easily, including configuration management and release management.
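As an added illustration (not part of the article, and not ANECT's own code), the following Python sketch takes the IT service catalogue as the starting point for risk analysis and treatment, as recommended above, and produces a per-service security line that can be folded into IT service reporting alongside availability and service level figures. The service names, the risks, the 1-5 likelihood and impact scale, the control reductions and the acceptance threshold are all constructed assumptions for the example, not values from the article or from any standard.

```python
"""Service-centred risk register: IT services are the unit of risk analysis,
treatment decisions are made against an acceptance threshold, and the result
is a per-service security status for IT service reporting.

Added example; not code from the article or from ANECT. All data below is
constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed assumption: a residual risk (likelihood x impact) at or below
# this value is accepted; anything above it needs further treatment.
RISK_ACCEPTANCE_THRESHOLD = 6


@dataclass
class Risk:
    """One identified risk against a service, scored on a constructed 1-5 scale."""
    description: str
    likelihood: int                       # 1 (rare) .. 5 (almost certain)
    impact: int                           # 1 (negligible) .. 5 (severe)
    # Controls applied to the risk: (name, likelihood reduction, impact reduction).
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Risk level before any control is taken into account."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk level after the listed controls; scores never drop below 1,
        since a control reduces a risk but does not make it vanish."""
        lik, imp = self.likelihood, self.impact
        for _name, d_lik, d_imp in self.controls:
            lik -= d_lik
            imp -= d_imp
        return max(lik, 1) * max(imp, 1)

    def treatment(self) -> str:
        """Treatment decision: 'accept' within appetite, otherwise 'treat'."""
        return "accept" if self.residual() <= RISK_ACCEPTANCE_THRESHOLD else "treat"


@dataclass
class ITService:
    """An IT service from the service catalogue, owning its own risks."""
    name: str
    business_owner: str
    risks: list = field(default_factory=list)


def validate(risk: Risk) -> None:
    """Reject scores outside the scale so a typo cannot skew the report."""
    for label, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{label} must be 1..5, got {value}: {risk.description}")


def service_security_report(services):
    """One report row per service, worst residual risk first.

    The row carries the figures a service report needs: how many risks were
    analysed, how many still require treatment, the highest residual risk and
    a plain status the service owner can act on.
    """
    rows = []
    for svc in services:
        for risk in svc.risks:
            validate(risk)
        open_risks = [r for r in svc.risks if r.treatment() == "treat"]
        max_residual = max((r.residual() for r in svc.risks), default=0)
        rows.append({
            "service": svc.name,
            "owner": svc.business_owner,
            "risks": len(svc.risks),
            "open": len(open_risks),
            "max_residual": max_residual,
            "status": "treatment required" if open_risks else "within appetite",
        })
    rows.sort(key=lambda row: (row["max_residual"], row["open"]), reverse=True)
    return rows


def example_catalogue():
    """Constructed sample catalogue: two services with a few risks each."""
    internet_banking = ITService("Internet banking", "Retail division", risks=[
        Risk("Unauthorised access to customer accounts", 4, 5,
             controls=[("two-factor authentication", 2, 0),
                       ("session monitoring", 0, 1)]),        # residual 2 x 4 = 8
        Risk("Web server outage", 3, 3,
             controls=[("redundant web tier", 2, 0)]),        # residual 1 x 3 = 3
    ])
    payroll = ITService("Payroll", "HR", risks=[
        Risk("Disclosure of salary data by an administrator", 2, 4,
             controls=[("access logging and review", 1, 0)]),  # residual 1 x 4 = 4
    ])
    return [internet_banking, payroll]


if __name__ == "__main__":
    for row in service_security_report(example_catalogue()):
        print(f"{row['service']:<18} risks={row['risks']} open={row['open']} "
              f"max residual={row['max_residual']:>2}  {row['status']}")
```

Run stand-alone, the script prints the constructed catalogue with Internet banking first, because its access risk stays above the threshold even after two controls, while Payroll falls within appetite. Sorting by worst residual risk is what makes the security line useful in a service report: the service owner sees where treatment is still required without reading the whole register. The validate step covers the obvious failure mode of a register kept in spreadsheets, a score outside the scale, by rejecting it rather than silently folding it into the totals.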
Incident management is in a somewhat more difficult situation, because the ITSM recommendations have to be joined up with the information security incident management requirements defined by ISO/IEC TR 18044:2004 [9]. Finally it is necessary to warn that availability management and continuity management have similar rules, and the residual problems relate to how the business understands them.

5 Conclusions

It is not possible to discuss all information management aspects and their information security consequences. The aim is to call attention to the need to join the different views. The integrated information management system makes it possible to take advantage of all existing similarities. It is clear that each discussed system stresses its own perspective, but there are no barriers to their improving each other. There are no limitations from this standpoint.

References

[1] COBIT 3rd Edition, Information Systems Audit and Control Foundation (ISACF), 2000.
[2] EN ISO 9001:2000 Quality management systems: Requirements.
[3] ISO/IEC 90003:2004 Software engineering: Guidelines for the application of ISO 9001:2000 to computer software.
[4] Suryn, W., Hailey, V. A., and Coster, A.: Huge potential user base for ISO/IEC 90003. In ISO Focus, Volume 2, No. 2, pp. 26-30, February 2005.
[5] BS 15000-1:2002 IT service management. Part 1: Specification for service management.
[6] BS 15000-2:2003 IT service management. Part 2: Code of practice for service management.
[7] ISO/IEC 17799:2000 Information technology: Security techniques: Code of practice for information security management.
[8] ISO/IEC FDIS 17799:2005 Information technology: Security techniques: Code of practice for information security management.
[9] ISO/IEC TR 18044:2004 Information technology: Security techniques: Information security incident management.

[10] Humphreys, T.: Being prepared to tackle threats to your business. In ISO Focus, Volume 2, No. 2, pp. 13-15, February 2005.
[11] BS 7799-2:2002 Information security management systems: Specification with guidance for use.
[12] ISO/IEC FCD 24743:2004 Information technology: Security techniques: Information security management systems: Requirements specification.
[13] ISO/IEC 1st WD 24742:2005 Information technology: Security techniques: Information security management metrics and measurements.
[14] http://www.iso.ch/
[15] http://www.ogc.gov.uk/