Information Security Management (ITIL 4)

Parent Process Reference Framework: ITIL 4

Service Value Stream Activities

Highly impacted Service Value System(SVS) Activities:

• Plan
• Engage
• Obtain/build
• Design and transition
• Deliver and Support
• Improve 

Description

The purpose of the information security management practice is to protect the information needed by the organization to conduct its business. This includes understanding and managing risks to the confidentiality, integrity, and availability of information, as well as other aspects of information security such as authentication (ensuring someone is who they claim to be) and non-repudiation (ensuring that someone can’t deny that they took an action). 

The required security is established by means of policies, processes, behaviours, risk management, and controls, which must maintain a balance between: 

• Prevention Ensuring that security incidents don’t occur 
• Detection Rapidly and reliably detecting incidents that can’t be prevented 

• Correction Recovering from incidents after they are detected. 

It is also important to achieve a balance between protecting the organization from harm and allowing it to innovate. Information security controls that are too restrictive may do more harm than good, or may be circumvented by people trying to do work more easily. Information security controls should consider all aspects of the organization and align with its risk appetite. 

Information security management interacts with every other practice. It creates controls that each practice must consider when planning how work will be done. It also depends on other practices to help protect information. 

Information security management must be driven from the most senior level in the organization, based on clearly understood governance requirements and organizational policies. Most organizations have a dedicated information security team, which carries out risk assessments and defines policies, procedures, and controls. In high-velocity environments, information security is integrated as much as possible into the daily work of development and operations, shifting the reliance on control of process towards verification of preconditions such as expertise and integrity. 

Information security is critically dependent on the behaviour of people throughout the organization. Staff who have been trained well and pay attention to information security policies and other controls can help to detect, prevent, and correct information security incidents. Poorly trained or insufficiently motivated staff can be a major vulnerability. 

Many processes and procedures are required to support information security management. These include: 

• an information security incident management process 
• a risk management process 
• a control review and audit process 
• an identity and access management process 

• event management 
• procedures for penetration testing, vulnerability scanning, etc. 
• procedures for managing information security related changes, such as firewall configuration changes.