
ITMAGAZINE

Aligning Information Security Incident Management with ITIL V3
2 September 2012 - By Andres Maurer

Companies implementing an information security program that already have ITIL processes in place may consider leveraging their existing ITIL Incident and Problem Management processes to include information security incident management activities.

The myriad of standards, models and industry best practices available today leaves many companies with the dilemma of choosing which path to take. To further complicate the situation, many individual initiatives are started with a specific target in mind. A strongly goal-driven approach unfortunately often results in tunnel vision, and many of these standards address the same concern from a different perspective. The likely outcome is a company with several different ways of doing the same thing, which is, of course, not at all efficient.
This article presents a possible mapping of the respective ITIL processes to the information security incident management tasks listed in domain 4 of the CISM Job Practice (see Figure 1). The overall goal of Information Security Incident Management is to limit the impact of incidents on business operations and to restore normal operation according to existing service level agreements (SLAs), which is very close to ITIL's goal. We can therefore expect the ITIL and CISM processes to be similar. If the ITIL processes are already in place, we will only need to extend certain activities to cover information security needs.
Since most companies have their own (and normally unique) processes, the mapping described here represents only an approximation.

ITIL Incident Management

The objective of this ITIL process is to record, prioritize and manage all incidents with the purpose of resolving them as fast as possible.
An incident is defined as an unplanned occurrence that affects the standard operation of a service by either disrupting it or degrading the quality of the service.
Input to this process: The Incident Management process is started by a notification from a user, a trigger from Event Management or another source that reports a disturbance.

The typical process steps are:
- Incident identification
- Recording
- Categorization
- Prioritization
- Investigation & diagnosis
- Resolution & recovery
- Incident closure

The following Information Security Incident Management tasks from the CISM Job Practice can be mapped to this process:
T4.1 Establish and maintain an organizational definition of, and severity hierarchy for, information security incidents to allow accurate identification of and response to incidents.
T4.2 Establish and maintain an incident response plan to ensure an effective and timely response to information security incidents.
T4.3 Develop and implement processes to ensure the timely identification of information security incidents.
T4.6 Organize, train and equip teams to effectively respond to information security incidents in a timely manner.
T4.8 Establish and maintain communication plans and processes to manage communication with internal and external entities.
Information security extension of this ITIL process: The Incident Management team needs to be trained to recognize information security incidents, to know how to classify them and to secure forensic evidence for later analysis (for example by preserving original logs and disk images untouched rather than working on the only copy).

ITIL Problem Management

The objective of this ITIL process is the ultimate resolution of problems, which includes the proactive analysis of all incidents with the goal of identifying their root causes.
A problem is defined as the unknown cause of one or more incidents.
Input to this ITIL process: The Problem Management process is started by a notification from a user or supplier, or by a trigger from Event Management, the Service Desk or Incident Management.

The typical process steps are:
- Problem identification
- Recording
- Categorization
- Prioritization
- Investigation & diagnosis
- Solution
- Problem closure

The following Information Security Incident Management tasks from the CISM Job Practice can be mapped to this process:
T4.4 Establish and maintain processes to investigate and document information security incidents to be able to respond appropriately and determine their causes while adhering to legal, regulatory and organizational requirements.
T4.5 Establish and maintain incident escalation and notification processes to ensure that the appropriate stakeholders are involved in incident response management.
T4.6 Organize, train and equip teams to effectively respond to information security incidents in a timely manner.
Information security extension of this ITIL process: The Problem Management team needs to be extended with specialists who can diagnose and solve information security problems while ensuring that forensic evidence remains uncontaminated.

ITIL Continual Service Improvement

The objective of this ITIL process is to maintain and improve the quality of services so as to maximize customer satisfaction.

The typical process steps are:
- Define what should be measured
- Define what can actually be measured
- Measurement
- Data processing / consolidation
- Analysis
- Results presentation
- Identify corrective measures

The following Information Security Incident Management tasks from the CISM Job Practice can be mapped to this process:
T4.7 Test and review the incident response plan periodically to ensure an effective response to information security incidents and to improve response capabilities.
T4.9 Conduct post-incident reviews to determine the root cause of information security incidents, develop corrective actions, reassess risk, evaluate response effectiveness and take appropriate remedial actions.
T4.10 Establish and maintain integration among the incident response plan, disaster recovery plan and business continuity plan.
Information security extension of this ITIL process: The information security procedures will also have to be reviewed regularly. Additionally, regular post-incident reviews need to be established.

Variations

In the mapping shown, it is assumed that the Incident Management team does not possess enough in-depth knowledge. Hence the task of incident management would be focused on properly identifying an information security incident and then forwarding it to the specialists in Problem Management.
Should the Incident Management team also be capable of handling certain common information security incidents, it might also execute investigative tasks (T4.4 and T4.5) in some cases.
Another possible variation would be that the Service Desk acts as the input channel (T4.1) and then forwards the incidents directly to Problem Management, which will then respond to the incident (T4.2 to T4.5).
If the ITIL processes are still being defined, or when major changes to existing processes are needed (e.g. integration of a new Security Information and Event Management (SIEM) tool), the "establish" and "develop" parts of the CISM tasks (T4.1 to T4.6, T4.8, T4.10) should follow the standard approach (Figure 2, "1. Standard" instead of the previously described "2. Extend") and be defined in the ITIL Service Design phase, because Information Security Management is a process of that phase (please see the recommended reading for more information).

ITIL Event Management

The objective of this ITIL process is to systematically detect events that will potentially lead to disruption of services. This process provides the basis for operational monitoring.
Although there is no direct link from Event Management to the Information Security Incident Management tasks, this process serves as the communication channel for events triggered by Intrusion Detection Systems (IDS).
Once an event is triggered, it is first filtered and prioritized. Depending on the criticality, the event is then routed as an input to either the Incident or the Problem Management process.
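To make the filter / prioritize / route step concrete, here is an added example (not code from the article or from any ITIL or CISM publication) that takes a few constructed, simplified IDS alert lines, drops informational noise, assigns an ITIL-style priority from an impact x urgency matrix, and routes the result: high-priority events open an incident, and a signature that hits several hosts is additionally forwarded to Problem Management, since the page defines a problem as the unknown cause of one or more incidents. The alert line format, the field names, the severity-to-impact/urgency mapping, the matrix values, the critical network range and all thresholds are assumptions made for this illustration. It also keeps a SHA-256 digest of each untouched raw record so that later forensic analysis can check the event was not altered on its way through the tooling.

```python
"""Added illustration of an Event Management style filter / prioritize / route
step for IDS events. Everything below (alert format, mappings, thresholds,
sample data) is assumed for the example and is not from the article."""
import hashlib
from dataclasses import dataclass

# Constructed sample alert lines (not real IDS output): severity;signature;src;dst
SAMPLE_ALERTS = [
    "info;ICMP echo request;10.0.0.5;10.0.0.1",
    "high;SQL injection attempt;203.0.113.7;10.0.1.20",
    "high;SQL injection attempt;203.0.113.7;10.0.1.21",
    "high;SQL injection attempt;203.0.113.7;10.0.1.22",
    "medium;Suspicious user agent;198.51.100.9;10.0.1.20",
    "info;ICMP echo request;10.0.0.6;10.0.0.1",
]


@dataclass(frozen=True)
class Event:
    severity: str
    signature: str
    src: str
    dst: str
    # Digest of the untouched raw line, kept so later analysis can verify the
    # record was not modified in transit. Real evidence handling (write-once
    # storage, chain of custody) is outside this example.
    evidence_sha256: str


def parse_alert(line: str) -> Event:
    severity, signature, src, dst = line.strip().split(";")
    return Event(severity, signature, src, dst,
                 hashlib.sha256(line.encode()).hexdigest())


# Assumed severity -> ITIL impact / urgency scale (1 = highest, 3 = lowest).
SEVERITY_SCALE = {"high": 1, "medium": 2, "info": 3}
# Assumed network range holding business-critical systems; a hit there raises impact one step.
CRITICAL_NET = "10.0.1."


def impact(e: Event) -> int:
    base = SEVERITY_SCALE[e.severity]
    return max(1, base - 1) if e.dst.startswith(CRITICAL_NET) else base


def urgency(e: Event) -> int:
    return SEVERITY_SCALE[e.severity]


# ITIL-style impact x urgency -> priority (1 = critical ... 5 = planning). Values assumed.
PRIORITY_MATRIX = {
    (1, 1): 1, (1, 2): 2, (1, 3): 3,
    (2, 1): 2, (2, 2): 3, (2, 3): 4,
    (3, 1): 3, (3, 2): 4, (3, 3): 5,
}


def priority(e: Event) -> int:
    return PRIORITY_MATRIX[(impact(e), urgency(e))]


FILTER_OUT = {"info"}      # assumed: informational events are only logged
INCIDENT_THRESHOLD = 3     # assumed: priority 1..3 opens an incident
PROBLEM_REPEAT = 3         # assumed: same signature on >= 3 hosts suggests a common root cause


def route(lines):
    """Filter, prioritize and route alert lines.

    Returns {"incident": [Event], "problem": [signature], "log": [Event]}.
    """
    events = [parse_alert(line) for line in lines]
    logged = [e for e in events if e.severity in FILTER_OUT]
    kept = [e for e in events if e.severity not in FILTER_OUT]

    hosts_per_signature = {}
    for e in kept:
        hosts_per_signature.setdefault(e.signature, set()).add(e.dst)

    incidents = [e for e in kept if priority(e) <= INCIDENT_THRESHOLD]
    # Forward to Problem Management: one record per signature that spans many hosts.
    problems = sorted({e.signature for e in incidents
                       if len(hosts_per_signature[e.signature]) >= PROBLEM_REPEAT})
    return {"incident": incidents, "problem": problems, "log": logged}


if __name__ == "__main__":
    result = route(SAMPLE_ALERTS)
    for e in result["incident"]:
        print(f"INCIDENT P{priority(e)} {e.signature} {e.src}->{e.dst} evidence={e.evidence_sha256[:12]}")
    for sig in result["problem"]:
        print(f"PROBLEM  {sig}")
    print(f"{len(result['log'])} informational event(s) logged only")
```

Running the block on the sample lines opens four incidents (three priority 1 SQL injection hits and one priority 2 suspicious user agent, raised from priority 3 because the target is in the assumed critical range) and forwards one problem record for the signature seen on three hosts; the two ICMP lines are only logged. In a real deployment the severity mapping, the matrix and the thresholds would be the organizational severity hierarchy called for by task T4.1, maintained with the Incident Management team rather than hard-coded.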

Summary

When implementing a new process like Information Security Incident Management, it often helps to take a holistic view. Since most companies already have one or more standards in place, it is worthwhile to first analyze the existing landscape and look for existing processes and structures. In the majority of cases it is much faster and less expensive to extend or redesign existing processes than to start from scratch.
Most standards offer mapping documents to other standards, and there may also be third-party white papers or research papers on the topic; these can help to identify potential synergies. Such documents provide an additional safety margin and point out potential pitfalls, and therefore further increase both the speed and the quality of the implementation.

References

CISM Review Manual 2012, ISBN-13: 978-1604202137
ITIL Service Operation, ISBN: 978-0113313075
ITIL Continual Service Improvement, ISBN: 978-0113313082

Recommended further reading


Mapping ITIL V3 with COBIT 4.1
http://www.isaca.org/Knowledge-Center/Research/Documents/Mapping-ITILV3-With-COBIT-4.pdf

COBIT User Guide for Service Managers
http://www.isaca.org/Knowledge-Center/Research/Documents/COBIT-User-Guide-for-Service-Managers-01April2009-Research.pdf
(Download is free for ISACA members)

Post your comments in the LinkedIn group ISACA Switzerland

Copyright by Swiss IT Media 2017
