Read the Security Management Key Concepts.
Outcomes
As a result of the successful implementation of the Security Management process:
- The confidentiality, integrity, and availability of information meet agreed requirements:
  - Information is available for approved purposes
  - Parties accessing protected items (whether internal or external) can be authenticated, and their access tracked
  - Information and systems are protected from unauthorized access and from attack
- IT services and infrastructure meet the external security requirements imposed by service level agreements, contracts, and
applicable legislation
- IT security is aligned with the business's overall security requirements
- The reputation of the business as secure and trustworthy is protected
Scope
The process covers the life cycle of security concerns, including planning, operational measures, evaluation, and
audit. It identifies IT security threats, vulnerabilities, and risks in order to develop an overall approach to
countering and handling them that is aligned with business security requirements. It operates the security protections and
mechanisms that deliver the agreed level of confidentiality, integrity, and availability for information and IT services.
Includes
- Information security policy
- Specification of information security controls (covering asset use, access, documentation, and information handling)
and oversight of their establishment
- Operation of controls and measures such as:
  - Credential operations (for example, password resets and credential rotation)
  - Perimeter defense
  - Intrusion detection
  - Secure coding standards
  - Key and encryption management
  - Separation of duties
  - Application isolation
- Identification of IT security incidents
- Management of supplier and partner access to services and systems
- Compliance enforcement measures (as they relate to security)
Excludes
- Establishment and maintenance of identities and access rights (within the scope of Identity and Access Management)
- Health and safety (a business responsibility, with contribution from Facilities Management)
- Business security management, including trust management as it relates to business processes (a business
responsibility)
- Identification of privacy requirements (within the scope of Compliance Management)
Key performance indicators
- Number of known security requirements, including security requirements that originate from:
  - Service level agreements and operating level agreements
  - Contracts
  - Applicable legislation in each geography where the business operates
  - Corporate requirements
  - Business unit (customer) objectives
- Number of known security requirements for which compliance has been validated, and number for which it has not
- Incident management metrics for security incidents (see the KPIs for Incident Management)
</gre_replace>
<gr_replace lines="84-86" cat="clarify" orig="2 ISO 17799">
2 ISO 17799 (since renumbered ISO/IEC 27002) is broader than ITIL, so its scope is broader. For instance, physical security is
specifically not covered by ITIL, but is covered by ISO 17799.
Relation to other processes
For more information
For more information, see Security Management in the ITIL® documentation.
In addition, see the IBM® Service Management Web page.
2 ISO 17799 is broader than ITIL, so the scope will be broader. For instance, physical security is
specifically not covered by ITIL, but is covered by ISO 17799.
|