Abstract

The starting point is the question of why IT security management and IT service management (ITSM) must be integrated at all. Reasons are provided and discussed. ITIL defines practices for ITSM and is used as a reference. Fourteen ITIL core areas and processes are summarized and assigned to the ESARIS areas in order to provide a sound basis (Sect. 5.1). ITIL is security-aware and comprises a dedicated Information Security Management process, but it is shown that more is required: the role of the Security Management organization needs to change. Based on this division of labor between Security Management and the IT business departments, a staged model for integrating IT security into IT service management activities is presented (Sect. 5.2). Two examples are used to show how the integration of IT security management on the one hand and IT service management (ITIL) on the other should actually be done. New activities need to be added to the ITIL processes, or even to the process map, to make sure that the specific requirements of managing security are met. The ITIL processes dominate industrialized IT production. In this environment, processes are important elements that specify in advance exactly which steps employees need to carry out, so security activities need to be integrated into them. The discussion of the two examples shows how this is accomplished in practice (Sect. 5.3).
