IT Service Management Report: Key Issues And Frameworks
Key Issues for Utilizing ITIL for Information Security Management
ITIL is a set of practices for IT service management (ITSM). Its main focus is aligning IT services with business needs. In its present form, ITIL is published as a series of five core volumes (Esteves & Alves, 2013). Each of these core volumes covers a different lifecycle stage of ITSM. ITIL describes procedures, processes, checklists and tasks that are specific neither to a technology nor to an organization. Even so, organizations can use it to establish integration with their strategy, to maintain a minimum level of competency and to deliver value. It allows an organization to create a baseline from which planning, implementation and measurement can be done.
This article considers the utilization of ITIL in information security management. First, the key issues with utilizing ITIL for information security management are discussed. Next, the model or framework of information security management using ITIL is evaluated. After that, the primary content of the selected article is evaluated. The critical success factors of utilizing ITIL in information security management are then evaluated. Finally, a conclusion summarizes the whole discussion.
Various issues can arise when the Information Technology Infrastructure Library (ITIL) is implemented for information security management. Some of these issues are particularly important to mitigate and are therefore treated as the key issues this approach faces. The section below discusses the main key issues and how they can be solved.
Policy-related Issue
The policy-related issue is one of the common key issues in information security management. Policies are guidelines or instructions set by an organization to ensure that all users of its information technology can use it without any security concern (Laudon & Laudon, 2016). The concern here is the security of the organization's vital information, which is stored digitally within the organization. The aim of every organization is to protect and control its confidential data. This means such data may be encrypted or authorised by a third-party system that helps to protect it. Thus, when ITIL is utilized in information security management, a policy-related issue can occur because a new system is implemented that might be able to access that confidential data (Arasu et al., 2015). To mitigate this key issue, the organization may need to revise its security policy or create a completely new information security policy.
Acceptance of ITIL services by the business is a key issue. Many organizations do not accept the implementation of ITIL in their business, and the same holds for implementing the Information Technology Infrastructure Library in information security management (Salcito, Wielga & Singer, 2015). Many organizations do not accept it because it is not transparent to them. ITIL can change the way the organization works, in that it can make changes to the requests that have been made by the organization and can open support tickets. It is also not accepted because many organizations fail to determine what benefit ITIL provides to the business. ITIL therefore needs strong support in the business from the very beginning; otherwise it will be considered useless in the organisation.
Another key issue for implementing the Information Technology Infrastructure Library in information security management is the assessment and classification of information assets. Classifying information assets is important because it allows every aspect of the information to be identified using a standardized system. A brief assessment and classification of all documentation and information assets is therefore required.
The technical implementation of ITIL in information security management is a big issue, and the organization needs to focus on it for a successful ITIL implementation (Pillai, Pundir & Ganapathy, 2014). The main reason this issue occurs is that ITIL is not a technology itself; it depends on other technology for its execution. These technological implementations are very challenging for organizations, because they may be very costly to implement or may not be supported by the organization's current framework. This dependency makes implementing ITIL in information security management very challenging.
Management commitment is a big success factor for utilizing ITIL in information security management. When that commitment is not fulfilled, this success factor becomes a key issue instead (Bucero & Englund, 2015). The main reason this issue occurs is that executive management initially approves the ITIL program but later fails to follow through on it because of a lack of sponsorship support. The organization must therefore pay attention to this issue in the early stages to determine whether it is capable of maintaining ITIL properly.
Acceptance of the Businesses
Resistance to ITIL receives the least attention but is one of the most important issues. In most cases, utilizing ITIL in information security management faces various types of resistance at the implementation stage. This resistance occurs because of broad organizational change, which is required to utilize ITIL successfully. In most cases the organization refuses to make such broad changes because they can hamper its normal processes (Haag et al., 2013). The resistance brought by ITIL thus becomes a key issue.
The framework for utilizing ITIL for information security follows a basic structure. According to ITIL, the most important thing in designing the framework is a comprehensive and calculated approach to designing, managing, implementing, maintaining and enforcing controls and security enforcement (Peltier, 2016). ITIL suggests using an Information Security Management System (ISMS) to implement the framework, and this ISMS should address processes, people, products and technology, and partners and suppliers. Most information technology companies seek global certification of the ISMS framework they have implemented (Alavi, Islam & Mouratidis, 2014). This certification is done through ISO 27001. The framework suggested by ITIL consists of five key elements: control, plan, implement, evaluate and maintain. The following section describes these key elements briefly.
The control element of this framework states that a management framework needs to be established. This element of the ISMS framework manages information security (Brodin, 2015). Along with managing information security, the control element should prepare the information security policies and implement them in the system. It should also allocate responsibilities and establish and control the documentation. A sub-activity of control is reporting, in which the whole targeted process is documented in a specific way. The control phase includes the concept of document control, which describes how security management is organised and how it is managed efficiently.
In the planning phase of the ISMS framework, the main responsibilities are understanding and gathering the organization's security requirements. Based on the gathered requirements, recommendations are made at this stage so that appropriate decisions can be taken in light of the total allocated budget, the corporate culture and other factors (Stoll, Felderer & Breu, 2013). In planning, the goals of the sub-process are specified in the SLAs in a specific form, known as operational level agreements. These operational level agreements can be used to define the security plans, but they can be used for specific types of organization. With the SLAs as input, the plan sub-process is fully functional with the policy statements of the service provider. These policy statements are defined in the sub-process called control.
Assessment and Classification related Issues
The next phase after planning is the implement phase of the ISMS framework. In this stage the whole plan that was determined is put into action. The implement process helps to ensure that proper safeguards are in place to execute the created information security policies (Ifinedo, 2014). In the plan phase, changes to measures take place in cooperation with the change management process.
This is another important phase of the ISMS framework. After the plans and policies have been successfully put into action, it is time to oversee whether they are working properly. This process ensures that the systems are secure and that all the organization's processes run in compliance with the agreed SLAs, policies and other security requirements (D’Arcy, Herath & Shoss, 2014). The evaluation phase has three sorts of evaluation: external audits, internal audits and self-assessment. In organizations, it is mainly the self-assessment processes that have been implemented. Internal audits are done by internal IT auditors (Neu, Everett & Rahaman, 2013). Independent IT auditors and external IT auditors take responsibility for the external audits. It has been assessed that the most important aspects of the evaluation phase are verifying security legislation, monitoring the security of the IT systems and implementing the security plans.
The last phase of the ISMS framework is the maintain phase. If the implemented ISMS framework is effective, the entire process will continuously improve over time. In this phase, opportunities for improving the system arise (Whitman & Mattord, 2013). These opportunities can be taken by revising the security agreements and SLAs and by improving the monitoring and control process. This phase starts with the service level maintenance agreements and the operational level maintenance agreements. After this, the change request activity takes place. Thereafter the report activity starts. During the maintenance phase, the concepts of the metadata model are either adjusted or created.
Information Security Management (ISM) is one of the profound techniques for managing information in the domain of Information Technology and Information Systems (Dotcenko, Vladyko & Letenko, 2014). Managing information by applying the best methods and activities is one of the key aspects that determine the wellbeing of an organisation in the corporate sector. Information is managed securely with the help of a system known as the Information Security Management System (ISMS) (Soomro, Shah & Ahmed, 2016). The ISMS is a comprehensive set of specific measures and requirements necessary for safeguarding and securing the valuable information and the various assets of a company or organisation, in both the public and the private sector, including how to do so.
Technical issues
According to the Information Technology Infrastructure Library, there are six sets of service management: service support, service delivery, plan to implement ISM, ICT infrastructure management, applications management and the business perspective. Of these six sets, only the first two, service support and service delivery, exist; the other sets do not exist at the moment. Applying ITIL in Information Security Management involves ten disciplines that are responsible for managing and providing beneficial Information Technology services (Iden & Eikebrokk, 2014). Utilizing ITIL in ISM does not signify an entirely new way of thinking and acting. Instead it focuses on best practice that can be used in diverse ways according to requirements, such as placing the existing methods and activities in a structural form and establishing a strong connection between the processes, avoiding a lack of communication and interaction between the several IT organisations (Cox, 2013).
According to the Information Technology Infrastructure Library, the ISMS helps to develop an information security program that is cost-effective in meeting the objectives of the business organisation. The whole set combines people, processes, products and technologies, and partners and suppliers to ensure high levels of security. As stated in the previous section, ITIL uses a basic framework for the security management of valuable information within organisations. This basic framework has five phases: controlling, planning, implementing, evaluating and maintaining the various areas in the organisation. In the controlling phase, the goal is to establish a management framework for initiating the information security process and the organisational structure for preparing, accepting and implementing it, and to create control of the necessary documentation (Peltier, 2016). The next phase of the framework is the planning phase. Planning focuses mainly on designing and recommending appropriate security according to the requirements of the organisation. These needs are drawn from various sources, such as the company's sales over a particular period of time, the associated service risks that the organisation has faced in the recent past or is about to face in the coming days, and the different plans and strategies of the organisation concerned. These needs prove critical to the long-term success of the organisation.
Along with these, the company's requirements are also drawn from several other sources, such as the Service Level Agreements (SLA) and the Operational Level Agreements (OLA), and the legal, moral and ethical responsibility for the secure management of the organisation's information. The next phase of the ITIL framework for information security management is the implementation phase. In this phase, appropriate processes, tools and control mechanisms are the main objectives, so that the implemented ISMS efficiently supports the security policy. The next phase of the ISM framework is the evaluation phase. In this phase, the strategies applied in implementing security management to safeguard the organisation's information are analysed. It mainly involves surveillance and control of compliance with the security policies and security requirements, and accounting for the technical security of the information systems. There are several cases in the corporate world where the evaluation phase can provide valuable information to the external regulators and external auditors who carry out the regular audits of the organisation (Disterer, 2013). The final phase of the security management framework that ITIL applies to secure the organisation's information is the maintenance phase. This phase aims to improve the security agreements and the application of the various forms of security and controls.
Commitment of the Management
An organisation benefits greatly from utilizing ITIL in information security management when it strictly follows the ITIL roadmap. The roadmap has a number of steps. The first step is management and employee commitment. The next step involves the election of consultants. The step after that involves understanding the processes, roles and functions that are currently taking place in the system. The step that follows is identifying and understanding the organisation's key customers. To implement ITIL successfully, it is important to construct a project plan that will be beneficial for the organisation (Miller et al., 2013). The seventh step of the ITIL roadmap involves redesigning the processes to conform to the ITIL standards. The eighth step is the appropriate selection of the ITIL tool. The next two steps of the roadmap involve training the employees with regard to the transition plan and designing. The penultimate step involves implementing the ITIL processes and technology with respect to Information Security Management (Ahmad et al., 2013). An ITIL implementation in the organisation is only successful if the implementation is evaluated. The final step of the roadmap is to evaluate the whole process and improve accordingly.
ITIL has become an important standard in the field of IT services. Most companies agree that implementing and managing ITIL in their organization was very challenging and that not all ITIL processes provide equal value to them. It has therefore become important for organizations to determine which factors will help them understand whether managing ITIL will be successful. The following section evaluates the critical success factors for ITIL management.
Management support is a crucial success factor for managing ITIL in the organization for information security management. It guarantees the funding adjustment for training, tools and consultancy (Vassilev et al., 2014). It also helps to trigger communication among the stakeholders. Through proper communication, it thus supports the success of ITIL management.
Training on ITIL and awareness of ITIL form another critical success factor for ITIL management (Salas et al., 2017). Knowledge of the ITIL documentation can effectively help employees to manage ITIL in the organisation, and awareness will reduce resistance among the employees.
Resistance of the ITIL
Interdepartmental collaboration is another critical success factor, as it maximizes communication and knowledge sharing in the organization for better management of ITIL for information security management (Von Solms & Van Niekerk, 2013). It can also minimize the project implementation risks that come from running overtime.
Proper tool selection can help the organization to manage ITIL effectively for information security management. The proper tools can make the ITIL management process easier. Selecting the proper tool is therefore a critical success factor for managing ITIL in the organization.
Customer orientation delivers proactive IT processes (Korschun, Bhattacharya & Swain, 2014). These processes are very effective for managing ITIL for information security management.
To manage the ITIL system in the organization, its implementation must first be effective so that it becomes easy to handle and manage (Rubin, 2017). This design and implementation strategy delivers proper applications for an effective implementation of ITIL within the organization.
Quality is an important factor in managing ITIL. Improving the quality of the IT staff allocated to ITIL will positively affect collaboration and communication (Makarios et al., 2016). It will therefore make the management of ITIL in the organization smoother, and for this reason the quality of the IT staff is a crucial success factor.
Evaluation and monitoring of ITIL management is another crucial factor because it can affect attitudes towards the use of ITIL (Willcocks, 2013). It is also essential for the organization to introduce a continuous improvement program, which is needed for the effective management of ITIL.
Conclusion:
From the above discussion it can be concluded that ITIL is very effective in improving the efficiency of information security management. Information security measures are increasing steadily in complexity, importance and scope. It becomes risky, inefficient and expensive for organizations to depend on home-grown and cobbled-together processes for their information security. In such cases, ITIL can replace these processes with integrated and standardised processes based on best practices. Some external effort is required to improve how organizations manage and implement information security. It has been assessed from the article that ITIL breaks the whole structure of information security into four sub-categories: policies, processes, procedures and instructions for completion of the work. Policies describe the general objective that the organization is trying to achieve. Processes describe what needs to be done to achieve the objectives. Procedures describe the responsibilities of individuals and when the objectives will be achieved. Work instructions provide instruction for successful completion of the work.
Framework of Utilizing ITIL for Information Security Management
The critical factors for success in utilizing ITIL for information security management have been discussed thoroughly in this paper. A total of eight critical success factors have been addressed. These eight critical success factors were identified by the synthesization of the ITIL. Organizations need to approach the ITIL initiative with an understanding that makes the organization's operating methods clear. This understanding is required because implementing ITIL requires more skills than just knowledge of ITIL. Involving ITIL with every individual and the organization requires a change in the culture of the organization.
References:
Ahmad, N., Tarek Amer, N., Qutaifan, F., & Alhilali, A. (2013). Technology adoption model and a road map to successful implementation of ITIL. Journal of Enterprise Information Management, 26(5), 553-576.
Alavi, R., Islam, S., & Mouratidis, H. (2014, June). A conceptual framework to analyze human factors of information security management system (ISMS) in organizations. In International Conference on Human Aspects of Information Security, Privacy, and Trust (pp. 297-305). Springer, Cham.
Arasu, A., Eguro, K., Joglekar, M., Kaushik, R., Kossmann, D., & Ramamurthy, R. (2015, April). Transaction processing on confidential data using cipherbase. In Data Engineering (ICDE), 2015 IEEE 31st International Conference on (pp. 435-446). IEEE.
Brodin, M. (2015). Combining ISMS with strategic management: the case of BYOD. In 8th IADIS International Conference on Information Systems 2015, 14–16 March, Madeira, Portugal (pp. 161-168). IADIS Press.
Bucero, A., & Englund, R. L. (2015, October). Project sponsorship: Achieving management commitment for project success. Project Management Institute.
Cox, D. S. (2013). Factors Influencing Adoption of Information Technology Infrastructure Library: Utilizing the Technology Acceptance Model (TAM). ProQuest LLC.
D’Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), 285-318.
Disterer, G. (2013). ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(02), 92.
Dotcenko, S., Vladyko, A., & Letenko, I. (2014, February). A fuzzy logic-based information security management for software-defined networks. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 167-171). IEEE.
Esteves, R., & Alves, P. (2013). Implementation of an information technology infrastructure library process–the resistance to change. Procedia Technology, 9, 505-510.
Haag, S., Born, F., Kreuzer, S., & Bernius, S. (2013, September). Organizational resistance to e-invoicing–Results from an empirical investigation among SMEs. In International Conference on Electronic Government (pp. 286-297). Springer, Berlin, Heidelberg.
Iden, J., & Eikebrokk, T. R. (2014). Exploring the relationship between information technology infrastructure library and process management: theory development and empirical testing. Knowledge and Process Management, 21(4), 292-306.
Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79.
Korschun, D., Bhattacharya, C. B., & Swain, S. D. (2014). Corporate social responsibility, customer orientation, and the job performance of frontline employees. Journal of Marketing, 78(3), 20-37.
Laudon, K. C., & Laudon, J. P. (2016). Management information system. Pearson Education India.
Makarios, M., Lovins, L., Latessa, E., & Smith, P. (2016). Staff quality and treatment effectiveness: An examination of the relationship between staff factors and the effectiveness of correctional programs. Justice Quarterly, 33(2), 348-367.
Miller, A., Campos-Nanez, E., Fomin, P., & Wasek, J. (2013). An IT Infrastructure Library (ITIL) Maturity Strategy for Private Cloud Sourcing Models: A Literature Review and Research Methodology Formation. ISICO 2013, 2013.
Neu, D., Everett, J., & Rahaman, A. S. (2013). Internal auditing and corruption within government: The case of the Canadian Sponsorship Program. Contemporary Accounting Research, 30(3), 1223-1250.
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Auerbach Publications.
Pillai, A. K. R., Pundir, A. K., & Ganapathy, L. (2014). Improving information technology infrastructure library service delivery using an integrated lean six sigma framework: A case study in a software application support scenario. Journal of Software Engineering and Applications, 7(06), 483.
Rubin, R. E. (2017). Foundations of library and information science. American Library Association.
Salas, E., Prince, C., Baker, D. P., & Shrestha, L. (2017). Situation awareness in team performance: Implications for measurement and training. In Situational Awareness (pp. 63-76). Routledge.
Salcito, K., Wielga, C., & Singer, B. H. (2015). Corporate human rights commitments and the psychology of business acceptance of human rights duties: A multi-industry analysis. The International Journal of Human Rights, 19(6), 673-696.