ITIL foundation certification training teaches that services are developed using a five-step ITIL Lifecycle. Service Design is the second stage in the ITIL lifecycle. The ITIL Service Design stage, as we discussed in our online ITIL training, has many processes that must be completed for the stage’s success. Information Security Management is one of the most important processes in the Service Design stage.
The goal of Information Security Management
This process aims to align IT security with business security and to ensure that information security is managed effectively. Depending on the industry, an IT service provider may process or use confidential information belonging to a company.
Let’s say, for example, that an IT service provider uses data from the finance or human resources department of a company. All employee records, including compensation and benefit details, are confidential data of human resources. Similarly, transactions, account details and the like are confidential data of the finance department. The IT service provider must protect this kind of confidential corporate data.
The objectives of Information Security Management
This activity is part of a corporate governance framework. Corporate governance is the process of preparing, declaring and dictating policies for a set of activities that must be performed in a company. Information security management is also covered in this context.
Information Security Management provides strategic direction for security activities and ensures that goals are achieved. Plans and actions are created based on the company’s security strategies and policies. These plans and activities are then managed and monitored.
Another objective is to ensure that information security risks are properly managed. Information security can be compromised, and the resulting risks must be managed by the IT service provider and minimized over the long term.
The final objective is ensuring the confidentiality, integrity, availability and authenticity/non-repudiation of information.
Let’s explain each item in detail
Confidentiality refers to the security of data. As we have already explained, confidential data can include account details, transaction details, and employee details. The Information Security Management process is designed to protect these data.
Integrity is the coherence of all data. For example, an employee’s address is only meaningful if it is associated in the database with their ID and employee name. A transaction detail is only meaningful if it can be associated with the bank or customer in the database. Integrity must also be maintained while data security is ensured.
Availability ensures that the required information or data can be reached whenever it is needed.
Finally, authenticity and non-repudiation in Information Security Management protect confidentiality by controlling who may access data and making that access attributable. Consider the employee data. Should all employees have access to all company employee details? No, because employee details include confidential information such as salary and bonus figures. These data should not be visible to other employees of the company. The Information Security Management process ensures that access to confidential data is authenticated and authorized.
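The following Python snippet is an added illustration, not code from the original training material, showing how the four properties above translate into concrete checks on the employee-data example. The employee records, the roles `hr` and `payroll`, and the audit log format are all constructed assumptions for the example.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample data: the HR master table keyed by employee ID.
EMPLOYEES: Dict[str, dict] = {
    "E100": {"name": "A. Example", "address": "1 Sample St", "salary": 52000, "bonus": 3000},
    "E101": {"name": "B. Example", "address": "2 Sample St", "salary": 61000, "bonus": 0},
}

# Fields every employee may see versus fields only HR/payroll may see.
PUBLIC_FIELDS = {"name", "address"}
PRIVILEGED_ROLES = {"hr", "payroll"}  # assumed role names

# Non-repudiation: every read is recorded with who asked and what was returned.
AUDIT_LOG: List[dict] = []


def view_employee(requester: str, requester_role: str, employee_id: str) -> Optional[dict]:
    """Confidentiality + authenticity: salary and bonus are only returned to
    authenticated requesters whose role is HR or payroll; everyone else gets the
    public subset. The access is always written to the audit log."""
    record = EMPLOYEES.get(employee_id)
    if record is None:
        return None
    if requester_role in PRIVILEGED_ROLES:
        result = dict(record)
    else:
        result = {k: v for k, v in record.items() if k in PUBLIC_FIELDS}
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "requester": requester,
        "role": requester_role,
        "employee_id": employee_id,
        "fields": sorted(result.keys()),
    })
    return result


def check_integrity(address_rows: List[dict]) -> List[str]:
    """Integrity: an address row is only meaningful if it refers to an existing
    employee ID and the stored name matches the master record. Returns the IDs
    of rows that fail this consistency check."""
    inconsistent = []
    for row in address_rows:
        master = EMPLOYEES.get(row["employee_id"])
        if master is None or master["name"] != row["name"]:
            inconsistent.append(row["employee_id"])
    return inconsistent


if __name__ == "__main__":
    # Constructed usage: a regular employee and an HR user look up the same record.
    print(view_employee("u.user", "engineering", "E100"))
    print(view_employee("h.user", "hr", "E100"))
    # A detached address row whose ID no longer exists in the master table.
    print(check_integrity([{"employee_id": "E999", "name": "Nobody", "address": "?"}]))
    print(len(AUDIT_LOG), "audited reads")
```

The non-HR request returns only name and address, the HR request returns the full record, and both reads leave an audit entry; the integrity check flags the orphaned address row.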
The Information Security Management Framework
The following items will make up the information security management process and security framework:
An overall information security policy, supported by specific security policies.
Information security policies are designed to ensure that data is protected within a company. For example, prompting a password change every 3 months and requiring a new password