Review

Title: Information Security Management with ITIL V3

ISBN: 978 90 8753 552 0

Reviewer: Dwight Kayto – PMP, FISM, ITIL Service Manager, ITIL V3 Expert

Security Management is ever more necessary in today’s world. Protection of the value of an organization’s information assets is often crucial to the organization’s success and even survival. This new Van Haren publication describes a systematic approach to implementing and establishing security management and how to measure, maintain and improve this key process. I found the book to be well organized, easy to read and full of good information.

In ITIL V2, OGC published a book specifically on Security Management. Back then Service Support and Service Delivery were the main focus and the Security Management book drew less attention. Van Haren’s new publication thankfully captures much of the knowledge from the previous OGC book and in fact specifically states that it is an update reflecting the ITIL V3 changes, as well as new developments and changes in security management in general.

The book’s chapters are well organized and present a good flow of information:


  • Chapter 1: Introduction
  • Chapter 2: Fundamentals of Information Security
  • Chapter 3: Fundamentals of Management of Information Security
  • Chapter 4: ITIL V3 and Information Security
  • Chapter 5: Guidelines for implementing Information Security Management


So you can see that the topics provide good background, answer why security management is needed and finally, how to go about bringing it to your organization.

Chapter 2 describes security architectures. This is important in order to understand what needs to be protected and how to protect it. The book shows how security architecture fits within the other architectures typically found within an organization. Business, customer and partner perspectives and a security management framework are described very well. This is very important because in order for security management to be effective and deliver value it must be positioned correctly in an organization, have governance, utilize risk management, identify controls and have evaluations and audits. These topics are well covered and written in non-technical language.

Several references and connections are made to various ISO/IEC standards applicable to security management.  Design principles and security services are also discussed.

Chapter 3 shows how to use Deming’s Plan-Do-Check-Act cycle with security management and emphasizes the importance of continuous improvement. Organizations following ITIL V3 will find this useful as CSI is a key part of the service lifecycle.

Chapter 4 goes into detail describing how security management fits into the ITIL V3 lifecycle phases and processes. There is substantial detail here which will be invaluable for anyone establishing, formalizing or improving lifecycle phases and/or specific processes. I am currently assisting a client to establish SLAs for incident management and will use the Service Operation and Incident Management section of this book to ensure we have appropriate elements in place for the handling of security incidents.

This chapter also delves into the 5 levels of maturity for ITIL processes. This is very similar to the maturity levels found in CMMI and several other frameworks. Specific details pertaining to security management requirements or attributes for the 5 levels are covered, which will be useful for continuous improvement in determining the current state and selecting potential future states.

Chapter 5 utilizes the CSI model for implementing and improving a process, providing details of the 6 steps, organizing the security process, roles and descriptions, governance and considerably more detail on the maturity levels for process improvement. I particularly appreciated the (short but very valuable) section covering pitfalls. Partnerships and outsourcing are also discussed, which is important given that those are so much more prevalent today.

The appendices cover ISO/IEC standards and other frameworks and include cross references and tables. I thought the Cobit/ITIL cross reference was quite useful. The PCI DSS section was perhaps a tad short.

In summary, this book is useful to understand the overall scope of Information Security Management. It provides sufficient depth and detail to implement and formalize security management considering other IT processes and activities. The connection and value to the business is also well described and guidance on the actual implementation is provided. As has always been the case with ITIL and related books, specific technologies are not covered. You will not learn how to configure a firewall from this book, but you should gain an understanding of when and why this would be done.

The quality of writing, amount of information and structure of the book make it invaluable, in my opinion, for anyone responsible for security management. It is also useful for management to better understand and assess their organization’s security capabilities.

The fact that this book brings important updates from the V2 book and describes in detail the placement of Security Management within the ITIL V3 framework makes this a must-have book.

Dwight is President of Art of Change www.artofchange.ca, has been an accredited trainer for nearly 10 years and an ITSM consultant for nearly 20 years. He holds the ITIL V2 Service Manager, ITIL V3 Expert, all ITIL V3 Intermediate certificates, Cobit and ISO/IEC 20000 consultant certifications.
