Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Perspectives: ITIL has application in security

The Information Technology Infrastructure Library (ITIL) is a set of best practices and guidelines for managing IT services can be applied to information security.

This article can also be found in the Premium Editorial Download: Information Security magazine: Comparing five of the top network-based inline IPS appliances

You're overworked, underfunded, poorly appreciated and spend too much of your time trying to convince your organization--particularly...

management--that information security is important and best practices should be followed. Too often, your arguments and pleas are followed halfheartedly, if at all.

In other words, you're a typical infosecurity professional. Wouldn't it be great if there was a proven framework--understood by and popular with management--that you could use to bolster your information security efforts? Well, such a system does exist, and it's being successfully adopted by many organizations throughout the world. The Information Technology Infrastructure Library (ITIL) is a set of best practices and guidelines for managing IT services.

I know what you're thinking: "Not another boring, theoretical methodology. I don't have time for it; I have to deal with issues in the real world." In the real world, however, managers are implementing ITIL because it aligns IT services with the needs of their organizations, improves the quality of IT services, and decreases the cost of IT service delivery and support.

How can ITIL help the information security professional? Here are just some of the ways:

  • Business process owners and information security staff negotiate information security services; this ensures services are aligned with business needs.
  • ITIL provides a foundation upon which information security can build. It requires the adoption of a number of best practices (e.g., change management, configuration management and incident management) significantly improving information security.
  • ITIL establishes documented IT processes and standards that can be audited and monitored. This helps an organization understand the effectiveness of its information security program and comply with regulatory requirements.
  • ITIL reporting keeps managers informed about the effectiveness of their organization's information security processes, helping them make knowledgeable decisions about the organization's risks.
  • ITIL's requirement for continuous review can ensure that information security measures maintain their effectiveness as requirements, environments and threats change.
Information security professionals can change the perception that they're hindrances and cost centers to being regarded as key players in meeting ITIL--and organizational--objectives, which can lead to increased recognition and funding for security efforts.

How can you take advantage of ITIL? Take the time to learn about it--a lot of information is readily available (www.itil.co.uk). If ITIL is already in place at your organization, integrate the methodology into your security processes and controls. If ITIL is being implemented at your organization, become involved and provide support for the effort; also, make sure information security has a place at the ITIL table. If your organization has not yet adopted ITIL, recommend it to management.

Yes, all these steps will take time and effort, but you'll be rewarded for it. Information security professionals are not often presented with an opportunity to piggyback a popular, proven framework that is highly regarded by management and will improve information security. Don't miss out on your opportunity.

This was last published in October 2005

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.