2
Scope
Information management requirements
Information added value
Integrated management system
  Quality Management System
  IT Service Management System
  Information Security Management System
Common principles
PDCA Model
New challenges to ISMS
3
ICT Management Requirements
Business is highly dependent on ICT
ICT should bring defined and measurable values
Different methodologies based on best practice
New approaches to control environment
  BASEL II – regulation for banking and financial companies
  Sarbanes-Oxley – regulation for financial reporting of Joint Stock Companies
ICT is a key point for any success
4
Information added value
Increase automation – Align ICT with business to enlarge production – Do good things
Decrease costs – Use resources responsibly – Do things well
Manage risks – Minimize incidents and damages – Know risks
(Diagram: ICT added value, built from increasing automation, decreasing costs and managing risks)
5
Information management components
Quality Management System – ISO 9001, ISO/IEC 90003
IT Service Management System – BS 15000, ISO/IEC 20000
Information Security Management System – BS 7799-2, ISO/IEC 17799
(Diagram: quality management, IT service management and information security management, alongside CobiT)
6
Quality management
Quality is the totality of characteristics of a product or service that bear on the ability to satisfy stated and implied needs. A QMS is a well-known process-based approach.
Using existing principles and resources for ICT management
Tools for communication with managers and users
Basic and general requirements on ICT management
ISO/IEC 90003 – Application of ISO 9001:2000 to software
(Diagram: the ISO/IEC 90003 process model – management responsibility, resource management, product realization, and measurement, analysis and improvement – around the quality management system)
7
IT Service Management
IT service is a described set of facilities, IT and non-IT, supported by the IT service provider that fulfils one or more needs of the customer and that is perceived by the customer as a coherent whole.
ITSM standards
  System requirements – BS 15000-1 (ISO 20000-1)
  Code of practice – BS 15000-2 (ISO 20000-2)
Other methodologies
  ITIL – IT Infrastructure Library
  MOF – Microsoft Operations Framework
  HP, IBM, SUN, …
8
IT Service Management
Service delivery processes
  Capacity management
  Service level management
  Service continuity and availability management
  Service reporting
  Budgeting and accounting for IT services
  Information security management
Relationship processes
  Supplier management
  Business relationship management
Resolution processes
  Incident management
  Problem management
Control processes
  Configuration management
  Change management
Release process
  Release management
9
Information Security Management
Information security is preservation of confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.
The key element of any ISMS is the risk analysis and treatment process
ISMS standards
  System requirements – BS 7799-2:2005 (ISO/IEC 24743)
  Code of Practice – ISO/IEC 17799:2005
  Metrics and Measurements – ISO/IEC 24742 (draft)
10
Information Security Management
ISO/IEC 17799:2005
  Security policy
  Organizing information security
  Asset management
  Human resources security
  Physical and environmental security
  Communications and operations management
  Access control
  Information systems acquisition, development and maintenance
  Information security incident management
  Business continuity management
  Compliance
11
Common principles
Key success factors
  Management responsibility
  Management of resources, documents and records
  Competence, awareness, training
  Management reviews
  Continual improvement
All systems follow the PDCA cycle: Plan – Do – Check – Act
12
PDCA Model
(Diagram: the PDCA cycle – Plan, Do, Check, Act – with the requirements of customers and suppliers as input and their satisfaction as output)
13
New challenges to ISMS
Quality management experiences
  Using existing culture, tools, procedures, etc.
  Using implementation know-how
IT service management framework
  IT services as a primary point for risk analysis
  ITSM methods offer more details on ICT processes
  Information security should be a part of service reporting
  Availability and continuity are the same for both
  Harmonize incident/problem management and security incident management (ISO/IEC TR 18044:2004)
14
Conclusions
The aim is to draw attention to QMS, ITSM and ISMS as tools for ICT management
There are a lot of shared features
There is a lot of room for synergies (ITSM – ISMS)
It is not possible to separate operations and security
Basic knowledge of all the management systems is necessary to use their advantages
The aim was to brief you on the security neighbourhood