As information technology increasingly falls within the scope of corporate governance, so management must increasingly focus on the management of risk to the achievement of its business objectives.

There are two fundamental components of effective management of risk in information and information technology: the first relates to an organization's strategic deployment of information technology in order to achieve its corporate goals, the second relates to risks to those information assets themselves.

IT systems usually represent significant investments of financial and executive resources. The way in which they are planned, managed and measured should therefore be a key management accountability, as should the way in which risks associated with information assets themselves are managed.

Clearly, well managed information technology is a business enabler. Every deployment of information technology brings with it immediate risks to the organization and, therefore, every director or executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.

ITIL, the Information Technology Infrastructure Library, has long provided an extensive collection of best practice IT management processes and guidance. In spite of an extensive range of practitioner-orientated certified qualifications, it is not possible for any organization to prove - to its management, let alone an external third party - that it has taken the risk-reduction step of implementing best practice.

More than that, ITIL is particularly weak where information security management is concerned - the ITIL book on information security really does no more than refer to a now very out-of-date version of ISO 17799, the information security code of practice.

The emergence of the international Information Security Management (ISO 27001) and IT Service Management (ISO 20000) standards changes all this. They make it possible for organizations that have successfully implemented an ITIL environment to be externally certificated as having information security and IT service management processes that meet an international standard; organizations that demonstrate - to customers and potential customers - the quality and security of their IT services and information security processes achieve significant competitive advantages.

Information Security Risk

The value of an independent information security standard may be more immediately obvious to the ITIL practitioner than that of an IT service management one. The proliferation of increasingly complex, sophisticated and global threats to information security, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is driving organizations to take a more strategic view of information security.

It has become clear that hardware-, software- or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate. ISO/IEC 27001 (what was BS7799) helps organizations make the step to systematically managing and controlling risk to their information assets.

IT Process Risk

IT must be managed systematically to support the organization in achieving its business objectives, or it will disrupt business processes and undermine business activity. IT management, of course, has its own processes - and many of these processes are common across organizations of all sizes and in many sectors.

Processes deployed to manage the IT organization itself need both to be effective and to ensure that the IT organization delivers against business needs. IT service management is a concept that embraces the notion that the IT organization (known, in ISO/IEC 20000 as in ITIL, as the "service provider") exists to deliver services to business users, in line with business needs, and to ensure the most cost-effective use of IT assets within that overall context.

ITIL, the IT Infrastructure Library, emerged as a collection of best practices that could be used in various organizations. ISO/IEC 20000, the IT service management standard, provides a best-practice specification that sits on top of ITIL.

Regulatory and Compliance Risk

All organizations are subject to a range of information-related national and international legislation and regulatory requirements. These range from broad corporate governance guidelines to the detailed requirements of specific regulations. UK organizations are subject to some, or all, of:

Combined Code and Turnbull Guidance (UK)
Basel2
EU data protection, privacy regimes
Sectoral regulation: FSA (1), MiFID (2), AML (3)
Human Rights Act, Regulation of Investigatory Powers Act
Computer misuse regulation

Those organizations with US operations may also be subject to US regulations such as Sarbanes Oxley and SEC regulations, as well as sectoral regulation such as GLBA (4), HIPAA (5) and the USA PATRIOT Act. Most organizations are possibly also subject to US state laws that appear to have wider applicability, including SB 1386 (California Information Practice Act) and OPPA (6).

Compliance depends as much on information security as on IT processes and services. Many of these regulations have emerged only recently and most have not yet been adequately tested in the courts. There has been no co-ordinated national or international effort to ensure that many of these regulations - particularly those around personal privacy and data protection - are effectively co-ordinated. As a result, there are overlaps and conflicts between many of these regulations and, while this is of little importance to organizations trading exclusively within one jurisdiction, the reality is that many enterprises today are trading on an international basis, particularly if they have a website or are connected to the Internet.

Management Systems

A management system is a formal, organized approach used by an organization to manage one or more components of its business, including quality, the environment and occupational health and safety, information security and IT service management. Most organizations - particularly younger, less mature ones - have some form of management system in place, even if they're not aware of it. More developed organizations use formal management systems which they have certified by a third party for conformance to a management system standard. Organizations that use formal management systems today include corporations, medium- and small-sized businesses, government agencies, and non-governmental organizations (NGOs).

Standards and Certifications

Formal standards provide a specification against which aspects of an organization's management system can be independently audited by an accredited certification body and, if the management system is found to conform to the specification, the organization can be issued with a formal certificate confirming this. Organizations that are certificated to ISO 9000 will already be familiar with the certification process.

Integrated Management Systems

Organizations can choose to certify their management systems to more than one standard. This enables them to integrate the processes that are common - management review, corrective and preventative action, control of documents and records, and internal quality audits - across each of the standards in which they are interested.

There is already an alignment of clauses in ISO 9000, ISO 14001 (the environmental management system standard) and OHSAS 18001 (the health and safety management standard) that supports this integration, which enables organizations to benefit from lower cost initial audits and fewer surveillance visits and which, most importantly, allows organizations to 'join up' their management systems.

The emergence of these international standards now enables organizations to develop an integrated IT management system that is capable of multiple certification and of external, third party audit, while drawing simultaneously on the deeper best practice contained in ITIL. This is a huge step forward for the ITIL world.