How to Get ITSM and Security to Play Nice

Two years ago, he was anonymous beyond his circle of family, friends, and co-workers. Today, Edward Snowden is known around the world for disclosing massive amounts of CIA classified information.

Such high-profile information breaches bring data security to the forefront of news, but security is a daily concern for technology professionals. It is a struggle to balance data security with streamlining and enhancing ease-of-use.

In my world, it’s ensuring that the principles and processes of an ITIL framework are maintained while conforming to the security constraints of the organization. The following bullet points from an article published at outline the relationship between these perceived “opposite sides of the house”.

  • Security management requires an incident category specifically for security-related incidents. The ITIL Incident Management process provides the control and flexibility required to manage security incidents quickly and efficiently without a duplicate organization.
  • Security Incidents require review by security management. Having a single point of contact for all matters relating to IT – the ITIL Service Desk – provides a single reporting source for all Incidents, including those pertaining to security.
  • ITIL focuses security where needed based on business requirements, not technology. This is important since most security operations today do what they feel is best for the business instead of just what the business requires. This “gold plating” carries a high cost and keeps IT from being seen by the business as a partner.
  • Since ITIL is all about organizational best practices, the security management process itself can operate in a process-driven, methodical manner. This is absolutely critical to success with security.
  • ITIL requires continuous review, audit, and reporting of process activities. Security requires continuous reviews to remain vigilant.
  • Availability Management describes a centralized engineering and architecture that always takes into account the Confidentiality, Integrity, and Availability of data (CIA).
  • The Service Level Management process sets up, monitors, reports on, and administers agreements with customers (SLA), suppliers (UC), and other IT functional departments (OLA). These contracts and agreements all require security sections.
  • Establish a link between Problem Management and security alert channels. Relevant security issues should be documented and added to the knowledge base for use by Incident Management and the service desk, as well as by other IT functional groups.

Essentially, establishing an effective security process and methodology by incorporating ITSM processes and tools enables a more secure environment throughout the IT infrastructure. Bottom line: IT leaders who understand how the different “sides of the house” must co-exist and interact will be able to deploy better security across all of their environments.

Jon Martin

Mid Atlantic Territory Manager