SM Solution Processes

Below is a list of the processes (Control, Plan, Implement, Evaluate and Maintain) that can be considered when designing a Security Management (SM) solution. For each process, its sub-activities are listed first, followed by the concepts (deliverables) that the process produces.

Activity: Control
Sub-activities:
- Implement policies: Specific requirements and rules that have to be met in order to implement SM. Ends with a policy statement.
- Set up the security organization: Sets up the organization for information security, including the structure of responsibilities. Ends with the SM framework.
- Reporting: The whole Control process is documented. Ends with reports.

Concepts produced by Control:
- Control documents: Describe how SM is organized and how it is managed.
- Policy statements: Specific requirements or rules that must be met. Policies are usually point-specific, covering a single area (e.g. an "acceptable use" policy covers the rules and regulations for appropriate use of the computing facilities).
- Security Management framework: Established to initiate and control the implementation of information security within an organization and to manage its ongoing provision.

Activity: Plan
Sub-activities:
- Create security section for SLA: Contains the activities that lead to the security agreements paragraph in the SLAs. Ends with the security section of the SLA.
- Create underpinning contracts: Contains the activities that lead to underpinning contracts specific to security.
- Create Operational Level Agreements (OLAs): The generally formulated goals in the SLA are specified in OLAs, which can be seen as security plans for specific organizational units.
- Reporting: The whole Plan process is documented. Ends with reports.

Concepts produced by Plan:
- Plan: Formulated schemes for the security agreements.
- Security section of the service level agreements: The security agreements paragraph in the written agreement between a service provider and the customer(s) that documents the agreed service levels for a service.
- Underpinning contracts: Contracts with an external supplier covering the delivery of services that support the IT organization in its delivery of services.
- OLAs: Internal agreements covering the delivery of services that support the IT organization in its delivery of services.

Activity: Implement
Sub-activities:
- Classifying and managing IT applications: Formally grouping configuration items by type (e.g. software, hardware, documentation, environment, application) and formally identifying changes by type (e.g. project scope change request, validation change request, infrastructure change request). Leads to asset classification and control documents.
- Implement personnel security: Measures are adopted to give personnel safety and confidence, and measures to prevent crime and fraud. Ends with personnel security.
- Implement SM: Specific security requirements and/or security rules that must be met are outlined and documented. Ends with security policies.
- Implement access control: Specific access security requirements and/or access security rules that must be met are outlined and documented. Ends with access control.
- Reporting: The whole Implement process is documented. Ends with reports.

Concepts produced by Implement:
- Implementation: SM accomplished according to the SM plan.
- Asset classification and control documents: A comprehensive inventory of assets, with responsibility assigned, to ensure that effective security protection is maintained.
- Personnel security: Well-defined job descriptions for all staff outlining security roles and responsibilities.
- Security policies: Documents that outline specific security requirements or security rules that must be met.
- Access control: Network management to ensure that only those with the appropriate responsibility have access to information in the networks, together with the protection of the supporting infrastructure.

Activity: Evaluate
Sub-activities:
- Self-assessment: Examine the implemented security agreements. Ends with self-assessment documents.
- Internal audit: Examine the implemented security agreements by an internal electronic data processing (EDP) auditor. Ends with an internal audit.
- External audit: Examine the implemented security agreements by an external EDP auditor. Ends with an external audit.
- Evaluation based on security incidents: Examine the implemented security agreements in the light of security events that are not part of the standard operation of a service and which cause, or may cause, an interruption to, or a reduction in, the quality of that service. Ends with security incident documents.
- Reporting: The whole Evaluate process is documented. Ends with reports.

Concepts produced by Evaluate:
- Evaluation: The evaluated / checked implementation.
- Results: The outcome of the evaluated implementation.
- Self-assessment documents: Result of the examination of SM by the organization of the process itself.
- Internal audit: Result of the examination of SM by the internal EDP auditor.
- External audit: Result of the examination of SM by the external EDP auditor.
- Security incident documents: Results of evaluating security events that are not part of the standard operation of a service and which cause, or may cause, an interruption to, or a reduction in, the quality of that service.

Activity: Maintain
Sub-activities:
- Maintenance of SLAs: Keeps the SLAs in proper condition. Ends with maintained SLAs.
- Maintenance of OLAs: Keeps the OLAs in proper condition. Ends with maintained OLAs.
- Request for change to SLA and/or OLA: A request for a change to the SLA and/or OLA is formulated. Ends with a request for change.
- Reporting: The whole Maintain process is documented. Ends with reports.

Concepts produced by Maintain:
- Maintenance documents: Agreements kept in proper condition.
- Maintained SLAs: SLAs (security paragraph) kept in proper condition.
- Maintained OLAs: OLAs kept in proper condition.
- Request for change: Form, or screen, used to record the details of a request for a change to the SLA / OLA.

The image below is an example of a complete SM process-data model:

[Figure: process-data model of security management (image not reproduced)]
