IN THIS STORY
-What ITIL is and how it benefits information security
-Implementation advice from ITIL veterans
Until a few months back, the acronym ITIL didn't figure much in the day-to-day working life of David Monahan, network and information security manager at data storage and management company Network Appliance. Why would it? ITIL (the Information Technology Infrastructure Library) is, after all, a collection of best practices first developed by the British government almost 20 years ago. But ITIL is rapidly gaining ground as an IT governance model in businesses.
As Monahan explains, his own conversion came via a senior executive who joined Network Appliance in the summer of 2005 to head the company's global infrastructure function. Having had prior positive experience with ITIL, said executive formed the view that Network Appliance might also benefit from adopting ITIL, which promises operational improvements through more disciplined processes.
"The belief," says Monahan, "is that ITIL will add rigour to the way that we scale and add structure to our processes." In particular, he explains, Network Appliance is looking at problem management, change management and incident management - three of ITIL's 11 core process areas - and identifying gaps between what ITIL recommends and Network Appliance's current practice. Monahan says it's not an overnight job, but one that is already paying dividends: For a start, ITIL has been the focal point for several core process overhauls that have significantly improved areas of IT service delivery. "So far, we're very pleased," he sums up.
CIO (a sister publication to CSO) reports that ITIL is gaining steam in enterprises around the world, and that ITIL "helps IT departments improve their quality of service, including increased system uptime, faster problem resolution and better security". Partly fuelled by a tougher regulatory framework in the US - including Sarbanes-Oxley and the Federal Information Security Management Act of 2002 - IT vendors and service providers report they are now fielding more requests for information about their ITIL capability. "A year ago, we hadn't had a single ITIL request - now we're getting one a month, and the pace is accelerating," says Gretchen Hellman, senior manager of product marketing at security vendor ArcSight. In fact, the US and Canadian governments will soon require IT contractors to use ITIL, as will some big companies including General Motors. As IT in the commercial sector has grown to mirror the complexity and mission-critical nature of the public-sector IT applications that sparked ITIL in the first place, a growing number of CIOs and CISOs are seeing in it a ready-made governance framework that speaks their language.
Early private-sector ITIL adopters interviewed for this article indicate that the results are promising, though it is best that CISOs have the right expectations up front.
Future Shock
Those healthy up-front expectations include a small culture shock and a standard implementation path.
On the culture front, don't expect to become certified as ITIL-compliant, at least not in the accepted sense. Having promulgated ITIL, the British government continues to support, develop and make it available to interested parties. However, it's largely up to individual businesses to choose how to actually apply ITIL. ITIL is not a standard, per se. Instead, it's a compilation of best practices - albeit one that is codified, well thought-out, and integrated together into a single framework. (In this regard it is reminiscent of control objectives for information and related technology, or Cobit.) Security isn't a separate book within ITIL - it's woven into the very fabric of it. And for many companies, that will mean security becomes more tightly integrated into IT operations and the business itself, rather than being set off in a guard/watchdog function. So ultimately, this culture shock is probably for the good.
"The culture shock to IT security practitioners from adopting ITIL will be much greater than that experienced by the IT operations people," notes Gene Kim, CTO and cofounder of Tripwire, and coauthor of The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps, published by the Information Technology Process Institute. "What ITIL does so well is to show how security doesn't live by itself; it lives within the overall IT operational context."
To Kim, one of ITIL's greatest strengths is that it forces security practitioners to seriously address issues such as change management (part of security's job being to help ensure that all changes are properly authorized). "A significant proportion of security-related Sarbanes-Oxley audit deficiencies relate to change control - yet for years, security practitioners have fought shy of the issue. With ITIL, the day of reckoning is here," says Kim.
Richard Starnes gives service delivery as another example. Starnes is the London-based president of the UK chapter of the Information Systems Security Association, and an American infosecurity professional formerly employed as director of incident response at a major British telecommunications company. "ITIL tells you how to run a service desk properly, which is useful for [preventing or dealing with] social engineering attacks," he says.
As for the implementation path, according to Robert Bowey, service delivery specialist at British IT consultancy Astech Consultants, ITIL implementations tend to proceed along a fairly standard adoption curve, which CISOs are well served to follow. "Most organizations look for where they can get the quick wins from ITIL first," he says. "That tends to be in areas like release management, incident management, problem management and change management. Configuration management, on the other hand, is a much more resource-intensive and time-consuming business." Knowing this up front can help save decision-making time and focus early efforts on those areas with the fastest payoff.
Small Disciplines
In this respect, suggests Bowey, the ITIL implementation at Thresher Group, an 1800-outlet liquor store chain headquartered north of London, is fairly typical. Change management was an early and obvious area of focus, says Debbie Homer, service delivery manager within Thresher's business systems group. "Businesswide changes such as implementing XP Service Pack 2 could have far-reaching implications if not carried out correctly," she notes. "We're a retail company with a lot of dial-in users, as well as customer-facing EPOS tills [a British phrase for cash registers], and it's vital to guard against something knocking out our firewalls, or leaving our systems open to viruses or abuse."
Accordingly, says Homer, every change to Thresher's IT systems goes through the company's ITIL-compliant change management procedure, which calls for proposed changes - even security patches - to be documented, approved, tested and piloted. What's more, the IT vendors to which key aspects of Thresher's IT have been outsourced must also follow the procedure. Those outsourcers include EDS, which hosts the company's retail systems at an offsite data centre, and Dutch company Getronics, which handles Thresher's desktop management and help desk operations. (Getronics, Europe's largest IT service provider, is in fact the organization that first introduced Thresher Group to ITIL, says Homer.)
The integral security of the overall system is enhanced by a practice of prohibiting changes at critical sales periods. Weekends are the busiest time of the week, says Homer, explaining that changes are not allowed from Friday to Monday, inclusive. The Christmas holiday season is another "no change" period: from a certain point in December (the timing of which varies, but is essentially the point at which the shops are fully stocked and the Christmas "deals" are coded into the EPOS system), until early January, no changes take place.
"It's not quite true that no changes take place; we have a provision for what ITIL calls 'urgent changes'," adds Homer. "They have to be critical, though, and we have a higher security procedure for them. Essentially, more people have to approve them."
Enter the Matrix
Another benefit of ITIL, according to Tim Mathias, vice president of IT security and CISO at Thomson Financial (part of The Thomson Corporation), is the extent to which it forces businesses to focus on their organizational structures. When Thomson first implemented ITIL in late 2003 - having been introduced to it by the business's large presence in London - the organizational structure was very different from what it is now.
Post-ITIL, Mathias says, security is very much a matrix function, relying on people recruited and trained into specific security-oriented positions within ITIL-centred units. Formerly separate functions, such as enterprise network administration and desktop support, now have been folded into the user support services function, with specific people tasked with carrying out the relevant security functions.
"Having these people actually embedded within the organization gives my team much greater visibility into what's actually going on - more so than we could achieve otherwise," says Mathias. "We've seen a significant shift of attitude within the various units: Security is now seen as a business enabler rather than as a bunch of people who just say no."
What's more, the move to an ITIL-centric structure has generated a significant productivity improvement. Immediately following the reorganization, relates Mathias, each unit created a "service catalogue" to clarify each organization's roles and responsibilities, and to drive ITIL adoption down one more layer in the company. "There was a lot of overlap and duplication," he says. "In short, we found we could reduce our cost and complexity by putting these people together."
To Mathias, at least, the benefits of ITIL are crystal clear: better governance, better security - and greater efficiency. And as CISOs across America contemplate following Thomson's lead, it's a useful example to be setting.
SIDEBAR: ITIL's Scope
ITIL covers 11 areas, which are broken into two documentation sets.
ITIL's Service Delivery Areas
• Capacity management
• Availability management
• Financial management for IT services
• Service-level management
• IT service continuity management
ITIL's Service Support Areas
• Incident management
• Problem management
• Configuration management
• Change management
• Release management
• Service desk function
SIDEBAR: Alphabet Soup: Cobit, ITIL and ISO
Expert says ITIL plays well with others
Cape Town, South Africa-based Gary Hardy is coauthor of Aligning Cobit, ITIL and ISO 17799 for Business Benefit: A Management Summary, which was jointly published by the IT Governance Institute and the UK Office of Government Commerce (the "owners" of ITIL). Hardy is an adviser to both the IT Governance Institute and the Information Systems Audit and Control Association (ISACA), having been a member of the latter for more than 25 years.
CSO: How do Cobit and ITIL differ?
Gary Hardy: Cobit [control objectives for information and related technology], which as of November 2005 is now in its fourth release, is a high-level set of objectives with management and assurance tools for overall IT governance. People call it a standard, but it isn't: It's a framework - and, like ITIL, a set of best practices. ITIL, on the other hand, is mostly focused on service delivery and service management, and on the delivery of IT services in terms of the processes that should be followed. In plain English, people say that Cobit is what you should do, and ITIL is how you should go about doing it - accepting that ITIL has a narrower scope.
How would you describe ITIL's approach to security issues?
ITIL talks about security, but mostly in the context of service delivery. Frankly, security isn't really what ITIL is focused on, it's not its core strength, and it's not what people go to ITIL for.
Cobit has always been security-oriented, and at a high level sets out what should be done about security - the things that security should focus on, in other words. It provides a set of objectives and guiding principles. More recently, a "Cobit security baseline" has supplemented this - it's an assessment tool, freely downloadable from ISACA (www.isaca.org).
SIDEBAR: ISO Evolves
The long-standing best practices set is headed for an update; additional standards are also on the horizon
ISO 17799, the international standard Code of Practice for Information Security Management, has its roots in two standards developed and published by the British Standards Institution: BS7799-1:1999 ("Part 1"), and BS7799-2:1999 ("Part 2"). Part 1 is concerned with general principles of information security management, while Part 2 contains specifications and guidance for use. First published in 2000, ISO 17799 was updated in June 2005, while the original BS7799-2 was revised and reissued in September 2002.
Although not quite in lockstep with ISO 17799, the root British standards continue to point the road ahead for it, thanks to close cooperation between the relevant technical committees. According to Jimmy Heschl, information risk manager with KPMG in Vienna, Austria - who follows the work closely - the road map looks something like this.
ISO 27001 is the number given to a revision of the current BS7799-2 standard. In essence, this is the requirements document for an information security management system, he explains. (As with all ISO standards, the full document can be purchased at www.iso.org.)
ISO 27002 is earmarked for the present ISO 17799 itself - possibly with a revision, according to Heschl. ISO 17799 will simply become ISO 27002. "The change is not imminent", is Heschl's best guess at the timescale. While ISO 27003 is the number set aside for a new standard on information risk management, ISO 27004 will be assigned to a standard on information security management and metrics - in other words, "how, what and when to measure infosec processes and controls", as Heschl puts it. Publication won't be sooner than 2007.
Finally, ISO 27005 should provide guidance on implementation. Heschl explains that British standard BS7799-3 does address implementation issues; it is expected that BS7799-3 will evolve into ISO 27005. - M Wheatley
SIDEBAR: Pioneering a Path to ITIL
Australian ITIL veterans speak out
by Rodney Gedda
Talent2: Adaptable & Secure
When Carlos Ramirez, IT manager at Australian recruitment consultancy Talent2, wanted to improve his company's processes for incident response and change management, he chose to go with ITIL because of its flexibility. Ramirez didn't want to reinvent the wheel and found ITIL easily adaptable to almost anywhere you find IT-based services.
"We're not a large company and everyone knows everyone," Ramirez says. "What was happening was that people were discussing all aspects of problems face-to-face and no documentation or records were being kept."
Talent2 struggled with providing a cohesive and consistent customer experience as each team member had "their own way" of doing things. Adopting ITIL liberated the company's more senior technical staff to concentrate on issue resolution without interruptions. It also gave the service desk greater exposure to common issues, which broadened their view and moulded their skill sets accordingly.
In addition to business process improvements, ITIL guidelines helped to clarify Talent2's security practices, says Ramirez, a former security specialist.
"They reminded me to look at the wider picture and not simply the data that I need to keep secure," he says. "ITIL tightened up the physical security in place, and we implemented much broader procedures to reflect this. There's more to security than making sure the data is only accessible from point A to B."
While the local industry is becoming increasingly aware of ITIL, Ramirez claims that many IT execs still haven't been exposed to it. "This isn't as big a problem as it seems," he says. "Anyone with a strong background in IT service management will fit into an ITIL environment quickly. The most important attribute for success is good old common sense."
Ramirez believes the key to using ITIL guidelines successfully is not to be "rigid" in the implementation, but to take a cautious "step-by-step" approach instead. "ITIL's greatest strength is its flexibility and adaptability," he says. "Take it slowly, one bit at a time, with plenty of senior management support."
Corporate Express: Fast Tracking ITIL
Another early adopter of the ITIL framework is Sydney-based business equipment supplier Corporate Express (CE). According to infrastructure manager Mark Jones, CE's ITIL roadmap is progressing well with its change management implementation now complete and incident and configuration management "well down the track".
Jones says that while the ROI metrics for an ITIL implementation are difficult to quantify, the organization has experienced a large reduction in incidents relating to changes in its production environment. "This has resulted in less time and effort applied to fixing issues resulting from change, and therefore resources are more productive in moving us forward," he says.
"ITIL makes sense," Jones says. "It's a simple, common sense approach that everyone can get their heads around. ITIL is becoming a standard worldwide and will be the de facto service support and delivery model in the near future."
While ITIL doesn't directly deal with security, Jones says its principles of incident, problem, and change support an underpinning framework and facilitate a process approach to security.
Jones believes the main challenge ITIL faces is a dearth of suitable skills in the wake of its surging adoption.
"Support for ITIL is growing rapidly and the skills within the market are growing in line with the popularity; however, it's still not easy to recruit people who are competent with the ITIL framework," he says. "I see this changing over the next couple of years, with ITIL being a mandatory skill for operational IT roles."
Jones offers this advice to ITIL debutantes: focus on the processes and don't be too distracted by the tools. To improve the existing ITIL framework, Jones recommends rewriting the ITIL manuals - first produced in the mid-80s - to keep in line with changes in technology, as well as developing a "fast track" program to hasten implementation so the organization can gain immediate benefits.
ANL: Ship Shape
Another local beneficiary of ITIL is shipping company ANL, which began using ITIL (via HP's OpenView IT service management software) to transform its business processes last year. IT operations manager John Hatz says the organization now has a dedicated change coordinator and a formal change control board.
"Progress has been very good and all IT staff have a better understanding of the virtues and benefits of ITIL," Hatz says. "Before OpenView, the metrics were well below par. ROI is now extremely good, as procedures and processes are well defined."
Hatz says another positive outcome of adopting ITIL has been an increase in IT's accountability. "If ITIL is implemented correctly, the framework should be in place to ensure that aspects such as security are never compromised or ill considered," he says. "For example, proper processes and controls should be in place through the different phases, such as incident, problem and change."
To increase the likelihood of ITIL success, Hatz recommends obtaining as much senior management support as possible, to the point that senior executives - especially non-IT - are prepared to champion the way forward.
"ITIL can mean a change in organizational culture, so buy-in from all business units and stakeholders is essential," Hatz says. "ITIL's profile still needs some work to convince non-IT professionals, so the business benefits need to be highlighted, as opposed to the focus on IT methodology."