Servicing ICT – Merging Security and Service Management

A broad range of ISO/IEC (International Organization for Standardization / International Electrotechnical Commission) standards address key issues faced by the world’s fast-growing information and communications technology (ICT) industry. These include preventing cyber attacks, ensuring information security and maintaining business continuity.

A common business tool in most organizations, ICT serves many business purposes and is used in a wide range of business applications and processes. Its use requires associated services provided within an organization, for example through an internal ICT services department, or through a third party.

Up and running

Over recent years, cloud computing has become a fashionable term for the delivery of services such as applications as a service, software as a service and infrastructure as a service.

An example is data storage on a third-party cloud server. This can reduce an organization’s costs as it does not need to manage and maintain its own server. There is a possible downside too: can the cloud provider manage the ICT and data storage service efficiently, securely and effectively?

This raises issues of how to provide effective ICT service management and information security. For example, if the cloud service provider is in one country and the provider of personal data is in another, how does the cloud provider protect its customers? In addition, how does the cloud provider conform to national laws when its clients are geographically dispersed around the world?

ICT service management also has a key role in the delivery of ICT services. If it is implemented properly it can increase efficiency and cost-effectiveness, increase flexibility in the use of ICT resources and applications, reduce response times and improve quality of service. To achieve these benefits, information security plays a key role in ensuring effective service delivery.

In the case of critical national infrastructure, service provision needs to be carefully considered. Appropriate solutions and controls are necessary for ICT service management, ICT readiness and preparedness for dealing with disasters and continuity issues, incident handling and information security.

To guarantee delivery, critical infrastructure requires many services to be able to work together. Examples include medical, food, energy, utility and emergency services. Most of these rely on ICT-based systems to keep services up and running.

In cyber attacks or other disasters, it is essential to be able to recover ICT systems to restore services quickly. Before an incident occurs, it is also necessary to have effective early warning, detection and monitoring systems in place.

Best practice guidelines

The delivery of effective ICT service management is being addressed by the ISO/IEC 20000 (Information technology – Service management) family of standards; and information security issues are being addressed by the ISO/IEC 27000 (Information technology – Security techniques) family of standards.

There are also sector and application specific information security standards such as ISO/IEC 27011 for telecom services; ISO/IEC 27017 and ISO/IEC 27018 for cloud computing; and a standard for integrating information security with ICT service management, ISO/IEC 27013.

One area covered by ISO/IEC 20000 is service availability and continuity management. This addresses key questions such as:

What level of customer service does the service level agreement guarantee?

What does the service provider need to do to deliver this level of service?

What does the service provider need to do to withstand an online denial-of-service attack?

What if the service provider experiences a malware attack on its systems?

Does the service provider have the information security controls in place to deal with these cyber attacks and maintain its services?

ISO/IEC 20000 features several processes to maintain service availability while tackling problems such as cyber attacks and system failures. These processes include service continuity and availability monitoring and testing, incident handling and problem management, capacity management and information security management.

In the case of information security, ISO/IEC 20000 is linked with the information security management system standard ISO/IEC 27001, which provides a full range of solutions to assist service providers with protecting their systems.

One of the important aspects of system protection is to understand the risks the service provider faces. A risk-based process, ISO/IEC 27001 requires the service provider to undertake a risk assessment to help it decide what information security controls should be implemented to ensure service availability and continuity.

ISO/IEC 27005 provides guidance on risk management for service providers that implement ISO/IEC 27001.

Given the importance of information security to the provision of ICT services, ISO/IEC 27013 is being developed to consider the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000.

The “other” business options

Additional standards in the ISO/IEC 27000 series provide guidance and service and application specific controls to support service providers. For example, ISO/IEC 27031 applies to any organization developing its ICT readiness to deal with incidents or threats, therefore ensuring business continuity.

ISO/IEC 27035 provides organizations with guidance on information security incident management. This standard describes a basic set of documents, processes and routines. It also gives guidance to external organizations supplying information security incident management services.

ISO/IEC 24762 gives guidelines on the provision of ICT disaster recovery (ICT DR) services as part of business continuity management. This applies to both in-house and outsourced ICT DR service providers of physical facilities and services.

In cloud computing, ISO/IEC JTC 1/SC 27, IT Security techniques, is developing two new standards: ISO/IEC 27017 covers cloud-specific information security controls; and ISO/IEC 27018 considers controls for personal data. Both of these standards are being designed and developed to work alongside ISO/IEC 27001.

This article was originally published in ISO Focus by Edward Humphreys.

IT and Millennials – Pros and Cons

With their desire for quick answers, use of personal smartphones in the office, and yen to solve problems on their own, millennial workers are a boon to the IT departments that serve them. Pro or con?

PRO: IF YOU CAN’T BEAT ‘EM, JOIN ‘EM

The Millennial generation—those born in the 1980s and later—were raised in a world where answers were available with just a few thumb clicks. Now those Millennials are bringing similar expectations into the workplace, wanting near-instant responses and resolutions to tech issues. While this may seem daunting, IT should view it as an opportunity to rethink the traditional support model and build more efficient and effective support centers for everyone.

Millennials are in the forefront of the mobile trend, but they’re not the only employees bringing in their own mobile devices and working outside the office. By adopting multi-platform support tools that allow IT to remotely manage and fix nearly any type of device, no matter where it is, IT departments can better prepare themselves to support all the smartphones and tablets flooding the market.

CON: IT SUPPORT IS LEFT OUT OF THE EQUATION

Millennial employees have a different way of operating, which often creates friction with current IT policies. Although they don’t intentionally circumvent or reject IT policies, their habits often work against the way IT needs to operate to keep the business productive and the company’s data and systems secure.

While their self-sufficient nature is commendable, the Millennials’ tendency to turn to outside sources to solve tech problems leaves IT in the dark about individual issues, making it nearly impossible to identify systemic problems. Essentially, if IT doesn’t know the symptoms, it encounters difficulty diagnosing the disease. This leads to slower discovery and resolution of major problems, which could cause employees more problems and ultimately extend the time to final resolution.

By engineering self-help centers to behave more like the search engines, social networks, and forums to which Millennials gravitate, IT can increase self-help and reduce calls to the support department. IT should also leverage screen-sharing technology that allows end users to watch IT professionals fix their computers or mobile devices and thereby learn how to do so themselves.

While there are always opportunities for IT to improve operations, in some cases Millennials will have to reset their expectations. IT can help do this by providing better explanations and training around IT policies, from videos for new employees to monthly tips via e-mail. If each group respects the other’s needs and learns to bend a bit, IT and Millennials can bridge the divide.

View the full article at www.businessweek.com

APEX Global launches its 2012 Public Training Calendar

Expect more REAL learning experiences from APEX Global with its roster of training offerings for 2012. With its aim to promote performance excellence among professionals, APEX Global further expands its course offerings, adding fourteen new programs in partnership with various accreditation and learning organizations.

APEX Global is the first in the Philippines to offer Certified SOA Architect, where IT professionals can learn the fundamentals of SOA and gain a solid understanding of service-orientation design, eventually leading to becoming a Certified SOA Architect.

Certified Scrum Master, accredited by the Scrum Alliance, is also one of the latest training offerings for IT and Business Process Excellence. Scrum is the leading agile development methodology, used by Fortune 500 companies around the world. It was originally formalized for software development projects, but works well for any complex, innovative scope of work.

Furthermore, Software Quality Management Professional (SQM), Software Testing Professional – QTP and Load Runner, and the Fagan Inspection Method are also among the new programs being offered for software testing and quality excellence.

Under its BEX Behavioral Excellence umbrella, human resources practitioners will greatly benefit from the Professional in Human Resources (PHR) and Senior Professional in Human Resources (SPHR).

And with the increasing awareness and promotion of corporate social responsibility, APEX Global introduces Carbon Footprint and Reaping Returns: Measure Success of CSR & Sustainability Initiatives. Very soon, a graduate certificate program on sustainable business will be launched in partnership with one of the leading universities in Australia.

For more information and a complete listing of classes and schedules, please contact APEX Global at +6324038668 or send an email to info@eccigroup.com.