SP7: Ensure security

From YaSM Service Management Wiki

<itpmch><title>SP7: Ensure security | YaSM Service Management Wiki</title>
<meta name="keywords" content="how to ensure security as a service provider, yasm ensure security, yasm security management, service management security process" />
<meta name="description" content="The security management process in YaSM ensures the security of the service provider's range of services and aligns the security needs of the service provider with those of its customers. [...]" />
<meta property="og:url" content="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security" />
<meta property="og:title" content="SP7: Ensure security | YaSM Service Management Wiki" />
<meta property="og:description" content="The security management process in YaSM ensures the security of the service provider's range of services and aligns the security needs of the service provider with those of its customers. [...]" />
<meta property="og:site_name" content="YaSM Service Management" />
<meta property="og:type" content="article" />
<meta property="fb:admins" content="100002592864414" />
<meta property="og:image" content="https://yasm.com/wiki/en/img/yasm-process/16x9/Ensure-security-yasm-sp7.jpg" />
<meta property="og:image:width" content="1200" />
<meta property="og:image:height" content="675" />
<link href="https://plus.google.com/104150539756444616711/posts" rel="publisher" />
</itpmch>
<html><div class="noresize"><a href="https://yasm.com/wiki/de/index.php/SP7:_Gew%C3%A4hrleisten_der_Sicherheit"><img src="https://yasm.com/wiki/en/img/yasm-wiki/YaSM-Wiki-Deutsch.png" width="140" height="36" style="float:right;" alt="auf Deutsch" title="This page in German" /></a></div><br style="clear:both;"/>
<p>&nbsp;</p>


<p><b>Process name:</b> <a href="#Process_description">Ensure security</a> - <b>Part of:</b> <a href="/wiki/en/index.php/Service_Management_Processes#Supporting_processes" title="The supporting processes in YaSM service management">Supporting processes</a>
</p><p><b>Previous process:</b> <a href="/wiki/en/index.php/SP6:_Manage_projects" title="SP6: Manage projects">Manage projects</a>
</p><p><b>Next process:</b> <a href="/wiki/en/index.php/SP8:_Ensure_continuity" title="SP8: Ensure continuity">Ensure continuity</a></p></html>
<p>&nbsp;</p>


==Process description==


<html><p><span id="md-itempage-description" itemprop="description">The <b><span style="color:#465674;">security management process</span></b> in YaSM (<a href="https://yasm.com/wiki/en/img/yasm-process/Ensure-security-yasm-sp7.jpg" title="YaSM security management (SP7)">fig. 1</a>) ensures the security of the service provider's range of services and aligns the security needs of the service provider with those of its customers. This includes ensuring that systems and data are protected from intrusion and only accessed by authorized parties.</span></p>
<p>&nbsp;</p>


<div itemid="https://yasm.com/wiki/en/img/yasm-process/Ensure-security-yasm-sp7.jpg" itemscope itemtype="https://schema.org/ImageObject">
<meta itemprop="width" content="1200" />
<meta itemprop="height" content="900" />
<meta itemprop="keywords" content="yasm security management" />
<meta itemprop="keywords" content="service management security process" />
<meta itemprop="keywords" content="IT security management" />
<meta itemprop="keywords" content="ITIL 4 information security management" />
<meta itemprop="keywords" content="ITIL 4 risk management" />
<meta itemprop="representativeOfPage" content="true"/>
<meta itemprop="dateCreated" content="2014-05-02" />
<meta itemprop="datePublished" content="2014-05-08" />
<meta itemprop="dateModified" content="2024-05-20" />
<span itemprop="thumbnail" itemscope itemtype="https://schema.org/ImageObject">
  <meta itemprop="url" content="https://yasm.com/wiki/en/img/yasm-process/16x9/Ensure-security-yasm-sp7.jpg" />
  <meta itemprop="width" content="1200" />
  <meta itemprop="height" content="675" />
  <meta itemprop="dateCreated" content="2020-06-13" />
  <meta itemprop="datePublished" content="2020-06-15" />
  <meta itemprop="dateModified" content="2024-05-20" />
</span>
<span itemprop="thumbnail" itemscope itemtype="https://schema.org/ImageObject">
  <meta itemprop="url" content="https://yasm.com/wiki/en/img/yasm-process/800px/Ensure-security-yasm-sp7.jpg" />
  <meta itemprop="width" content="800" />
  <meta itemprop="height" content="600" />
  <meta itemprop="dateCreated" content="2024-05-23" />
  <meta itemprop="datePublished" content="2024-05-30" />
</span>
<span itemprop="thumbnail" itemscope itemtype="https://schema.org/ImageObject">
  <meta itemprop="url" content="https://yasm.com/wiki/en/img/yasm-process/480px/Ensure-security-yasm-sp7.jpg" />
  <meta itemprop="width" content="480" />
  <meta itemprop="height" content="360" />
  <meta itemprop="dateCreated" content="2024-05-23" />
  <meta itemprop="datePublished" content="2024-05-30" />
</span>
<figure class="mw-halign-left" typeof="mw:File/Thumb"><a itemprop="contentUrl" href="https://yasm.com/wiki/en/img/yasm-process/Ensure-security-yasm-sp7.jpg" title="Ensure security. - YaSM security management process SP7"><img srcset="https://yasm.com/wiki/en/img/yasm-process/480px/Ensure-security-yasm-sp7.jpg 480w, https://yasm.com/wiki/en/img/yasm-process/800px/Ensure-security-yasm-sp7.jpg 800w, https://yasm.com/wiki/en/img/yasm-process/Ensure-security-yasm-sp7.jpg 1200w" sizes="100vw" src="https://yasm.com/wiki/en/img/yasm-process/Ensure-security-yasm-sp7.jpg" fetchpriority="high" decoding="async" width="800" height="600" class="mw-file-element" alt="Fig. 1: Ensure security. - YaSM security management and risk management process SP7. - Related with: Practices of ITIL 4 information security management and ITIL 4 risk management." /></a><figcaption><span style="font-variant:small-caps;"><b>Fig. 1: 'Ensure security'</b><br /><a href="https://yasm.com/wiki/en/img/yasm-process/Ensure-security-yasm-sp7.jpg" title="YaSM security management SP7">YaSM security management process ('SP7')</a>.</span></figcaption></figure></div></html>
<br style="clear:both;"/>


Ensuring security starts with the compilation of a security risk register which lists the identified security risks and their properties, as well as suitable risk responses (security controls or other risk mitigation measures).


The YaSM processes provide a number of ways for the security manager to exert influence. Most importantly, the security manager will be involved in the service design and build stages to ensure the security of new or updated services. Once it has been established during service design which security controls and mechanisms are required for a new service, these can be put in place, notably
* Through the service build process, by adding suitable security features to the service infrastructure that is to be created or updated
* Through the security process, by updating security policies as well as security mechanisms and controls which are operated under the responsibility of the security manager.


The security manager is also involved in service or process improvement initiatives if security is affected.


If new security threats emerge or if the security controls need to be upgraded for other reasons, the security process is able to start security improvement initiatives on its own account. Such initiatives are managed through the security improvement plan.


Finally, the security manager will also ensure security by defining rules and providing information, for example in the form of underpinning security policies, incident and service request models, as well as security alerts.


<i><u>Note</u>: YaSM does not provide a detailed explanation of all aspects of security management, as there are dedicated and more detailed sources available (see, for example, ISO 27001). Rather, YaSM highlights the most important security management activities and describes the interfaces with other YaSM processes.</i>


<p>&nbsp;</p>
<html><i><u>Compatibility</u>: The YaSM security management process is <a href="/wiki/en/index.php/YaSM_and_ISO_20000#ISO_20000_requirements_and_related_service_management_processes" title="YaSM and ISO 20000">aligned with ISO 20000</a>, the international standard for service management (see ISO/IEC 20000-1:2018, <a href="/wiki/en/index.php/YaSM_and_ISO_20000#Service-assurance" title="ISO 20000 section 8.7: Service Assurance">section 8.7</a>), and it corresponds to the practices of '<a href="/wiki/en/index.php/YaSM_and_ITIL#ITIL-4-Information-security-management" title="ITIL 4 practices and YaSM processes: ITIL 4 information security management">ITIL 4 information security management</a>' and '<a href="/wiki/en/index.php/YaSM_and_ITIL#ITIL-4-Risk-management" title="ITIL 4 practices and YaSM processes: ITIL 4 risk management">ITIL 4 risk management</a>'.</i></html>


==Sub-processes==


<html><!-- define schema.org/CreativeWork --><div itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Sub-processes" itemscope="itemscope" itemtype="https://schema.org/CreativeWork">
<link itemprop="additionalType" href="http://www.productontology.org/id/Business_process" />
<meta itemprop="name" content="Security processes" />
<meta itemprop="alternateName" content="YaSM security management processes: definitions" />
<p><span itemprop="description">YaSM's security management process <i>'SP7: Ensure security'</i> has the following sub-processes:</span>
</p>
<p>&#160;</p>


<div itemprop="hasPart" itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#process-SP7.1" itemscope itemtype="https://schema.org/CreativeWork">
<meta itemprop="alternateName" content="YaSM security management process SP7.1" />
<dl id="SP7.1"><dt itemprop="name">SP7.1: Assess security risks</dt>
<dd itemprop="description">Process objective: To identify the security risks which need to be managed by the service provider, and to define appropriate risk responses.</dd></dl>
</div>
<p><br /></p>
<div itemprop="hasPart" itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#process-SP7.2" itemscope itemtype="https://schema.org/CreativeWork">
<meta itemprop="alternateName" content="YaSM security management process SP7.2" />
<dl id="SP7.2"><dt itemprop="name">SP7.2: Define security improvements</dt>
<dd itemprop="description">Process objective: To define the objectives of security improvement initiatives and the approach for their implementation. This includes creating business cases for the initiatives.</dd></dl>
</div>
<p><br /></p>
<div itemprop="hasPart" itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#process-SP7.3" itemscope itemtype="https://schema.org/CreativeWork">
<meta itemprop="alternateName" content="YaSM security management process SP7.3" />
<dl id="SP7.3"><dt itemprop="name">SP7.3: Start up security improvement initiatives</dt>
<dd itemprop="description">Process objective: To launch security improvement initiatives. This includes obtaining authorization by requesting a budget and submitting a request for change.</dd></dl>
</div>
<p><br /></p>
<div itemprop="hasPart" itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#process-SP7.4" itemscope itemtype="https://schema.org/CreativeWork">
<meta itemprop="alternateName" content="YaSM security management process SP7.4" />
<dl id="SP7.4"><dt itemprop="name">SP7.4: Implement security controls</dt>
<dd itemprop="description">Process objective: To implement, test and deploy new or improved security controls and mechanisms.</dd></dl>
</div>
<p><br /></p>
<div itemprop="hasPart" itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#process-SP7.5" itemscope itemtype="https://schema.org/CreativeWork">
<meta itemprop="alternateName" content="YaSM security management process SP7.5" />
<dl id="SP7.5"><dt itemprop="name">SP7.5: Operate the security controls</dt>
<dd itemprop="description">Process objective: To arrange adequate security training for the service provider's staff and customers, and to ensure regular maintenance and testing of the security mechanisms and controls.</dd></dl>
</div>
<p><br /></p>
<div itemprop="hasPart" itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#process-SP7.6" itemscope itemtype="https://schema.org/CreativeWork">
<meta itemprop="alternateName" content="YaSM security management process SP7.6" />
<dl id="SP7.6"><dt itemprop="name">SP7.6: Review the security controls</dt>
<dd itemprop="description">Process objective: To submit the security controls and mechanisms to regular reviews, in order to identify potential for improvement to be addressed by security improvement initiatives.</dd></dl>
</div>
</div><!-- end of schema.org/CreativeWork --></html>
<p>&nbsp;</p>


==Process outputs==


<html><!-- define schema.org/DefinedTermSet -->
<div itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#process-inputs-outputs" itemscope="itemscope" itemtype="https://schema.org/DefinedTermSet">
<link itemprop="additionalType" href="http://www.productontology.org/id/Input/output" />
<meta itemprop="name" content="YaSM process SP7: documents and records" />
<meta itemprop="alternateName" content="Security management process outputs" />
<meta itemprop="alternateName" content="Security management data objects" />
<p><span itemprop="description">This section lists the documents and records produced by <i>'Ensure security'</i>.</span> YaSM data objects <a href="#ydo" title="YaSM data object">[*]</a> are marked with an asterisk, while other objects are displayed in gray.</p>
<p>&#160;</p>


<dl>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name">Budget request</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A budget request is typically issued to obtain funding for setting up, improving or operating a service or process. An approved budget request means that the required financial resources have been allocated by the financial manager. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name">Change record</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A change record contains all details of a change, documenting the lifecycle of a single change. In its initial state, a change record describes a request for change (RFC) which is to be assessed and authorized prior to implementing the change. Further information is added as the change progresses through its lifecycle. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<div style="color:#636363" itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name">Change status information</dt>
<dd itemprop="description" style="margin-bottom: 1em;">Current status information related to the implementation of a change. This information is sent to the change manager from the various processes that implement authorized changes. It is used by the change manager to keep the change records and the change schedule up to date.</dd></div>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name">CI record</dt>
<dd itemprop="description" style="margin-bottom: 1em;">Configuration information is maintained in CI records for all configuration items (CIs) under the control of the configuration manager. In this context, CIs can be of various types: Applications, systems and other infrastructure components are treated as CIs, but often also services, policies, project documentation, employees, suppliers, etc. Configuration information is stored in the configuration management system (CMS). <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<div style="color:#636363" itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name">Data for project plan update</dt>
<dd itemprop="description" style="margin-bottom: 1em;">Current information related to project progress and resource consumption. This information is sent from various service management processes to the project manager as input for project control.</dd></div>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name">Incident model</dt>
<dd itemprop="description" style="margin-bottom: 1em;">An incident model contains the pre-defined steps that should be taken for dealing with a particular type of incident. The aim of providing incident models is to ensure that recurring incidents are handled efficiently and effectively. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<div style="color:#636363" itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name">Purchase request</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A request to procure goods or services from an external supplier. Purchase requests are typically sent to the supplier manager, for example if applications, systems or other infrastructure components are needed for setting up a new service, or if standard infrastructure components and consumables are required for service operation.</dd></div>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name" id="Register-of-security-risks">Register of security risks</dt>
<dd itemprop="description" style="margin-bottom: 1em;">The register of security risks is a tool used by the security manager to keep an overview of all security risks to be managed. The register of security risks also specifies the responses to the identified risks, in particular security controls and mechanisms to mitigate the risks. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<div style="color:#636363" itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name">Request to assess compliance implications</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A request to assess which compliance requirements are relevant for a new or changed service, typically issued during service design.</dd></div>
<div style="color:#636363" itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name">Request to assess continuity risks</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A request to assess risks associated with critical events, typically issued during service design if new or changed service continuity arrangements are likely to be needed for a new or improved service.</dd></div>
<div style="color:#636363" itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name" id="Security-alert">Security alert</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A security alert is typically issued by the security manager when outbreaks of security threats are foreseeable or already under way. Security alerts aim to ensure that users and staff are able to identify any attacks and take appropriate precautions.</dd></div>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name" id="Security-improvement-plan">Security improvement plan</dt>
<dd itemprop="description" style="margin-bottom: 1em;">Items in the security improvement plan are used by the security manager to record and manage security improvement initiatives throughout their lifecycle. Initiatives in the security improvement plan may aim to implement proactive measures to enhance security or to put mechanisms in place which allow an effective response to any security breaches. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<dt itemprop="name" id="Security-operation-manual">Security operation manual</dt>
<dd itemprop="description" style="margin-bottom: 1em;">The security operation manual specifies the activities required for the operation of the security controls and mechanisms operated under the responsibility of the security manager. Some instructions related to the operation of particular security systems may be documented in separate technical manuals or 'standard operating procedures (SOPs)'. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<p><br /></p>
<dt itemprop="name" id="Security-operation-manual">Security operation manual</dt>
<dl id="Security-review-report"><dt>Security review report</dt>
<dd itemprop="description" style="margin-bottom: 1em;">The security operation manual specifies the activities required for the operation of the security controls and mechanisms operated under the responsibility of the security manager. Some instructions related to the operation of particular security systems may be documented in separate technical manuals or 'standard operating procedures (SOPs)'. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<dd>A security review report records the details and findings from a security review. This report is an important input for the definition of security improvement initiatives. <a href="#ydo" title="YaSM data object">[*]</a></dd></dl>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<p><br /></p>
<dt itemprop="name" id="Security-review-report">Security review report</dt>
<dl><dt>Service request model</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A security review report records the details and findings from a security review. This report is an important input for the definition of security improvement initiatives. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<dd>Service request models contain the pre-defined steps that should be taken for dealing with a particular type of service request. The aim of providing service request models is to ensure that routinely occurring requests are handled efficiently and effectively. <a href="#ydo" title="YaSM data object">[*]</a></dd></dl>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<p><br /></p>
<dt itemprop="name">Service request model</dt>
<dl style="color:#636363"><dt>Suggested process modification</dt>
<dd itemprop="description" style="margin-bottom: 1em;">Service request models contain the pre-defined steps that should be taken for dealing with a particular type of service request. The aim of providing service request models is to ensure that routinely occurring requests are handled efficiently and effectively. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<dd>A suggestion for modifying one or several service management processes. Suggestions for process modifications or improvements may originate from anywhere within the organization.</dd></dl>
<div style="color:#636363" itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<p><br /></p>
<dt itemprop="name">Suggested process modification</dt>
<dl id="Suggested-security-improvement" style="color:#636363"><dt>Suggested security improvement</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A suggestion for modifying one or several service management processes. Suggestions for process modifications or improvements may originate from anywhere within the organization.</dd></div>
<dd>A suggestion for improving service security. Suggestions for security improvements may originate from anywhere within the organization.</dd></dl>
<div style="color:#636363" itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<p><br /></p>
<dt itemprop="name" id="Suggested-security-improvement">Suggested security improvement</dt>
<dl style="color:#636363"><dt>Suggested service modification</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A suggestion for improving service security. Suggestions for security improvements may originate from anywhere within the organization.</dd></div>
<dd>A suggestion for modifying a service, for example to improve service quality or economics. Suggestions may originate from anywhere within or outside of the service provider organization.</dd></dl>
<div style="color:#636363" itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<p><br /></p>
<dt itemprop="name">Suggested service modification</dt>
<dl><dt>Test report</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A suggestion for modifying a service, for example to improve service quality or economics. Suggestions may originate from anywhere within or outside of the service provider organization.</dd></div>
<dd>A test report provides a detailed account of testing activities. A test report is created for example during tests of new or changed service components, or during tests of security or service continuity mechanisms. <a href="#ydo" title="YaSM data object">[*]</a></dd></dl>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<p><br /></p>
<dt itemprop="name">Test report</dt>
<dl><dt>Test script</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A test report provides a detailed account of testing activities. A test report is created for example during tests of new or changed service components, or during tests of security or service continuity mechanisms. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<dd>A test script specifies a set of test cases including their expected outcomes. The nature of the test cases will vary depending on what is to be tested. <a href="#ydo" title="YaSM data object">[*]</a></dd></dl>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
<p><br /></p>
<dt itemprop="name">Test script</dt>
<dl id="Underpinning-security-policy"><dt>Underpinning security policy</dt>
<dd itemprop="description" style="margin-bottom: 1em;">A test script specifies a set of test cases including their expected outcomes. The nature of the test cases will vary depending on what is to be tested. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
<dd>Underpinning security policies are specific policies complementing the main security policy by setting binding rules, for example for the use of systems and information or the use and delivery of services. <a href="#ydo" title="YaSM data object">[*]</a></dd></dl>
<div itemprop="hasDefinedTerm" itemscope itemtype="https://schema.org/DefinedTerm">
</div><!-- end of schema.org/CreativeWork --><p>
<dt itemprop="name" id="Underpinning-security-policy">Underpinning security policy</dt>
<dd itemprop="description" style="margin-bottom: 1em;">Underpinning security policies are specific policies complementing the main security policy by setting binding rules, for example for the use of systems and information or the use and delivery of services. <a href="#ydo" title="YaSM data object">[*]</a></dd></div>
</dl>
</div><!-- end of schema.org/DefinedTermSet --><p>


<p>&nbsp;</p>
<p>&nbsp;</p>
<hr />
<hr />
<p><i><b>Notes:</b></i>
<p><i><u>Notes</u>:</i>
</p><p><span id="ydo"><strong>[*]</strong> <i>"YaSM data objects"</i> are those documents or records for which the YaSM model provides detailed recommendations: Every YaSM object has an associated checklist (see <a href="https://yasm.com/wiki/en/index.php/Service_Management_Checklists" title="Example: YaSM checklists and document templates">example</a>) describing its typical contents, and an associated lifecycle diagram depicting how the status of the object changes as it is created, updated, read and archived by various YaSM processes (see <a href="https://yasm.com/wiki/en/img/yasm-project/Yasm-object-lifecycle-diagram.jpg" title="Example: YaSM object lifecycle diagram (.JPG)">example</a>).</span>
</p><p><span id="ydo"><strong>[*]</strong> <i>"YaSM data objects"</i> are those documents or records for which the YaSM model provides detailed recommendations: Every YaSM object has an associated checklist (see <a href="https://yasm.com/wiki/en/index.php/Service_Management_Checklists" title="Example: YaSM service management checklists and document templates">example</a>) describing its typical contents, and an associated lifecycle diagram depicting how the status of the object changes as it is created, updated, read and archived by various YaSM processes (see <a href="https://yasm.com/wiki/en/img/yasm-project/Yasm-object-lifecycle-diagram.jpg" title="Example: YaSM object lifecycle diagram (.JPG)">example</a>).</span>
</p><p><i>"Other objects"</i> are mostly informal data or information where YaSM has less strong views about their contents. There are no associated lifecycle diagrams or checklists.</html>
</p><p><i>"Other objects"</i> are mostly informal data or information where YaSM has less strong views about their contents. There are no associated lifecycle diagrams or checklists.</html>
<p>&nbsp;</p>


==Process metrics==
==Process metrics==


<html><p>Process metrics are used, for example, to assess if the service management processes are running according to expectations.</p>
Process metrics are used, for example, to assess if the service management processes are running according to expectations.
<p>For suggestions of <a href="https://yasm.com/wiki/en/index.php/YaSM_Metrics" title="How to measure the performance of the YaSM processes - Process metrics">suitable metrics</a>, please refer to the <a href="https://yasm.com/wiki/en/index.php/YaSM_Metrics/_Supporting_Service_Management_Processes#metrics-sp7" title="Metrics for the YaSM process SP7: Ensure security.">list of metrics for the YaSM security process</a>.</html>


<p>&nbsp;</p>
For suggestions of [[Service Management Metrics|suitable metrics]], please refer to the [[Service_Management_Metrics#Metrics_for_the_security_process|list of metrics for the YaSM security process]].


==Roles and responsibilities==
==Roles and responsibilities==


'''<span id="responsible">Process owner: Security manager</span>'''
<span id="responsible">Process owner: The ''security manager'' is responsible for the service provider's and its customers' security. This includes responsibility for the security of information and data being processed by the service provider.</span>
*The security manager is responsible for the service provider's and its customers' security. This includes responsibility for the security of information and data being processed by the service provider.
 
<p>&nbsp;</p>
<p>&nbsp;</p>


{| class="wikitable sortable" style="background: white; text-align:center; vertical-align:top; font-size: 90%; line-height: 1.3em;"
{| class="wikitable" style="background: white; font-size: 95%"
|+<span style="font-size: 120%; line-height: 2.3em;">Responsibility matrix: "SP7: Ensure security"</span>
|+style="background:#465674; color:#ffffff; font-size: 110%"|Responsibility matrix: 'SP7: Ensure security'
|- style="vertical-align:top"
|- style="vertical-align:top"
! colspan="2"| YaSM role / sub-process
! colspan="2"| YaSM role / sub-process
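Review bot: the definition of 'Request to assess continuity risks' changes 'disaster events' to 'critical events' between the two `<dd>` lines for that term; this is a change of meaning rather than of markup, so the same wording should be used wherever this object is defined elsewhere on the wiki, and the change deserves a mention in the edit summary. The move of each term from a `<dl id="...">` block into a `<div itemprop="hasDefinedTerm">` with the `id` on the `<dt>` keeps the existing `#Security-alert`-style anchors working, which is fine.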
Line 223: Line 233:
|- style="text-align:center"
|- style="text-align:center"
|SP7.2
|SP7.2
| style="text-align:left"|[[#SP7.2|Define security improvements]]
| style="text-align:left"|[[#SP7.2|Define security improve&shy;ments]]
| R
| R
| -
| -
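Review bot: the soft hyphen in `[[#SP7.2|Define security improve&shy;ments]]` sits inside the link label, so the invisible U+00AD character ends up in the anchor text, in copied text and in in-page search for 'improvements'; if the column needs to wrap, a narrower column or CSS hyphenation is preferable to a character entity in the label.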
Line 276: Line 286:


== Notes ==
== Notes ==
Is based on: The security management process from the [https://yasm.com/en/products/yasm-process-map YaSM Process Map].


<html>By:&#160;&#160;Stefan Kempter&#160;<a rel="author" href="https://plus.google.com/111925560448291102517/about"><img style="margin:0px 0px 0px 0px;" src="/wiki/en/img/yasm-wiki/bookmarking/google.jpg" width="16" height="16" title="By: Stefan Kempter | Profile on Google+" alt="Author: Stefan Kempter, IT Process Maps GbR" /></a>&#160;&#160;and&#160;&#160;Andrea Kempter&#160;<a href="https://plus.google.com/113316270668629760475/about"><img style="margin:0px 0px 0px 0px;" src="/wiki/en/img/yasm-wiki/bookmarking/google.jpg" width="16" height="16" title="By: Andrea Kempter | Profile on Google+" alt="Contributor: Andrea Kempter, IT Process Maps GbR" /></a>, IT Process Maps.
<html><div itemid="https://yasm.com/wiki/en/img/yasm-process/goal-definition/yasm-security-management-process.jpg" itemscope itemtype="https://schema.org/ImageObject">
<meta itemprop="caption" content="Process objective: YaSM security Management - Ensure security (SP7)." />
<meta itemprop="width" content="1200" />
<meta itemprop="height" content="627" />
<meta itemprop="dateCreated" content="2021-09-21" />
<meta itemprop="datePublished" content="2021-09-22" />
<span itemprop="thumbnail" itemscope itemtype="https://schema.org/ImageObject">
  <meta itemprop="url" content="https://yasm.com/wiki/en/img/yasm-process/goal-definition/400px/yasm-security-management-process.jpg" />
  <meta itemprop="width" content="400" />
  <meta itemprop="height" content="209" />
  <meta itemprop="dateCreated" content="2023-12-12" />
  <meta itemprop="datePublished" content="2023-12-29" />
</span>
<meta itemprop="keywords" content="Security management process objective" />
<figure class="mw-halign-left" typeof="mw:File/Thumb"><a itemprop="contentUrl" href="https://yasm.com/wiki/en/img/yasm-process/goal-definition/yasm-security-management-process.jpg" title="Security management: process objective"><img srcset="https://yasm.com/wiki/en/img/yasm-process/goal-definition/400px/yasm-security-management-process.jpg 400w, https://yasm.com/wiki/en/img/yasm-process/goal-definition/yasm-security-management-process.jpg 1200w" sizes="100vw" src="https://yasm.com/wiki/en/img/yasm-process/goal-definition/yasm-security-management-process.jpg" decoding="async" width="400" height="209" class="mw-file-element" alt="The security management process in YaSM ensures the security of the service provider's range of services, and to align the security needs of the service provider with those of its customers. This includes ensuring that systems and data are protected from intrusion and only accessed by authorized parties." /></a><figcaption><span style="font-variant:small-caps;">Security management process: Objectives</span></figcaption></figure></div>


<p>Is based on: The security management process from the <a href="https://yasm.com/en/products/yasm-process-map" title="YaSM Process Map">YaSM Process Map</a>.</p>
<p>By:&#160;&#160;Stefan Kempter&#160;<a href="https://www.linkedin.com/in/stefankempter"><img style="margin:0px 0px 0px 0px;" src="/wiki/en/img/yasm-wiki/bookmarking/linkedin.jpg" width="16" height="16" title="By: Stefan Kempter | Profile on LinkedIn" alt="Author: Stefan Kempter, IT Process Maps GbR" /></a>&#160;&#160;and&#160;&#160;Andrea Kempter&#160;<a href="https://www.linkedin.com/in/andreakempter"><img style="margin:0px 0px 0px 0px;" src="/wiki/en/img/yasm-wiki/bookmarking/linkedin.jpg" width="16" height="16" title="By: Andrea Kempter | Profile on LinkedIn" alt="Contributor: Andrea Kempter, IT Process Maps GbR" /></a>, IT Process Maps.<br style="clear:both;"/><p>
<p>&nbsp;</p>
<p>&nbsp;</p>


<p><small>
<p><small>
<span itemscope="itemscope" itemtype="http://data-vocabulary.org/Breadcrumb">
<span itemprop="breadcrumb" itemscope itemtype="https://schema.org/BreadcrumbList">
<a href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Process_description" itemprop="url"><span itemprop="title">Process description</span></a>
<span itemprop="itemListElement" itemscope itemtype="https://schema.org/ListItem">
</span>
<a itemprop="item" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Process_description">
<span itemscope="itemscope" itemtype="http://data-vocabulary.org/Breadcrumb">
<span itemprop="name">Process description</span></a>
<a href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Sub-processes" itemprop="url"><span itemprop="title">Sub-processes</span></a>
<meta itemprop="position" content="1" /></span>
</span>
<span itemprop="itemListElement" itemscope itemtype="https://schema.org/ListItem">
<span itemscope="itemscope" itemtype="http://data-vocabulary.org/Breadcrumb">
<a itemprop="item" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Sub-processes">
<a href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Process_outputs" itemprop="url"><span itemprop="title">Process outputs</span></a>
<span itemprop="name">Sub-processes</span></a>
</span>
<meta itemprop="position" content="2" /></span>
<span itemscope="itemscope" itemtype="http://data-vocabulary.org/Breadcrumb">
<span itemprop="itemListElement" itemscope itemtype="https://schema.org/ListItem">
<a href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Process_metrics" itemprop="url"><span itemprop="title">Metrics</span></a>
<a itemprop="item" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Process_outputs">
</span>
<span itemprop="name">Process outputs</span></a>
<span itemscope="itemscope" itemtype="http://data-vocabulary.org/Breadcrumb">
<meta itemprop="position" content="3" /></span>
<a href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Roles_and_responsibilities" itemprop="url"><span itemprop="title">Roles</span></a>
<span itemprop="itemListElement" itemscope itemtype="https://schema.org/ListItem">
<a itemprop="item" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Process_metrics">
<span itemprop="name">Metrics</span></a>
<meta itemprop="position" content="4" /></span>
<span itemprop="itemListElement" itemscope itemtype="https://schema.org/ListItem">
<a itemprop="item" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Roles_and_responsibilities">
<span itemprop="name">Roles</span></a>
<meta itemprop="position" content="5" /></span>
</span>
</span>
</small></p>
</small></p>


<!-- define schema.org/ItemPage --> <span itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security" itemscope itemtype="https://schema.org/ItemPage" itemref="md-itempage-description">
<!-- define schema.org/ItemPage -->
  <link itemprop="additionalType" href="http://www.productontology.org/id/Business_process" />
<meta itemprop="name Headline" content="SP7: Ensure security" />
  <meta itemprop="name Headline" content="SP7: Ensure security" />
<meta itemprop="alternativeHeadline" content="YaSM security management process" />
  <meta itemprop="alternativeHeadline" content="YaSM's security process" />
<div itemscope itemtype="https://schema.org/ItemPage">
  <link itemprop="url" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security" />
<link itemprop="primaryImageOfPage" href="https://yasm.com/wiki/en/img/yasm-process/Ensure-security-yasm-sp7.jpg" />
  <span itemprop="hasPart" itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Sub-processes" itemscope itemtype="https://schema.org/CreativeWork">
<meta itemprop="significantLinks" content="https://yasm.com/wiki/en/index.php/YaSM_Metrics" />
  </span>
<meta itemprop="significantLinks" content="https://yasm.com/wiki/en/index.php/YaSM_Metrics/_Supporting_Service_Management_Processes#metrics-sp7" />
  <span itemprop="hasPart" itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#Process_outputs" itemscope itemtype="https://schema.org/CreativeWork">
</div>
  </span>
 
  <link itemprop="primaryImageOfPage" href="https://yasm.com/wiki/en/img/yasm-process/Ensure-security-yasm-sp7.jpg" />
<!-- define schema.org/CreativeWork -->
  <link itemprop="image" href="https://yasm.com/wiki/en/img/yasm-process/Ensure-security-yasm-sp7.jpg" />
<div itemscope itemtype="https://schema.org/CreativeWork">
  <meta itemprop="significantLinks" content="https://yasm.com/wiki/en/index.php/YaSM_Metrics" />
<link id="md-type-process" itemprop="additionalType" href="http://www.productontology.org/id/Business_process" />
  <meta itemprop="significantLinks" content="https://yasm.com/wiki/en/index.php/YaSM_Metrics/_Supporting_Service_Management_Processes#metrics-sp7" />
<meta itemscope itemprop="mainEntityOfPage" itemType="https://schema.org/ItemPage"
   <link itemprop="isPartOf" href="https://yasm.com/wiki/en/index.php/YaSM_Processes#supporting-service-management-processes" />
itemid="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security" itemref="md-itempage-description">
  <meta itemprop="isBasedOnUrl" content="https://yasm.com/en/products/yasm-process-map" />
<meta itemprop="name" content="SP7: Ensure security" />
  <meta itemprop="inLanguage" content="en" />
<meta itemprop="alternateName" content="YaSM security management process" />
  <link itemprop="citation" href="https://yasm.com/wiki/de/index.php/SP7:_Gew%C3%A4hrleisten_der_Sicherheit" />
<meta itemprop="alternateName" content="Security management process" />
  <link itemprop="publisher" href="https://yasm.com/en/#YaSMBrand" />
<link itemprop="url" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security" />
  <link itemprop="copyrightHolder creator" href="https://yasm.com/en/contact#ITProcessMapsOrg" />
<link itemprop="hasPart" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#SP7.1">
  <link itemprop="author" href="https://yasm.com/en/misc/team#StefanKempter" />
<link itemprop="hasPart" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#SP7.2">
  <link itemprop="contributor" href="https://yasm.com/en/misc/team#AndreaKempter" />
<link itemprop="hasPart" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#SP7.3">
</span><p></html>
<link itemprop="hasPart" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#SP7.4">
<link itemprop="hasPart" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#SP7.5">
<link itemprop="hasPart" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#SP7.6">
<link itemprop="hasPart" href="https://yasm.com/wiki/en/index.php/SP7:_Ensure_security#process-inputs-outputs">
<link itemprop="image" href="https://yasm.com/wiki/en/img/yasm-process/Ensure-security-yasm-sp7.jpg" />
<link itemprop="image" href="https://yasm.com/wiki/en/img/yasm-process/goal-definition/yasm-security-management-process.jpg" />
<link itemprop="isPartOf" href="https://yasm.com/wiki/en/index.php/Service_Management_Processes#supporting-processes" />
   <meta itemprop="mentions" content="ITIL 4 information security management" />
  <meta itemprop="mentions" content="ITIL 4 risk management" />
<meta itemprop="isBasedOnUrl" content="https://yasm.com/en/products/yasm-process-map" />
<meta itemprop="inLanguage" content="en" />
<link itemprop="citation" href="https://yasm.com/wiki/de/index.php/SP7:_Gew%C3%A4hrleisten_der_Sicherheit" />
<link itemprop="publisher" href="https://yasm.com/en/#YaSMBrand" />
<link itemprop="copyrightHolder creator" href="https://yasm.com/en/contact#ITProcessMapsOrg" />
<link itemprop="author" href="https://yasm.com/en/misc/team#StefanKempter" />
<link itemprop="contributor" href="https://yasm.com/en/misc/team#AndreaKempter" />
</div><p></html>


<!-- This page is assigned to the following categories: -->
<!-- This page is assigned to the following categories: -->
[[Category:YaSM process]]
[[Category:YaSM process]]
<!-- --- -->
<!-- --- -->
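Review bot: the author line `<p>By:&#160;&#160;Stefan Kempter ... IT Process Maps.<br style="clear:both;"/><p>` opens a second `<p>` instead of closing the first, and the microdata block ends with `</span><p></html>` (the older `</div><p></html>` has the same problem); both should read `</p>` so that no paragraph is left open when the wikitext resumes. Separately, the `alt` text of the process-objective figure reads "ensures the security of the service provider's range of services, and to align the security needs ..."; the infinitive does not agree with "ensures", and "and aligns" would match the wording of the process description on the page.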

Latest revision as of 17:24, 12 October 2024



 

Process name: Ensure security - Part of: Supporting processes

Previous process: Manage projects

Next process: Ensure continuity

 

Process description

The security management process in YaSM (fig. 1) ensures the security of the service provider's range of services and aligns the security needs of the service provider with those of its customers. This includes ensuring that systems and data are protected from intrusion and only accessed by authorized parties.

 

Fig. 1: 'Ensure security' - YaSM security management and risk management process ('SP7'). Related with: practices of ITIL 4 information security management and ITIL 4 risk management.


Ensuring security starts with the compilation of a security risk register which lists the identified security risks and their properties, as well as suitable risk responses (security controls or other risk mitigation measures).

The YaSM processes provide a number of ways for the security manager to exert influence. Most importantly, the security manager will be involved in the service design and build stages to ensure the security of new or updated services. Once it has been established during service design which security controls and mechanisms are required for a new service, these can be put in place, notably

  • Through the service build process, by adding suitable security features to the service infrastructure that is to be created or updated
  • Through the security process, by updating security policies as well as security mechanisms and controls which are operated under the responsibility of the security manager.

The security manager is also involved in service or process improvement initiatives if security is affected.

If new security threats emerge or if the security controls need to be upgraded for other reasons, the security process is able to start security improvement initiatives on its own account. Such initiatives are managed through the security improvement plan.

Finally, the security manager will also ensure security by defining rules and providing information, for example in the form of underpinning security policies, incident and service request models, as well as security alerts.

Note: YaSM does not provide a detailed explanation of all aspects of security management, as there are dedicated and more detailed sources available (see, for example, ISO 27001). Rather, YaSM highlights the most important security management activities and describes the interfaces with other YaSM processes.

 

Compatibility: The YaSM security management process is aligned with ISO 20000, the international standard for service management (see ISO/IEC 20000-1:2018, section 8.7), and it corresponds to the practices of 'ITIL 4 information security management' and 'ITIL 4 risk management'.

Sub-processes

YaSM's security management process has the following sub-processes:

SP7.1: Assess security risks
Process objective: To identify the security risks which need to be managed by the service provider, and to define appropriate risk responses.
SP7.2: Define security improvements
Process objective: To define the objectives of security improvement initiatives and the approach for their implementation. This includes creating business cases for the initiatives.
SP7.3: Start up security improvement initiatives
Process objective: To launch security improvement initiatives. This includes obtaining authorization by requesting a budget and submitting a request for change.
SP7.4: Implement security controls
Process objective: To implement, test and deploy new or improved security controls and mechanisms.
SP7.5: Operate the security controls
Process objective: To arrange adequate security training for the service provider's staff and customers, and to ensure regular maintenance and testing of the security mechanisms and controls.
SP7.6: Review the security controls
Process objective: To submit the security controls and mechanisms to regular reviews, in order to identify potential for improvement to be addressed by security improvement initiatives.

Process outputs

This section lists the documents and records produced by 'security management'. YaSM data objects [*] are marked with an asterisk, while other objects are displayed in gray.

Budget request
A budget request is typically issued to obtain funding for setting up, improving or operating a service or process. An approved budget request means that the required financial resources have been allocated by the financial manager. [*]
Change record
A change record contains all details of a change, documenting the lifecycle of a single change. In its initial state, a change record describes a request for change (RFC) which is to be assessed and authorized prior to implementing the change. Further information is added as the change progresses through its lifecycle. [*]
Change status information
Current status information related to the implementation of a change. This information is sent to the change manager from the various processes that implement authorized changes. It is used by the change manager to keep the change records and the change schedule up to date.
CI record
Configuration information is maintained in CI records for all configuration items (CIs) under the control of the configuration manager. In this context, CIs can be of various types: Applications, systems and other infrastructure components are treated as CIs, but often also services, policies, project documentation, employees, suppliers, etc. Configuration information is stored in the configuration management system (CMS). [*]
Data for project plan update
Current information related to project progress and resource consumption. This information is sent from various service management processes to the project manager as input for project control.
Incident model
An incident model contains the pre-defined steps that should be taken for dealing with a particular type of incident. The aim of providing incident models is to ensure that recurring incidents are handled efficiently and effectively. [*]
Purchase request
A request to procure goods or services from an external supplier. Purchase requests are typically sent to the supplier manager, for example if applications, systems or other infrastructure components are needed for setting up a new service, or if standard infrastructure components and consumables are required for service operation.
Register of security risks
The register of security risks is a tool used by the security manager to keep an overview of all security risks to be managed. The register of security risks also specifies the responses to the identified risks, in particular security controls and mechanisms to mitigate the risks. [*]
Request to assess compliance implications
A request to assess which compliance requirements are relevant for a new or changed service, typically issued during service design.
Request to assess continuity risks
A request to assess risks associated with critical events, typically issued during service design if new or changed service continuity arrangements are likely to be needed for a new or improved service.
Security alert
A security alert is typically issued by the security manager when outbreaks of security threats are foreseeable or already under way. Security alerts aim to ensure that users and staff are able to identify any attacks and take appropriate precautions.
Security improvement plan
Items in the security improvement plan are used by the security manager to record and manage security improvement initiatives throughout their lifecycle. Initiatives in the security improvement plan may aim to implement proactive measures to enhance security or to put mechanisms in place which allow responding effectively to any security breaches. [*]
Security operation manual
The security operation manual specifies the activities required for the operation of the security controls and mechanisms operated under the responsibility of the security manager. Some instructions related to the operation of particular security systems may be documented in separate technical manuals or 'standard operating procedures (SOPs)'. [*]
Security review report
A security review report records the details and findings from a security review. This report is an important input for the definition of security improvement initiatives. [*]
Service request model
Service request models contain the pre-defined steps that should be taken for dealing with a particular type of service request. The aim of providing service request models is to ensure that routinely occurring requests are handled efficiently and effectively. [*]
Suggested process modification
A suggestion for modifying one or several service management processes. Suggestions for process modifications or improvements may originate from anywhere within the organization.
Suggested security improvement
A suggestion for improving service security. Suggestions for security improvements may originate from anywhere within the organization.
Suggested service modification
A suggestion for modifying a service, for example to improve service quality or economics. Suggestions may originate from anywhere within or outside of the service provider organization.
Test report
A test report provides a detailed account of testing activities. A test report is created for example during tests of new or changed service components, or during tests of security or service continuity mechanisms. [*]
Test script
A test script specifies a set of test cases including their expected outcomes. The nature of the test cases will vary depending on what is to be tested. [*]
Underpinning security policy
Underpinning security policies are specific policies complementing the main security policy by setting binding rules, for example for the use of systems and information or the use and delivery of services. [*]
Notes:

[*] "YaSM data objects" are those documents or records for which the YaSM model provides detailed recommendations: Every YaSM object has an associated checklist (see example) describing its typical contents, and an associated lifecycle diagram depicting how the status of the object changes as it is created, updated, read and archived by various YaSM processes (see example).

"Other objects" are mostly informal data or information where YaSM has less strong views about their contents. There are no associated lifecycle diagrams or checklists.

Process metrics

Process metrics are used, for example, to assess if the service management processes are running according to expectations.

For suggestions of suitable metrics, please refer to the list of metrics for the YaSM security process.

Roles and responsibilities

Process owner: The security manager is responsible for the service provider's and its customers' security. This includes responsibility for the security of information and data being processed by the service provider.

Responsibility matrix: 'SP7: Ensure security'

YaSM role / sub-process                             | Compliance manager | Operations | Process owner | Security manager | Service continuity manager | Service owner | Technical domain expert
----------------------------------------------------|--------------------|------------|---------------|------------------|----------------------------|---------------|------------------------
SP7.1 Assess security risks                         | -                  | -          | R             | AR               | -                          | R             | -
SP7.2 Define security improvements                  | R                  | -          | -             | AR               | R                          | -             | -
SP7.3 Start up security improvement initiatives     | -                  | -          | -             | AR               | -                          | -             | -
SP7.4 Implement security controls                   | -                  | R          | -             | AR               | -                          | -             | R
SP7.5 Operate the security controls                 | -                  | R          | -             | AR               | -                          | -             | -
SP7.6 Review the security controls                  | -                  | -          | -             | AR               | -                          | -             | -

Notes

The security management process in YaSM ensures the security of the service provider's range of services and aligns the security needs of the service provider with those of its customers. This includes ensuring that systems and data are protected from intrusion and are accessed only by authorized parties.
Security management process: Objectives

Is based on: The security management process from the YaSM Process Map.

By: Stefan Kempter (Author), IT Process Maps GbR, and Andrea Kempter (Contributor), IT Process Maps GbR.
