ITIL®
ITIL® (Information Technology Infrastructure Library) is a framework of best practices for IT Service Management (ITSM). More information about ITIL® is available at: https://www.itilibrary.org/.
ITIL® contains five “Service Management Practices—Core Guidance” publications:
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement
Service Strategy helps IT decide which services to provide. Service Design details the infrastructure and architecture required to deliver IT services. Service Transition describes taking new projects and making them operational. Service Operation covers IT operations controls. Finally, Continual Service Improvement describes ways to improve existing IT services.
Scoping and Tailoring
Scoping is the process of determining which portions of a standard will be employed by an organization. For example, an organization that does not employ wireless equipment may declare that the wireless provisions of a standard are out of scope, and therefore do not apply.
Tailoring is the process of customizing a standard for an organization. It begins with controls selection, continues with scoping, and finishes with the application of compensating controls. NIST Special Publication 800-53B (Control Baselines for Information Systems and Organizations) describes the tailoring process:
- Identifying and designating common controls
- Applying scoping considerations
- Selecting compensating controls
- Assigning values to organization-defined control parameters via explicit assignment and selection operations
- Supplementing baselines with additional controls and control enhancements
- Providing specification information for control implementation [14]
The “parameters” mentioned include items such as password complexity policies.
Data States
There are three states of data: data in use, data in transit, and data at rest. Data in use is data that is actively being used in an application, such as data being viewed by a user in an open spreadsheet. Data in transit (also called data in motion) is data that is being transferred across a network. Data at rest is stored data, residing on a disk and/or in a file. DLP may protect data in all three states, and other controls can be used to protect data in each of its three states, which we will discuss next.
Protecting Data in Use
Protecting data in use requires protecting the end user and the system he or she is using. Protecting the end user requires providing proper training and security awareness. Protecting the system requires an array of physical and host-based controls that we will discuss across multiple domains: physical security, patching and hardening, use of login timeouts and screen locks, etc.