How Best Practices deal with IT-security

Date: 18/05/2021| Category: IT Governance & Service Management| Tags: ,

In his previous interview, Xavier Van Lindt explained how Best Practices prevent communication problems encountered by IT. In this second article, Xavier presents how Best Practices help to avoid IT security problems.

Indeed, the second problem observed which joins the first point on the lack of communication is security. Security is the result of effective communication between business management and IT. IT security is only an alignment with the security needs mentioned by the business. Here too, the impact is spread over the 3 hierarchical levels of the company (strategic / tactical / operational). It is therefore governance that will make it possible to know what the needs and requirements of the businesses are with regard to security.

Several Best Practices address the topic of IT security. In the ITIL 4 framework, security is studied in the strategic modules ITIL 4 DPI and ITIL 4 DITS. In DevOps, there is a module dedicated to security, which is one of its fundamental principles, DevSecOps.

Contrary to popular belief, IT security is not just a design concern. It is not enough to put passwords, firewalls or ISPs. DevOps modules teach that security is present in everyday life when you are in the RUN (production). During a run, the overarching concept of safety is called observability.

It is often forgotten that it is essential to observe everything that is happening in order not to miss anything in terms of safety. IT Security is not just about hacking, phishing, or spamming. IT Security is also about the availability of data, in addition to confidentiality and integrity. DevOps, through its SRE, Continuous Delivery and DevSecOps modules, focuses on measuring everything that happens in production to be sure to guarantee availability.

IT security incorporated in Best Practices

The master benchmark for security remains the ISO 27000 series. ITIL mentions security as a practice, but DevOps, in a very operational way, focuses on observability and culture. In DevOps Foundation and DevSecOps security is not just the role of the CISO but the concern of ALL members of the organiSation, which makes it a cultural phenomenon. Safety is not technical, it is above all cultural and comes from the profession. Everyone needs to be involved, which is well mentioned by DevOps.

Thus, what we will expect from the CISO (Chief information security officer) is not simply to evoke security policies (as mentioned in the ITIL 4 training) but also an evangelization of the entire IT department. As well as of users and customers at the level of different security aspects (strategic or operational tactics). Safety is everywhere and concerns everyone. Since security is not just a matter of politics, mechanisms or systems must be designed, tested and supervised in operation. In order to keep Safety in line, we must communicate!

There are 5 universal concepts found in DevOps, ISO and ITIL repositories, to protect the information the organisation needs to run its business:

  • Confidentiality: access to data limited to authorized persons
  • Integrity: accuracy throughout the system
  • Availability: data available when, where and for whom.
  • Authentication: ensure the identity of the requester
  • Non-repudiation: being able to prove the action carried out.

However, the DevSecOps framework broadens the topic, makes security a cultural aspect in addition to being technological, and places a huge focus on observability. Knowing everything that goes on in day-to-day production is an integral part of safety.

Unfortunately, even though almost all companies have observability tools, there is not always someone in front of the screens to see what is going on. Or you do not really get to see what you should see, so the issue returns. ITIL calls this practice “event management”; DevOps, “observability” but above all DevOps focuses on the criticality of security and event management.

For a professional who would like to run security, I recommend ISO 27000 training and for the professional who wants to understand the security issue as a whole, I recommend DevSecOps training instead.

Xavier van Lindt

Xavier van Lindt

Xavier is Senior Consultant and accredited trainer ITIL 4 Foundation & Intermediate, ITIL v3 Foundation, Practitioner & Intermediate, ITIL MALC, ITIL Expert, DevOps Foundation, ISO20000 Foundation, Lean IT Foundation, Lean, Kaizen, Scrum Master, DevOps Leader, DevOps SRE, DevOps continuous delivery, Integrated Service Management (ISM).

Newsletter

Subscribe to the QRP International neswletter and get all the news on trends, useful contents and invitations to our upcoming events.

QRP International will use the information you provide on this form to be in touch with you. We'd like to continue keeping you up-to-date with all our latest news and exclusive content that's designed to help you to be more effective in your role, and keep your professional skills current.

You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at marketing@qrpinternational.com. We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms.

We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp's privacy practices here.