The Standard

Service Management

This chapter provides details on the areas in the cluster “Service Management” of the taxonomy by giving a more in-depth profile of each IT Security Standard. The profiles spell out the information security challenges and summarize the major security objectives. Dependencies on other areas are briefly explained as well.

Service Management: life-cycle issues and general aspects of operations security
IT Security Standard | Abbr. | IT components and major areas

Release Management and Acceptance Testing (RMA)
Release Management plans, tests, communicates, implements and monitors the implementation of a release into the IT service environment and ensures that all technical and non-technical aspects are considered.
A release is a set of pre-approved changes to the IT service environment (i.e., the IT systems and components used by the IT service provider to provide IT services).

Scope and Content:

  • IT systems and components used by the IT service provider for the provision of IT services are subject to change. Changes arise from the extension and optimization of the business or from technical progress, and they are required in order to react to problems or incidents. A release is a collection of hardware, software, documentation, processes and other components that implements the approved changes.
  • Release Management is closely related to Change Management in that the latter is usually the source of a new release. Changes are planned, risk-assessed and approved by Change Management and are executed by Release Management.
  • Each new release has to undergo acceptance testing. This comprises user acceptance testing, operational acceptance testing, contract and regulation acceptance testing and, if required, alpha and beta testing.

Goals and Objectives:

  • Changes are pre-approved individually (as part of the Change Management process), which includes the assessment of quality, gain and impacts such as risks. A release bundles several such changes and therefore has a different, larger scope whose combined effect was not assessed at the level of the single change. Hence, the release is to be re-assessed in order to minimize the impact on the business service.
  • Content and quality shall be evaluated to minimize the impacts. This includes security testing.
  • Generation and implementation of a new release shall follow a defined process to ensure quality and integrity, prevent manipulation and ensure that all changes are authorized before becoming effective.

Primary External Support:

Regardless of the original intention or source, a new release is always initiated by a formal Change.

  • Release Management and Acceptance Testing uses the services and the results from “Change and Problem Management (CPM)” since (single) changes are pre-approved, which includes the assessment of quality, gain as well as impacts such as risks.

A Release integrates IT systems and components such as software developed by an IT service provider department or one of its subsidiaries.

  • Release Management and Acceptance Testing uses the services and the results from “System Development Life-Cycle (SDL)” in the event the developed IT systems and components (especially software) become part of a new release since these are pre-approved for quality.

A Release will, in most cases, integrate IT components purchased from third parties (vendors or manufacturers).

  • Release Management and Acceptance Testing uses the services and the results from “Systems Acquisition and Contracting (SAC)” whenever IT systems or components become part of a new release since the respective manufacturer or distributor and its product are approved for reliability, quality and the like.

System Development Life-Cycle (SDL)
The System Development Life-Cycle is a process for developing demonstrably reliable and secure IT systems. It includes activities performed with the aim that IT systems respond to needs by providing the functionality according to the requirements. This means that the requirements are implemented properly, without introducing vulnerabilities.

Scope and Content:

  • The IT service provider’s operational units (production) provide IT services for customers, employing hardware and software systems developed by and purchased from a different organization (manufacturer, distributor, or the development or engineering department of the IT service provider). Obviously, the use of such systems (hardware and software) can have negative consequences and cause risks, which should be kept to a minimum.
  • This holds true both for complex IT systems and for software; both are taken into account.

Goals and Objectives:

  • Definition of requirements: the discussion and comprehension of requirements should ideally be completed before the corresponding management decisions and plans are made.
  • Risks shall continuously be analyzed so that security design issues can be detected and fixed before coding is committed, if possible. Processes and plans should be established to tackle new security vulnerabilities or critical situations.
  • Design and implementation shall be carried out in a structured way to ensure that requirements are met and flaws are prevented. Secure-coding best practices should be applied, as well as proven testing processes and procedures.
  • A final security review and testing shall be conducted before delivery. Instructions for customers shall be included in the service package, which should facilitate the secure configuration and deployment of the software.
  • The development (and the production) environments are to be protected and appropriate tools shall be used in order to prevent manipulation, espionage or any other adverse impact on the manufacturing process and its results.
  • For systems and components that include hardware, these requirements should be adapted as appropriate. ISO/IEC 15408 (Common Criteria) can provide support here.

Primary External Support:

  • None

Systems Acquisition and Contracting (SAC)
Choosing the right supplier is critical when purchasing IT systems and components (or services) that are to be reliable, secure, and so forth.
The properties and other characteristics of what is purchased, the possibility of obtaining corrections, and the process for obtaining them are examples of crucial areas that need to be stipulated in the contract. Otherwise, difficulties may arise when these activities are actually needed.

Scope and Content:

  • The IT service provider provides IT services for customers, using IT systems and components that may have been purchased from third parties (the manufacturer, the distributor). Obviously, choosing the wrong supplier can have a negative impact and generate risks, which should be minimized in any case. Moreover, third-party systems, components and services may have inadequate security features or contain vulnerabilities.

Goals and Objectives:

  • The IT service provider has to be familiar with the market and is thus able to identify and assess which suppliers, goods, and services are suitable.
  • The security features of goods and services to be purchased should be clear when making the decision to purchase a system, product or component. Security acceptance testing and other types of analysis provide evidence that the system, product or component actually has the expected features. Services utilized by the IT service provider for IT service delivery to its customers are monitored to confirm that they retain the right features, so that neither the security of the IT service provider nor that of any of its customers can be abused. Security is to be maintained continuously: corrections are made for flaws that occurred in development or manufacturing and in reaction to changes in the environment, such as new attack methods or usage scenarios.
  • The responsibilities and the division of labor between the supplier and the IT service provider shall be clear, transparent and adhered to at all times. This also requires a description of the product or service purchased from the third party and used by the IT service provider. A description of the information to be made available, along with its security classification, shall also be required and shall include verifiable quality or performance criteria. Liability should be clarified.
  • Specific agreements are required if suppliers are involved in accessing, processing and managing data or information of the IT service provider and/or data and information accessed, processed and managed by the IT service provider on behalf of its customers. Access to IT systems and components shall be limited and monitored appropriately.
  • Specific agreements are required if suppliers are involved in the installation, operation, provisioning, management or maintenance of systems and components used by the IT service provider for the provision of IT services to its customers.
  • Suppliers should be cooperative and obliged to report observed or suspected security vulnerabilities in the systems, components or services they provide.
  • Suppliers should contractually be bound to fix security vulnerabilities or at least offer support to do so.
  • Binding non-disclosure agreements shall be signed, if required. Confidentiality and specific controls to ensure enforcement can be agreed on.
  • The process and treatment of changes shall be settled. An escalation process for problem resolution shall be established, as appropriate. The definition of conditions for the renegotiation and termination of agreements is to be required.

Primary External Support:

  • None

Change and Problem Management (CPM)
Changes are alterations to IT components. They are requested mainly as a result of orders, requests, incidents or problems. Change Management is the life-cycle process from request and analysis to implementation and final verification. A problem is the underlying cause of one or more failures of, or incidents in, IT service delivery.
Problem Management is the life-cycle process from occurrence, notification, analysis and identification of causes to the planning of workarounds and changes.

Scope and Content:

  • Change can broadly be defined as the process of requesting, analyzing, approving, developing, implementing and reviewing a planned or unplanned change within the IT infrastructure. Changes arise as a result of problems or incidents, but many changes can come from proactively seeking business benefits such as reducing costs or improving services.
  • Problem management is another key process that interacts with change management as changes are often required to implement workarounds and to fix known errors. Problem management is a major source of requests for change.

Goals and Objectives:

  • The goal of the Change Management process is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes, in order to minimize the impact of change-related incidents on service quality, and consequently to improve the day-to-day operations of the organization.
  • A risk assessment is mandatory within the Change Management process to minimize negative impacts. The focus should be on identifying the factors that may disrupt the business, impede the delivery of service warranties or impact corporate objectives and policies.
  • Changes require a formal request and approval before being implemented. The extent of the change and its impact need to be estimated and documented. Precautions for planned service outages (downtime) and for back-out need to be considered as appropriate. The result of a change is verified and also documented (refer to Asset and Configuration Management (ACM)).
  • The goal of the Problem Management process is to prevent problems and resulting incidents from happening, to eliminate recurring incidents and to minimize the impact of incidents that cannot be prevented.
  • Problem management shall learn from experience. Hence a record of known errors, causes and resolutions is kept. Actions such as the analysis of trends and correlations shall be taken in order to minimize response time and increase the quality of the result.

Primary External Support:

Change and Problem Management requires information about the IT systems for the analysis and planning of appropriate remediation activities. This information is provided by Asset and Configuration Management.

  • Change and Problem Management can be seen to use services and results of “Asset and Configuration Management (ACM)” since changes manifest in changes of configuration data and the corresponding configuration items are under the control of Change Management.

Asset and Configuration Management (ACM)
Asset Management is the process responsible for tracking and reporting the value and ownership of IT systems and components throughout their life-cycle. Configuration Management is the process responsible for maintaining information about any component required to deliver an IT service, including the relationships between components.

Scope and Content:

  • Configuration Management provides a logical model of the IT infrastructure. It contains all Configuration Items (CI) as an inventory with identification, definition and status, and it is used to control and monitor all changes by means of a Configuration Management Database (CMDB). Configuration Management provides up-to-date information about all CI; this information is managed throughout the life-cycle of each CI. Assets need to be identified and kept in an inventory in order to manage any change of configuration resulting from acquisition or change.

Goals and Objectives:

  • The configuration of all critical IT systems and components must be documented or appropriately kept available (outside that system or component). This requires keeping an inventory of IT components. Other material required for IT service delivery and maintenance is also subject to inventory and configuration control as appropriate.
  • The modification of CMDB content is to be approved, limited to authorized operations personnel, and reflect the actual status of the corresponding IT components and other material required for IT service delivery and maintenance.
  • Requests to update the CMDB primarily originate from “Change and Problem Management (CPM)”, while much of the configuration information itself is generated by “Hardening, Provisioning and Maintenance (HPM)” and “Security Patch Management (SPM)”. The requests and the data should be validated and their integrity must be ensured. Typical data to be tracked may include identifier, description, category and type, product and manufacturer, version, location and responsible person, change history, relations to other Configuration Items (CI), licenses, settings, and records.

Primary External Support:

  • None

Hardening, Provisioning and Maintenance (HPM)
Hardening comprises all methods applied to IT systems, software and components that reduce the possibility of vulnerabilities and the susceptibility to attacks. Provisioning comprises all methods of deploying and activating an IT service, including conception, installation, configuration and approval. Maintenance comprises the technical support that keeps operations running and systems up to date, including the help desk.

Scope and Content:

  • The IT service provider provides IT services using systems that reside in a data center operated by the IT service provider or at the client’s premises. Other systems and components are used to establish and maintain communication over networks. Third, there are workplaces and other systems at the users’ premises or in mobile use. All of this information processing equipment is prepared for installation, then set up, and finally supported during operation.
  • The operations personnel (administrators and other technical staff) require technical and detailed guidance regarding hardening, provisioning and maintenance in addition to the information about the general organization and the design of processes, which are the subject of other standards.

Goals and Objectives:

  • Only those versions of IT systems and components should be used which are approved for IT production (at least by the manufacturer). They should only be used within the period of the active manufacturer support.
  • Test data sets, software components installed for testing, default data sets and default (or initial) accounts or passwords and the like shall be removed from IT systems before switching to IT service delivery for customers. Such software or data may remain on the IT systems if necessary for a (power-on or regular) self-test.
  • IT systems, software and components should be configured in a way that reduces the possibility of vulnerabilities and susceptibility to attacks. One means to achieve this is the so-called system hardening, in which, for example, software components or services that are not required or never to be used are removed. IT systems should be assigned to classes which express different levels of control, trustworthiness and attack potential, depending on the network zone in which they are operated. For instance, IT systems in the DMZ and in the Data Center LAN may belong to different classes and may be treated differently.
  • IT systems, software and components shall be configured in a way that applicable security policies are met. IT systems and components shall run with the least possible privileges as appropriate.
  • Provisioning comprises all methods of deploying IT systems and components and of activating the service. This may include conception, installation, configuration, and approval. Such tasks shall be organized in a way that no configurations arise which may compromise security. Example measures for reaching this objective: personnel engaged in such tasks should be trained and certified so that the likelihood of flaws with a negative impact on security is minimized; likewise, appropriate tools should be used; and methods and processes should be approved before they become the standard.
  • Maintenance comprises technical support aimed at ensuring that operations remain functional and are updated. Help desk services frequently are the access point for standard maintenance. Maintenance-related tasks shall be organized in a way that the overall state of security is upheld and no configurations exist that compromise security.
  • Maintenance shall be performed in a manner that the confidentiality, the integrity and the availability of user data is ensured.
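The objectives above (remove default and test accounts and test software before go-live, treat systems differently by network zone class, run with least privilege) can be checked mechanically before a host is handed over to IT service delivery. The following is an added example written for this page, not part of the ESARIS standard: the host snapshot, the zone-class allowlists and the default-account and test-package lists are constructed, illustrative assumptions, and the rule names are invented for the example.

```python
"""Hardening acceptance check for a host before it is switched to IT service
delivery. Added example with constructed data: the host snapshot, the zone-class
baselines and the default-account and test-package lists below are illustrative
assumptions, not content of the standard."""

# Zone classes. The standard names the DMZ and the Data Center LAN as examples of
# zones whose systems may be treated differently; the allowlists are assumptions.
ZONE_BASELINES = {
    "dmz": {
        "allowed_services": {"nginx", "sshd", "chronyd", "rsyslog"},
        "may_run_as_root": {"sshd", "chronyd", "rsyslog"},
    },
    "dc-lan": {
        "allowed_services": {"postgresql", "sshd", "chronyd", "rsyslog"},
        "may_run_as_root": {"sshd", "chronyd", "rsyslog"},
    },
}
DEFAULT_ACCOUNTS = {"admin", "test", "guest", "oracle", "tomcat"}  # vendor/test accounts
TEST_PACKAGES = {"gcc", "gdb", "tcpdump", "telnet"}                 # build/debug tooling
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh"}


def check_host(host, baselines=ZONE_BASELINES):
    """Return a list of findings; each is {'severity', 'rule', 'subject'}."""
    findings = []

    def add(severity, rule, subject):
        findings.append({"severity": severity, "rule": rule, "subject": subject})

    zone = baselines.get(host["zone"])
    if zone is None:
        add("high", "unknown-zone-class", host["zone"])
        return findings

    for acct in host["accounts"]:
        interactive = acct["shell"] in LOGIN_SHELLS
        if interactive and acct["name"] in DEFAULT_ACCOUNTS:
            add("high", "default-account-present", acct["name"])
        if interactive and acct["hash"] == "":           # empty password field
            add("high", "empty-password", acct["name"])
        if acct["uid"] == 0 and acct["name"] != "root":  # a second superuser
            add("high", "extra-uid0-account", acct["name"])

    for svc in host["services"]:
        if svc["name"] not in zone["allowed_services"]:
            add("medium", "service-not-in-zone-baseline", svc["name"])
        if svc["user"] == "root" and svc["name"] not in zone["may_run_as_root"]:
            add("high", "service-runs-as-root", svc["name"])

    # Test/debug software must go, unless it is kept for a documented self-test.
    for pkg in sorted(host["packages"] & TEST_PACKAGES):
        if pkg in host.get("self_test_exceptions", set()):
            add("info", "self-test-exception", pkg)
        else:
            add("medium", "test-package-installed", pkg)
    return findings


def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def production_ready(findings):
    """A host may go into IT service delivery only with no high findings."""
    return severity_counts(findings)["high"] == 0


# Constructed snapshot of a DMZ web host, as a provisioning tool might export it.
SAMPLE_HOST = {
    "hostname": "web01",
    "zone": "dmz",
    "accounts": [
        {"name": "root",  "uid": 0,    "shell": "/bin/bash",         "hash": "$6$abc"},
        {"name": "admin", "uid": 1000, "shell": "/bin/bash",         "hash": "$6$def"},
        {"name": "test",  "uid": 1001, "shell": "/bin/bash",         "hash": ""},
        {"name": "www",   "uid": 33,   "shell": "/usr/sbin/nologin", "hash": "*"},
    ],
    "services": [
        {"name": "nginx",   "user": "www"},
        {"name": "sshd",    "user": "root"},
        {"name": "telnetd", "user": "root"},
    ],
    "packages": {"nginx", "openssh-server", "gdb", "telnet", "tcpdump"},
    "self_test_exceptions": {"tcpdump"},
}

if __name__ == "__main__":
    for f in check_host(SAMPLE_HOST):
        print(f"{f['severity']:<6} {f['rule']:<30} {f['subject']}")
    print("production ready:", production_ready(check_host(SAMPLE_HOST)))
```

The zone class drives which services are acceptable at all and which may keep root privileges; the same snapshot evaluated against a different zone class yields different findings. Only findings rated high block the switch to IT service delivery, while medium findings are expected to be remediated through the change process and info findings document the self-test exception the standard permits.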

Primary External Support:

  • None

Security Patch Management (SPM)
Security Patch Management is the process responsible for the consolidated, proactive update of IT systems for which new potential vulnerabilities have been discovered and fixes are available. It applies to all IT systems, both customer-specific installations and general infrastructure.

Scope and Content:

  • Security Patch Management covers all IT systems and components used by the IT service provider for the provision of IT services to customers. This includes office workstations (e.g., Windows desktops, laptops) and the related central services (e.g., file servers, mail servers, domain controllers) on the one hand, and equipment for central IT services (e.g., Unix/Windows servers, web and application servers, databases) and networking (e.g., firewalls, routers, switches) on the other hand.
  • Security vulnerabilities in any IT systems and components can be exploited by attackers in order to penetrate the corresponding target system and thereby cause a security breach. Software updates (patches) remove many of these vulnerabilities.
  • The notification and analysis of vulnerabilities and planning of reactive measures are not covered here. This is subject to “Vulnerability Assessment and Mitigation Planning (VAM)”. Furthermore, the treatment of security incidents and related analysis is not covered here.

Goals and Objectives:

  • Manufacturers can fix vulnerabilities by providing software updates (patches). The proactive installation of critical security patches within a specified period considerably reduces the likelihood that a known vulnerability is exploited. Hence, security patch management contributes to effectively guaranteeing the operational availability, confidentiality and integrity of IT systems.
  • Security Patch management shall ensure that all systems have the right security level at the right time.
  • The process shall be simple and standardized as much as possible for all systems, using the standard Change and Problem Management (CPM) processes that trigger the application of security patches. The patch levels of all systems shall be evident at all times (refer to Asset and Configuration Management (ACM)). The reporting of patch levels is part of Logging, Monitoring and Security Reporting (LMR).
  • Business impact caused by system downtime shall be minimized.
  • Necessary patches not installed for any reason shall be identified and treated as risks.

Primary External Support:

  • Security Patch Management primarily builds on the change process described in “Change and Problem Management (CPM)” that triggers the application of security patches. Regular patches should be implemented as standard changes, and emergency patches as emergency changes.
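Two of the objectives above, that the patch level of every system is evident at all times and that necessary patches not installed are identified and treated as risks, amount to a reconciliation of the CMDB against the list of applicable fixes. The following is an added example written for this page, not part of the ESARIS standard: the CMDB extract, the advisory list (fixed version plus an internal deadline) and the risk-acceptance records are constructed sample data, and the advisory identifiers do not refer to any real vendor advisory.

```python
"""Patch-level reconciliation for Security Patch Management. Added example with
constructed data: the CMDB extract, the advisories (fixed version plus internal
deadline) and the risk-acceptance records are illustrative assumptions, not
content of the standard or any real vendor advisory."""
import re
from datetime import date


def parse_version(v):
    """Split a version string into numeric segments: '9.6p1' -> (9, 6, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", v))


def reconcile(cmdb, advisories, acceptances, today):
    """One record per (CI, advisory) whose fixed version is not yet installed.

    status: missing-due         fix exists, deadline not yet reached
            missing-overdue     deadline passed, patch still missing
            risk-accepted       documented, unexpired acceptance of the gap
            acceptance-expired  acceptance lapsed; treat as missing again
    """
    gaps = []
    for ci in cmdb:
        for adv in advisories:
            installed = ci["software"].get(adv["product"])
            if installed is None:
                continue                          # product not on this CI
            if parse_version(installed) >= parse_version(adv["fixed_in"]):
                continue                          # already at or above the fix
            acceptance = acceptances.get((ci["ci"], adv["id"]))
            if acceptance and acceptance["expires"] >= today:
                status = "risk-accepted"
            elif acceptance:
                status = "acceptance-expired"
            elif adv["due"] < today:
                status = "missing-overdue"
            else:
                status = "missing-due"
            gaps.append({"ci": ci["ci"], "advisory": adv["id"], "product": adv["product"],
                         "installed": installed, "fixed_in": adv["fixed_in"],
                         "severity": adv["severity"], "status": status})
    return gaps


def ci_status(cmdb, gaps):
    """Patch level per CI: compliant, accepted-risk (only accepted gaps) or non-compliant."""
    status = {ci["ci"]: "compliant" for ci in cmdb}
    for g in gaps:
        if g["status"] == "risk-accepted":
            if status[g["ci"]] == "compliant":
                status[g["ci"]] = "accepted-risk"
        else:
            status[g["ci"]] = "non-compliant"
    return status


# Constructed sample data. "due" is the internal deadline derived from severity.
ADVISORIES = [
    {"id": "ADV-2024-001", "product": "openssh",    "fixed_in": "9.6",    "severity": "critical", "due": date(2024, 2, 1)},
    {"id": "ADV-2024-002", "product": "nginx",      "fixed_in": "1.25.4", "severity": "high",     "due": date(2024, 3, 1)},
    {"id": "ADV-2024-003", "product": "postgresql", "fixed_in": "15.6",   "severity": "high",     "due": date(2024, 3, 15)},
]
CMDB = [
    {"ci": "web01", "software": {"openssh": "9.6p1", "nginx": "1.25.3"}},
    {"ci": "db01",  "software": {"openssh": "9.3p2", "postgresql": "15.5"}},
    {"ci": "app02", "software": {"openssh": "9.6p1", "nginx": "1.24.0"}},
]
# A gap accepted through the change process, with an owner and an expiry date.
RISK_ACCEPTANCES = {
    ("app02", "ADV-2024-002"): {"approved_by": "service owner", "expires": date(2024, 6, 30)},
}

if __name__ == "__main__":
    today = date(2024, 3, 10)
    gaps = reconcile(CMDB, ADVISORIES, RISK_ACCEPTANCES, today)
    for g in gaps:
        print(f"{g['ci']:<6} {g['advisory']} {g['product']:<11} {g['installed']:<7} -> {g['fixed_in']:<7} {g['status']}")
    print(ci_status(CMDB, gaps))
```

A gap that is not patched is never silently dropped: it is either overdue, still within its deadline, or covered by a risk acceptance that has an owner and an expiry date, and an expired acceptance turns the gap back into an open risk. The per-CI status is what the patch-level report described under Logging, Monitoring and Security Reporting would carry.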

Business Continuity Management (BCM)
Business Continuity Management provides precautions that minimize the impact of possible disruptions to IT service provisioning or of loss of data, including a timely and full recovery of service and data.
Note: This standard relates to IT service provisioning by the IT service provider only. No other business of the IT service provider and no business of the customer is considered. Refer to the scope of ESARIS in general.

Scope and Content:

  • IT systems may fail and data may be lost as the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions. Consequently, lost information must be recoverable. A combination of preventive and recovery controls is required to minimize the impact of possible disruptions or loss of data.

Goals and Objectives:

  • The design of any precaution requires the understanding of the subject and the priority. Hence, critical business processes shall be identified and known, along with the IT systems, components, and other resources necessary for them. The criticality of the processes, services, and resources needs to be assessed in terms of the business impact. This requires identification of reasons for discontinuity and the analysis of the consequences of disasters, security failures, loss of service, and service availability.
  • A plan should be developed and implemented to ensure the timely resumption of essential operations. Information security should be an integral part of the overall business continuity process and of the other management processes within the organization.
  • The plan should consider management requirements and resource and capacity planning relating to operations, staffing, materials, transport and facilities. The plan should also identify controls for identifying and proactively reducing risks or mitigating the impact of harmful incidents.
  • A process should be implemented, trained and tested for counteracting disruptions and recovering from the effects of major failures of information systems or disasters.

Primary External Support:

  • None