ICT Operational Management
The operational functions performed by an ICT team are part of a large body of processes and procedures relating to how technology services are delivered to the organisation. Many ICT teams choose to align with a recognised standard or framework to define how they operate in different situations. This may include guidelines on how the ICT team handles different support matters, how change in the technology environment is managed and how and when it is appropriate to perform system maintenance, etc.
There are several well-known standards that can be used to apply structure in this area, such as ITIL, ISO/IEC 20000-1, COBIT, TOGAF, etc. These standards all involve implementing a framework of best practices for delivering efficient ICT support services, and their aim is to enable the efficient, cost-effective delivery of technology service management.
While formal service management is considered useful to help businesses achieve their mission and vision with the right mix of ‘people, process and technology’, there is also a need to highlight the security processes carried out by the ICT team in the execution of their operational duties.
To complement whichever operational standards are in place, an ISMS should include a section on ICT Operational Management that focuses specifically on the security aspects of those operational practices. As a minimum, it should include guidelines on:
- Operating Procedures
- Asset Management
- Protection of Production Environments
- Backup and Restore
- General Housekeeping
- Monitoring and Auditing
- Vulnerability and Patch Management
Several of the ISMS topics in this section recommend policies that will influence technology user activity, with governance applied by the ICT function, e.g. monitoring adherence to the ‘Acceptable Use’ policies outlined earlier. However, much of what is included in this section deliberately concentrates on the ICT team’s own activity.
System administrators and others in the ICT team will often have elevated access privileges to allow them to carry out special maintenance functions. These privileges present additional risk if their security implications are not fully understood and appropriate preventive measures are not implemented.
The inclusion of relevant ICT operational management details in an ISMS ensures a security perspective is applied to routine activity carried out by the organisation’s technology service provider. Importantly, by including these responsibilities in the ISMS, there is greater visibility of exactly what practices are carried out by ICT with reference to the protection of the company’s technology assets. This will serve to emphasise the importance of security to all parts of the organisation and ensure that ICT operational activity receives the necessary focus in the effort to maintain a safe and secure environment.
In some cases, the ISMS will expand on the common-sense approach prescribed by the operational management standard by taking a security-specific stance, e.g. by insisting that encryption be used in the backup of sensitive or confidential data.
In other cases the ISMS will create new procedures that may otherwise be excluded from the standard ICT operating procedures, e.g. by specifying the need for a particular type of audit log review to ensure security incidents can be detected as early as possible.
Note that this section of the ISMS is not intended to be a replacement for a comprehensive ICT service management framework; it is expected to both complement and supplement the operational work done by the ICT team and to ensure security receives appropriate emphasis at all times.
More To Come...
Look out for the next instalment in this topic.