ICT Operational Management
The operational functions performed by an ICT team are part of a large body of processes and procedures relating to how technology services are delivered to the organisation. Many ICT teams choose to align with a recognised standard or framework to define how they operate in different situations. This usually includes guidelines on how the ICT team handles different support matters, how change is implemented in the technology environment, and when it is appropriate to perform system maintenance.
Several well-known standards exist that can be used to apply structure in this area. This includes: ITIL, ISO/IEC 20000-1, COBIT, TOGAF, etc. These standards all involve implementing a framework of best practices for delivering efficient ICT support services. Their aim is to enable the efficient, cost-effective delivery of technology service management.
Formal service management is considered useful to help businesses achieve their mission and vision with the right mix of ‘people, process and technology’. There is also a need to highlight the security processes carried out by the ICT team in the execution of their operational duties.
To complement whichever operational standards are in place, an ISMS should include a section on ICT Operational Management. This would focus specifically on the security aspects of those operational practices. As a minimum, it should include guidelines on:
- Operating Procedures
- Asset Management
- Protection of Production Environments
- Backup and Restore
- General Housekeeping
- Monitoring and Auditing
- Vulnerability and Patch Management
Several of the ISMS topics in this section recommend policies that will influence technology user activity, with governance applied by the ICT function. These would typically involve adherence to, and monitoring of, ‘Acceptable Use’ policies. However, much of what is included in this part of the ISMS deliberately concentrates on the ICT team’s own activity.
System administrators and other roles in ICT will often have elevated access privileges to allow them to carry out special maintenance functions. These privileges present additional risk if security implications are not fully understood. This makes it vital that appropriate preventive measures are implemented.
The inclusion of relevant ICT operational management details in an ISMS ensures a security perspective is applied to routine activity carried out by the organisation’s technology service provider. Importantly, including these responsibilities in the ISMS means there is greater visibility of exactly what security practices are carried out by ICT. This serves to ensure that ICT operational activity receives particular focus in the effort to maintain a safe and secure environment. In line with other content in the ISMS, it emphasises the importance of security to all parts of the organisation.
In some cases, the ISMS will expand on the common-sense approach prescribed by the operational management standard by taking a security-specific stance. For example, by insisting that encryption be used in the backup of sensitive or confidential data.
In other cases, the ISMS will create new procedures that may otherwise be excluded from the standard ICT operating procedures. For example, by specifying the need for a particular type of audit log review to aid the early detection of security incidents.
Note that this section of the ISMS is not intended to be a replacement for a comprehensive ICT service management framework. It is expected to complement and supplement the ICT operational work and to ensure security is emphasised at all times.
More To Come...
Look out for the next instalment in this topic.