Service Management Systems - What You Need to Know

Review from Part 1 – the SKMS. The whole point of an integrated service management system (SMS) is to strategically plan for, deliver and protect the business value of investments in Information Technology and services.

Security (cybersecurity) is a key part of the business value of every IT service provided to the enterprise, and it must be strategically accounted for throughout the IT investment value life cycle.

What is Service Management?

A holistic Service Management capability is achieved with a combination of

  • An integrated Service Management System (SMS) - Part 2, covered here in this post.

  • A supporting Service Knowledge Management System (SKMS) – Covered previously in Part 1.

Why have a Service Management System for Strategic and Proactive Cybersecurity?

Just like the SKMS (in Part 1), in the new age of Artificial Intelligence (AI), knowledge is wisdom.

If you don't have an integrated SMS operating model built for purpose, you cannot create, maintain, certify, audit, improve or leverage the interrelated data and knowledge assets that your organization produces and will need, strategically and proactively, to plan for and deliver the cybersecurity of the future. Without it, you will lack the data, information and strategic knowledge assets required to make real-time IT investment decisions about cybersecurity, the decisions that deliver real competitive advantage both in market share and in the operational margins that come from improved efficiency and effectiveness.

Is your organization seeking merely to survive AI and cyber threats, or to leverage them to become a disruptor or market leader despite them?

What is a Service Management System (SMS) Operating Model?

A Service Management System (SMS) is a structured, integrated and systematic approach, or IT operating model, used by organizations to manage the knowledge assets of the IT investment value lifecycle. It is critical to understand the SMS operating model components and practices that create, maintain and deliver cybersecurity management policy, strategy, objectives and desired outcomes, starting at IT service strategy, continuing through service planning, delivery and operation, and including the continuous improvement of services provided to the enterprise, its business lines, and their customers and/or clients.

It encompasses the policies, practices, procedures and resources aimed at ensuring the effective, efficient delivery of secure, cost-effective services that deliver enterprise strategies and outcomes while defending against, managing and/or mitigating cybersecurity events and business risks.

Cybersecurity interfaces with IT Service Management operation and delivery practices wherever security issues are involved. Such issues relate to the confidentiality, integrity and availability of data, as well as to the security of hardware and software components, documentation and procedures. For example: the ability to assess the impact of proposed changes on security; to raise Requests for Change (RFCs) in response to security events and problems; to ensure the confidentiality and integrity of security data; and to maintain security when software is released into production.

The SMS IT Investment Value Lifecycle

  1. Customer and Stakeholder Engagement: Engaging with customers and stakeholders is essential to understand their needs, gather feedback, and ensure that the services provided align with their expectations.

  2. Service Strategy: Provides guidance on how to view service management in the context of Business Architecture / Enterprise Architecture (EA), aligning IT to enterprise cybersecurity objectives not only as an organizational capability but as a strategic asset. It describes the principles underpinning the practice of service management, which are useful for developing service management and cybersecurity policies, guidelines and processes across the ITIL service value lifecycle, and it is informed by the engagement in #1 above.

  3. Service Planning and Design: This involves defining the scope and objectives of services and of their security, identifying customer needs and expectations, and designing the processes and resources needed to deliver those services effectively.

  4. Service Delivery: This phase involves the actual implementation and operation of services according to the (cybersecurity) plans and designs. It includes managing resources, handling customer interactions, and ensuring that services are delivered as promised.

  5. Service Monitoring and Control: Organizations need to continually monitor the performance (and security) of their services to ensure they meet agreed-upon levels of quality and availability. This includes tracking key performance indicators (KPIs), detecting and addressing issues, and making necessary adjustments.

  6. Service Improvement: Based on performance monitoring and feedback from customers and stakeholders, organizations should regularly assess their services and cybersecurity performance to look for ways to enhance them. This could involve identifying areas for improvement, making changes to processes, and implementing best practices.

  7. Documentation and Communication: Clear documentation of (cybersecurity) practices, processes, procedures, policies, and service agreements is crucial for maintaining consistency and transparency. Effective communication ensures that everyone involved is aware of roles, responsibilities, and expectations.

Here are a few Service Management practices you may be familiar with that are fundamental to operational cybersecurity delivery.

SMS IT Operating Practices that Support Cybersecurity

Each practice is listed with the capabilities it should provide and the rationale, phrased as the questions to ask of your own operation.

Change Management
  Capabilities:
    1. Security's relationship to the process
    2. Risk assessment and acceptance
    3. Change testing and planning
    4. BC/DR
  Rationale:
    1. Is security part of your authority model, i.e. a named approver?
    2. Does your risk assessment and acceptance include security-related components?
    3. Was there a change to the configuration, and has it been verified as secure?
    4. Does the change have any relationship to BC/DR? If yes, when is the change considered complete?

IT Asset Management
  Capabilities:
    1. Inventory of assets and the status of each
    2. End of life / end of support (EOL/EOS)
    3. Disposal
  Rationale:
    1. You can't secure what you can't identify.
    2. Is the asset still secure once it is no longer supported or patched?
    3. Was all data wiped or destroyed?

Incident Management
  Capabilities:
    1. Identifying security-related incidents
    2. Hierarchical escalation during a breach
    3. Protocols during a security-related Major Incident
    4. BC/DR
  Rationale:
    1. How are security incidents managed, during and after action?
    2. How are business and IT executives notified?
    3. Documentation and ownership of the major security incident
    4. When do you declare a security incident a disaster in order to keep the business going?

Service Configuration Management
  Capabilities:
    1. Secure builds
    2. Visibility into configuration item (CI) relationships and dependencies
  Rationale:
    1. Are our system and software configurations secure (CIS Benchmarks, NIST, etc.)?
    2. Are critical systems exposed?

Service Level Management
  Capabilities:
    1. Documented XLAs, SLAs, OLAs and UCs (experience, service and operational level agreements, and underpinning contracts)
    2. Effective and efficient secure services
  Rationale:
    1. Do all agreements with customers and users address security where needed? Where applicable, do they integrate back to the other processes (Incident, Change and Event Management, etc.)?
    2. Do scans, audits and remediation hurt service levels? Are they performed with service availability in mind?

Event Management
  Capabilities:
    1. Monitoring and alerting
    2. Actionable alert thresholds
  Rationale:
    1. Are clear event models defined for security-related alerts (e.g. actions, escalation)?
    2. Should the system take an automated action to stop the breach, e.g. shut down a system or a network segment?

Availability Management
  Capabilities:
    1. Service availability against security incidents
  Rationale:
    1. A clear understanding of the success of your cybersecurity program

Continuity Management
  Capabilities:
    1. Business Continuity and IT Continuity plan
  Rationale:
    1. Established and tested architecture, business and IT operational contingencies, with an escalation and communication plan based on event correlation (Event Management)

Identity and Access Management
  Capabilities:
    1. Implementing architecture, infrastructure and application development standards to ensure that only authorized individuals have access to systems and data
  Rationale:
    1. Are the data types of the service or application, and the regulations that apply to them, defined?
       • HIPAA
       • PCI DSS
       • GDPR (European Union regulations)
       • CCPA (California Consumer Privacy Act)
       • FERPA (Family Educational Rights and Privacy Act)
    2. Are clear user roles and responsibilities for using the service or application defined?
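The Event Management questions above (are event models defined for security alerts, are thresholds actionable, should the platform act on its own) are easiest to see as code. The following is an added example, not code from the page or from Burwood: a small Python evaluator that applies a hypothetical event model to constructed syslog-style lines. The event types, thresholds, escalation targets, the critical-host list and the log lines are all assumptions made for this example.

```python
"""Event model for security alerts: thresholds, escalation, automated action.

Added example; not code from the page or from Burwood. Event types,
thresholds, escalation targets, the critical-host list and the log lines are
all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One event model entry (ITIL levels: informational, warning, exception)."""
    event_type: str      # raw event category to match
    threshold: int       # occurrences per host within window_s => exception
    window_s: int        # sliding window in seconds
    escalate_to: str     # Incident Management hand-off target on exception
    auto_contain: bool   # may the platform isolate the host without a human?


# Hypothetical event model.
RULES: Dict[str, Rule] = {
    # brute-force noise: page the SOC, but never auto-isolate a host for it
    "auth_fail": Rule("auth_fail", threshold=5, window_s=60,
                      escalate_to="soc-tier1", auto_contain=False),
    # a confirmed detection: one event is enough, isolate immediately
    "malware_detected": Rule("malware_detected", threshold=1, window_s=1,
                             escalate_to="soc-tier2", auto_contain=True),
}

# Hosts where availability outweighs autonomous containment: isolation needs
# a named approver (the Change Management authority model).
CRITICAL_HOSTS = {"db-01"}


@dataclass(frozen=True)
class Decision:
    host: str
    event_type: str
    count: int         # peak events seen inside one sliding window
    level: str         # informational | warning | exception
    escalate_to: str   # "" when nobody is paged
    action: str        # none | isolate | isolate-pending-approval


def parse_line(line: str) -> Tuple[int, str, str]:
    """'<epoch> <host> <event_type> [details]' -> (epoch, host, event_type)."""
    ts, host, event_type = line.split(maxsplit=3)[:3]
    return int(ts), host, event_type


def peak_in_window(stamps: List[int], window_s: int) -> int:
    """Largest number of timestamps that fit inside any window_s-second span."""
    stamps = sorted(stamps)
    peak = start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window_s:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def evaluate(lines: List[str]) -> List[Decision]:
    """Apply the event model; returns one Decision per (host, event_type) seen."""
    buckets: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in lines:
        ts, host, event_type = parse_line(line)
        if event_type in RULES:          # uncovered event types are only logged
            buckets[(host, event_type)].append(ts)

    decisions = []
    for (host, event_type), stamps in sorted(buckets.items()):
        rule = RULES[event_type]
        peak = peak_in_window(stamps, rule.window_s)
        warn_at = max(2, (rule.threshold + 1) // 2)   # warning below exception
        if peak >= rule.threshold:
            level = "exception"
        elif peak >= warn_at:
            level = "warning"
        else:
            level = "informational"

        escalate_to = rule.escalate_to if level == "exception" else ""
        if level != "exception" or not rule.auto_contain:
            action = "none"
        elif host in CRITICAL_HOSTS:
            action = "isolate-pending-approval"
        else:
            action = "isolate"
        decisions.append(Decision(host, event_type, peak, level, escalate_to, action))
    return decisions


# Constructed syslog-style lines: "<epoch> <host> <event_type> <details>".
SAMPLE_LOG = [
    "1696924800 web-01 auth_fail user=admin src=203.0.113.7",   # 6 in 40 s
    "1696924805 web-01 auth_fail user=admin src=203.0.113.7",
    "1696924811 web-01 auth_fail user=root src=203.0.113.7",
    "1696924818 web-01 auth_fail user=admin src=203.0.113.7",
    "1696924826 web-01 auth_fail user=oracle src=203.0.113.7",
    "1696924840 web-01 auth_fail user=admin src=203.0.113.7",
    "1696924800 app-02 auth_fail user=svc src=198.51.100.9",    # 3 in 40 s
    "1696924820 app-02 auth_fail user=svc src=198.51.100.9",
    "1696924840 app-02 auth_fail user=svc src=198.51.100.9",
    "1696924900 db-01 malware_detected sig=Trojan.Generic path=/tmp/x",
    "1696924950 ws-17 malware_detected sig=Trojan.Generic path=C:/Users/x",
    "1696924960 web-01 cron_run job=backup",                    # not modelled
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_LOG):
        print(f"{d.host:7} {d.event_type:17} n={d.count} {d.level:13} "
              f"escalate={d.escalate_to or '-':9} action={d.action}")
```

Running it prints one decision per host and event type. Two design points mirror the questions in the table: failed logins escalate to a person but never auto-isolate, because shutting a server down over brute-force noise is exactly the service-level harm Service Level Management asks about; and a confirmed detection on a critical host is queued as isolate-pending-approval rather than executed, so containment there passes through the same authority model Change Management defines.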

Go to Part 1 – Get a debrief on the other half: Service Knowledge Management Systems



October 10, 2023