ITIL v2 discussed security very much as an afterthought and really included most of what was said about security in availability management. In fact, at one point well into the release of ITIL v2, a brief security add-on was included in the foundation syllabus. That describes it very well, as security in ITIL v2 had a very “add-on” and incomplete feel to it.
When ITIL v3 was release in 2003, an entirely new information security management process was added to the Service Design book. This reflects the importance that many organizations placed on effective security measures since the early 2000’s. Because ITIL is ultimately a reflection of how many organizations deliver their IT services, adding a process focused on security is in-line with the market trend. Security is important and will continue to be important for the foreseeable future.
ITIL v3 describes at a very high-level what a security process should most likely accomplish for an organization. This includes ensuring that information is:
- Available and usable
- Resistant to attacks
- Held confidentially
- Is authentic and protected against unauthorized modification
Furthermore, ITIL v3 goes on to describe what a functioning and healthy information security management system (ISMS) looks like as well as the various activities it performs. Although not necessarily the intent, it’s accurate to say that the ISMS ITIL v3 describes aligns nicely with what’s required in the ISO/IEC 27001 specification.
The point of ITIL v3’s information security management process is not to prescribe exactly how any organization should carry-out information security related activities, it’s to provide a mechanism through which an organization can better organize and control its approach to information security. Organizations that don’t adequately protect their information resources in a controlled and predictable fashion run a much higher risk of security-related impact to their business operations.
In summary, what ITIL says about security is basically what effective organizations do to minimize the risk of security-related business impacts. Following this set of best practices can help you.