Application security

Application security is the use of software, hardware, and procedural methods to protect applications from external threats. Once an afterthought in software design, security is becoming an increasingly important concern during development as applications become more frequently accessible over networks and are, as a result, vulnerable to a wide variety of threats. Security measures built into applications and a sound application security routine minimize the likelihood that unauthorized code will be able to manipulate applications to access, steal, modify, or delete sensitive data. Actions taken to ensure application security are sometimes called countermeasures. he most basic software countermeasure is an application firewall that limits the execution of files or the handling of data by specific installed programs. he most common hardware countermeasure is a router that can prevent the !" address of an individual computer from being directly visible on the !nternet. Other countermeasures include conventional firewalls, encryption#decryption programs, anti$virus programs, spyware detection#removal programs and biometric authentication systems. Application security can be enhanced by rigorously defining enterprise assets, identifying what each application does %or will do& with respect to these assets, creating a security profile for each application, identifying and prioritizing potential threats and documenting adverse events and the actions taken in each case. his process is known as threat modeling. !n this context, a threat is any potential or actual adverse event that can compromise the assets of an enterprise, including both malicious events, such as a denial$of$service %'oS& attack, and unplanned events, such as the failure of a storage device.
ITIL Security Management ITIL is not used to implement security but ITIL process may lead to enhanced security through controlled processes and ITIL Security Management will support ITIL process to take security into account. Security Management is the process of managing a defined level of security on information and IT services. Information security is achieved by implementing a suitable set of controls, which could be policies, practices, procedures, organizational structures and software functions. These controls need to be established to ensure that the specific security ob ectives of the organization are met. !IS" #$$%%&'(((). Some basics to note:
Security Management

Overview

Information Security Management dates back to the dawn of time. Cryptology, or the science keeping information confidential, is as old as civilisation itself and has occupied some of the most brilliant minds in the history of mathematics, especially (unfortunately) in times of war.

However, since the advent of today's ubiquitous communications networks, and the nternet in particular, the problems associated with information security have worsened considerably and affect almost all of us. !ut up your hand if your computer has never been infected by a virus, or you have never been sent spam, received unwanted telesales calls, had your personal data compromised, or worse, had your credit card number stolen. nformation is an integral part of any business and managing it correctly rests on three basic pillars"

Confidentiality" the information must only be accessible to its predefined recipients. Integrity" the information must be correct and complete. Availability" the information must be accessible when it is needed.
Security Management must, therefore, ensure that the information is correct and complete, that it is always available for business purposes and that it is only used by the people who are authorised to do so.

Security Management

Introduction and Objectives

#he main ob$ectives of Security Management may be summarised as"

%esigning a security policy (in collaboration with customer and suppliers) that is aligned with the
needs of the business.

&nsuring compliance with the agreed security standards. 'inimising the security risks threatening continuity of service.
!roper Security Management is not the (sole) responsibility of (security e)perts( who are unaware of other business processes. *alling into the temptation to establish security as a priority in its own right can limit the business opportunities offered by the flow of information between the different players involved and the opportunity to open up new networks and channels of communication. Security Management needs to have an in+depth knowledge of the business and the services the # organisation provides in order to establish security protocols ensuring that the information is accessible when needed by those people with authorisation to use it. ,nce the business's security requirements have been ascertained, Security Management must oversee that these are correctly set out in the relevant SLAs so that fulfillment of them can be ensured.

Security Management should also take into account the general risks to which the # infrastructure is e)posed, and which are not necessarily stated in an SLA, so as to ensure, as far as possible, that these risks do not represent a danger to service continuity. t is important for Security Management to be proactive and evaluate in advance the security risks that may arise from changes made to the infrastructure, new lines of business, etc.

#he main benefits of proper Security Management are"

nterruptions to service caused by viruses, computers being hacked into, etc. are avoided. #he number of incidents is minimised. nformation is accessible when it is needed and data integrity is preserved. %ata confidentiality, and the privacy of customers and users, is preserved. -egulations on data protection are complied with. #he perception customers and users have of the quality of service, and their confidence in it, is
improved. #he main difficulties when implementing Security Management may be summarised as"

 #here is insufficient commitment to the process from all the members of the # organisation. &)cessively restrictive security policies are established, with a negative effect on the business. #he tools needed to monitor and guarantee the security of the service (firewalls, antivirus software,
etc.) are not available.

.taff are not given adequate training to be able to apply security protocols. #here is a lack of coordination between the different processes, making it impossible to evaluate the
risks properly.

Security Management

Process

Security Management is closely related to practically all other # processes and needs the cooperation of the whole organisation in order to be a success. *or this collaboration to be effective it is necessary that Security Management"

&stablishes a clear and well defined security policy that serves as a guide to all the other processes. %raws up a Security Plan that includes all the appropriate levels of security in both the services
provided to customers and those service agreements signed with internal and e)ternal service providers.

mplements the Security Plan. 'onitors and evaluates compliance with the plan. !roactively supervises the levels of security by analysing trends, new risks and vulnerabilities. !eriodically conducts security audits.

Relationship with other ITIL processes

Security Management

Security Policy

t is essential to have a general framework in which to set all the subprocesses associated with Security Management. ts comple)ity and intricate interrelationships call for a clear global policy defining aspects such as the ob$ectives, responsibilities and resources. n particular the Security Policy has to define"

#he relationship with the general business policy. Coordination with other # processes. #he protocols for access to information. #he risk assessment procedures.

 #raining programmes. #he level of monitoring of security. /hat reports need to be issued periodically. #he scope of the Security Plan. #he structure and people responsible for the Security Management process. #he processes and procedures employed. #he people in charge of each subprocess. #he internal and e)ternal security auditors. #he necessary resources" software, hardware and staff.

Security Plan
#he aim of the Security Plan is to set the levels of security that need to be included as a part of the SLAs, OLAs and UCs. #his plan has to be drawn up on cooperation with Service Level Management, which is ultimately responsible for both the quality of the service delivered to customers and the service received by the # organisation and e)ternal suppliers. #he Security Plan has to be defined in such a way as to offer a better and more secure service to customers and never as an obstacle to developing their business activities. /henever possible, key metrics and indicators should be defined to allow the agreed levels of security to be evaluated. 0n essential aspect to take into account is establishing consistent security protocols covering all the phases of the service and all the levels involved. (0 chain is only as strong as its weakest link(, so it makes no sense, for e)ample, to establish strict access standards if an application has vulnerabilities to .12 in$ections. #his may enable you to fool some of your customers for a while by giving them an image of strength, but this will be worth little if someone discovers that the back door is open.

Security Management

Applying Security Measures

3o matter how good your security planning is, it will be useless if the envisaged measures are not put into practice. t is the responsibility of Security Management to coordinate the implementation of the security protocols and measures established in the Security Policy and the Security Plan. *irst of all, Security Management must verify that"

#he staff know and accept the established security measures and their responsibilities regarding
security.

&mployees sign confidentiality agreements relevant to their post and responsibility. #he relevant training is given.
Security Management is also directly responsible for"

0ssigning the resources necessary. 4enerating the necessary reference documentation. Collaborating with the Service
related incidents. es! and Incident Management to handle and resolve security+

nstalling and maintaining the hardware and software tools necessary to ensure security.

 Collaborating with C"ange Management and #elease Management to ensure that new
vulnerabilities are not introduced into live systems or test environments.

!roposing #$Cs to C"ange Management with a view to enhancing security. Collaborating with Service Continuity Management to ensure that the integrity and
confidentiality of the data are not compromised in the event of a disaster.

&stablishing the policies and protocols for access to information. 'onitoring the networks and online services to detect intruders and attacks.
t is necessary for the company's management to recognise the authority of Security Management in relation to these issues and to allow .ecurity 'anagement to propose binding disciplinary measures when employees or other personnel concerned with the security of the services fail to comply with their obligations.

Security Management

%valuation and Maintenance

%valuation
t is impossible to improve something you don't know about. t is therefore essential to evaluate compliance with the security measures, their results and the level of compliance with SLAs. 0lthough not essential, it is advisable for these evaluations to be backed up by e)ternal and5or internal security audits conducted by people who are independent from Security Management. #hese evaluations5audits should assess the performance of the process and put forward improvements. #hese will be set out in #$Cs& w"ic" will be sent for evaluation by C"ange Management. ndependently from these periodic evaluations, independent reports should be produced each time a serious security+related incident occurs. 0gain, if Security Management sees fit, these reports will be accompanied by the relevant #$Cs.

Maintenance
Security Management is a continuous process and the Security Plan and security+related sections of the SLAs need to be kept up+to+date. Changes in the Security Plan and the SLAs may be a result of the evaluation referred to above, or of changes made to # infrastructure or services. #here is nothing so dangerous as the false sense of security that obsolete security measures give. t is also important that Security Management is up+to+date regarding new risks and vulnerabilities caused by viruses, spyware, denial of service attacks, etc. and that the necessary hardware and software upgrades are made. #he human aspect should also not be overlooked" the human element is usually the weakest link in the chain.

Security Management

Controlling t"e Process

0s with all other # processes, it is necessary to rigorously control the process in order to ensure that Security Management fulfills its ob$ectives. 4ood Security Management should translate into"

-educing the number of security+related incidents. &fficient access to information by authorised personnel. !roactive management allowing potential vulnerabilities to be identified before they manifest
themselves or cause a serious degradation to the quality of service.

!reparing effective reports makes it possible to assess the performance of Security Management and provides vitally important information to other areas of # infrastructure. n particular, the documentation generated should include"

nformation on compliance with the security+related aspects of the SLAs, OLAs and UCs in force. 2ist of security+related incidents classified in terms of their impact on the quality of service. 0n evaluation of the training courses given and the results obtained. dentification of new threats and vulnerabilities faced by the # infrastructure. .ecurity audits. -eports on the level of implementation and fulfillment of the security plans in place.