The Need for Change Management
The increased security concerns within the IT sector have a direct consequence on the number of changes requested (e.g., patch installations to fix vulnerabilities, configuration changes to block an attachment, etc.). Very often those changes are planned, driven by security or compliance requirements, the introduction of new technologies or other shifts, but sometimes the changes are driven by urgency when IT systems are under attack.
In any case, proper governance of those changes cannot be treated as secondary to the security incident itself. In fact, a lack of governance would ultimately result in the interruption or disruption of service, which impacts business processes anyway. Effective governance can be achieved by integrating the security framework with the service management processes. This is a fairly general concept, although excellent existing guidelines can be found. Let me share what I think are the most important practices to consider when designing a service.
Best Practices to Handle Change in Security
1. Managing Reactions Within a Service Management Structure
If the responsibilities of security information and event management (SIEM) are to identify offenses and recommend particular reactions, the best practice is to have the resulting change submitted through a proper change management process. The offense managed via the SIEM has to be transformed into an incident managed with a service desk tool. Change management can only be effective with a clear knowledge of the enterprise configuration. In fact, whether the change can be performed or not depends on the configuration of the assets involved and on the relationships between them.
2. Risk Management
If the previous section was about mitigating the risk of disruption caused by an unauthorized change, the objective of this section is to analyze the opposite aspect: managing change must take into consideration the possible effect of a change on the enterprise in terms of security. Changes can sometimes be required in emergency situations, where they are approved by an emergency review board, so the CISO needs to provide an answer quickly. Having a risk management tool integrated into the SIEM platform makes the integration of service management into the security framework that much more effective.
3. Integrating With Business Service Management
Very often the cost of a security incident is difficult to estimate, particularly if we consider factors such as brand reputation and other long-term impacts. Nevertheless, there are elements that can be predicted easily, and this information can be used as the basis for a decision.
Which elements of the service are impacted, and what is the cost of interrupting that service? If a security incident can be translated into an event to be processed by the business service manager, and if the business service manager has visibility into the asset configurations, their relationships and the architecture of the service, then the impact of an incident, and of any resulting service level agreement violation, can be sized. While this does not capture the full cost of the security incident, it is something that can be used to make the proper decision.
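The workflow described in sections 1 and 3 (SIEM offense becomes an incident, the incident proposes a change, and the change is assessed against the asset relationships before it is approved) can be sketched in code. The following is an added example, not code from the article or from any SIEM or service desk product; the asset graph, the SLA costs, the severity threshold and all identifiers are constructed for illustration.

```python
"""Change impact check against a CMDB-style asset dependency graph (added example).

A SIEM offense is turned into an incident ticket that proposes a change on one
asset. Before approval, the asset relationship graph is walked to find every
business service that depends on the asset, the SLA exposure is summed, and the
request is routed to the standard change board or the emergency review board.
"""
from collections import deque
from dataclasses import dataclass, field

# Constructed CMDB extract: asset -> assets that depend on it.
# Business services are the "svc-*" nodes at the top of the dependency chain.
CMDB_DEPENDENTS = {
    "fw-edge": ["web-01", "web-02"],
    "web-01": ["svc-portal"],
    "web-02": ["svc-portal", "svc-payments"],
    "db-01": ["app-01"],
    "app-01": ["svc-payments"],
    "svc-portal": [],
    "svc-payments": [],
}

# Constructed business service data: hourly cost of breaching each SLA.
SLA_COST_PER_HOUR = {"svc-portal": 500.0, "svc-payments": 4000.0}


@dataclass
class Offense:
    offense_id: str
    asset: str
    severity: int  # 1..10, as a SIEM might score it (assumed scale)


@dataclass
class ChangeRequest:
    incident_id: str
    asset: str
    action: str
    impacted_services: list = field(default_factory=list)
    sla_exposure_per_hour: float = 0.0
    approval_path: str = "standard"


def impacted_services(asset, graph=CMDB_DEPENDENTS):
    """Breadth-first walk over the dependents of `asset`; returns the sorted list
    of business services reachable from it (transitive impact)."""
    seen = {asset}
    queue = deque([asset])
    services = set()
    while queue:
        node = queue.popleft()
        if node.startswith("svc-"):
            services.add(node)
        for dependent in graph.get(node, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return sorted(services)


def offense_to_change(offense, action, emergency_threshold=8, graph=CMDB_DEPENDENTS):
    """Transform a SIEM offense into an incident-backed change request.

    An asset the CMDB does not know cannot be assessed, so the request is
    blocked rather than routed: without configuration knowledge the change
    cannot be safely performed.
    """
    cr = ChangeRequest(incident_id=f"INC-{offense.offense_id}",
                       asset=offense.asset, action=action)
    if offense.asset not in graph:
        cr.approval_path = "blocked-unknown-asset"
        return cr
    cr.impacted_services = impacted_services(offense.asset, graph)
    cr.sla_exposure_per_hour = sum(SLA_COST_PER_HOUR.get(s, 0.0)
                                   for s in cr.impacted_services)
    # High-severity offenses go to the emergency review board; the rest follow
    # the standard change advisory process.
    cr.approval_path = "emergency" if offense.severity >= emergency_threshold else "standard"
    return cr


def estimated_sla_cost(cr, outage_hours):
    """Predictable part of the incident cost: SLA exposure times expected outage."""
    return cr.sla_exposure_per_hour * outage_hours


if __name__ == "__main__":
    cr = offense_to_change(Offense("4711", "fw-edge", 9), "block malicious attachment source")
    print(cr.incident_id, cr.approval_path, cr.impacted_services,
          estimated_sla_cost(cr, outage_hours=2))
```

The graph walk is the part worth keeping: the cost figure is only the easily predictable element of the impact, but the list of transitively affected services is what tells the change board whether the proposed action is safe to perform at all.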