ITIL Security Management - The Security Management Process - Evaluation

Evaluation

The evaluation of the implementation and the plans is very important. It is needed to measure the success of the implementation and of the security plans, and it is also very important for the clients (and possibly third parties). The results of the Evaluation sub-process are used to maintain the agreed measures and the implementation itself. Evaluation results can lead to new requirements and so to a Request for Change. The Request for Change is then defined and sent to the Change Management process.

There are mainly three sorts of evaluation: the self assessment, the internal audit, and the external audit.

The self assessment is mainly carried out within the organization of the processes. The internal audits are carried out by internal IT auditors and the external audits by external, independent IT auditors. Besides the evaluations already mentioned, an evaluation based on the communicated security incidents also takes place. The most important activities for this evaluation are the security monitoring of IT systems; verifying whether the security legislation and the implementation of the security plans are complied with; and tracing and reacting to undesirable use of the IT supplies.

The activities that take place in the Evaluation sub-process are summed up in the following table (Table 2.4.1). The table contains the name of the (sub-)activity and a short definition of the activity.

| Activity | Sub-activity | Description |
|----------|--------------|-------------|
| Evaluate | Self assessment | In this process an examination of the implemented security agreements is done by the organization of the process itself. The result of this process is SELF ASSESSMENT DOCUMENTS. |
| | Internal audit | In this process an examination of the implemented security agreements is done by an internal EDP auditor. The result of this process is INTERNAL AUDIT. |
| | External audit | In this process an examination of the implemented security agreements is done by an external EDP auditor. The result of this process is EXTERNAL AUDIT. |
| | Evaluation based on security incidents | In this process an examination of the implemented security agreements is done based on security events that are not part of the standard operation of a service and that cause, or may cause, an interruption to, or a reduction in, the quality of that service. The result of this process is SECURITY INCIDENTS. |
| | Reporting | In this process the whole Evaluate implementation process is documented in a specific way. This process ends with REPORTS. |

Table 2.4.1: (Sub) activities and descriptions Evaluation sub-process ITIL Security Management

Figure 2.4.1: Process-data model Evaluation sub-process

The process-data diagram illustrated in Figure 2.4.1 consists of a meta-process model and a meta-data model. The Evaluation sub-process was modeled using the meta-modeling technique. The dotted arrows running from the meta-process diagram (left) to the meta-data diagram (right) indicate which concepts are created or adjusted in the corresponding activities. All of the activities in the Evaluation phase are standard activities. For a short description of the Evaluation phase concepts, see Table 2.4.2, where the concepts are listed and defined.

| Concept | Description |
|---------|-------------|
| EVALUATION | Evaluated/checked implementation. |
| RESULTS | The outcome of the evaluated implementation. |
| SELF ASSESSMENT DOCUMENTS | Result of the examination of the security management by the organization of the process itself. |
| INTERNAL AUDIT | Result of the examination of the security management by the internal EDP auditor. |
| EXTERNAL AUDIT | Result of the examination of the security management by the external EDP auditor. |
| SECURITY INCIDENTS DOCUMENTS | Results of evaluating security events that are not part of the standard operation of a service and that cause, or may cause, an interruption to, or a reduction in, the quality of that service. |

Table 2.4.2: Concept and definition evaluation sub-process Security management
