IT Policy & Management


Organizations frequently must evaluate and select a variety of information technology (IT) security services in order to maintain and improve their overall IT security program and enterprise architecture. IT security services, which range from security policy development to intrusion detection support, may be offered by an IT group internal to an organization or by a growing group of vendors. Organizations can benefit when choices among services and service providers stimulate competition and bring innovation to the marketplace. However, it is difficult to determine service provider capabilities, measure service reliability, and navigate the many complexities involved in security service agreements. Individuals who are responsible for selecting, implementing, and managing IT security services for an organization must carefully evaluate their options before selecting resources that will be entrusted to meet their particular IT security program requirements. The factors to be considered when selecting, implementing, and managing IT security services include: the type of service arrangement; service provider qualifications, operational requirements and capabilities, experience, and viability; the trustworthiness of service provider employees; and the service provider’s capability to deliver adequate protection for the organization’s systems, applications, and information. These considerations apply (to varying degrees) to every service, depending on the size, type, complexity, cost, and criticality of the services being considered and the specific needs of the organization implementing or contracting for the services.

The Guide to Information Technology Security Services, Special Publication 800-35, provides assistance with the selection, implementation, and management of IT security services by guiding organizations through the various phases of the IT security services life cycle. This life cycle provides a framework that enables the IT security decision-makers to organize their IT security efforts—from initiation to closeout. The systematic management of the IT security services process is critically important. Failure to consider the many issues involved and to manage the organizational risks can seriously impact the organization. IT security decision-makers must think about the costs involved and the underlying security requirements, as well as the potential impact of their decisions on the organizational mission, operations, strategic functions, personnel, and service provider arrangements. The six phases of the IT security life cycle are:

  • Phase 1: Initiation—the organization determines if it should investigate whether implementing an IT security service might improve the effectiveness of the organization’s IT security program.

  • Phase 2: Assessment—the organization determines the security posture of the current environment using metrics and identifies the requirements and viable solutions.

  • Phase 3: Solution—decision-makers evaluate potential solutions, develop the business case and specify the attributes of an acceptable service arrangement solution from the set of available options.

  • Phase 4: Implementation—the organization selects and engages the service provider, develops a service arrangement, and implements the solution.

  • Phase 5: Operations—the organization ensures operational success by consistently monitoring service provider and organizational security performance against identified requirements, periodically evaluating changes in risks and threats to the organization, and ensuring the organizational security solution is adjusted as necessary to maintain an acceptable security posture.

  • Phase 6: Closeout—the organization ensures a smooth transition as the service ends or is discontinued.

We assist businesses with training on IT Policy and Management.