Pau Lo
asked on
Is ITIL an audit benchmark for vulnerability management
Is ITIL more geared towards audit as opposed to vulnerability assessment?
Say for example if you looked at a set of web servers and found they were insecure due to multiple vulnerabilities, it is really an "as is" type review, as opposed to an "how things came to be this way", which I guess ITIL procedures could provide?
So could ITIL be used to identify "How things came to be that way" for security issues? If so are there any specific ITIL modules that focus specifically on security and security management?
Say for example if you looked at a set of web servers and found they were insecure due to multiple vulnerabilities, it is really an "as is" type review, as opposed to an "how things came to be this way", which I guess ITIL procedures could provide?
So could ITIL be used to identify "How things came to be that way" for security issues? If so are there any specific ITIL modules that focus specifically on security and security management?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
And im not after a course of qualifacation either.
No ITIL don't have Access management, account managemnt, patch management, .... it might talk about for better system development. if you are looking for such tools or references you should check ISO standards, or refer to the mentioned above courses they have what you need.
ASKER
Any specific ISO standard?
I am after the management processes and a benchmark that can be used that will identify "How things came to be so insecure".
Surely there must exist such in the year 2012.
I am thinking NIST may be more what we are after.
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
I am after the management processes and a benchmark that can be used that will identify "How things came to be so insecure".
Surely there must exist such in the year 2012.
I am thinking NIST may be more what we are after.
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Yup NIST is one of the standards organizations and you can follow their standards and procedures.
For ISO refer to ISO 27000 standards, below is the link:
http://www.27000.org/
For ISO refer to ISO 27000 standards, below is the link:
http://www.27000.org/
ASKER
My question is what do you check to identify "how this came to be", what benchmarks or platofrms can be used in this area? ITIL seems to have access mgmt, account mgmt, patch mgmt etc.
I dont think waiting for a vuln assessment to flag up problems then apply quick fixes is a very good practice at all. They should serve as assurance or identify anything overlooked, but not be the justifacation to start doing things properly.