Solved

Is ITIL an audit benchmark for vulnerability management

Posted on 2012-03-12
6
713 Views
Last Modified: 2012-03-15
Is ITIL more geared towards audit as opposed to vulnerability assessment?
Say for example if you looked at a set of web servers and found they were insecure due to multiple vulnerabilities, it is really an "as is" type review, as opposed to an "how things came to be this way", which I guess ITIL procedures could provide?

So could ITIL be used to identify "How things came to be that way" for security issues? If so are there any specific ITIL modules that focus specifically on security and security management?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 6

Accepted Solution

by:
ashunnag earned 500 total points
ID: 37709559
ITIL is not security or security management course! it is a library of best practices and guidelines on how to develop and maintain you IT systems and make it align with business.

It contains modules about managing your services you offer to your clients or customers, how to develop them, provide them, maintain SLA and enhance your services continually.

if your looking for security audit and vulnerability, check CompTIA Sercurity+, CISM, or CISSP. these will help you alot.
0
 
LVL 3

Author Comment

by:pma111
ID: 37709630
What I was getting at however was, a pen test or vuln assessment just shows "as is - i.e. here are your security weaknesses", not "how this came to be - through poor patch mgmt/hardening/account mgmt these problems arose".

My question is what do you check to identify "how this came to be", what benchmarks or platofrms can be used in this area? ITIL seems to have access mgmt, account mgmt, patch mgmt etc.

I dont think waiting for a vuln assessment to flag up problems then apply quick fixes is a very good practice at all. They should serve as assurance or identify anything overlooked, but not be the justifacation to start doing things properly.
0
 
LVL 3

Author Comment

by:pma111
ID: 37709632
And im not after a course of qualifacation either.
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 
LVL 6

Expert Comment

by:ashunnag
ID: 37709839
No ITIL don't have Access management, account managemnt, patch management, .... it might talk about for better system development. if you are looking for such tools or references you should check ISO standards, or refer to the mentioned above courses they have what you need.
0
 
LVL 3

Author Comment

by:pma111
ID: 37709965
Any specific ISO standard?

I am after the management processes and a benchmark that can be used that will identify "How things came to be so insecure".

Surely there must exist such in the year 2012.

I am thinking NIST may be more what we are after.

http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
0
 
LVL 6

Expert Comment

by:ashunnag
ID: 37713561
Yup NIST is one of the standards organizations and you can follow their standards and procedures.

For ISO refer to ISO 27000 standards, below is the link:
http://www.27000.org/
0

Featured Post

Are Your IoT Devices Out to Get You?

IoT business is booming, with manufacturers connecting any and every “thing” to the Internet. But as pressure grows to release new products faster and faster, we’re all left to wonder: is security a priority? Join our webinar on June 29th for the answer.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article investigates the question of whether a computer can really be cleaned once it has been infected, and what the best ways of cleaning a computer might be (in this author's opinion).
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question