Is ITIL an audit benchmark for vulnerability management

Is ITIL more geared towards audit as opposed to vulnerability assessment?
Say for example if you looked at a set of web servers and found they were insecure due to multiple vulnerabilities, it is really an "as is" type review, as opposed to an "how things came to be this way", which I guess ITIL procedures could provide?

So could ITIL be used to identify "How things came to be that way" for security issues? If so are there any specific ITIL modules that focus specifically on security and security management?
LVL 4
pma111Asked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ashunnagCommented:
ITIL is not security or security management course! it is a library of best practices and guidelines on how to develop and maintain you IT systems and make it align with business.

It contains modules about managing your services you offer to your clients or customers, how to develop them, provide them, maintain SLA and enhance your services continually.

if your looking for security audit and vulnerability, check CompTIA Sercurity+, CISM, or CISSP. these will help you alot.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
pma111Author Commented:
What I was getting at however was, a pen test or vuln assessment just shows "as is - i.e. here are your security weaknesses", not "how this came to be - through poor patch mgmt/hardening/account mgmt these problems arose".

My question is what do you check to identify "how this came to be", what benchmarks or platofrms can be used in this area? ITIL seems to have access mgmt, account mgmt, patch mgmt etc.

I dont think waiting for a vuln assessment to flag up problems then apply quick fixes is a very good practice at all. They should serve as assurance or identify anything overlooked, but not be the justifacation to start doing things properly.
pma111Author Commented:
And im not after a course of qualifacation either.
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

ashunnagCommented:
No ITIL don't have Access management, account managemnt, patch management, .... it might talk about for better system development. if you are looking for such tools or references you should check ISO standards, or refer to the mentioned above courses they have what you need.
pma111Author Commented:
Any specific ISO standard?

I am after the management processes and a benchmark that can be used that will identify "How things came to be so insecure".

Surely there must exist such in the year 2012.

I am thinking NIST may be more what we are after.

http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
ashunnagCommented:
Yup NIST is one of the standards organizations and you can follow their standards and procedures.

For ISO refer to ISO 27000 standards, below is the link:
http://www.27000.org/
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Security

From novice to tech pro — start learning today.