snowmoore

Author's Note (August 2016)

With ServiceNow offering Security Operations (which is a great move), I wanted to share an article I wrote about how individuals well versed in the principles of ITSM can get their heads around Security-based engagements.

I wrote this article in the late summer of 2014 for Fruition Partners, so some of the examples are a bit dated, but they are definitely timely. Hopefully you find this useful.

Applying IT Service Management Beyond IT- Corporate Security and Crisis Management

Originally Published on August 25, 2014 (Fruition Partners)

In the last few months, I've engaged in numerous discussions about how the ServiceNow platform can be configured to support Corporate Security and Crisis Management.

One example is a company within the restaurant space.

On the surface, "Corporate Security" and "Crisis Management" may sound a bit excessive and overblown; however, with a restaurant chain, occurrences such as food illnesses, robberies, social unrest (protests), medical emergencies, and data breaches at the corporate level can cripple an operation and ravage the organization's brand (some restaurant examples will be illustrated later in the article).

Additionally, a lack of security awareness within any organization and in any industry can have a devastating effect.

To provide an example, Target Corporation (NYSE: TGT) received a devastating hit when it was announced the organization experienced a data breach of its customers' credit and debit card information during the 2013 holiday shopping season. The aftermath was staggering and the repercussions are still being felt.

Based on a Washington Post article published on Feb 26, 2014, the "…December data breach that enabled the theft of millions of customers' payment information" had helped drag Target's fourth-quarter profit down 46 percent to $520 million. "The massive cyber attack has already cost the retailer $17 million. The final tally will be bigger, Target said, though it's unclear by how much" (Reporter: Amrita Jayakumar — Washington Post).

Whether or not the Target scenario could have been avoided, or the damage mitigated by a more proficient response, is up for debate; however, any corporation is susceptible to this type of threat as well as other adverse scenarios such as weather, crime, social unrest, and internal issues (waste, fraud, and mismanagement). As a result, a comprehensive and easy-to-use Corporate Security solution is just as vital as an IT Service Management solution when it comes to protecting an organization's brand, assets, and (most importantly) employees.

IT Service Management has been mentioned within this article on purpose. A capable Corporate Security solution will apply processes that are commonly found within ITIL. This is not a coincidence since the principles for managing an IT infrastructure can be applied to protecting an organization or even a community.

With regard to the Corporate Security solution, the following diagram (see image) provides an overview of how an Incident can be managed as a crisis and then transitioned to an Investigation phase. Additionally, as the Corporate Security solution expands, key data (Intelligence) can be leveraged to assist with providing timely information to the Crisis Desk and investigators.

[Diagram: overview of the Corporate Security solution, showing Crisis Desk/Incident, Investigation, and Intelligence]

Here is an overview of key areas within a Corporate Security solution that encompass Crisis Desk/Incident, Investigation, and Intelligence.

CRISIS MANAGEMENT (ITIL EQUIVALENT: INCIDENT MANAGEMENT)

The natural starting point for a Corporate Security deployment is the Crisis Desk (Incident Management). Today, it is common, and surprising, to find many corporations relying upon email, spreadsheets, or legacy solutions to track and respond to significant events that impact the organization. In that regard, these organizations miss the opportunity to track events, document outcomes, and build a history to allow for improved responses and increased risk avoidance.

For an organization like a restaurant corporation, an Incident can range from common and routine occurrences, such as a potential safety issue (e.g. a broken service door lock), to something quite significant and potentially hazardous, such as serious weather; crime (e.g. assault, robbery, etc.); food illness (e.g. the 1993 Jack-in-the-Box E. coli fatalities); and social/political unrest (e.g. the night of August 9/10, 2014, when protesters in Ferguson, MO, after being tear gassed by police, broke through a window to gain entry into the McDonald's).

In all occurrences, it is the Crisis Desk's responsibility to track and document the event and, more importantly, to provide instructions to ensure employee and guest safety when necessary. In that regard, many well-organized Corporate Security teams have developed playbooks that are taught to employees and followed by the Crisis Desk. A solid Incident Management solution, for a Crisis Desk, will automatically present the appropriate playbook based on the Incident type.

Additionally, the Crisis Desk is a communication hub responsible for managing responses based on the Incident type. For a mundane event such as a door lock repair, the Crisis Desk would hand this to facilities, while a significant issue such as social unrest may need to include communication to franchise owners and local media. In both cases, the incident must be documented and the communication tasks must be identified and managed.

Finally, to tie the IT Service Management concept to the Corporate Security offering, Corporate Security Incident Management does follow the IT Incident Management process closely; however, it is important to note that there are significant differences with regard to tracking specific data, response times, and the definition of when an Incident is resolved.

INVESTIGATION MANAGEMENT (ITIL EQUIVALENT: PROBLEM MANAGEMENT)

When the words "Corporate" and "Investigation" are brought together, terms like "Witch hunt" and "Inquisition" can pop into people's minds. This can be a legitimate concern if an organization does not conduct investigations properly or allows emotional, unfair, or unjust inquiries to occur.

The primary purpose of any corporate investigation, especially after an occurrence that involved employee or guest safety, is to determine the root cause of the occurrence and to determine how to avoid future occurrences. In doing so, the investigator will review whether proper established procedures were followed. Additionally, the investigator will look for opportunities to recommend improvements.

A tragic example is the July 1997 Georgetown Starbucks murder of three employees during a botched robbery (Washington Post — March 17, 1999 — Full Text: "Starbucks Affidavit"). While Starbucks could not have prevented the actions of the gunman, the company did conduct its own investigation. Based on their internal investigation, the company reinforced its employee security policy on what to do during a robbery (stressing employee safety first). Additionally, Starbucks has established mandatory monthly safety and security training for all of its stores (Starbucks' Corporate Social Responsibility Fiscal 2003 Annual Report).

It is also important to note that an investigation doesn't have to be reactive (based on an Incident). The organization can direct Corporate Security to conduct proactive audits that will follow the same investigation process.

For an Investigation or an Audit, the key steps to successfully complete the work begin with planning the investigation/audit. Next is to assign a lead investigator/auditor and allow them to conduct their work. Once they conclude their work, leadership can conduct a formal review of the findings (which may include an approval process). Depending on the Investigation/Audit, the findings may need to be released to the organization and to the public.

With regard to tying IT Service Management to Corporate Investigation, it is similar to Problem Management since the purpose of the Investigation is to determine root cause or responsibility for an adverse (or potentially adverse) occurrence (e.g. the root cause of a data breach or a review of a vendor's supply chain). The Investigation or Audit will require managing the planning, assignment, data gathering, and documentation of an inquiry or audit.

INTELLIGENCE MANAGEMENT (ITIL EQUIVALENT: CMDB & KNOWLEDGE MANAGEMENT)

Intelligence is the controlled repository of information. Intelligence can be anything, but for a corporate organization, Intelligence data is normally limited to people, locations, and organizations (i.e. suppliers, vendors, contractors, and detractors such as criminals, activists, etc.). Data can be added to the repository through incidents, investigations/audits, and tips/leads (not shown in diagram). The repository can be queried by investigators or auditors to compile background/supporting material. Additionally, if Intelligence is presented properly, it can also enhance real-time information for Crisis/Incident Management (historical events, habitual personalities, etc.).

PARTING THOUGHT (Updated for 2016)

With the introduction of the ServiceNow Security Operations Suite (Security Incident Response and Vulnerability Management), we can present a path to closely align IT with Security Operations within the platform (which includes the introduction of cybersecurity best practices and the ability to mesh with ITSM immediately). Additionally, to better serve your customer (and the basis of this article), we can also consider how the ServiceNow platform can be leveraged to increase security awareness so an organization can better protect its data, its facilities, its brand (reputation), and, most importantly, its people.

Original Article (Fruition Partners August 2014): http://fruitionpartners.com/2014822applying-it-service-management-beyond-it-corporate-security-and-c...