[Zurück]

C. Frühwirth:
"Improving Security Incident Management in multi national IT Service Providers";
Betreuer/in(nen): S. Biffl; Institut für Softwaretechnik und Interaktive Systeme, 2008; Abschlussprüfung: 21.02.2008.

The realities of information security have changed tremendously in this decade and
the expectations on today´s IT security management have gone beyond providing
plain physical security. Today, security management is increasingly under pressure
from three factors: 1.) attacks on IT systems have increased in numbers and
sophistication 2.) legal regulations like the Sarbanes Oxley (SOX) act call for
standardized security processes and audits 3.) Management wants to regain control
over security business processes and costs. Improving IT security management
means to tackle all of the three factors.
To deal with evolved, attacks a new generation of event based intrusion detection
systems is needed. On the legislative side, improvements come from the
implementation of industry standard frameworks which facilitate compliance audits.
Security business process can be improved by reengineering them to take advantage
of the 1.) advanced intrusion detection tools 2.) standard frameworks for legal
compliance and 3.) through intelligent security management software tools.
This work studies an IT security business process at a multinational IT service
provider and evaluates its compliance with the industry standard frameworks COBIT
and ITIL. The study uses a survey to document the actual work practices at the IT
service provider and comparable international corporations. Previously informal
process descriptions are formalized and metrics are established to document the
current security management baseline.
Proposals for performance improvements are developed by analyzing the formalized
processes, the stakeholders´ goals and comparing the actual process status with these
goals. Performance is measured in terms of a) execution time and b) execution costs
for each process. Stakeholder requirements are gathered via structured interviews
with company representatives, CIOs and network security staff.
The result of the analysis is used to configure and deploy a next-generation intrusion
detection and incident management tool - the Cisco built "monitoring analysis and
response system" (MARS). Cisco MARS uses event correlation to identify multistage
security incidents and is able to trigger incident handling processes. The MARS
configuration is adapted to fulfill stakeholder requirements as well as comply with
legal regulations of the SOX act.
The IT security management business process is reviewed and adapted to take
advantage of the new incident management system. Process reengineering is used to
further align the processes with the COBIT and ITIL frameworks and facilitate
independent security audits.
All analysis and work results are compiled into a best-practice integration plan for
companies facing similar challenges as the assessed IT service provider. A final
evaluation compares the company´s previous baseline of incident handling processes
with the improved version.