Routine – day-to-day security management using ESARIS

Secure ICT Service Provisioning for Cloud, Mobile and Beyond

Part of the book series: Edition <kes> (EDKES)


Abstract

Larger IT departments and specialized ICT Service Providers must be able to define, communicate and correctly apply hundreds and thousands of individual security measures in a large-scale, industrial environment with thousands of employees located in many countries. IT production is characterized by standardization and a rigorous division of labor within the ICT Service Provider and its supplier network. The ICT Service Provider offers its ICT services to many customers (user organizations). Such an environment poses new challenges for IT security. The Enterprise Security Architecture for Reliable ICT Services (ESARIS) is built to meet these challenges. This chapter investigates and summarizes the effects on security management and highlights essential tasks for the Security Management organization. First, the focus is on the differences on the provider's side that result from meeting the new challenges with ESARIS (Sect. 13.1). Actually implementing the concepts and methods defined in ESARIS is a precondition for reaping its benefits, primarily higher efficiency and improved security. A primary task of the Security Management organization in day-to-day business is therefore to ensure that the company adheres to the security standards. There are different techniques for verifying whether and to what extent security standards are actually applied (Sect. 13.2). Using ESARIS decreases the effort of managing security, but the Security Management organization of the ICT Service Provider will still encounter trouble and confusion. A considerable portion of the security management activities must therefore be dedicated to motivation, cultural change, persuasion, training and the like. Some important tips are provided for dealing with trouble and confusion (Sect. 13.3). The security management of a user organization undergoes a big change when ICT services are outsourced for the first time. The last section focuses on the major activities of the user organization's Security Management organization. Together with the extensive detail about the provider's side given in other chapters of this book, it draws a portrait of joint security management (Sect. 13.4).


Author information


Correspondence to Eberhard von Faber.


Copyright information

© 2017 Springer Fachmedien Wiesbaden GmbH

About this chapter

Cite this chapter

von Faber, E., Behnsen, W. (2017). Routine – day-to-day security management using ESARIS. In: Secure ICT Service Provisioning for Cloud, Mobile and Beyond. Edition <kes>. Springer Vieweg, Wiesbaden. https://doi.org/10.1007/978-3-658-16482-9_13


  • DOI: https://doi.org/10.1007/978-3-658-16482-9_13


  • Publisher Name: Springer Vieweg, Wiesbaden

  • Print ISBN: 978-3-658-16481-2

  • Online ISBN: 978-3-658-16482-9

  • eBook Packages: Computer Science (R0)
