On security for IT services

December 14, 2011

Security by Loopzilla at flickr - some rights reserved


How should one go about security for IT services?

One can look at it by taking into account the service lifecycle approach from ITIL and concentrating on the Design phase, where we can invest early in order to achieve that honorable goal of having the minimum of (avoidable) surprises and rework when the service finally goes live. In other words, reduce operational costs by designing services right.

Some ideas (in no particular order):

  1. Ensure that external partners and suppliers who contribute to the services know and formally agree to their responsibilities (Underpinning Contracts)
  2. Also get internal groups/teams to formally agree on their responsibilities (Operational Level Agreements)
  3. Changes to the services must include a security impact assessment
  4. Have a procedure for receiving and acting on security vulnerabilities reported by vendors of the components that support the service
  5. Include an explicit section on security requisites in the initial analysis phase for new or changed services
  6. Link the security requisites to service level targets so that the SLA covers them
  7. Check those requisites with the customer when feasible (or at least with yourself, if you are a good candidate for using the service)
  8. Make sure security tests are covered in the test plan
  9. Then, while transitioning the service, perform the security tests
  10. Have experts try to break your service from outside and from inside
  11. Use the tools. There are technical tools and best practices you can apply, thus avoiding reinventing the wheel or forgetting important checks
  12. If a security incident happens, is it clear to everybody who must be involved and what to do?

Yes, some of these will happen in the Transition and Operation phases even though their planning occurs before.

I would love to hear more ideas!