ITIL (IT Infrastructure Library) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL is used by CIOs (especially in larger organizations) as a framework for managing ITIL divides service value into fit to purpose (utility) and fit to use (warranty). Fit for use means that service is available when a user needs it. Fit to purpose means that service fulfils customer needs.
Since cyber security is just another IT service, I thought that I would look at it under the lens of ITIL – in other words whether, when implemented, are cyber security controls fit-to-purpose – i.e. do they protect organizational assets from cyber attack?
Cyber security tools and processes protect assets in two ways:
1. Reducing the likelihood of a successful attack by
a. completely avoiding a risk and removing the attack surface in consideration
b. diminishing risk by reducing the relevant attack surface
c. increasing effort needed to conduct an attack
2. Reducing the impact of a successful attack, thus restricting losses
The first maps into the proactive categories of the NIST framework (Identify, Protect) while the second maps into the reactive categories (Detect, Respond, Record).
So what do we know about cyber security fitness-to-purpose? The short answer is not much, but here are the nonpartisan results I have managed to find:
o CSC 1: Inventory of Authorized & Unauthorized Devices
o CSC 2: Inventory of Authorized and Unauthorized Software
o CSC 3: Secure Configurations for Hardware and Software
o CSC 4: Continuous Vulnerability Assessment and Remediation
o CSC 5: Controlled Use of Administrative Privileges
Australian Signals Directorate (ASD) top 4 controls also claim to mitigate at least 85% of intrusion techniques
o Application whitelisting
o Patching applications
o Patching Operating Systems
o Minimizing administrative privileges (similar to CSC5)
If anyone has more data on actual measures of cyber security fitness-for-purpose – please share.