Addendum B: Service Catalog

Introduction

Security controls can be administrative, technical, or physical in implementation and every security control that exists must deliver positive business value. Unfortunately, with the inner workings of information security typically not made common knowledge, the business value being delivered and the role it plays in achieving successful business outcomes is not usually recognized. This leaves the overall information security program vulnerable to not being strategically relevant to the organization’s business functions. To be successful in demonstrating value, information security needs to be strategically aligned to business functions and positioned as an empowering contributor to the organization’s success.

As part of the overall service management lifecycle, a service portfolio is the complete set of services managed and offered by the provider. The service catalog, also referred to as an information technology (IT) service catalog, is a subset of the service portfolio that acts as a centralized register and entry point for details about the organization’s available services. Through the creation of a service catalog, the value of information security can be demonstrated more effectively by aligning the delivered outcomes to business functions in a format that is easily understood.

Business Benefits

At a minimum, a service catalog provides organizations with a centralized way to see, find, invoke, and execute services regardless of where the service exists within the organization. Organizations utilize this service catalog to eliminate the need for developing and/or supporting localized implementations that may be otherwise redundant.

Implementing a service catalog demonstrates a positive return on investment (ROI) for the organization in the form of direct financial savings or through maximizing effectiveness and efficiencies within the organization. From the strategic alignment of information security to business functions, organizations can realize ROI through the following positive effects of a service catalog:

•  Provides a platform for better understanding and communicating business requirements

•  Positions the overall information security program to be run like a business

•  Reduces operational costs by identifying essential services and eliminating/consolidating redundant/unnecessary services

•  Enhances operational efficiencies through the strategic structuring of resources and funding

•  Helps market the awareness and visibility of the information security program to build stronger business relationships

Inevitably, if a service catalog does not already exist, somebody within the organization will recognize the benefits of having it in place and the visibility it provides to the information security program. Once that need is identified, creating a service catalog should not be viewed as a straightforward task. By taking a laid-back approach to creating a service catalog, the organization may not realize true ROI and will most likely be wasting its resources, time, effort, and money. Guidance and oversight should be in place right from the start of creating the service catalog to make sure the organization properly utilizes its assets throughout the entire process.

Design Considerations

The creation of services that deliver business value will differ from one organization to the next. Before starting the work of designing services, every organization should consider including four consistent elements to support the service in delivering value:

•  People: Human resources and the organization’s structure(s)

•  Processes: Service management documentation

•  Products: Technology and infrastructure

•  Partners: Dependencies on external entities

Service catalogs include descriptive elements so users within the organization can easily find and request the desired service. There are no pre-defined requirements indicating what specific elements must be included in a service catalog, leaving the decision to include or exclude elements entirely up to the subjectivity of the organization. The most common descriptive elements that organizations should use in any service catalog implementation are:

Service name: The service name should clearly illustrate, in both business and IT terminology, how the service is commonly referred to throughout the organization. Structuring the name in such a way eliminates any confusion that may exist about the service.

Service description: The description should be written at a very high level, with no more than 2–3 lines, in a non-technical, business language that is simple and easy to understand.

Service family/group/category: Illustrated in Figure B.1, the hierarchical use of families, groups, and categories allows for individual services to be classified and aligned into the organization’s common fields of functionality. The purpose of classifying individual services into the larger areas is to simplify resource management and cost analysis.

Service family: In the first level of the service catalog hierarchy, the purpose of a service family is to translate services into core business driven functions, such as IT services or business services.

Service group: In the second level of the service catalog hierarchy, the purpose of a service group is to expand the individual business functions contained within the service family, such as security services or compliance.

Service category: In the third level of the service catalog hierarchy, the purpose of a service category is to specify the individual service functions, such as security operations or investigations.

Figure B.1 Operational service catalog hierarchy.

Service owner: The owner is the person within the organization who provides funding for the service; this role is commonly assigned to the member of executive management responsible for the area where the service is offered.

Key contact(s): The key contact(s) of the service are those within the organization who function as the focal point for all communication between IT departments and the business communities. These individuals are responsible for understanding and supporting the level of service being delivered in line with established service level objectives (SLOs).

Service costs: Documenting the cost of every service in quantifiable terms gives organizations a better understanding of where funding is allocated across the total cost of operating the service. Having identified all of the contributors to the total service cost, organizations can then implement a chargeback model that allocates costs based on the services’ activity costs.

Cost elements: The fixed (e.g., software licensing, capital) and variable (e.g., remuneration, outside data processing) costs associated with operating the service.

Cost driver: The specific fixed (e.g., software licenses) or variable (e.g., billable work hours) unit(s) of service activity that result in a change in cost to the requestor.

Cost per unit: The measurement used to identify the cost of delivering one unit of service activity:

Cost per unit = (Total fixed costs + Total variable costs) / Total units produced

Cost allocation: The distribution of service costs through the organization to areas that consume the service activities.

A service catalog template has been provided as a reference in the Templates section of this book.

Summary

Every administrative, technical, and physical component used as part of a forensics investigation contributes to an organization’s overall investigative service offering. With the investigative service offerings mostly being considered as overhead to an organization, it is important that associated resources and technologies be identified so cost elements can be allocated appropriately.
