laidbackfreak wrote: » Ok I'm probably going to be looking at getting the foundation cert sometime over the next couple of months, but that's not what I wanted to ask. I had an interview recently in which I was asked about ITIL and what I understood of it, to which I gave a reasonable answer given my limited knowledge. One of the follow-up questions threw me a little and showed my lack of knowledge, and while this doesn't bother me in terms of the interview it puzzles me all the same. I was asked what, if any, were the downsides of ITIL? Now I'm not expecting a "correct" answer as I'm well aware that wasn't the purpose of the question, and again while I gave my answer I am intrigued as to how some of the more experienced ITIL folk would have answered that.
eMeS wrote: » -Weak framework for security that very much seems like "so what".
veritas_libertas wrote: » As in ITIL discourages it?
eMeS wrote: » No, that would be the equivalent of best practice suicide these days.... It's actually more of an afterthought. Initially v2 wrapped security into Availability Management, then they added a "bolt-on" security process. Now in v3 they've added a process called "Information Security Management", but I would say that it's very immature compared to more rigorous security best practices that are out there. MS
veritas_libertas wrote: » [Edit] Just found this link: http://www.best-management-practice.com/gempdf/ITILV3_and_Information_Security_White_Paper_May09.pdf
eMeS wrote: » I think this underscores my point...this is fluff compared to some of the real security stuff out there.... One of the other downsides often comes into play when you have consultants that think ITIL is the end-all-be-all answer to everything, and don't recognize or accept this key shortcoming... MS
veritas_libertas wrote: » I didn't read the PDF yet, but isn't ITIL just a way to provide some sort of basic map for how things should flow? If so then shouldn't it help with the security world as well?
eMeS wrote: » Not exactly on the first point. ITIL is a collection of best practices for how to manage IT in the form of services. While it does offer some good suggestions in terms of security, if I were really interested in applying the best best practices to secure my IT, I wouldn't look to ITIL for those suggestions. There are definitely many good things about ITIL, but it definitely doesn't have all of the answers for everything under the Sun. MS
laidbackfreak wrote: » Cheers guys, some interesting food for thought there. Interesting point about security being an afterthought, but I would say that has been the norm in IT until fairly recently.
eMeS wrote: » What answer did you give in the interview? MS
laidbackfreak wrote: » To be honest I didn't, I said something along the lines of due to my lack of knowledge of the area I wasn't really in a position to explain the negative sides. Somewhat better phrased at the time. They accepted that as they were well aware I have no experience. I didn't get the job, but that was due more to lack of current experience in MS than anything else, but the feedback was good and I obviously impressed them as they have another role coming up after xmas that they felt (as do I) is more suitable to my current skillsets (Cisco) and wanted to know if I would be interested in that. To be honest, despite not getting the role (and I would've been in a dilemma about taking it, had I got it), it was one of the best interviews I've attended.
NinjaBoy wrote: » Sorry, going back to the original topic... ITIL is a complex beast to implement. I did my ITIL foundation and started to look into the higher levels and the first thing that popped into my head was, "wow, how the heck am I supposed to implement this and where am I going to get the resources". Then I was introduced to FITS, it's a stripped-down version of ITIL (based on version 2 & 3) so it's easier for SMB and the education markets to implement. -Ken