IT Service Ownership

industrialhorse

I couldn't find the appropriate forum to post this and since it relates to Information Security I thought I may as well look for some answers here.

I've been tasked with writing an IT service description for security software that my company has subscribed to and in the process of rolling out. That was fine until a senior member of the team questioned who should be regarded as the service owners for the product - our Information Security team or the IT Service Delivery team. I have looked at a few articles online which state some obvious things like accountability and service vs process owners but no actual answer to the subject of service ownership.

Any ideas folks?

ItHurtsWhenIP

industrialhorse wrote: »

I couldn't find the appropriate forum to post this and since it relates to Information Security I thought I may as well look for some answers here.

I've been tasked with writing an IT service description for security software that my company has subscribed to and in the process of rolling out. That was fine until a senior member of the team questioned who should be regarded as the service owners for the product - our Information Security team or the IT Service Delivery team. I have looked at a few articles online which state some obvious things like accountability and service vs process owners but no actual answer to the subject of service ownership.

Any ideas folks?

What is the nature of the software (endpoint security, perimeter security, etc.) and what team will support it when rolled out.

For example, in my last ITIL workplace, the Local IT Service team were considered the owners for the endpoint security service, as they were the ones that rolled it out and supported any issues with it. The corporate InfoSec team would have only stated what product we use and all of the policies surrounding how it should be configured.

For perimeter security it was the regional network team who had ownership, again with corporate InfoSec stating what should be used and how it was configured.

That was the situation in a large (60,000+) corporate environment, YMMV.

If you're an ITILed environment, surely there is guidance available on this?

BoB_BoT

As ItHurtsWhenIP said, who's going to maintain it and deal with user requests in the future? I thought it was pretty clear cut who owns the service, it's the team who's going to support the end user and software package.

industrialhorse

ItHurtsWhenIP wrote: »

What is the nature of the software (endpoint security, perimeter security, etc.) and what team will support it when rolled out.

For example, in my last ITIL workplace, the Local IT Service team were considered the owners for the endpoint security service, as they were the ones that rolled it out and supported any issues with it. The corporate InfoSec team would have only stated what product we use and all of the policies surrounding how it should be configured.

For perimeter security it was the regional network team who had ownership, again with corporate InfoSec stating what should be used and how it was configured.

That was the situation in a large (60,000+) corporate environment, YMMV.

If you're an ITILed environment, surely there is guidance available on this?

Unfortunately no as the Infosec team here is in it's infancy and I'm new to the team aswell after spending a bit of time away from Information Security so.......

industrialhorse

BoB_BoT wrote: »

As ItHurtsWhenIP said, who's going to maintain it and deal with user requests in the future? I thought it was pretty clear cut who owns the service, it's the team who's going to support the end user and software package.

Well the Infosec team will be supporting the end users in terms of guidance, configuration and other ongoing changes. From a non-technical point of view, I would have considered us (Infosec) to be the service owners due to it being security software but the programme manager has challenged this and wants a firm answer to confirm if we are responsible or not