3. Driver #
Business Drivers
BD1
BD2
BD3
BD4
BD5
BD6
BD7
BD8
BD9
BD10
BD11
BD12
BD13
BD14
BD15
BD16
Business Drivers
Protecting the reputation of the Organization, ensuring that it is perceived as competent in its sector
Preventing losses through financial fraud
Providing the ability to prosecute those who attempt to defraud the Organization
Providing support to the claims made by the Organization about its competence to carry out its intended functions
Protecting the trust that exists in business relationships and propagating that trust across remote electronic business communications links and distributed information systems
Maintaining the confidence of other key parties in their relationships with the Organization
Maintaining the operational capability of the Organization’s systems
Maintaining the continuity of service delivery, including the ability to meet the requirements of service level agreements where these exist
Maintaining the accuracy of information
Maintaining the ability to govern
Detecting attempted financial fraud
Providing and maintaining the ability to ensure that the solutions provided for securing electronic business services provide a clear and unambiguous definition of responsibilities and liabilities for all parties at every stage of the transaction.
Providing and maintaining the ability to resolve disputes between the Organization and any other parties, quickly, efficiently and with minimum cost
Ensuring that information processed in the Organization’s systems can be brought to a court of law as evidence in support of both criminal and civil proceedings and that the court will admit the evidence, and that the evidence will withstand hostile criticism by the other side’s expert witnesses
Ensuring that the information security approaches used in the systems directly support compliance by the Organization with commercial contracts to which the Organization is a party
Ensuring that the Organization is at all times compliant with the laws and sectoral regulations, and that the information security approach in the systems directly and indirectly supports legal compliance
4. BD17
BD18
BD19
BD20
BD21
BD22
BD23
BD24
BD25
BD26
BD27
BD28
BD29
BD30
BD31
BD32
BD33
BD34
BD35
BD36
Maintaining the privacy of personal and business information that is stored, processed and communicated by the Organization’s systems
Protecting against the deliberate, accidental or negligent corruption of personal and business information that is stored, processed and communicated by the systems
Ensuring that an entity that makes a business transaction cannot later deny having made the transaction, and that the entity will be bound by the contractual obligations associated with making the transaction
Ensuring that all users can be held accountable for the actions that they take in making use of their access privileges
Ensuring that access privileges are designed and implemented in such a way as to minimize the risk of a single individual having excessive power that could be abused without easily being detected
Providing a means by which the Organization can monitor compliance with its various information security policies and can detect, investigate and remedy any attempted violations of those policies
Providing assurance of the correct functioning of the Organization’s systems and sub- systems
Providing for the setting of policy and the control and monitoring of compliance with policy by the authorities vested with responsibility for corporate governance in the system environment
Protecting other parties with whom the Organization has business dealings from abuse, loss of business or personal information
Ensuring that employees using the system are only granted authorized access within need to know and need to use privileges
Ensuring the system security solution is cost effective and provides good value for money
Ensuring that the security of the Organization’s information is dependent only upon its system security measures and not on the security competence of any other organization
Ensuring that the granularity of system security services is appropriate to business need
Preserving the ability of authorized business users to maintain a high level of productivity
Ensuring that information security interfaces are easy and simple to use
Utilizing, where possible, commercial- off-the- shelf products to build information security solutions
Ensuring that security services can be extended to all user locations, to all interface types and across all network types that will be used to support delivery
Maximize the economic advantage of the Enterprise Security Architecture
Security services to be supported through electronic communications, without the need for physical transfer of documents or storage media.
System security solutions should as far as possible comply with internal and external standards and best practices
5. BD37
BD38
BD39
BD40
BD41
BD42
BD43
Ensure that the required internal and external cultural shift is achieved to support the Security Architecture
Ensuring accurate information is available when needed
Minimise the risk of loss of key customer relationships
Minimize the risk of excessive loading on insurance premiums due to negligence on the Organization’s behalf or lack of due diligence
The Security Architecture should be independent of any specific vendor or product, and should be capable of supporting multiple products from multiple vendors
The Security Architecture must remain compatible with new technical solutions as these evolve and become available, and with new business requirements as these emerge, with a minimum of redesign
The Security Architecture must be able to be adapted to counter new threats and vulnerabilities as they are discovered
6.
7. Business Attribute
Accessible
Accurate
Anonymous
Consistent
Business Attribute Definition
Suggested Measurement Approach
Metric Type
Soft
Information to which the user is entitled to gain access should be easily found and accessed by that user.
The information provided to users should be accurate within a range that has been preagreed upon as being applicable to the service being delivered.
Acceptance testing on key data to demonstrate compliance with design rules
For certain specialized types of service, the anonymity of the user should be protected.
HardSoft
User Attributes
Soft
Hard
Conformance with design style guides Red team review
Business Attributes
Search tree depth necessary to find the information
Rigorous proof of system functionality Red team review
The way in which log-in, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access. Business Attributes User Attributes Management Attributes Risk Management Attributes Legal/Regulatory Attributes Technical Strategy Attributes Operational Attributes Business Strategy Attributes
8. Current
Duty Segregated
Educated and Aware
Informed
Motivated
Protected
Reliable
Responsive
Supported
A definition of “quality” is needed against which to compare.
When a user has problems or difficulties in using the system or its services, there should be a means by which the user can receive advice and support so that the problems an be resolved to the satisfaction of the user.
Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model.
Soft
Soft
Hard
Soft
Soft
For certain sensitive tasks, the segregated duties should be segregated so that no user has access to both aspects of the task.
Functional testing
The user community should be educated and aware and trained so that they can embrace the security culture There should be sufficient user awareness of security issues so that behavior of users is compliant with security policies.
Competence surveys
The user should be kept fully informed about services, operating procedures, operational schedules, planned outages, and so on.
Focus groups or satisfaction surveys
The interaction with the system should add positive motivation to the user to complete the business tasks at hand.
Focus groups or satisfaction surveys
The user’s information and access privileges should be protected against abuse by other users or by intruders.
The users obtain a response within a satisfactory period of time that meets their expectations.
The services provided to the user should be delivered at a reliable level of quality.
Information provided to users should be current and kept up to date, within a range that has been preagreed upon as being applicable for the service being delivered.
Refresh rates at the data source and replication of source and replication of refreshed data to the destination.
Hard
Hard
Soft
Soft
Penetration test. (Could access privileges should be be regarded as “hard,” but only if a penetration is achieved. Failure to penetrate does not mean that penetration is impossible.)
Response time
9. Timely
Transparent
Usable
Automated
Change- Managed
Controlled
Soft
Soft
Wherever possible (and depending upon cost/benefit factors) the management and operation of the system should be automated.
Changes to the system should be properly managed so that the impact of every change is evaluated and the changes are approved in advance of being implemented
The system should at all times remain in the control of its managers. This means that the management will observe the operation and behaviour of the system, will make decisions about how to control it based on these observations, and will implement actions to exert that control.
Soft
Independent design review
Documented change management system, with change management history, evaluated by history, evaluated by independent audit
Independent audit and review against Security Architecture Capability Maturity Model
Information is delivered or made accessible to the user at the appropriate time or within the appropriate time period.
The system should provide easy-to-use interfaces that can be navigated intuitively by a user of average intelligence and training level (for the given system). The user’s experience of these interactions should be at best interesting and at worst neutral.
Refresh rates at the data source and replication of refreshed data to the destination.
Numbers of “clicks” or keystrokes required. Conformance with industry standards, e.g., color palettes. Feedback from focus groups.
Providing full visibility to the user of the logical process but hiding the physical structure of the system (as a url hides the actual physical locations of Web servers).
Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model
Hard
Soft
Soft
Management Attributes
10. Cost Effective
Efficient
Maintanable
Measured
Supportable
Access Controlled
Accountable
Access to information and functions within the system should be controlled in accordance with the authorized privileges of the party requesting the access. Unauthorized access should be prevented.
All parties having authorized access to the system should be held accountable for their actions.
Reporting of all unauthorised access attempts, including number of incidents per period, severity, and result (did the access attempt succeed?)
Hard
Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to hold accountable
Soft
Hard
Risk Management Attributes
A target efficiency ratio based on (Input value)/(Output value)
Documented execution of a preventive maintenance schedule for both hardware and software, correlated against targets for continuity of service, such as mean time between failures (MTBF)
Documented tracking and reporting of a portfolio of conventional system performance parameters, together with other attributes from this list
Fault-tracking system providing measurements of MTBF, MTTR (mean time to repair), and maximum time to repair, with targets for each parameter
Hard
Hard
Soft
Hard
The system should capable of being maintained in a state of ¬good repair and effective, efficient operation. The actions required to achieve this should be feasible within the normal operational
The system should be capable of being supported in terms of both the users and the operations staff, so that all types of problems and operational difficulties can be resolved.
Individual budgets for the phases of development and for on- going operation, maintenance and support
The performance of the system should be measured against a variety of desirable performance targets so as to provide feedback
The design, acquisition, implementation, and operation of the system should be achieved at a cost that the business finds acceptable when judged against acceptable when judged against the benefits derived.
The system should deliver the target services with optimum efficiency, avoiding wastage of resources.
11. Assurable
Assuring Honesty
Auditable
Authenticated
Authorised
Capturing New Risk
The system should allow only those actions that have been explicitly authorized.
New risks emerge over time. The system management and operational environment should provide a means to identify and assess new risks (new threats, new impacts, or new vulnerabilities).
There should be a means to provide assurance that the system is operating as expected and that all of the various controls are correctly implemented and operated.
Protecting employees against false accusations of dishonesty or malpractice.
Every party claiming a unique identity (i.e., a claimant) should be subject to a procedure that verifies that the party is indeed the authentic owner of the claimed identity.
Reporting of all unauthorized actions, including number of incidents per period, severity, and result (did the action succeed?) Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to detect
HardSoft
Percentage of vendor published patches and upgrades actually installedIndependent audit and review against Security Architecture Capability Maturity Model of a documented risk assessment process and a risk assessment history
HardSoft
Hard Soft
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent false accusations that are difficult to repudiate
Soft
Independent audit and review against Security Architecture Capability Maturity ModelDocumented target configuration exists under change control with a capability to check current configuration against this target Independent audit and review against Security Architecture Capability Maturity Model
SoftHardSoft
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to authenticate successfully every claim of identity
Soft
Documented standards exist against which to audit Independent audit and review against Security Architecture Capability Maturity Model
The actions of all parties having authorized access to the system, and the complete chain of events and outcomes resulting from these actions, should be recorded so that this history can be reviewed. The audit records should provide an appropriate level of detail, in accordance with business needs. The actual configuration of the system should
12. Confidential
Crime Free
Flexibly Secure
Identified
Independently Secure
In our Sole Posession
Cyber-crime of all types should be prevented.
Each entity that will be granted access to system resources and each object that is itself a system resource should be uniquely identified (named) such that there can never be confusion as to
The security of the system should not rely upon the security of any other system that is not within the direct span of control of this system.
Information that has value to the business should be in the possession of the business, stored and protected by the system against loss (as in no longer being available) or theft (as in being disclosed to an unauthorised party). This will include information that is regarded as “intellectual property.”
The confidentiality of (corporate) information should be protected in accordance with security policy. Unauthorized disclosure should be prevented.
Security can be provided at various levels, according to business need. The system should provide the means secure information according to these needs, and may need to offer different levels of security for different types of
Soft
Independent audit and review against Security Architecture Capability Maturity Model
Soft
Reporting of all incidents of crime, including number of incidents per period, severity, and type of crime
Hard
Independent audit and review against Security Architecture Capability to Maturity Model
Soft
Proof of uniqueness of naming schemes
Hard
Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
Hard
Independent audit and review against Security Architecture Capability Maturity Model of technical security architecture at conceptual, logical, and physical layers
13. Integrity Assured
Non- Repudiable
Owned
Private
Trustworthy
There should be an entity designated as “owner” of every system. This owner is the policy maker for all aspects of risk management with respect to the system, and exerts the ultimate authority for controlling the system.
The privacy of (personal) information should be protected in accordance with relevant privacy or “data protection” legislation, so as to meet the reasonable expectation of citizens for privacy. Unauthorized disclosure should be prevented.
Soft
Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
Hard
Reporting of all incidents of compromise, including number of incidents per period, severity, and type of compromise Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to detect integrity compromise incidents
Focus groups or satisfaction surveys researching the question “Do you trust the service?”
Hard
HardSoft
Reporting of all incidents of unresolved repudiations, including number of incidents per period, severity, and type of repudiationIndependent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent repudiations that cannot be easily resolved
HardSoft
When one party uses the system to send a message to another party, it should not be possible for the first party to falsely deny having sent the message, or to falsely deny its contents.
The system should be able to be trusted to behave in the ways specified in its functional specified in its functional specification and should protect against a wide range of potential abuses.
Independent audit and review against Security Architecture Capability Maturity Model of the ownership arrangements and of the management processes by which owners should fulfil their responsibilities, and of their diligence in so doing
The integrity of information should be protected to provide assurance that it has not suffered unauthorized modification, duplication, or deletion.
14. Admissable
Compliant
Enforceable
Insurable
Legal
Liability Managed
Verify against insurance quotations
Hard
Independent legal expert review of all applicable contracts, SLAs, etc.
Soft
Soft
The system should be designed, implemented, and operated in accordance with the requirements of any applicable legislation. Examples include data protection laws, laws controlling the use of cryptographic technology, laws controlling insider dealing on the stock market, and laws
Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable laws to check for completeness and suitability
Legal/Regulatory Attributes
Independent audit and review against Security Architecture Capability Maturity Model by computer forensics expert
Soft
Independent compliance audit with respect to the inventories of regulations, laws, policies, etc.
Soft
The system should comply with all applicable regulations, laws, contracts, policies, and mandatory standards, both internal and external.
The system should be risk-managed to enable an insurer to offer reasonable commercial terms for insurance against a standard range of insurable
Independent review of: (1) inventory of contracts, policies, regulations and laws for completeness, and (2) enforceability of contracts, policies, laws, and regulations on the inventory
Soft
The system services should be designed, implemented and operated so as to manage the liability of the organization with regard to errors, fraud, malfunction, and so on. In particular, the responsibilities and liabilities of each party
The system should be designed, implemented and operated such that all applicable contracts, policies, regulations, and laws can be enforced by the system.
The system should provide forensic records (audit trails and so on) that will be deemed to be “admissible” in a court of law, should that evidence ever need to be presented in support of a criminal prosecution or a civil litigation.
15. Regulated
Resolvable
Time-Bound
Architecturally Open
COTS/GOTS
Extendible
Flexible / Adaptable
The system should be capable of being extended to incorporate new functional modules as required by the business.
The system should be flexible and adaptable to meet new business requirements as they emerge.
Independent audit and review against Security Architecture Capability Maturity Mode of technical architecture (conceptual, logical, and physical)
Soft
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical & physical)
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)
Soft
Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable regulations to check for completeness and suitability
Soft
Independent functional design review against specified functional requirements
Hard
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)
Soft
Technology Strategy Attributes
The system should be designed, implemented and operated in such a way that disputes can be resolved with reasonable ease and without undue impact on time, cost, or other valuable resources.
Wherever possible, the system should utilize commercial off- the-shelf or government off-the- shelf components, as appropriate.
The system architecture should, wherever possible, not be locked into specific vendor interface standards and should allow flexibility in
The system should be designed, implemented, and operated in accordance with the requirements of any applicable regulations. These may be general (such as safety regulations) or industry-specific (such as banking regulations).
Independent audit and review against Security Architecture Capability Maturity Model Maturity Model by legal expert
Soft
Soft
Meeting requirements for maximum or minimum periods of time, for example, a minimum period for records retention or a maximum period within which something must be completed.
16. Future Proof
Legacy Sensitive
Migratable
Multi- Sourced
Scalable
Simple
Standards Compliant
There should be a feasible, manageable migration path, acceptable to the business users, that moves from an old system to a new one, or
Critical system components should be obtainable from more than one source, to protect against the risk of the single source of supply and support being withdrawn.
The system should be as simple as possible, since complexity only adds further risk.
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Independent audit and review of: (1) the inventory of standards to check for completeness and appropriateness, and (2) compliance with stan¬dards on the inventory
Soft
Soft
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
The system architecture should be designed as much as possible to accommodate future changes in both business requirements and technical solutions.
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Soft
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)
Soft
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Soft
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture at the component level
Soft
Soft
The system should be scaleable to the size of user community, data storage requirements, processing throughput, and so on that might emerge over the lifetime of the system.
The system should be designed, implemented and operated to comply with appropriate technical and operational standards.
A new system should be able to work with any legacy systems or databases with which it needs to interoperate or integrate.
17. Traceable
Upgrdeable
Available
Continuous
Detectable
Error-Free
The system should be capable of being upgraded with ease to incorporate new releases of hardware and software.
Independent expert review of documented traceability matrices and trees
Soft
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Soft
Important events must be detected and reported.
As specified in the SLA
Hard
Functional testing
Hard
Hard
Percentage or absolute error rates (per transaction, per batch, per time period, etc.)
The system should offer “continuous service.” The exact definition of this phrase will always be subject to a SLA.
Percentage up-time correlated versus scheduled and/or unscheduled downtime, or MTBF, or MTTR
Hard
Operational Attributes
The information and services provided by the system should be available according to the requirements specified in the service-level agreement (SLA).
The system should operate without producing errors.
The development and implementation of system components should be documented so as to provide complete two-way traceability. That is, every implemented component should be justifiable by tracing back to the business requirements that led to its inclusion in the system, and it should be possible to review every business requirement and demonstrate which of the implemented system components are there to meet this requirement.
18. Inter- Operable
Monitored
Productive
Recoverable
Brand Enhancing
Business Enabled
Competent
Independent audit, or focus groups, or satisfaction surveys
Specific interoperability requirements
Soft
Market surveys
Soft
Business management focus group
Soft
Hard
As specified in the SLA.
Hard
Independent audit and review against Security Architecture Capability Maturity Model
Soft
The system and its services should operate so as to sustain and enhance productivity of the users, with regard to the business processes in which they are engaged.
The operational performance of the system should be continuously monitored to ensure that other attribute specifications are being met. Any deviations from acceptable limits should be
Business Strategy Attributes
The system should help to establish, build, and support the brand of the products or services based upon this system.
The system should interoperate with other similar systems, both immediately and in the future, as intersystem communication becomes increasingly a requirement. The system should interoperate
The system should protect the reputation of the organization as being competent in its industry sector
User output targets related to specific business activities
The system should be able to be recovered to full operational status after a breakdown or disaster, in accordance with the SLA.
Enabling the business and fulfilling business objectives should be the primary driver for the system design.
Hard
19. Confident
Credible
Culture- Sensitive
Enabling- Time-to- Market
Governable
The system architecture and time-to-design should allow new market business initiatives to be delivered to the market with minimum delay.
Business management focus group
Soft
The system should enable the owners and executive managers of the organization to control the business and to discharge their responsibilities for governance.
The system should be designed, built, and operated with due care and attention to cultural issues relating to those who will experience the system in any way. These issues include such matters as religion, gender, race, nationality, language, dress code, social customs, ethics, politics, and the environment. The objective should be to avoid or minimize offence or distress caused to others.
Independent audit and review of (1) the inventory of requirements in this area to check for completeness and appropriateness, and (2) compliance of system functionality with this set of requirements
Independent audit, or focus groups, or satisfaction surveys
Soft
Senior management focus group. Independent audit and review against Security Architecture Capability Maturity Model for governance
Soft
Soft
Independent audit, or focus groups, or satisfaction surveys
Soft
The system should behave in such a way as to safeguard the credibility of the organization.
The system should behave in such a way as to safeguard confidence placed in the organization by customers, suppliers, shareholders, regulators, financiers, the marketplace, and the general public
20. Provide Good Stewardship and Custody
Providing Investment Re-use
Providing Return On Investment
Reputable
The system should provide a return on return of value to the business to justify the investment made in creating and operating the system.
Financial returns and RoI indices selected in consultation with the Chief Financial OfficerQualitative value propositions tested by opinion surveys at senior management and boardroom level
Hard Soft
As much as possible, the system should be designed to reuse previous investments and to ensure that new investments are reusable in the future.
Independent audit, or focus groups, or satisfaction surveysCorrelation of the stock value of the organization versus publicity of system event history
SoftHard
Independent audit, or focus groups, or satisfaction surveys
Soft
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (con- ceptual, logical, physical, and component)
Soft
The system should behave in such a way as to safeguard the business reputation of the organization.
Protecting other parties with whom we do business from abuse, loss of business, or personal information of value to those parties through inadequate stewardship on our part.
21. Business Attribute
Business Driver
Accessible
5
Accurate
7
Anonymous
4
Consistent
23, 41
Business Attribute Definition
Measurement Approach
Metric
Information to which the user is entitled to gain access should be easily found and accessed by that user.
Search tree depth necessary to find the information
Soft
The information provided to users should be accurate within a range that has been preagreed upon as being applicable to the service being
Acceptance testing on key data to demonstrate compliance with design rules
Hard
For certain specialized types of service, the anonymity of the user should be protected.
Rigorous proof of system functionality Red team review
HardSoft
Conformance with design style guides Red team review
Soft
Performance Target
User Attributes
The way in which log-in, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access. Business Attributes User Attributes Management Attributes Risk Management Attributes Legal/Regulatory Attributes Technical Strategy Attributes Operational Attributes Business Strategy Attributes
22. Current
7
Duty Segregated
12
Educated and Aware
31.4
Informed
6
Motivated
25
Protected
21
Reliable
16
Responsive
5
Supported
6
Timely
41
Transparent
4
Information provided to users should be current and kept up to date, within a range that has been preagreed upon as being applicable for the service
Refresh rates at the data source and replication of source and replication of refreshed data to the destination.
Hard
For certain sensitive tasks, the segregated duties should be segregated so that no user has access to both aspects of the task.
Functional testing
Hard
The user community should be educated and aware and trained so that they can embrace the security culture There should be sufficient user awareness of security issues so that behavior of users is compliant with security policies.
Competence surveys
Soft
The user should be kept fully informed about services, operating procedures, operational schedules, planned outages, and so on.
Focus groups or satisfaction surveys
Soft
The interaction with the system should add positive motivation to the user to complete the business tasks at hand.
Focus groups or satisfaction surveys
Soft
The user’s information and access privileges should be protected against abuse by other users or by intruders.
Penetration test. (Could access privileges should be be regarded as “hard,” but only if a penetration is achieved. Failure to penetrate does not mean that penetration is impossible.)
Soft
The services provided to the user should be delivered at a reliable level of quality.
A definition of “quality” is needed against which to compare.
Soft
The users obtain a response within a satisfactory period of time that meets their expectations.
Response time
Hard
When a user has problems or difficulties in using the system or its services, there should be a means by which the user can receive advice and support so that the problems an be resolved to the satisfaction of the user.
Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model.
Soft
Information is delivered or made accessible to the user at the appropriate time or within the appropriate time period.
Refresh rates at the data source and replication of refreshed data to the destination.
Hard
Providing full visibility to the user of the logical process but hiding the physical structure of the system (as a url hides the actual physical locations of Web servers).
Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model
Soft
23. Usable
12
Automated
33.32
Change- Managed
39
Controlled
30
Cost Effective
27
Efficient
29
Maintanable
6
Measured
6
Supportable
8
The system should provide easy-to-use interfaces that can be navigated intuitively by a user of average intelligence and training level (for the given system). The user’s experience of these interactions should be
Numbers of “clicks” or keystrokes required. Conformance with industry standards, e.g., color palettes. Feedback from focus groups.
Soft
Wherever possible (and depending upon cost/benefit factors) the management and operation of the system should be automated.
Independent design review
Soft
Changes to the system should be properly managed so that the impact of every change is evaluated and the changes are approved in advance of being
Documented change management system, with change management history, evaluated by history, evaluated by independent audit
Soft
The system should at all times remain in the control of its managers. This means that the management will observe the operation and behaviour of the system, will make decisions about how to control it based on these observations, and will implement actions to exert that control.
Independent audit and review against Security Architecture Capability Maturity Model
Soft
The design, acquisition, implementation, and operation of the system should be achieved at a cost that the business finds acceptable when judged
Individual budgets for the phases of development and for on-going operation, maintenance and support
Hard
The system should deliver the target services with optimum efficiency, avoiding wastage of resources.
A target efficiency ratio based on (Input value)/(Output value)
Hard
The system should capable of being maintained in a state of ¬good repair and effective, efficient operation. The actions required to achieve this should be feasible within the normal operational
Documented execution of a preventive maintenance schedule for both hardware and software, correlated against targets for continuity of service, such as mean time between failures (MTBF)
Soft
The performance of the system should be measured against a variety of desirable performance targets so as to provide feedback information to support
Documented tracking and reporting of a portfolio of conventional system performance parameters, together with other attributes from this list
Hard
The system should be capable of being supported in terms of both the users and the operations staff, so that all types of problems and operational
Fault-tracking system providing measurements of MTBF, MTTR (mean time to repair), and maximum time to repair, with targets for each parameter
Hard
Risk Management Attributes
Management Attributes
24. Access Controlled
12
Accountable
14.15
Assurable
14.15
Assuring Honesty
18
Auditable
14
Authenticated
19
Authorised
21
Access to information and functions within the system should be controlled in accordance with the authorized privileges of the party requesting the access. Unauthorized access should be prevented.
Reporting of all unauthorised access attempts, including number of incidents per period, severity, and result (did the access attempt succeed?)
Hard
All parties having authorized access to the system should be held accountable for their actions.
Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to hold
Soft
There should be a means to provide assurance that the system is operating as expected and that all of the various controls are correctly implemented and operated.
Documented standards exist against which to audit Independent audit and review against Security Architecture Capability Maturity Model
Hard Soft
Protecting employees against false accusations of dishonesty or malpractice.
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent false accusations that are difficult to repudiate
Soft
The actions of all parties having authorized access to the system, and the complete chain of events and outcomes resulting from these actions, should be recorded so that this history can be reviewed. The audit records should provide an appropriate level of detail, in accordance with business needs. The actual configuration of the system should also be capable of being audited so as to compare it with a target configuration that represents the
Independent audit and review against Security Architecture Capability Maturity ModelDocumented target configuration exists under change control with a capability to check current configuration against this target Independent audit and review against Security Architecture Capability Maturity Model
SoftHardSoft
Every party claiming a unique identity (i.e., a claimant) should be subject to a procedure that verifies that the party is indeed the authentic owner of the claimed identity.
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to authenticate successfully every claim of identity
Soft
The system should allow only those actions that have been explicitly authorized.
Reporting of all unauthorized actions, including number of incidents per period, severity, and result (did the action succeed?) Independent audit and review against Security Architecture Capability Maturity Model† with
HardSoft
25. Capturing New Risk
39
Confidential
17
Crime Free
36, 39
Flexibly Secure
23.33
Identified
20
Independently Secure
28
In our Sole Posession
41
New risks emerge over time. The system management and operational environment should provide a means to identify and assess new risks (new threats, new impacts, or new vulnerabilities).
Percentage of vendor published patches and upgrades actually installedIndependent audit and review against Security Architecture Capability Maturity Model of a documented risk assessment process and a risk
HardSoft
The confidentiality of (corporate) information should be protected in accordance with security policy. Unauthorized disclosure should be
Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
Hard
Cyber-crime of all types should be prevented.
Reporting of all incidents of crime, including number of incidents per period, severity, and type of crime
Hard
Soft
Security can be provided at various levels, according to business need. The system should provide the means secure information according to these needs, and may need to offer different levels of security for different types of information (according to security classification).
Independent audit and review against Security Architecture Capability to Maturity Model
Soft
Each entity that will be granted access to system resources and each object that is itself a system resource should be uniquely identified (named) such that there can never be confusion as to which
Proof of uniqueness of naming schemes
Hard
The security of the system should not rely upon the security of any other system that is not within the direct span of control of this system.
Independent audit and review against Security Architecture Capability Maturity Model of technical security architecture at conceptual, logical, and physical layers
Soft
Information that has value to the business should be in the possession of the business, stored and protected by the system against loss (as in no longer being available) or theft (as in being disclosed to an unauthorised party). This will include information that is regarded as “intellectual property.”
Independent audit and review against Security Architecture Capability Maturity Model
26. Integrity Assured
19
Non- Repudiable
19
Owned
23
Private
12.16
Trustworthy
12.16
Admissable
5,7,14
Reporting of all incidents of compromise, including number of incidents per period, severity, and type of compromise Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to detect integrity compromise
HardSoft
When one party uses the system to send a message to another party, it should not be possible for the first party to falsely deny having sent the message, or to falsely deny its contents.
Reporting of all incidents of unresolved repudiations, including number of incidents per period, severity, and type of repudiationIndependent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent repudiations that cannot be
HardSoft
The system should provide forensic records (audit trails and so on) that will be deemed to be “admissible” in a court of law, should that evidence ever need to be presented in support of a criminal prosecution or a civil litigation.
Independent audit and review against Security Architecture Capability Maturity Model by computer forensics expert
Soft
There should be an entity designated as “owner” of every system. This owner is the policy maker for all aspects of risk management with respect to the system, and exerts the ultimate authority for controlling the system.
Independent audit and review against Security Architecture Capability Maturity Model of the ownership arrangements and of the management processes by which owners should fulfil their responsibilities, and of their diligence in so doing
Soft
The privacy of (personal) information should be protected in accordance with relevant privacy or “data protection” legislation, so as to meet the reasonable expectation of citizens for privacy. Unauthorized disclosure should be prevented.
Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
Hard
Legal/Regulatory Attributes
The system should be able to be trusted to behave in the ways specified in its functional specified in its functional specification and should protect against a wide range of potential abuses.
Focus groups or satisfaction surveys researching the question “Do you trust the service?”
Hard
The integrity of information should be protected to provide assurance that it has not suffered unauthorized modification, duplication, or deletion.
27. Compliant
41.24
Enforceable
25,26,14
Insurable
15,27,9, 11, 13
Legal
16,18,14,11, 13
Liability Managed
36,19,11, 13
Regulated
19,2,14
Resolvable
19.2
The system should comply with all applicable regulations, laws, contracts, policies, and mandatory standards, both internal and external.
Independent compliance audit with respect to the inventories of regulations, laws, policies, etc.
Soft
The system should be designed, implemented and operated such that all applicable contracts, policies, regulations, and laws can be enforced by the system.
Independent review of: (1) inventory of contracts, policies, regulations and laws for completeness, and (2) enforceability of contracts, policies, laws, and regulations on the inventory
Soft
The system should be risk-managed to enable an insurer to offer reasonable commercial terms for insurance against a standard range of insurable risks
Verify against insurance quotations
Hard
The system should be designed, implemented, and operated in accordance with the requirements of any applicable legislation. Examples include data protection laws, laws controlling the use of cryptographic technology, laws controlling insider dealing on the stock market, and laws governing information that is considered racist, seditious, or pornographic.
Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable laws to check for completeness and suitability
Soft
The system services should be designed, implemented and operated so as to manage the liability of the organization with regard to errors, fraud, malfunction, and so on. In particular, the responsibilities and liabilities of each party should
Independent legal expert review of all applicable contracts, SLAs, etc.
Soft
The system should be designed, implemented, and operated in accordance with the requirements of any applicable regulations. These may be general (such as safety regulations) or industry-specific (such as banking regulations).
Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable regulations to check for completeness and suitability
Soft
The system should be designed, implemented and operated in such a way that disputes can be resolved with reasonable ease and without undue
Independent audit and review against Security Architecture Capability Maturity Model Maturity Model by legal expert
Soft
28. Time-Bound
35.41
Architecturally Open
29.32
COTS/GOTS
32
Extendible
33
Flexible / Adaptable
33
Future Proof
37
Legacy Sensitive
37.38
Migratable
38
Multi-Sourced
40
Scalable
40
Meeting requirements for maximum or minimum periods of time, for example, a minimum period for records retention or a maximum period within which something must be completed.
Independent functional design review against specified functional requirements
Hard
The system architecture should, wherever possible, not be locked into specific vendor interface standards and should allow flexibility in the choice
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)
Soft
Wherever possible, the system should utilize commercial off- the-shelf or government off-the- shelf components, as appropriate.
Independent audit and review against Security Architecture Capability Maturity Mode of technical architecture (conceptual, logical, and physical)
Soft
The system should be capable of being extended to incorporate new functional modules as required by the business.
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical & physical)
Soft
The system should be flexible and adaptable to meet new business requirements as they emerge.
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)
Soft
The system architecture should be designed as much as possible to accommodate future changes in both business requirements and technical solutions.
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Soft
A new system should be able to work with any legacy systems or databases with which it needs to interoperate or integrate.
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)
Soft
There should be a feasible, manageable migration path, acceptable to the business users, that moves from an old system to a new one, or from one
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Soft
Critical system components should be obtainable from more than one source, to protect against the risk of the single source of supply and support being withdrawn.
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture at the component level
Soft
The system should be scaleable to the size of user community, data storage requirements, processing throughput, and so on that might emerge over the
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Soft
Technology Strategy Attributes
29. Simple
31
Standards Compliant
24
Traceable
19, 20, 22
Upgradeable
38
Available
6
Continuous
6
Detectable
10
Error-Free
18
Inter- Operable
38
The system should be as simple as possible, since complexity only adds further risk.
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Soft
The system should be designed, implemented and operated to comply with appropriate technical and operational standards.
Independent audit and review of: (1) the inventory of standards to check for completeness and appropriateness, and (2) compliance with stan¬dards on the inventory
Soft
The development and implementation of system components should be documented so as to provide complete two-way traceability. That is, every implemented component should be justifiable by tracing back to the business requirements that led to its inclusion in the system, and it should be possible to review every business requirement and demonstrate which of the implemented system components are there to meet this requirement.
Independent expert review of documented traceability matrices and trees
Soft
The system should be capable of being upgraded with ease to incorporate new releases of hardware and software.
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Soft
The information and services provided by the system should be available according to the requirements specified in the service-level
As specified in the SLA
Hard
The system should offer “continuous service.” The exact definition of this phrase will always be subject to a
Percentage up-time correlated versus scheduled and/or unscheduled downtime, or MTBF, or MTTR
Hard
Important events must be detected and reported.
Functional testing
Hard
The system should operate without producing errors.
Percentage or absolute error rates (per transaction, per batch, per time period, etc.)
Hard
The system should interoperate with other similar systems, both immediately and in the future, as intersystem communication becomes increasingly a
Specific interoperability requirements
Hard
Operational Attributes
30. Monitored
22.24
Productive
5
Recoverable
18
Brand Enhancing
1
Business Enabled
2
Competent
1.4
Confident
4
Credible
5
Culture- Sensitive
16
Enabling-Time- to-Market
41
The operational performance of the system should be continuously monitored to ensure that other attribute specifications are being met. Any
Independent audit and review against Security Architecture Capability Maturity Model
Soft
The system and its services should operate so as to sustain and enhance productivity of the users, with regard to the business processes in which they are
User output targets related to specific business activities
Hard
The system should be able to be recovered to full operational status after a breakdown or disaster, in
As specified in the SLA.
Hard
The system should help to establish, build, and support the brand of the products or services based upon this system.
Market surveys
Soft
Enabling the business and fulfilling business objectives should be the primary driver for the system design.
Business management focus group
Soft
The system should protect the reputation of the organization as being competent in its industry sector
Independent audit, or focus groups, or satisfaction surveys
Soft
The system should behave in such a way as to safeguard confidence placed in the organization by customers, suppliers, shareholders, regulators, financiers, the marketplace, and the general public
Independent audit, or focus groups, or satisfaction surveys
Soft
The system should behave in such a way as to safeguard the credibility of the organization.
Independent audit, or focus groups, or satisfaction surveys
Soft
The system should be designed, built, and operated with due care and attention to cultural issues relating to those who will experience the system in any way. These issues include such matters as religion, gender, race, nationality, language, dress code, social customs, ethics, politics, and the environment. The objective should be to avoid or minimize offence or distress caused to others.
Independent audit and review of (1) the inventory of requirements in this area to check for completeness and appropriateness, and (2) compliance of system functionality with this set of requirements
Soft
The system architecture and time-to-design should allow new market business initiatives to be delivered to the market with minimum delay.
Business management focus group
Soft
Business Strategy Attributes
31. Governable
8, 16
Provide Good Stewardship and Custody
3,12,21
Providing Investment Re- use
38
Providing Return On Investment
2
Reputable
8
The system should enable the owners and executive managers of the organization to control the business and to discharge their responsibilities for governance.
Senior management focus group. Independent audit and review against Security Architecture Capability Maturity Model for governance
Soft
Protecting other parties with whom we do business from abuse, loss of business, or personal information of value to those parties through inadequate stewardship on our part.
Independent audit, or focus groups, or satisfaction surveys
Soft
As much as possible, the system should be designed to reuse previous investments and to ensure that new investments are reusable in the future.
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (con-ceptual, logical, physical, and component)
Soft
The system should provide a return on return of value to the business to justify the investment made in creating and operating the system.
Financial returns and RoI indices selected in consultation with the Chief Financial OfficerQualitative value propositions tested by opinion surveys at senior management and boardroom level
Hard Soft
The system should behave in such a way as to safeguard the business reputation of the organization.
Independent audit, or focus groups, or satisfaction surveysCorrelation of the stock value of the organization
SoftHard
32. Business Attribute
Business Driver
Confidential
Integrity
Availability
Accessible
5
Accurate
7
Anonymous
4
Consistent
23, 41
Current
7
Duty Segregated
12
Attribute - Risks and Controls
User Attributes
Conformance with design style guides
Refresh rates at the data source and replication of source and replication of refreshed data to the destination.
Information to which the user is entitled to gain access should be easily found and accessed by that user.
Risk (Impact Based)
Security Controls
Acceptance testing on key data to demonstrate compliance with design rules
Rigorous proof of system functionality
Conflicting duties and areas of responsibility should be segregated to reduce opportunities forunauthorized or unintentional modification or misuse of the
33. Educated and Aware
31.4
Informed
6
Motivated
25
Protected
21
Reliable
16
Responsive
5
Supported
6
Timely
41
Transparent
4
Usable
12
Automated
33.32
Change- Managed
39
Controlled
30
Cost Effective
27
Efficient
29
Penetration test. (Could access privileges should be be regarded as “hard,” but only if a penetration is achieved. Failure
A definition of “quality” is needed against which to compare.
Focus groups or satisfaction surveys
Focus groups or satisfaction surveys
Competence surveys
Numbers of “clicks” or keystrokes required. Conformance with industry standards, e.g., color palettes. Feedback from focus
Independent design review
Refresh rates at the data source and replication of refreshed data to the
Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity
Management Attributes
Response time
Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model.
Individual budgets for the phases of development and for on-going operation,
A target efficiency ratio based on (Input value)/(Output value)
Documented change management system, with change management history,
Independent audit and review against Security Architecture Capability Maturity Model
34. Maintanable
6
Measured
6
Supportable
8
Access Controlled
12
Accountable
14.15
Assurable
14.15
Assuring Honesty
18
Auditable
14
Authenticated
19
Authorised
21
Capturing New Risk
39
Documented execution of a preventive maintenance schedule for both hardware and software, correlated against
Documented tracking and reporting of a portfolio of conventional system
Reporting of all unauthorized actions, including number of incidents per period, severity, and result (did the action succeed?)
Independent audit and review against Security Architecture Capability Maturity ModelDocumented target configuration exists under change control with a capability to check current configuration against this target
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to hold accountable all authorized parties
Documented standards exist against which to audit Independent audit and review against Security Architecture
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent
Fault-tracking system providing measurements of MTBF, MTTR (mean time to repair), and
Reporting of all unauthorised access attempts, including number of incidents per period, severity, and result (did the access attempt succeed?)
Risk Management Attributes
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to
Percentage of vendor published patches and upgrades actually installedIndependent audit and review against Security Architecture
35. Confidential
17
Crime Free
36, 39
Flexibly Secure
23.33
Identified
20
Independently Secure
28
In our Sole Posession
41
Integrity Assured
19
Non-Repudiable
19
Owned
23
Private
12.16
Trustworthy
12.16
Proof of uniqueness of naming schemes
Independent audit and review against Security Architecture Capability Maturity Model of technical security architecture at
Reporting of all incidents of crime, including number of
Independent audit and review against Security Architecture Capability to Maturity Model
Reporting of all disclosure incidents, including number of incidents per period, severity,
Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
Focus groups or satisfaction surveys researching the question “Do you trust the service?”
Independent audit and review against Security Architecture Capability Maturity Model of the ownership arrangements and of the management processes by
Independent audit and review against Security Architecture Capability Maturity Model
Reporting of all incidents of compromise, including number of incidents per period, severity, and type of compromise Independent audit and review against Security Architecture
Legal/Regulatory Attributes
Reporting of all incidents of unresolved repudiations, including number of incidents per period, severity, and type of repudiationIndependent audit and review
36. Admissable
5,7,14
Compliant
41.24
Enforceable
25,26,14
Insurable
15,27,9, 11, 13
Legal
16,18,14,11, 13
Liability Managed
36,19,11, 13
Regulated
19,2,14
Resolvable
19.2
Time-Bound
35.41
Architecturally Open
29.32
COTS/GOTS
32
Extendible
33
Flexible / Adaptable
33
Independent compliance audit with respect to the inventories of
Independent audit and review against Security Architecture Capability Maturity Model by computer forensics expert
Independent review of: (1) inventory of contracts, policies, regulations and laws for completeness, and (2) enforceability of contracts, policies, laws, and regulations on the inventory
Verify against insurance quotations
Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of
Independent audit and review against Security Architecture Capability Maturity Model Maturity Model by legal expert
Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable laws to check for completeness and suitability
Independent audit and review against Security Architecture Capability Maturity Mode of technical architecture
Independent functional design review against specified functional requirements
Independent audit and review against Security Architecture Capability Maturity Model† of
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture
Independent legal expert review of all applicable contracts, SLAs, etc.
Technology Strategy Attributes
Independent audit and review against Security Architecture Capability Maturity Model of
37. Future Proof
37
Legacy Sensitive
37.38
Migratable
38
Multi-Sourced
40
Scalable
40
Simple
31
Standards Compliant
24
Traceable
19, 20, 22
Upgrdeable
38
Available
6
Continuous
6
Detectable
10
Error-Free
18
Inter-Operable
38
Monitored
22.24
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture at the
Independent audit and review against Security Architecture Capability Maturity Model of
Independent audit and review against Security Architecture Capability Maturity Model† of
Independent audit and review against Security Architecture Capability Maturity Model of
Independent audit and review against Security Architecture Capability Maturity Model
Functional testing
Percentage or absolute error rates (per transaction, per batch, per time period, etc.)
Independent expert review of documented traceability matrices and trees
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture
Independent audit and review against Security Architecture Capability Maturity Model of
Independent audit and review of: (1) the inventory of standards to check for completeness and appropriateness, and
Operational Attributes
As specified in the SLA
Percentage up-time correlated versus scheduled and/or unscheduled downtime, or
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Specific interoperability requirements
38. Productive
5
Recoverable
18
Brand Enhancing
1
Business Enabled
2
Competent
1.4
Confident
4
Credible
5
Culture- Sensitive
16
Enabling- Time-to- Market
41
Governable
8, 16
Provide Good Stewardship and Custody
3,12,21
Providing Investment Re-use
38
Providing Return On Investment
2
Reputable
8
Independent audit, or focus groups, or satisfaction surveys
Market surveys
Business management focus group
Independent audit, or focus groups, or satisfaction surveys
User output targets related to specific business activities
As specified in the SLA.
Business Strategy Attributes
Independent audit, or focus groups, or satisfaction surveysCorrelation of the stock value of
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (con-
Financial returns and RoI indices selected in consultation with the Chief Financial OfficerQualitative value propositions tested by opinion surveys at
Senior management focus group. Independent audit and review against Security Architecture Capability Maturity
Independent audit, or focus groups, or satisfaction surveys
Independent audit and review of (1) the inventory of requirements in this area to check for completeness and appropriateness, and (2) compliance of system functionality with this set of
Business management focus group
Independent audit, or focus groups, or satisfaction surveys
39. Deter
Prevent
Contain
Detect
Track
Recover
Voice
Data
Video
System
Information
Attribute - Risks and Controls
Management Activity Controls
User Attributes
Architecture Controls
54. Business Attribute
Business Driver
Confidential
Integrity
Availability
Accessible
5
Accurate
7
Search tree depth necessary to find the information
Acceptance testing on key data to demonstrate compliance with design rules
Opportunities
Enablement
User Attributes
Attribute - Opportunities and Enablement
55. Anonymous
4
Consistent
23, 41
Current
7
Duty Segregated
12
Educated and Aware
31.4
Informed
6
Motivated
25
Protected
21
Reliable
16
Responsive
5
Supported
6
Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model.
Penetration test. (Could access privileges should be be regarded as “hard,” but only if a penetration is achieved. Failure to penetrate does not mean that penetration is impossible.)
A definition of “quality” is needed against which to compare.
Response time
Competence surveys
Focus groups or satisfaction surveys
Focus groups or satisfaction surveys
Conformance with design style guides Red team review
Refresh rates at the data source and replication of source and replication of refreshed data to the destination.
Functional testing
Rigorous proof of system functionality Red team review
56. Timely
41
Transparent
4
Usable
12
Automated
33.32
Change-Managed
39
Controlled
30
Cost Effective
27
Efficient
29
Maintanable
6
Documented execution of a preventive maintenance schedule for both hardware and software, correlated against targets for continuity of service, such as mean time between failures (MTBF)
Individual budgets for the phases of development and for on-going operation, maintenance and support
A target efficiency ratio based on (Input value)/(Output value)
Documented change management system, with change management history, evaluated by history, evaluated by independent audit
Independent audit and review against Security Architecture Capability Maturity Model
Numbers of “clicks” or keystrokes required. Conformance with industry standards, e.g., color palettes. Feedback from focus groups.
Management Attributes
Independent design review
Refresh rates at the data source and replication of refreshed data to the destination.
Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model
57. Measured
6
Supportable
8
Access Controlled
12
Accountable
14.15
Assurable
14.15
Assuring Honesty
18
Auditable
14
Authenticated
19
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to authenticate successfully every claim of identity
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent false accusations that are difficult to repudiate
Independent audit and review against Security Architecture Capability Maturity ModelDocumented target configuration exists under change control with a capability to check current configuration against this target Independent audit and review against Security Architecture Capability Maturity Model
Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to hold accountable all authorized parties
Documented standards exist against which to audit Independent audit and review against Security Architecture Capability Maturity Model
Fault-tracking system providing measurements of MTBF, MTTR (mean time to repair), and maximum time to repair, with targets for each parameter
Risk Management Attributes
Reporting of all unauthorised access attempts, including number of incidents per period, severity, and result (did the access attempt succeed?)
Documented tracking and reporting of a portfolio of conventional system performance parameters, together with other attributes from this list
58. Authorised
21
Capturing New Risk
39
Confidential
17
Crime Free
36, 39
Flexibly Secure
23.33
Identified
20
Independently Secure
28
In our Sole Posession
41
Independent audit and review against Security Architecture Capability Maturity Model
Proof of uniqueness of naming schemes
Independent audit and review against Security Architecture Capability Maturity Model of technical security architecture at conceptual, logical, and physical layers
Reporting of all incidents of crime, including number of incidents per period, severity, and type of crime
Independent audit and review against Security Architecture Capability to Maturity Model
Percentage of vendor published patches and upgrades actually installedIndependent audit and review against Security Architecture Capability Maturity Model of a documented risk assessment process and a risk assessment history
Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
Reporting of all unauthorized actions, including number of incidents per period, severity, and result (did the action succeed?) Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to detect unauthorized actions
59. Integrity Assured
19
Non-Repudiable
19
Owned
23
Private
12.16
Trustworthy
12.16
Admissable
5,7,14
Compliant
41.24
Legal/Regulatory Attributes
Independent audit and review against Security Architecture Capability Maturity Model by computer forensics expert
Independent compliance audit with respect to the inventories of regulations, laws, policies, etc.
Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
Focus groups or satisfaction surveys researching the question “Do you trust the service?”
Reporting of all incidents of unresolved repudiations, including number of incidents per period, severity, and type of repudiationIndependent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent repudiations that cannot be easily resolved
Independent audit and review against Security Architecture Capability Maturity Model of the ownership arrangements and of the management processes by which owners should fulfil their responsibilities, and of their diligence in so doing
Reporting of all incidents of compromise, including number of incidents per period, severity, and type of compromise Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to detect integrity compromise incidents
60. Enforceable
25,26,14
Insurable
15,27,9, 11, 13
Legal
16,18,14,11, 13
Liability Managed
36,19,11, 13
Regulated
19,2,14
Resolvable
19.2
Time-Bound
35.41
Architecturally Open
29.32
Independent functional design review against specified functional requirements
Technology Strategy Attributes
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)
Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable regulations to check for completeness and suitability
Independent audit and review against Security Architecture Capability Maturity Model Maturity Model by legal expert
Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable laws to check for completeness and suitability
Independent legal expert review of all applicable contracts, SLAs, etc.
Independent review of: (1) inventory of contracts, policies, regulations and laws for completeness, and (2) enforceability of contracts, policies, laws, and regulations on the inventory
Verify against insurance quotations
61. COTS/GOTS
32
Extendible
33
Flexible / Adaptable
33
Future Proof
37
Legacy Sensitive
37.38
Migratable
38
Multi-Sourced
40
Scalable
40
Simple
31
Standards Compliant
24
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Independent audit and review of: (1) the inventory of standards to check for completeness and appropriateness, and (2) compliance with stan¬dards on the inventory
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture at the component level
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Independent audit and review against Security Architecture Capability Maturity Mode of technical architecture (conceptual, logical, and physical)
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical & physical)
62. Traceable
19, 20, 22
Upgrdeable
38
Available
6
Continuous
6
Detectable
10
Error-Free
18
Inter-Operable
38
Monitored
22.24
Productive
5
Recoverable
18
Business Strategy Attributes
User output targets related to specific business activities
As specified in the SLA.
Specific interoperability requirements
Independent audit and review against Security Architecture Capability Maturity Model
Functional testing
Percentage or absolute error rates (per transaction, per batch, per time period, etc.)
Operational Attributes
As specified in the SLA
Percentage up-time correlated versus scheduled and/or unscheduled downtime, or MTBF, or MTTR
Independent expert review of documented traceability matrices and trees
Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
63. Brand Enhancing
1
Business Enabled
2
Competent
1.4
Confident
4
Credible
5
Culture-Sensitive
16
Enabling-Time-to- Market
41
Governable
8, 16
Provide Good Stewardship and Custody
3,12,21
Providing Investment Re- use
38
Independent audit, or focus groups, or satisfaction surveys
Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (con-ceptual, logical, physical, and component)
Business management focus group
Senior management focus group. Independent audit and review against Security Architecture Capability Maturity Model for governance
Independent audit, or focus groups, or satisfaction surveys
Independent audit and review of (1) the inventory of requirements in this area to check for completeness and appropriateness, and (2) compliance of system functionality with this set of requirements
Independent audit, or focus groups, or satisfaction surveys
Independent audit, or focus groups, or satisfaction surveys
Market surveys
Business management focus group
64. Providing Return On Investment
2
Reputable
8
Financial returns and RoI indices selected in consultation with the Chief Financial OfficerQualitative value propositions tested by opinion surveys at senior management and boardroom level
Independent audit, or focus groups, or satisfaction surveysCorrelation of the stock value of the organization versus publicity of system event history
65. Posture
Recover
Maturity
Entrench
Compliance
Architecture Enablers (Aligned to Inf. Sec. Strategy)
Management Activity Enablers
66.
67.
68.
69.
70.
71.
72.
73.
74.
75.
76. Destruction of Information and/or other Resources
Corruption or Modification of Information
Theft, Removal or Loss of Information and/or other Resources
Disclosure of Information
Interruption of Services
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Y
Security Threat
Data Confidentiality
Data Integrity
Non-Repudiation
Mapping Security Dimensions to Security Threats
The intersection of each Security Layer with each Security Plane represents a security perspective where Security Dimensions are applied to counteract the threats.
Privacy
Access Control
Security Dimension
Authentication
Availability
Communication Flow Security
77.
78. Contextual Architecture - Security Review
Business Attributes
The business attributes can be defined as follows: -What are the business goals for the requirement? -What are the business objectives for the requirement? -What ar the business targets for the requirement? -What business assets will be affected by this requirement?
Business Requirement
Business Drivers for Security
Business-level assets, goals & objectives
The business requirement abstracted into one or more statements of security-relevance to the business requirement: -What are the security pre-requisites for the requirement? -What can security do to protect / enhance / support the business in the context of the requirement?
The contextual architecture captures and presents the full set of relevant requirements for the scope of the assignment
79.
80. Conceptual layer sets out the strategy for treating risk and meeting the control and enablement objectives
Business Attributes
Conceptual Architecture - Security Review
The business attributes can be defined as follows: -What are the business goals for the requirement? -What are the business objectives for the requirement? -What ar the business targets for the requirement? -What business assets will be affected by this requirement?
Business Risks - Attributes
The business risks for attributes are as follows: -What are the identified risks? -What are the architectural controls? -What ar the security controls? -What management acitvity controls are in place?
Business Opportunites - Attributes
The business opportunities for attributes are as follows: -What are the identified opportunites? -What are the architectural enablers? -What ar the security enablers? -What management acitvity enablers are in place?
Business Requirement
Business-level assets, goals & objectives
Business Drivers for Security
The business requirement abstracted into one or more statements of security-relevance to the business requirement: -What are the security pre-requisites for the requirement? -What can security do to protect / enhance / support the business in the context of the requirement?
81.
82. Access Control
Authentication
Availability
Communication Flow Security
Data Confidentiality
Data Integrity
Non- Repudiation
Privacy
Business Driver
Business Attribute
The user that will be using the application
The provider of the software
Middleware or Enterprise Services Bus
Logical Architecture - Security Review
Application Provider
Application Middleware
Security Dimensions
Application Security
Application User
83. Is the software provided by an ISV
Code Integrity refers to protecting assets used to build and run application object code to ensure that what is delivered to service management for deployment has not been tampered with or incorporated any unknown source code.
Image Integrity covers the entire runtime stack, from operating system to middleware components and application platforms that are needed to run the application or service.
Secure provisioning ensures that handing over code to release management for installation and configuration of dependent software infrastructure is done in accordance with security policy and, in certain cases, per contract with the customer.
Image Provisioning manages access to the image contents. Image provisioning manages access to the image for deployment, defining who can access and deploy instances of the image in a production environment.
Image Provisioning
Service Provider
Code Integrity
Image Integrity
Release Provisioning
84. Static Code Analysis refers to the tools and processes that are usually instituted by a software development team or a build team to examine all the artifacts and components that are used to build an application. The analysis looks for security vulnerabilities and poor coding practices that can create security, performance, or other problems.
Runtime Analysis, or software profiling, refers to the ability to observe a running software system and analyze its behavior to detect vulnerabilities in the code.
In a Software Escrow, a third party keeps a copy of the source code, and possibility other materials, which it will release to the customer only if specific ciumstances arise, mainly if the vendor who developed the code goes out of business or for some reason is not meeting the obligations and responsibilities
Business Driver
Business Attribute
Data Discovery is the process of identifying all the data repositories in the organization and analyzing the schema and data values and data patterns to identify relationships between the database elements.
Static Code Analysis
Data Discovery
Runtime Analysis
Software Escrow
Data Security
85. Data Classification manages both lower-level, logical data classification and business level classifications.
Data Assurance processes provide a governance checkpoint for aggregation, redaction, and obfuscation requirements to ensure confidentiality and privacy.
Data Redaction refers to methods for eliminating sensitive or confidential data from a data set based on policy rules before it is given to a receiver.
Data Retention capabilities cover both backup and archive tools and processes.
Data Disposal refers to the tools and processes to delete data from a system that is no longer needed and required by law or policy to be retained.
Business Driver
Business Attribute
The perimeter defense sits at the edge of the internal network and protects it against unauthorized access
The network infrastructure segregates the network into manageable and isolated areas and prevents unauthorized access between subnets. It also provides various services, like monitoring, that track suspicious events happening on the internal network.
The host defenses protect individual systems and the applications they run.
Data Assurance
Data Retention
Data Redaction
Data Disposal
Data Classification
Network Infrastructure Protection
Infrastructure Security
Perimeter Defence
Host Defences
86. Data security protects data in transit and data stored on disk to provide the requisite confidentiality, integrity andavailability.
Business Driver
Business Attribute
Software Replication and Back-
Trusted Time
User Interface for Security
Security Policy Management
Security Service Management
Stored Data Confidentiality
Stored Data Integrity Protection
Software Integrity Protection
Software Licensing Protection
System Configuration
Data Replication and Back-Up
Message Contents
Non-Repudiation
Traffic Flow Confidentiality
Authorisation
Logical Access Control
Audit Trails
Entity Authentication
Session Authentication
Message Origin Authentication
Message Integrity Protection
Message Replay Protection
Entity Unique Naming
Entity Registration
Entity Public Key Certification
Entity Credentials Certification
Directory Service
Data Security Mechanisms
Security Services
87. Intrusion Detection
Incident Response
Environmental Security
User Support
Disaster recovery
Crisis Management
System Audit
Physical Security
Personnel Security
Security Operations
Security Provisioning
Security Administration
Security Monitoring
Security Measurements and
Security Alarm Management
Security Training and
88.
89.
90.
91. Access Control
Authentication
Availability
Communication Flow Security
Data Confidentiality
Data Integrity
Non- Repudiation
Privacy
Management Plane
Control Plane
End- User Plane
Business Driver
Business Attribute
Application User
The user that will be using the application
Application Provider
The provider of the software
Application Middleware
Middleware or Enterprise Services Bus
Software Escrow
In a Software Escrow, a third party keeps a copy of the source code, and possibility other materials, which it will release to the customer only if specific ciumstances arise, mainly if the vendor who developed the code goes out of business or for some reason is not meeting the obligations and responsibilities
Service Provider
Is the software provided by an ISV
Physical Architecture - Security Review
Security Planes
Security Dimensions
Application Security
92. Code Integrity
Code Integrity refers to protecting assets used to build and run application object code to ensure that what is delivered to service management for deployment has not been tampered with or incorporated any unknown
Image Integrity
Image Integrity covers the entire runtime stack, from operating system to middleware components and application platforms that are needed to run the application or service.
Release Provisioning
Secure provisioning ensures that handing over code to release management for installation and configuration of dependent software infrastructure is done in accordance with security policy and, in certain cases, per
Image Provisioning
Image Provisioning manages access to the image contents. Image provisioning manages access to the image for deployment, defining who can access and deploy instances of the image in a production environment.
Static Code Analysis
Static Code Analysis refers to the tools and processes that are usually instituted by a software development team or a build team to examine all the artifacts and components that are used to build an application. The analysis looks for security vulnerabilities and poor coding practices that can create security,
Runtime Analysis
Runtime Analysis, or software profiling, refers to the ability to observe a running software system and analyze its behavior to detect vulnerabilities in the code.
Business Driver
Business Attribute
Data Security
93. Data Discovery
Data Discovery is the process of identifying all the data repositories in the organization and analyzing the schema and data values and data patterns to identify relationships between the database elements.
Data Classification
Data Classification manages both lower-level, logical data classification and business level
Data Assurance
Data Assurance processes provide a governance checkpoint for aggregation, redaction, and obfuscation requirements to ensure confidentiality and privacy.
Data Redaction
Data Redaction refers to methods for eliminating sensitive or confidential data from a data set based on policy rules before it is given to a receiver.
Data Retention
Data Retention capabilities cover both backup and archive tools and processes.
Data Disposal
Data Disposal refers to the tools and processes to delete data from a system that is no longer needed and required by law or policy to be
Business Driver
Business Attribute
Perimeter Defence
The perimeter defense sits at the edge of the internal network and protects it against unauthorized access
Network Infrastructure Protection
The network infrastructure segregates the network into manageable and isolated areas and prevents unauthorized access between subnets. It also provides various services, like monitoring, that track suspicious events happening on the internal network.
Host Defences
The host defenses protect individual systems and the applications they run.
Infrastructure Security
94. Data Security Mechanisms
Data security protects data in transit and data stored on disk to provide the requisite confidentiality, integrity andavailability.
Business Driver
Business Attribute
Logical Service
Physical Mechanism
Entity Unique Naming
Naming standardsNaming procedure Directory system
Entity Registration
Registration policy Registration authority system Registration procedure
Entity Public Key Certification
Certification policy Certification authority system Certification procedure Certificate syntax standards Certificate publishing mechanism (directory) Certificate revocation list (CRL) CRL publishing and management (directory)
Entity Credentials Certification
Certification policy Certification authority system Certification procedure Certificate syntax standards Certificate publishing mechanism (directory) Certificate revocation list (CRL) CRL publishing and management (directory)
Security Services
95. Directory Service
Directory system Directory access protocols Directory object and attribute syntax rules Directory replication
Entity Authentication
Login procedure User passwords and tokens Client user agents for authentication Authentication exchange protocols Authentication server system Directory system
Session Authentication
Mutual two-way and three-way authentication exchanges Session context (finite state machine)
Message Origin Authentication
Message source identifiers, protected by: Message integrity checksums Digital signatures Hashing
Message Integrity Protection
Message integrity checksums Digital signatures Hashing
Message Replay Protection
Message nonce values protected by message integrity checksums
Message Contents Confidentiality
Message contents encryption Encryption key management Routing control to physically secure networks
Non-Repudiation
Digital signatures Notarisation servers Transaction logs Trusted third party certification / arbitration
96. Traffic Flow Confidentiality
Traffic padding
Authorisation
Roles Fixed role associations with entities Real-time role association with entities Authorisation certificates
Logical Access Control
Local access control agents Local role access control lists (ACLs) Central access manager (CAM) CAM role ACLs Central application access control agents Central application role ACLs Database management system mechanisms File system mechanisms
Audit Trails
Event logs Event log integrity protection mechanisms Event log browsing tools Event log analysis tools Reporting tools
Stored Data Confidentiality
Logical access control mechanisms Physical access control mechanisms Stored data encryption Media storage security Media disposal procedures
Stored Data Integrity Protection
Message integrity checksums Digital signatures Hashing
97. Software Integrity Protection
Development lifecycle controls Delivery and installation controls Production system configuration control Production system change control Production system management authorisation Crypto-checksums on object code images Regular inspection of object code images and checksums Anti-virus tools
Software Licensing Protection
Software metering
System Configuration Protection
Production system configuration control Production system change control Production system management authorisation Cryptographic checksums on configuration data files Regular inspection of configuration data files and checksums
Data Replication and Back-Up
Regular back-up copying Back-up media management: labelling, indexing, transport, storage, retrieval, media recycling, media disposal
Software Replication and Back-Up
Master software media management: labelling, indexing, transport, storage, retrieval
Trusted Time
Secure time server with clock Secure time server protocols
User Interface for Security
GUI login screens GUI security message screens Single sign-on mechanism Ergonomic design of authentication devices
Security Policy Management
Data content monitoring and filtering Real-time system monitoring
98. Security Service Management
Security service management sub-system Secure management protocols Management agents in managed components Access control at all agents and sub-systems Security alarms
Security Training and Awareness
Training courses Training manuals and documentation Publicity campaigns
Security Operations Management
Operator authentication mechanisms Operator activity logs Operations event logs
Security Provisioning
Security service management sub-system Secure management protocols Management agents in managed components Access control at all agents and sub-systems
Security Administration
Security service management sub-system Secure management protocols Management agents in managed components Access control at all agents and sub-systems Security alarms
Security Monitoring
User activity logs Application event logs Operator activity logs Management event logs Event log browsing and analysis
Security Measurements and Metrics
Cryptographic test mechanisms Inspection tools Penetration testing Statistical tests
Security Alarm Management
Security alarms Security alarm monitoring
99. Intrusion Detection
Intrusion ‘signature’ analysis on network traffic Real-time system monitoring Alarms
Incident Response
Data collection and analysis Incident assessment procedures Response action management procedures
User Support
Help desk Trouble ticketing system
Disaster recovery
Data back-ups Software back-ups Data restoration procedures Off-site back-up storage Back-up media management: indexing, labelling, transport, storage, retrieval, recycling, disposal
Crisis Management
Vested authority in a crisis manager and crisis management team Assessment procedures Escalation procedures
System Audit
Independent inspection Regular scanning with system audit tools
Physical Security
Secure premises with locks, guards, etc Locked rooms for servers, operations and communications Physical protection for cabling Authorisation procedures Identification badges and visitor procedures Supervision of contract engineers etc
100. Personnel Security
Hiring, background checking and vetting procedures Training courses, booklets, publicity campaigns Disciplinary procedures
Environmental Security
Site-selection procedures Fire prevention, detection and quenching Flood avoidance, detection and removal Air temperature and humidity controls Electrical power protection mechanisms