SlideShare a Scribd company logo

Information Security Governance - 2008 - Brotby - Appendix A SABSA Business Attributes and Metrics_2.pdf

D
dharmaonline86

Information Security Governance - 2008 - Brotby - Appendix A SABSA Business Attributes and Metrics

Technology
1 of 17
Download to read offline
Information Security Governance. By Krag Brotby 163 Copyright © 2009 John Wiley & Sons, Inc. Appendix A SABSA Business Attributes and Metrics Business Metric Suggested attribute Attribute explanation type measurement approach User attributes. These attributes are related to the user’s experience of interacting with the business system. Accessible Information to which the user Soft Search tree depth is entitled to gain access should necessary to find the be easily found and accessed by information that user. Accurate The information provided to Hard Acceptance testing on users should be accurate within key data to demonstrate a range that has been preagreed compliance with design upon as being applicable to the rules service being delivered. Anonymous For certain specialized types of Hard Rigorous proof of system service, the anonymity of the functionality user should be protected. Soft Red team review* Consistent The way in which log-in, Hard Conformance with navigation, and target services design style guides are presented to the user should Soft Red team review be consistent across different times, locations, and channels of access. app-a.qxd 3/5/2009 6:30 PM Page 163
Business Metric Suggested attribute Attribute explanation type measurement approach Current Information provided to users Hard Refresh rates at the data should be current and kept up source and replication of to date, within a range that has refreshed data to the been preagreed upon as being destination applicable for the service being delivered. Duty- For certain sensitive tasks, the Hard Functional testing segregated duties should be segregated so that no user has access to both aspects of the task. Educated The user community should be Soft Competence surveys and aware educated and trained so that they can embrace the security culture There should be sufficient user awareness of security issues so that behavior of users is compliant with security policies. Informed The user should be kept fully Soft Focus groups or informed about services, satisfaction surveys operating procedures, operational schedules, planned outages, and so on. Motivated The interaction with the system Soft Focus groups or should add positive motivation satisfaction surveys to the user to complete the business tasks at hand. Protected The user’s information and Soft Penetration test. (Could access privileges should be be regarded as “hard,” protected against abuse by other but only if a penetration users or by intruders. is achieved. Failure to penetrate does not mean that penetration is impossible.) Reliable The services provided to the Soft A definition of “quality” user should be delivered at a is needed against which reliable level of quality. to compare. Responsive The users obtain a response Hard Response time within a satisfactory period of time that meets their expectations. 164 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 164 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Supported When a user has problems or Soft Focus groups or difficulties in using the system satisfaction surveys. or its services, there should be Independent audit and a means by which the user can review against Security receive advice and support so Architecture Capability that the problems can be Maturity Model† resolved to the satisfaction of the user. Timely Information is delivered or Hard Refresh rates at the data made accessible to the user source and replication of at the appropriate time or refreshed data to the within the appropriate time destination period. Transparent Providing full visibility to the Soft Focus groups or user of the logical process but satisfaction surveys. hiding the physical structure of Independent audit and the system (as a url hides the review against Security actual physical locations of Architecture Capability Web servers). Maturity Model† Usable The system should provide Soft Numbers of “clicks” or easy-to-use interfaces that can keystrokes required. be navigated intuitively by a Conformance with user of average intelligence and industry standards, e.g., training level (for the given color palettes. Feedback system). The user’s experience from focus groups. of these interactions should be at best interesting and at worst neutral. Management attributes. This group of attributes is related to the ease and effectiveness with which the business system and its services can be managed. Automated Wherever possible (and Soft Independent design depending upon cost/benefit review factors) the management and operation of the system should be automated. SABSA Business Attributes and Metrics 165 app-a.qxd 3/5/2009 6:30 PM Page 165 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Change- Changes to the system should Soft Documented change managed be properly managed so that the management system, impact of every change is with change management evaluated and the changes are history, evaluated by approved in advance of being independent audit implemented. Controlled The system should at all times Soft Independent audit and remain in the control of its review against Security managers. This means that the Architecture Capability management will observe the Maturity Model† operation and behavior of the system, will make decisions about how to control it based on these observations, and will implement actions to exert that control. Cost- The design, acquisition, Hard Individual budgets for effective implementation, and operation the phases of of the system should be achieved development and for at a cost that the business finds ongoing operation, acceptable when judged against maintenance and support the benefits derived. Efficient The system should deliver the Hard A target efficiency ratio target services with optimum based on (Input efficiency, avoiding wastage of value)/(Output value) resources. Maintainable The system should capable of Soft Documented execution being maintained in a state of of a preventive mainte- good repair and effective, nance schedule for both efficient operation. The actions hardware and software, required to achieve this should correlated against targets feasible within the normal for continuity of service, operational conditions of the such as mean time system. between failures (MTBF) Measured The performance of the system Hard Documented tracking should be measured against a and reporting of a variety of desirable performance portfolio of conventional targets so as to provide feedback system performance information to support the parameters, together with management and control process. other attributes from this list 166 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 166 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Supportable The system should be capable of Hard Fault-tracking system being supported in terms of both providing measurements the users and the operations of MTBF, MTTR (mean staff, so that all types of time to repair), and problems and operational maximum time to repair, difficulties can be resolved. with targets for each parameter Operational attributes. These attributes describe the ease and effectiveness with which the business system and its services can be operated. Available The information and services Hard As specified in the SLA provided by the system should be available according to the requirements specified in the service-level agreement (SLA). Continuous The system should offer Hard Percentage up-time “continuous service.” The exact correlated versus definition of this phrase will scheduled and/or always be subject to a SLA. unscheduled downtime, or MTBF, or MTTR Detectable Important events must be Hard Functional testing detected and reported. Error-free The system should operate Hard Percentage or absolute without producing errors. error rates (per transaction, per batch, per time period, etc.) Interoperable The system should interoperate Hard Specific interoperability with other similar systems, both requirements immediately and in the future, as intersystem communication becomes increasingly a requirement. Monitored The operational performance of Soft Independent audit and the system should be review against Security continuously monitored to Architecture Capability ensure that other attribute Maturity Model† specifications are being met. Any deviations from acceptable limits should be notified to the systems management function. SABSA Business Attributes and Metrics 167 app-a.qxd 3/5/2009 6:30 PM Page 167 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Productive The system and its services Hard User output targets should operate so as to sustain related to specific and enhance productivity of the business activities users, with regard to the business processes in which they are engaged. Recoverable The system should be able to Hard As specified in the SLA. be recovered to full operational status after a breakdown or disaster, in accordance with the SLA. Risk management attributes. These attributes describe the business requirements for mitigating operational risk. This group most closely relates to the “security requirements” for protecting the business. Access- Access to information and Hard Reporting of all controlled functions within the system unauthorised access should be controlled in attempts, including accordance with the authorized number of incidents per privileges of the party requesting period, severity, and the access. Unauthorized access result (did the access should be prevented. attempt succeed?) Accountable All parties having authorized Soft Independent audit and access to the system should be review against Security held accountable for their Architecture Capability actions. Maturity Model† with respect to the ability to hold accountable all authorized parties Assurable There should be a means to Hard Documented standards provide assurance that the exist against which to system is operating as expected audit and that all of the various Soft Independent audit and controls are correctly review against Security implemented and operated. Architecture Capability Maturity Model† 168 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 168 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Assuring Protecting employees against Soft Independent audit and honesty false accusations of dishonesty review against Security or malpractice. Architecture Capability Maturity Model† with respect to the ability to prevent false accusations that are difficult to repudiate Auditable The actions of all parties having Soft Independent audit and authorized access to the system, review against Security and the complete chain of events Architecture Capability and outcomes resulting from these Maturity Model† actions, should be recorded so that this history can be reviewed. The audit records should provide an appropriate level of detail, in accordance with business needs. The actual configuration of the Hard Documented target system should also be capable configuration exists of being audited so as to under change control compare it with a target with a capability to configuration that represents the check current configur- implementation of the security ation against this target policy that governs the system. Soft Independent audit and re- view against Security Architecture Capability Maturity Model† Authenticated Every party claiming a unique Soft Independent audit and identity (i.e., a claimant) should review against Security be subject to a procedure that Architecture Capability verifies that the party is indeed Maturity Model† with the authentic owner of the respect to the ability to claimed identity. authenticate successfully every claim of identity Authorized The system should allow only Hard Reporting of all those actions that have been unauthorized actions, explicitly authorized. including number of incidents per period, severity, and result (did the action succeed?) SABSA Business Attributes and Metrics 169 app-a.qxd 3/5/2009 6:30 PM Page 169 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Authorized Soft Independent audit and (cont.) review against Security Architecture Capability Maturity Model† with respect to the ability to detect unauthorized actions Capturing New risks emerge over time. Hard Percentage of vendor- new risks The system management and published patches and operational environment should upgrades actually provide a means to identify and installed assess new risks (new threats, Soft Independent audit and new impacts, or new review against Security vulnerabilities). Architecture Capability Maturity Model† of a documented risk assessment process and a risk assessment history Confidential The confidentiality of Hard Reporting of all (corporate) information should disclosure incidents, be protected in accordance with including number of security policy. Unauthorized incidents per period, disclosure should be prevented. severity, and type of disclosure Crime-free Cyber-crime of all types should Hard Reporting of all incidents be prevented. of crime, including number of incidents per period, severity, and type of crime Flexibly Security can be provided at Soft Independent audit and secure various levels, according to review against Security business need. The system Architecture Capability should provide the means to Maturity Model† secure information according to these needs, and may need to offer different levels of security for different types of information (according to security classification). 170 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 170 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Identified Each entity that will be granted Hard Proof of uniqueness of access to system resources and naming schemes each object that is itself a system resource should be uniquely identified (named) such that there can never be confusion as to which entity or object is being referenced. Independently The security of the system Soft Independent audit and secure should not rely upon the security review against Security of any other system that is not Architecture Capability within the direct span of control Maturity Model† of of this system. technical security architecture at conceptual, logical, and physical layers In our Information that has value to Soft Independent audit and sole the business should be in the review against Security possession possession of the business, Architecture Capability stored and protected by the Maturity Model† system against loss (as in no longer being available) or theft (as in being disclosed to an unauthorised party). This will include information that is regarded as “intellectual property.” Integrity- The integrity of information Hard Reporting of all incidents assured should be protected to provide of compromise, assurance that it has not suffered including number of unauthorized modification, incidents per period, duplication, or deletion. severity, and type of compromise Soft Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to detect integrity compromise incidents SABSA Business Attributes and Metrics 171 app-a.qxd 3/5/2009 6:30 PM Page 171 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Non- When one party uses the system Hard Reporting of all incidents repudiable to send a message to another of unresolved party, it should not be possible repudiations, including for the first party to falsely deny number of incidents per having sent the message, or to period, severity, and type falsely deny its contents. of repudiation Soft Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to prevent repudiations that cannot be easily resolved Owned There should be an entity Soft Independent audit and designated as “owner” of every review against Security system. This owner is the policy Architecture Capability maker for all aspects of risk Maturity Model† of the management with respect to the ownership arrangements system, and exerts the ultimate and of the management authority for controlling the processes by which system. owners should fulfil their responsibilities, and of their diligence in so doing Private The privacy of (personal) Hard Reporting of all information should be disclosure incidents, protected in accordance with including number of relevant privacy or “data incidents per period, protection” legislation, so as severity, and type of to meet the reasonable disclosure expectation of citizens for privacy. Unauthorized disclosure should be prevented. Trustworthy The system should be able to be Soft Focus groups or trusted to behave in the ways satisfaction surveys specified in its functional researching the question specification and should protect “Do you trust the against a wide range of potential service?” abuses. 172 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 172 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Legal and regulatory attributes. This group of attributes describes the business requirements for mitigating operational risks that have a specific legal or regulatory connection. Admissible The system should provide Soft Independent audit and forensic records (audit trails and review against Security so on) that will be deemed to be Architecture Capability “admissible” in a court of law, Maturity Model† by should that evidence ever need computer forensics to be presented in support of a expert criminal prosecution or a civil litigation. Compliant The system should comply with Soft Independent compliance all applicable regulations, laws, audit with respect to the contracts, policies, and inventories of mandatory standards, both regulations, laws, internal and external. policies, etc. Enforceable The system should be designed, Soft Independent review of: implemented and operated such (1) inventory of contracts, that all applicable contracts, policies, regulations and policies, regulations, and laws laws for completeness, can be enforced by the system. and (2) enforceability of contracts, policies, laws, and regulations on the inventory Insurable The system should be risk- Hard Verify against insurance managed to enable an insurer to quotations offer reasonable commercial terms for insurance against a standard range of insurable risks Legal The system should be designed, Soft Independent audit and implemented, and operated in review against Security accordance with the requirements Architecture Capability of any applicable legislation. Maturity Model.† Examples include data protection Verification of the laws, laws controlling the use of inventory of applicable cryptographic technology, laws laws to check for controlling insider dealing on the completeness and stock market, and laws governing suitability information that is considered racist, seditious, or pornographic. SABSA Business Attributes and Metrics 173 app-a.qxd 3/5/2009 6:30 PM Page 173 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Liability- The system services should be Soft Independent legal expert managed designed, implemented and review of all applicable operated so as to manage the contracts, SLAs, etc. liability of the organization with regard to errors, fraud, malfunction, and so on. In particular, the responsibilities and liabilities of each party should be clearly defined. Regulated The system should be designed, Soft Independent audit and implemented, and operated in review against Security accordance with the require- Architecture Capability ments of any applicable Maturity Model† . regulations. These may be Verification of the general (such as safety inventory of applicable regulations) or industry-specific regulations to check for (such as banking regulations). completeness and suitability Resolvable The system should be designed, Soft Independent audit and implemented and operated in review against Security such a way that disputes can be Architecture Capability resolved with reasonable ease Maturity Model† by legal and without undue impact on expert time, cost, or other valuable resources. Time-bound Meeting requirements for max- Hard Independent functional imum or minimum periods of design review against time, for example, a minimum specified functional period for records retention or requirements a maximum period within which something must be completed. Technical strategy attributes. This group of attributes describes the needs for fitting into an overall technology strategy. Architectur- The system architecture should, Soft Independent audit and ally open wherever possible, not be locked review against Security into specific vendor interface Architecture Capability standards and should allow Maturity Model† of flexibility in the choice of technical architecture vendors and products, both (conceptual, logical, and initially and in the future. physical) 174 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 174 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach COTS/GOTS Wherever possible, the system Soft Independent audit and compliant should utilize commercial off- review against Security the-shelf or government off-the- Architecture Capability shelf components, as appropriate. Maturity Model† of technical architecture (conceptual, logical, and physical) Extendable The system should be capable Soft Independent audit and of being extended to incorporate review against Security new functional modules as Architecture Capability required by the business. Maturity Model† of technical architecture (conceptual, logical & physical) Flexible & The system should be flexible Soft Independent audit and Adaptable and adaptable to meet new review against Security business requirements as they Architecture Capability emerge. Maturity Model† of technical architecture (conceptual, logical, and physical) Future-proof The system architecture should Soft Independent audit and be designed as much as possible review against Security to accommodate future changes Architecture Capability in both business requirements Maturity Model† of and technical solutions. technical architecture (conceptual, logical, and physical) Legacy- A new system should be able to Soft Independent audit and sensitive work with any legacy systems review against Security or databases with which it needs Architecture Capability to interoperate or integrate. Maturity Model† of technical architecture (conceptual, logical, and physical) Migrateable There should be a feasible, Soft Independent audit and manageable migration path, review against Security acceptable to the business users, Architecture Capability that moves from an old system Maturity Model† of to a new one, or from one technical architecture released version to the next. (conceptual, logical, and physical) SABSA Business Attributes and Metrics 175 app-a.qxd 3/5/2009 6:30 PM Page 175 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Multisourced Critical system components Soft Independent audit and should be obtainable from more review against Security than one source, to protect Architecture Capability against the risk of the single Maturity Model† of source of supply and support technical architecture at being withdrawn. the component level Scaleable The system should be scaleable Soft Independent audit and to the size of user community, review against Security data storage requirements, Architecture Capability processing throughput, and so Maturity Model† of on that might emerge over the technical architecture lifetime of the system. (conceptual, logical, and physical) Simple The system should be as simple Soft Independent audit and as possible, since complexity review against Security only adds further risk. Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical) Standards The system should be designed, Soft Independent audit and compliant implemented and operated to review of: (1) the inven- comply with appropriate tory of standards to check technical and operational for completeness and standards. appropriateness, and (2) compliance with stan- dards on the inventory Traceable The development and implemen- Soft Independent expert tation of system components review of documented should be documented so as traceability matrices and to provide complete two-way trees traceability. That is, every implemented component should be justifiable by tracing back to the business requirements that led to its inclusion in the system, and it should be possible to review every business requirement and demonstrate which of the implemented system components are there to meet this requirement. 176 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 176 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Upgradeable The system should be capable Soft Independent audit and of being upgraded with ease to review against Security incorporate new releases of Architecture Capability hardware and software. Maturity Model† of technical architecture (conceptual, logical, and physical) Business strategy attributes. This group of attributes describes the needs for fitting into an overall business strategy. Brand The system should help to Soft Market surveys enhancing establish, build, and support the brand of the products or services based upon this system. Business- Enabling the business and Soft Business management enabled fulfilling business objectives focus group should be the primary driver for the system design. Competent The system should protect the Soft Independent audit, or reputation of the organization focus groups, or as being competent in its satisfaction surveys industry sector Confident The system should behave in Soft Independent audit, or such a way as to safeguard focus groups, or confidence placed in the satisfaction surveys organization by customers, suppliers, shareholders, regulators, financiers, the marketplace, and the general public. Credible The system should behave in Soft Independent audit, or such a way as to safeguard the focus groups, or credibility of the organization. satisfaction surveys Culture- The system should be designed, Soft Independent audit and sensitive built, and operated with due review of (1) the care and attention to cultural inventory of issues relating to those who will requirements in this area experience the system in any to check for way. These issues include such completeness and SABSA Business Attributes and Metrics 177 app-a.qxd 3/5/2009 6:30 PM Page 177 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Culture- matters as religion, gender, race, appropriateness, and (2) sensitive nationality, language, dress code, compliance of system (cont.) social customs, ethics, politics, functionality with this set and the environment. The of requirements objective should be to avoid or minimize offence or distress caused to others. Enabling The system architecture and Soft Business management time-to- design should allow new focus group market business initiatives to be delivered to the market with minimum delay. Governable The system should enable the Soft Senior management owners and executive managers focus group. Independent of the organization to control audit and review against the business and to discharge Security Architecture their responsibilities for Capability Maturity governance. Model† for governance Providing Protecting other parties with Soft Independent audit, or good whom we do business from focus groups, or stewardship abuse, loss of business, or satisfaction surveys and custody personal information of value to those parties through inadequate stewardship on our part. Providing As much as possible, the Soft Independent audit and investment system should be designed to review against Security reuse reuse previous investments and Architecture Capability to ensure that new investments Maturity Model† of tech- are reusable in the future. nical architecture (con- ceptual, logical, physical, and component) Providing The system should provide a Hard Financial returns and RoI return on return of value to the business indices selected in investment to justify the investment made consultation with the in creating and operating the Chief Financial Officer system. Soft Qualitative value propositions tested by opinion surveys at senior management and boardroom level 178 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 178 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
Business Metric Suggested attribute Attribute explanation type measurement approach Reputable The system should behave in Soft Independent audit, or such a way as to safeguard the focus groups, or business reputation of the satisfaction surveys organization. Hard Correlation of the stock value of the organization versus publicity of system event history SABSA Business Attributes and Metrics 179 *A red team review is an objective appraisal by an independent team of experts who have been briefed to think either like the user or like an opponent/attacker, whichever is appropriate to the objectives of the review. † The type Architectural Capability Maturity Model referred to is based upon the ideas of capability maturity models. app-a.qxd 3/5/2009 6:30 PM Page 179 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License

Recommended

Non Functional Testing
Non Functional TestingNon Functional Testing
Non Functional TestingNishant Worah
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSAMaganathin Veeraragaloo
 
ATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxSumathi Gnanasekaran
 
ATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxSumathi Gnanasekaran
 
ATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxSumathi Gnanasekaran
 
Qms
QmsQms
QmsKalpanaSingh105
 
TESTING STRATEGIES TO ENSURE A CORE BANKING TRANSFORMATION
TESTING STRATEGIES TO ENSURE A CORE BANKING TRANSFORMATIONTESTING STRATEGIES TO ENSURE A CORE BANKING TRANSFORMATION
TESTING STRATEGIES TO ENSURE A CORE BANKING TRANSFORMATIONKMSSolutionsMarketin
 
ConOps: A control system ...
ConOps: A control system ...ConOps: A control system ...
ConOps: A control system ...PMHaas
 

Recommended

Non Functional Testing
Non Functional TestingNon Functional Testing
Non Functional TestingNishant Worah
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSAMaganathin Veeraragaloo
 
ATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxSumathi Gnanasekaran
 
ATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxSumathi Gnanasekaran
 
ATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxATTRIBUTES RELATED TO SOFTWARE AGING.docx
ATTRIBUTES RELATED TO SOFTWARE AGING.docxSumathi Gnanasekaran
 
Qms
QmsQms
QmsKalpanaSingh105
 
TESTING STRATEGIES TO ENSURE A CORE BANKING TRANSFORMATION
TESTING STRATEGIES TO ENSURE A CORE BANKING TRANSFORMATIONTESTING STRATEGIES TO ENSURE A CORE BANKING TRANSFORMATION
TESTING STRATEGIES TO ENSURE A CORE BANKING TRANSFORMATIONKMSSolutionsMarketin
 
ConOps: A control system ...
ConOps: A control system ...ConOps: A control system ...
ConOps: A control system ...PMHaas
 
Cmms
CmmsCmms
Cmmsdeepakshi_aswal
 
EVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACH
EVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACHEVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACH
EVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACHPriyanka Karancy
 
IDSA at Denver IAM Meetup
IDSA at Denver IAM MeetupIDSA at Denver IAM Meetup
IDSA at Denver IAM MeetupIdentity Defined Security Alliance
 
Ch 1-Non-functional Requirements.ppt
Ch 1-Non-functional Requirements.pptCh 1-Non-functional Requirements.ppt
Ch 1-Non-functional Requirements.pptbalewayalew
 
Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018 Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018 Identity Defined Security Alliance
 
Micro Service automation by Srijit Jain
Micro Service automation by Srijit JainMicro Service automation by Srijit Jain
Micro Service automation by Srijit JainSoftware Testing Board
 
Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...
Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...
Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...IJERA Editor
 
Requirements Engineering
Requirements EngineeringRequirements Engineering
Requirements EngineeringEhsan Elahi
 
IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]Akram Abbasi
 
RELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCERELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCEkifayat ullah
 
RELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCERELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCEkifayat ullah
 
Testing Types And Models
Testing Types And ModelsTesting Types And Models
Testing Types And Modelsnazeer pasha
 
Developing supplemental performance requirements
Developing supplemental performance requirementsDeveloping supplemental performance requirements
Developing supplemental performance requirementscsk selva
 
Computer system overview
Computer system overviewComputer system overview
Computer system overviewVikrant Singh Parmar
 
Rethinking Test Automation: The Case for Moving Beyond the User Interface
Rethinking Test Automation: The Case for Moving Beyond the User InterfaceRethinking Test Automation: The Case for Moving Beyond the User Interface
Rethinking Test Automation: The Case for Moving Beyond the User InterfaceCognizant
 
Performance testing methodologies
Performance testing methodologiesPerformance testing methodologies
Performance testing methodologiesDhanunjay Rasamala
 
Best Practices for Applications Performance Testing
Best Practices for Applications Performance TestingBest Practices for Applications Performance Testing
Best Practices for Applications Performance TestingBhaskara Reddy Sannapureddy
 
GRC tools
GRC toolsGRC tools
GRC toolsRahulTripathi330262
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxjoellemurphey
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?mbmobile
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 

More Related Content

Similar to Information Security Governance - 2008 - Brotby - Appendix A SABSA Business Attributes and Metrics_2.pdf

EVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACH
EVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACHEVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACH
EVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACHPriyanka Karancy
 
Ch 1-Non-functional Requirements.ppt
Ch 1-Non-functional Requirements.pptCh 1-Non-functional Requirements.ppt
Ch 1-Non-functional Requirements.pptbalewayalew
 
Micro Service automation by Srijit Jain
Micro Service automation by Srijit JainMicro Service automation by Srijit Jain
Micro Service automation by Srijit JainSoftware Testing Board
 
Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...
Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...
Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...IJERA Editor
 
Requirements Engineering
Requirements EngineeringRequirements Engineering
Requirements EngineeringEhsan Elahi
 
IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]Akram Abbasi
 
RELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCERELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCEkifayat ullah
 
RELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCERELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCEkifayat ullah
 
Testing Types And Models
Testing Types And ModelsTesting Types And Models
Testing Types And Modelsnazeer pasha
 
Developing supplemental performance requirements
Developing supplemental performance requirementsDeveloping supplemental performance requirements
Developing supplemental performance requirementscsk selva
 
Rethinking Test Automation: The Case for Moving Beyond the User Interface
Rethinking Test Automation: The Case for Moving Beyond the User InterfaceRethinking Test Automation: The Case for Moving Beyond the User Interface
Rethinking Test Automation: The Case for Moving Beyond the User InterfaceCognizant
 
Performance testing methodologies
Performance testing methodologiesPerformance testing methodologies
Performance testing methodologiesDhanunjay Rasamala
 
Best Practices for Applications Performance Testing
Best Practices for Applications Performance TestingBest Practices for Applications Performance Testing
Best Practices for Applications Performance TestingBhaskara Reddy Sannapureddy
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxjoellemurphey
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?mbmobile
 

Similar to Information Security Governance - 2008 - Brotby - Appendix A SABSA Business Attributes and Metrics_2.pdf (20)

Cmms
CmmsCmms
Cmms
 
EVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACH
EVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACHEVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACH
EVALUATING SOFTWARE QUALITY : A QUANTITATIVE APPROACH
 
IDSA at Denver IAM Meetup
IDSA at Denver IAM MeetupIDSA at Denver IAM Meetup
IDSA at Denver IAM Meetup
 
Ch 1-Non-functional Requirements.ppt
Ch 1-Non-functional Requirements.pptCh 1-Non-functional Requirements.ppt
Ch 1-Non-functional Requirements.ppt
 
Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018 Silicon Valley IDSA Meetup October 2018
Silicon Valley IDSA Meetup October 2018
 
Micro Service automation by Srijit Jain
Micro Service automation by Srijit JainMicro Service automation by Srijit Jain
Micro Service automation by Srijit Jain
 
Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...
Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...
Extensive Security and Performance Analysis Shows the Proposed Schemes Are Pr...
 
Requirements Engineering
Requirements EngineeringRequirements Engineering
Requirements Engineering
 
IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]IS-1 Short Report [Muhammad Akram Abbasi]
IS-1 Short Report [Muhammad Akram Abbasi]
 
RELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCERELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCE
 
RELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCERELIABILITY CENTERED MAINTAINANCE
RELIABILITY CENTERED MAINTAINANCE
 
Testing Types And Models
Testing Types And ModelsTesting Types And Models
Testing Types And Models
 
Developing supplemental performance requirements
Developing supplemental performance requirementsDeveloping supplemental performance requirements
Developing supplemental performance requirements
 
Computer system overview
Computer system overviewComputer system overview
Computer system overview
 
Rethinking Test Automation: The Case for Moving Beyond the User Interface
Rethinking Test Automation: The Case for Moving Beyond the User InterfaceRethinking Test Automation: The Case for Moving Beyond the User Interface
Rethinking Test Automation: The Case for Moving Beyond the User Interface
 
Performance testing methodologies
Performance testing methodologiesPerformance testing methodologies
Performance testing methodologies
 
Best Practices for Applications Performance Testing
Best Practices for Applications Performance TestingBest Practices for Applications Performance Testing
Best Practices for Applications Performance Testing
 
GRC tools
GRC toolsGRC tools
GRC tools
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
 
How much does it cost to be Secure?
How much does it cost to be Secure?How much does it cost to be Secure?
How much does it cost to be Secure?
 

Recently uploaded

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Information Security Governance - 2008 - Brotby - Appendix A SABSA Business Attributes and Metrics_2.pdf

  • 1. Information Security Governance. By Krag Brotby 163 Copyright © 2009 John Wiley & Sons, Inc. Appendix A SABSA Business Attributes and Metrics Business Metric Suggested attribute Attribute explanation type measurement approach User attributes. These attributes are related to the user’s experience of interacting with the business system. Accessible Information to which the user Soft Search tree depth is entitled to gain access should necessary to find the be easily found and accessed by information that user. Accurate The information provided to Hard Acceptance testing on users should be accurate within key data to demonstrate a range that has been preagreed compliance with design upon as being applicable to the rules service being delivered. Anonymous For certain specialized types of Hard Rigorous proof of system service, the anonymity of the functionality user should be protected. Soft Red team review* Consistent The way in which log-in, Hard Conformance with navigation, and target services design style guides are presented to the user should Soft Red team review be consistent across different times, locations, and channels of access. app-a.qxd 3/5/2009 6:30 PM Page 163
  • 2. Business Metric Suggested attribute Attribute explanation type measurement approach Current Information provided to users Hard Refresh rates at the data should be current and kept up source and replication of to date, within a range that has refreshed data to the been preagreed upon as being destination applicable for the service being delivered. Duty- For certain sensitive tasks, the Hard Functional testing segregated duties should be segregated so that no user has access to both aspects of the task. Educated The user community should be Soft Competence surveys and aware educated and trained so that they can embrace the security culture There should be sufficient user awareness of security issues so that behavior of users is compliant with security policies. Informed The user should be kept fully Soft Focus groups or informed about services, satisfaction surveys operating procedures, operational schedules, planned outages, and so on. Motivated The interaction with the system Soft Focus groups or should add positive motivation satisfaction surveys to the user to complete the business tasks at hand. Protected The user’s information and Soft Penetration test. (Could access privileges should be be regarded as “hard,” protected against abuse by other but only if a penetration users or by intruders. is achieved. Failure to penetrate does not mean that penetration is impossible.) Reliable The services provided to the Soft A definition of “quality” user should be delivered at a is needed against which reliable level of quality. to compare. Responsive The users obtain a response Hard Response time within a satisfactory period of time that meets their expectations. 164 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 164 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 3. Business Metric Suggested attribute Attribute explanation type measurement approach Supported When a user has problems or Soft Focus groups or difficulties in using the system satisfaction surveys. or its services, there should be Independent audit and a means by which the user can review against Security receive advice and support so Architecture Capability that the problems can be Maturity Model† resolved to the satisfaction of the user. Timely Information is delivered or Hard Refresh rates at the data made accessible to the user source and replication of at the appropriate time or refreshed data to the within the appropriate time destination period. Transparent Providing full visibility to the Soft Focus groups or user of the logical process but satisfaction surveys. hiding the physical structure of Independent audit and the system (as a url hides the review against Security actual physical locations of Architecture Capability Web servers). Maturity Model† Usable The system should provide Soft Numbers of “clicks” or easy-to-use interfaces that can keystrokes required. be navigated intuitively by a Conformance with user of average intelligence and industry standards, e.g., training level (for the given color palettes. Feedback system). The user’s experience from focus groups. of these interactions should be at best interesting and at worst neutral. Management attributes. This group of attributes is related to the ease and effectiveness with which the business system and its services can be managed. Automated Wherever possible (and Soft Independent design depending upon cost/benefit review factors) the management and operation of the system should be automated. SABSA Business Attributes and Metrics 165 app-a.qxd 3/5/2009 6:30 PM Page 165 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 4. Business Metric Suggested attribute Attribute explanation type measurement approach Change- Changes to the system should Soft Documented change managed be properly managed so that the management system, impact of every change is with change management evaluated and the changes are history, evaluated by approved in advance of being independent audit implemented. Controlled The system should at all times Soft Independent audit and remain in the control of its review against Security managers. This means that the Architecture Capability management will observe the Maturity Model† operation and behavior of the system, will make decisions about how to control it based on these observations, and will implement actions to exert that control. Cost- The design, acquisition, Hard Individual budgets for effective implementation, and operation the phases of of the system should be achieved development and for at a cost that the business finds ongoing operation, acceptable when judged against maintenance and support the benefits derived. Efficient The system should deliver the Hard A target efficiency ratio target services with optimum based on (Input efficiency, avoiding wastage of value)/(Output value) resources. Maintainable The system should capable of Soft Documented execution being maintained in a state of of a preventive mainte- good repair and effective, nance schedule for both efficient operation. The actions hardware and software, required to achieve this should correlated against targets feasible within the normal for continuity of service, operational conditions of the such as mean time system. between failures (MTBF) Measured The performance of the system Hard Documented tracking should be measured against a and reporting of a variety of desirable performance portfolio of conventional targets so as to provide feedback system performance information to support the parameters, together with management and control process. other attributes from this list 166 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 166 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 5. Business Metric Suggested attribute Attribute explanation type measurement approach Supportable The system should be capable of Hard Fault-tracking system being supported in terms of both providing measurements the users and the operations of MTBF, MTTR (mean staff, so that all types of time to repair), and problems and operational maximum time to repair, difficulties can be resolved. with targets for each parameter Operational attributes. These attributes describe the ease and effectiveness with which the business system and its services can be operated. Available The information and services Hard As specified in the SLA provided by the system should be available according to the requirements specified in the service-level agreement (SLA). Continuous The system should offer Hard Percentage up-time “continuous service.” The exact correlated versus definition of this phrase will scheduled and/or always be subject to a SLA. unscheduled downtime, or MTBF, or MTTR Detectable Important events must be Hard Functional testing detected and reported. Error-free The system should operate Hard Percentage or absolute without producing errors. error rates (per transaction, per batch, per time period, etc.) Interoperable The system should interoperate Hard Specific interoperability with other similar systems, both requirements immediately and in the future, as intersystem communication becomes increasingly a requirement. Monitored The operational performance of Soft Independent audit and the system should be review against Security continuously monitored to Architecture Capability ensure that other attribute Maturity Model† specifications are being met. Any deviations from acceptable limits should be notified to the systems management function. SABSA Business Attributes and Metrics 167 app-a.qxd 3/5/2009 6:30 PM Page 167 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 6. Business Metric Suggested attribute Attribute explanation type measurement approach Productive The system and its services Hard User output targets should operate so as to sustain related to specific and enhance productivity of the business activities users, with regard to the business processes in which they are engaged. Recoverable The system should be able to Hard As specified in the SLA. be recovered to full operational status after a breakdown or disaster, in accordance with the SLA. Risk management attributes. These attributes describe the business requirements for mitigating operational risk. This group most closely relates to the “security requirements” for protecting the business. Access- Access to information and Hard Reporting of all controlled functions within the system unauthorised access should be controlled in attempts, including accordance with the authorized number of incidents per privileges of the party requesting period, severity, and the access. Unauthorized access result (did the access should be prevented. attempt succeed?) Accountable All parties having authorized Soft Independent audit and access to the system should be review against Security held accountable for their Architecture Capability actions. Maturity Model† with respect to the ability to hold accountable all authorized parties Assurable There should be a means to Hard Documented standards provide assurance that the exist against which to system is operating as expected audit and that all of the various Soft Independent audit and controls are correctly review against Security implemented and operated. Architecture Capability Maturity Model† 168 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 168 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 7. Business Metric Suggested attribute Attribute explanation type measurement approach Assuring Protecting employees against Soft Independent audit and honesty false accusations of dishonesty review against Security or malpractice. Architecture Capability Maturity Model† with respect to the ability to prevent false accusations that are difficult to repudiate Auditable The actions of all parties having Soft Independent audit and authorized access to the system, review against Security and the complete chain of events Architecture Capability and outcomes resulting from these Maturity Model† actions, should be recorded so that this history can be reviewed. The audit records should provide an appropriate level of detail, in accordance with business needs. The actual configuration of the Hard Documented target system should also be capable configuration exists of being audited so as to under change control compare it with a target with a capability to configuration that represents the check current configur- implementation of the security ation against this target policy that governs the system. Soft Independent audit and re- view against Security Architecture Capability Maturity Model† Authenticated Every party claiming a unique Soft Independent audit and identity (i.e., a claimant) should review against Security be subject to a procedure that Architecture Capability verifies that the party is indeed Maturity Model† with the authentic owner of the respect to the ability to claimed identity. authenticate successfully every claim of identity Authorized The system should allow only Hard Reporting of all those actions that have been unauthorized actions, explicitly authorized. including number of incidents per period, severity, and result (did the action succeed?) SABSA Business Attributes and Metrics 169 app-a.qxd 3/5/2009 6:30 PM Page 169 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 8. Business Metric Suggested attribute Attribute explanation type measurement approach Authorized Soft Independent audit and (cont.) review against Security Architecture Capability Maturity Model† with respect to the ability to detect unauthorized actions Capturing New risks emerge over time. Hard Percentage of vendor- new risks The system management and published patches and operational environment should upgrades actually provide a means to identify and installed assess new risks (new threats, Soft Independent audit and new impacts, or new review against Security vulnerabilities). Architecture Capability Maturity Model† of a documented risk assessment process and a risk assessment history Confidential The confidentiality of Hard Reporting of all (corporate) information should disclosure incidents, be protected in accordance with including number of security policy. Unauthorized incidents per period, disclosure should be prevented. severity, and type of disclosure Crime-free Cyber-crime of all types should Hard Reporting of all incidents be prevented. of crime, including number of incidents per period, severity, and type of crime Flexibly Security can be provided at Soft Independent audit and secure various levels, according to review against Security business need. The system Architecture Capability should provide the means to Maturity Model† secure information according to these needs, and may need to offer different levels of security for different types of information (according to security classification). 170 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 170 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 9. Business Metric Suggested attribute Attribute explanation type measurement approach Identified Each entity that will be granted Hard Proof of uniqueness of access to system resources and naming schemes each object that is itself a system resource should be uniquely identified (named) such that there can never be confusion as to which entity or object is being referenced. Independently The security of the system Soft Independent audit and secure should not rely upon the security review against Security of any other system that is not Architecture Capability within the direct span of control Maturity Model† of of this system. technical security architecture at conceptual, logical, and physical layers In our Information that has value to Soft Independent audit and sole the business should be in the review against Security possession possession of the business, Architecture Capability stored and protected by the Maturity Model† system against loss (as in no longer being available) or theft (as in being disclosed to an unauthorised party). This will include information that is regarded as “intellectual property.” Integrity- The integrity of information Hard Reporting of all incidents assured should be protected to provide of compromise, assurance that it has not suffered including number of unauthorized modification, incidents per period, duplication, or deletion. severity, and type of compromise Soft Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to detect integrity compromise incidents SABSA Business Attributes and Metrics 171 app-a.qxd 3/5/2009 6:30 PM Page 171 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 10. Business Metric Suggested attribute Attribute explanation type measurement approach Non- When one party uses the system Hard Reporting of all incidents repudiable to send a message to another of unresolved party, it should not be possible repudiations, including for the first party to falsely deny number of incidents per having sent the message, or to period, severity, and type falsely deny its contents. of repudiation Soft Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to prevent repudiations that cannot be easily resolved Owned There should be an entity Soft Independent audit and designated as “owner” of every review against Security system. This owner is the policy Architecture Capability maker for all aspects of risk Maturity Model† of the management with respect to the ownership arrangements system, and exerts the ultimate and of the management authority for controlling the processes by which system. owners should fulfil their responsibilities, and of their diligence in so doing Private The privacy of (personal) Hard Reporting of all information should be disclosure incidents, protected in accordance with including number of relevant privacy or “data incidents per period, protection” legislation, so as severity, and type of to meet the reasonable disclosure expectation of citizens for privacy. Unauthorized disclosure should be prevented. Trustworthy The system should be able to be Soft Focus groups or trusted to behave in the ways satisfaction surveys specified in its functional researching the question specification and should protect “Do you trust the against a wide range of potential service?” abuses. 172 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 172 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 11. Business Metric Suggested attribute Attribute explanation type measurement approach Legal and regulatory attributes. This group of attributes describes the business requirements for mitigating operational risks that have a specific legal or regulatory connection. Admissible The system should provide Soft Independent audit and forensic records (audit trails and review against Security so on) that will be deemed to be Architecture Capability “admissible” in a court of law, Maturity Model† by should that evidence ever need computer forensics to be presented in support of a expert criminal prosecution or a civil litigation. Compliant The system should comply with Soft Independent compliance all applicable regulations, laws, audit with respect to the contracts, policies, and inventories of mandatory standards, both regulations, laws, internal and external. policies, etc. Enforceable The system should be designed, Soft Independent review of: implemented and operated such (1) inventory of contracts, that all applicable contracts, policies, regulations and policies, regulations, and laws laws for completeness, can be enforced by the system. and (2) enforceability of contracts, policies, laws, and regulations on the inventory Insurable The system should be risk- Hard Verify against insurance managed to enable an insurer to quotations offer reasonable commercial terms for insurance against a standard range of insurable risks Legal The system should be designed, Soft Independent audit and implemented, and operated in review against Security accordance with the requirements Architecture Capability of any applicable legislation. Maturity Model.† Examples include data protection Verification of the laws, laws controlling the use of inventory of applicable cryptographic technology, laws laws to check for controlling insider dealing on the completeness and stock market, and laws governing suitability information that is considered racist, seditious, or pornographic. SABSA Business Attributes and Metrics 173 app-a.qxd 3/5/2009 6:30 PM Page 173 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 12. Business Metric Suggested attribute Attribute explanation type measurement approach Liability- The system services should be Soft Independent legal expert managed designed, implemented and review of all applicable operated so as to manage the contracts, SLAs, etc. liability of the organization with regard to errors, fraud, malfunction, and so on. In particular, the responsibilities and liabilities of each party should be clearly defined. Regulated The system should be designed, Soft Independent audit and implemented, and operated in review against Security accordance with the require- Architecture Capability ments of any applicable Maturity Model† . regulations. These may be Verification of the general (such as safety inventory of applicable regulations) or industry-specific regulations to check for (such as banking regulations). completeness and suitability Resolvable The system should be designed, Soft Independent audit and implemented and operated in review against Security such a way that disputes can be Architecture Capability resolved with reasonable ease Maturity Model† by legal and without undue impact on expert time, cost, or other valuable resources. Time-bound Meeting requirements for max- Hard Independent functional imum or minimum periods of design review against time, for example, a minimum specified functional period for records retention or requirements a maximum period within which something must be completed. Technical strategy attributes. This group of attributes describes the needs for fitting into an overall technology strategy. Architectur- The system architecture should, Soft Independent audit and ally open wherever possible, not be locked review against Security into specific vendor interface Architecture Capability standards and should allow Maturity Model† of flexibility in the choice of technical architecture vendors and products, both (conceptual, logical, and initially and in the future. physical) 174 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 174 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 13. Business Metric Suggested attribute Attribute explanation type measurement approach COTS/GOTS Wherever possible, the system Soft Independent audit and compliant should utilize commercial off- review against Security the-shelf or government off-the- Architecture Capability shelf components, as appropriate. Maturity Model† of technical architecture (conceptual, logical, and physical) Extendable The system should be capable Soft Independent audit and of being extended to incorporate review against Security new functional modules as Architecture Capability required by the business. Maturity Model† of technical architecture (conceptual, logical & physical) Flexible & The system should be flexible Soft Independent audit and Adaptable and adaptable to meet new review against Security business requirements as they Architecture Capability emerge. Maturity Model† of technical architecture (conceptual, logical, and physical) Future-proof The system architecture should Soft Independent audit and be designed as much as possible review against Security to accommodate future changes Architecture Capability in both business requirements Maturity Model† of and technical solutions. technical architecture (conceptual, logical, and physical) Legacy- A new system should be able to Soft Independent audit and sensitive work with any legacy systems review against Security or databases with which it needs Architecture Capability to interoperate or integrate. Maturity Model† of technical architecture (conceptual, logical, and physical) Migrateable There should be a feasible, Soft Independent audit and manageable migration path, review against Security acceptable to the business users, Architecture Capability that moves from an old system Maturity Model† of to a new one, or from one technical architecture released version to the next. (conceptual, logical, and physical) SABSA Business Attributes and Metrics 175 app-a.qxd 3/5/2009 6:30 PM Page 175 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 14. Business Metric Suggested attribute Attribute explanation type measurement approach Multisourced Critical system components Soft Independent audit and should be obtainable from more review against Security than one source, to protect Architecture Capability against the risk of the single Maturity Model† of source of supply and support technical architecture at being withdrawn. the component level Scaleable The system should be scaleable Soft Independent audit and to the size of user community, review against Security data storage requirements, Architecture Capability processing throughput, and so Maturity Model† of on that might emerge over the technical architecture lifetime of the system. (conceptual, logical, and physical) Simple The system should be as simple Soft Independent audit and as possible, since complexity review against Security only adds further risk. Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical) Standards The system should be designed, Soft Independent audit and compliant implemented and operated to review of: (1) the inven- comply with appropriate tory of standards to check technical and operational for completeness and standards. appropriateness, and (2) compliance with stan- dards on the inventory Traceable The development and implemen- Soft Independent expert tation of system components review of documented should be documented so as traceability matrices and to provide complete two-way trees traceability. That is, every implemented component should be justifiable by tracing back to the business requirements that led to its inclusion in the system, and it should be possible to review every business requirement and demonstrate which of the implemented system components are there to meet this requirement. 176 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 176 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 15. Business Metric Suggested attribute Attribute explanation type measurement approach Upgradeable The system should be capable Soft Independent audit and of being upgraded with ease to review against Security incorporate new releases of Architecture Capability hardware and software. Maturity Model† of technical architecture (conceptual, logical, and physical) Business strategy attributes. This group of attributes describes the needs for fitting into an overall business strategy. Brand The system should help to Soft Market surveys enhancing establish, build, and support the brand of the products or services based upon this system. Business- Enabling the business and Soft Business management enabled fulfilling business objectives focus group should be the primary driver for the system design. Competent The system should protect the Soft Independent audit, or reputation of the organization focus groups, or as being competent in its satisfaction surveys industry sector Confident The system should behave in Soft Independent audit, or such a way as to safeguard focus groups, or confidence placed in the satisfaction surveys organization by customers, suppliers, shareholders, regulators, financiers, the marketplace, and the general public. Credible The system should behave in Soft Independent audit, or such a way as to safeguard the focus groups, or credibility of the organization. satisfaction surveys Culture- The system should be designed, Soft Independent audit and sensitive built, and operated with due review of (1) the care and attention to cultural inventory of issues relating to those who will requirements in this area experience the system in any to check for way. These issues include such completeness and SABSA Business Attributes and Metrics 177 app-a.qxd 3/5/2009 6:30 PM Page 177 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 16. Business Metric Suggested attribute Attribute explanation type measurement approach Culture- matters as religion, gender, race, appropriateness, and (2) sensitive nationality, language, dress code, compliance of system (cont.) social customs, ethics, politics, functionality with this set and the environment. The of requirements objective should be to avoid or minimize offence or distress caused to others. Enabling The system architecture and Soft Business management time-to- design should allow new focus group market business initiatives to be delivered to the market with minimum delay. Governable The system should enable the Soft Senior management owners and executive managers focus group. Independent of the organization to control audit and review against the business and to discharge Security Architecture their responsibilities for Capability Maturity governance. Model† for governance Providing Protecting other parties with Soft Independent audit, or good whom we do business from focus groups, or stewardship abuse, loss of business, or satisfaction surveys and custody personal information of value to those parties through inadequate stewardship on our part. Providing As much as possible, the Soft Independent audit and investment system should be designed to review against Security reuse reuse previous investments and Architecture Capability to ensure that new investments Maturity Model† of tech- are reusable in the future. nical architecture (con- ceptual, logical, physical, and component) Providing The system should provide a Hard Financial returns and RoI return on return of value to the business indices selected in investment to justify the investment made consultation with the in creating and operating the Chief Financial Officer system. Soft Qualitative value propositions tested by opinion surveys at senior management and boardroom level 178 SABSA Business Attributes and Metrics app-a.qxd 3/5/2009 6:30 PM Page 178 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License
  • 17. Business Metric Suggested attribute Attribute explanation type measurement approach Reputable The system should behave in Soft Independent audit, or such a way as to safeguard the focus groups, or business reputation of the satisfaction surveys organization. Hard Correlation of the stock value of the organization versus publicity of system event history SABSA Business Attributes and Metrics 179 *A red team review is an objective appraisal by an independent team of experts who have been briefed to think either like the user or like an opponent/attacker, whichever is appropriate to the objectives of the review. † The type Architectural Capability Maturity Model referred to is based upon the ideas of capability maturity models. app-a.qxd 3/5/2009 6:30 PM Page 179 10.1002/9780470476017.app1, Downloaded from https://onlinelibrary.wiley.com/doi/10.1002/9780470476017.app1, Wiley Online Library on [02/04/2024]. See the Terms and Conditions (https://onlinelibrary.wiley.com/terms-and-conditions) on Wiley Online Library for rules of use; OA articles are governed by the applicable Creative Commons License