Business Availability Needs



Security of Business Availability Needs

Published in: Technology

  1. Availability. Foundations of Information Security Series. Vicente Aceituno, @vaceituno. (c) Inovement Europe 2014
  2. Vicente Aceituno - Skype: vaceituno Linkedin - Inovement Europe - Video Blog - Blog - Twitter - Presentations - Articles -
  3. Foundations of Information Security Series
     • Needs
     • Secrecy
     • Intellectual Property you Own
     • Intellectual Property you Use
     • Privacy
     • Availability
     • Retention
     • Expiration
     • Quality
     • Obligations
     • Technical
     • Compliance
     • Legal
  4. What is Information Security?
     • “Information Security” is an emergent property of people using information.
     • People have expectations about information.
     • If there are no people or no information, “Information Security” is meaningless, as there are no expectations to meet.
  5. What is Information Security?
     • When expectations about information are met, there is “Security”.
     • When expectations about information are not met, there is an “Incident”.
  6. What is Information Security?
     • Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.
     • Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.
  7. Availability
  8. Availability
     • Some expectations of people about information are related to ownership, control and use of information over time.
  9. Availability
     • Ownership is defined as having legal rights and duties on something.
     • Control is defined as having the ability to:
       • Grant or deny access to users.
       • Attribute to specific users their use of information.
     • Use is defined as having access to read, write or modify information.
  10. Availability
     • There is an expectation that information will be controlled during the working window.
     • There is an expectation that information will be used during the working window.
  11. Availability
     • Information doesn’t sustain itself on thin air; it is used and controlled through information systems.
     • A transaction is defined as information processing where there is a trustworthy bijective relationship between every output and the input used to produce it.
     Bijection: Learn a bit about information system components at
  12. Availability. Transactions should fulfil some basic criteria:
     • Atomicity: Changes to the state are atomic: either all happen or none happen. These changes include database changes, messages, and actions on transducers.
     • Consistency: Transformations of the state are correct. The actions taken as a group do not violate any of the constraints associated with the state.
     • Isolation: Even though transactions execute concurrently, it appears to each transaction T that others executed either before T or after T, but not both.
     • Durability: Once a transaction completes successfully (commits), its changes to the state survive failures.
  13. Availability
     • Whether these expectations are met or not is independent of the observer and repeatable.
     • Availability expectations can be determined by answering the following questions:
       • When are the information systems supposed to be up and working? This is the working window.
       • What is the minimum acceptable performance of the information systems, measured in outputs per input per unit of time? The duration when performance is below this value is considered downtime. During downtime the use and/or control of information is below satisfactory thresholds.
  14. Availability
     • Availability expectations can be determined by answering the following questions (continued):
       • What is the maximum duration of downtime of the information systems you are ready to accept for maintenance reasons, and when would it best occur? This defines the maintenance window.
       • How long a downtime of information systems would be acceptable? This defines unacceptable downtime.
       • How long is the shortest uptime of information systems that is acceptable? This defines acceptable uptime.
       • In the event of information system downtime, how many transactions can be lost?
     • Answering these questions renders figures that can be measured and managed.
  15. Availability related incidents
     • When there is unacceptable downtime or unacceptable uptime during the working window and out of maintenance windows.
     • When, upon an unacceptable downtime event, more transactions than acceptable are lost and would have to be restarted.
     For a more complete list of incidents check
  16. Achieving Availability
     • In order to achieve Availability, redundancy and transaction management measures are taken.
     • The O-ISM3 processes directly related to Availability are:
       • OSP-26: Enhanced Reliability and Availability Management
       • OSP-20: Incident Emulation
       • OSP-15: Operations Continuity Management
     • In order to manage transactions, information systems need Rollback, Rollforward, Deadlocks and Compensating transactions capabilities.
  17. Availability
  18. The O-ISM3 Challenge
     • This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.
     • Check the exercise in full at
     • A summary of conclusions from the exercise, in relation to availability, follows.
  19. Secrecy Business Needs Intellectual Property Privacy Availability Business Obligations Availability Availability
  20. Availability (traditional definition)
     • ISO Definition: The property of being accessible and useable upon demand by an authorized entity.
     • ITIL Definition: Ability of a Configuration Item or IT Service to perform its agreed Function when required. Availability is determined by Reliability, Maintainability, Serviceability, Performance, and Security.
     • CobIT Definition: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
  21. Availability (O-ISM3 definition) and Availability (traditional definition)
     • Availability can’t be measured (it doesn’t have units). Therefore it is not independent of the observer nor repeatable like Availability is.
     • Availability can be used to measure, communicate and manage a specific expectation of people about information.
     • Availability is not necessary to measure Availability.
     • Availability and Availability are not equivalent.
     • Availability and Availability are not synonymous.
  22. Follow the Foundations of Information Security Series by joining the Linkedin O-ISM3 Group at:
     Learn Advanced Information Security Management, joining us at an O-ISM3 Course:
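
The figures asked for on slides 13 and 14 can be checked mechanically against monitoring data to find the incidents listed on slide 15. The following is an added example, not part of the original slides or of O-ISM3; the `Expectations` fields, the per-minute sampling and the rule for judging short uptimes are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import groupby

@dataclass
class Expectations:        # answers to the questions on slides 13 and 14
    working: range         # working window, minutes since start of observation
    maintenance: range     # agreed maintenance window
    min_perf: float        # minimum acceptable outputs per input per minute
    max_downtime: int      # longest acceptable downtime, in minutes
    min_uptime: int        # shortest acceptable uptime, in minutes
    max_lost_tx: int       # transactions that may be lost in one downtime

def runs(perf, exp):
    """Split per-minute performance samples into (state, start, length) runs."""
    def state(minute):
        if minute not in exp.working or minute in exp.maintenance:
            return "out"   # no expectation applies here, so no incident
        return "up" if perf[minute] >= exp.min_perf else "down"
    for st, grp in groupby(range(len(perf)), key=state):
        grp = list(grp)
        yield st, grp[0], len(grp)

def incidents(perf, lost_tx, exp):
    """lost_tx maps the start minute of a downtime to transactions lost in it."""
    segs, found = list(runs(perf, exp)), []
    for i, (st, start, length) in enumerate(segs):
        if st == "down":
            if length > exp.max_downtime:
                found.append(("unacceptable downtime", start, length))
            if lost_tx.get(start, 0) > exp.max_lost_tx:
                found.append(("transactions lost", start, lost_tx[start]))
        elif st == "up" and length < exp.min_uptime:
            # Assumption: an uptime is judged only when downtime bounds it on both sides.
            before = segs[i - 1][0] if i > 0 else None
            after = segs[i + 1][0] if i + 1 < len(segs) else None
            if before == after == "down":
                found.append(("unacceptable uptime", start, length))
    return found

# Constructed sample: one hour of per-minute readings, not real monitoring data.
PERF = [0.0]*5 + [1.0]*5 + [0.2]*8 + [1.0]*2 + [0.1]*3 + [1.0]*7 + [0.0]*10 + [1.0]*20
LOST = {10: 3, 20: 25}
EXP = Expectations(range(5, 55), range(30, 40), 0.8, 5, 5, 10)

if __name__ == "__main__":
    for incident in incidents(PERF, LOST, EXP):
        print(incident)
```

The ten minutes of zero performance inside the maintenance window and the readings outside the working window produce no incident, which is the distinction slide 15 draws.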