
Business Quality Needs
Quality Needs for Security



  1. Quality. Foundations of Information Security Series. Vicente Aceituno, @vaceituno. (c) Inovement Europe 2014.
  2. Vicente Aceituno - Skype: vaceituno - LinkedIn - Inovement Europe - Video Blog - Blog - Twitter - Presentations - Articles
  3. Foundations of Information Security Series
     - Needs: Secrecy; Intellectual Property you Own; Intellectual Property you Use; Privacy; Availability; Retention; Expiration; Quality
     - Obligations: Technical; Compliance; Legal
  4. What is Information Security?
     - "Information Security" is an emergent property of people using information.
     - People have expectations about information.
     - If there are no people or no information, "Information Security" is meaningless, as there are no expectations to meet.
  5. What is Information Security?
     - When expectations about information are met, there is "Security".
     - When expectations about information are not met, there is an "Incident".
  6. What is Information Security?
     - Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.
     - Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.
  7. Quality
  8. Quality
     - Some expectations people have about information are related to completeness, validity, accuracy, and lack of contradiction.
     - This is a simplified view, with a focus on security, of the whole range of quality expectations about information.
  9. Quality
     - Whether these expectations are met is independent of the observer and repeatable.
     - Quality expectations can be determined by answering the following questions:
       - What information is necessary for each use case?
       - How recent does that information need to be in order to be valid?
       - What is the widest margin of error that information may have and still be accurate enough?
       - Which pairs of information fields and ranges of values would be considered contradictory?
     - Answering these questions yields requirements that can be managed.
  10. Quality related incidents
     - When less information than necessary is available.
     - When the information is too old to be considered valid.
     - When the margin of error of the information is bigger than acceptable.
     - When pairs of information fields are contradictory.
     For a more complete list of incidents check
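The four questions on slide 9 and the four incident types on slide 10 map directly onto checks that can be run against records, which is what makes the resulting requirements manageable. The Python below is an added example, not code from the presentation or from O-ISM3: it encodes the answers to the four questions for a hypothetical "ship a customer order" use case (the field names, thresholds, contradiction rules and sample records are all constructed for illustration) and reports, per record, which incident type each unmet expectation corresponds to.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

# Everything below describes a hypothetical "ship a customer order" use case.
# Field names, thresholds and the sample records are constructed for this
# example; they are not taken from the presentation or from O-ISM3.


@dataclass
class QualitySpec:
    """Answers to the four quality questions for one use case."""
    required: set[str]                 # what information is necessary
    max_age: timedelta                 # how recent it must be to count as valid
    tolerances: dict[str, float]       # widest acceptable margin of error, per field
    contradictions: list[tuple[str, Callable[[dict], bool]]]  # (label, predicate true when fields contradict)


def check_quality(record: dict, spec: QualitySpec, now: datetime) -> list[str]:
    """Return one line per quality incident; an empty list means expectations are met.

    Each line is prefixed with the incident type from the presentation:
    incomplete, invalid, inaccurate or contradictory.
    """
    incidents: list[str] = []

    # Incident 1: less information than necessary (None counts as absent).
    present = {k for k, v in record.items() if v is not None}
    missing = spec.required - present
    if missing:
        incidents.append(f"incomplete: missing {sorted(missing)}")

    # Incident 2: information too old to be considered valid.
    observed = record.get("observed_at")
    if observed is not None and now - observed > spec.max_age:
        incidents.append(f"invalid: observed {now - observed} ago, limit {spec.max_age}")

    # Incident 3: margin of error bigger than acceptable. The margin is carried
    # alongside the value in a "<field>_error" entry, in the field's own units.
    for name, limit in spec.tolerances.items():
        err = record.get(f"{name}_error")
        if err is not None and err > limit:
            incidents.append(f"inaccurate: {name} margin of error {err} > {limit}")

    # Incident 4: pairs of fields whose values contradict each other.
    for label, contradicts in spec.contradictions:
        if contradicts(record):
            incidents.append(f"contradictory: {label}")

    return incidents


# Reference time for the example, fixed so the run is repeatable.
NOW = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)

SHIPPING_SPEC = QualitySpec(
    required={"customer", "address", "status", "observed_at", "weight_kg"},
    max_age=timedelta(days=30),
    tolerances={"weight_kg": 0.5},
    contradictions=[
        (
            "shipped before ordered",
            lambda r: r.get("shipped_at") is not None
            and r.get("ordered_at") is not None
            and r["shipped_at"] < r["ordered_at"],
        ),
        (
            "status 'delivered' without a shipping date",
            lambda r: r.get("status") == "delivered" and r.get("shipped_at") is None,
        ),
    ],
)

# Constructed sample records: ORD-1 meets every expectation, ORD-2 fails one of each kind.
RECORDS = {
    "ORD-1": {
        "customer": "ACME", "address": "1 Main St", "status": "shipped",
        "observed_at": NOW - timedelta(days=2), "weight_kg": 12.0, "weight_kg_error": 0.1,
        "ordered_at": NOW - timedelta(days=5), "shipped_at": NOW - timedelta(days=3),
    },
    "ORD-2": {
        "customer": "Globex", "address": None, "status": "delivered",
        "observed_at": NOW - timedelta(days=45), "weight_kg": 3.0, "weight_kg_error": 1.2,
        "ordered_at": NOW - timedelta(days=4), "shipped_at": NOW - timedelta(days=6),
    },
}


def run_example() -> dict[str, list[str]]:
    """Check every sample record against the shipping spec."""
    return {oid: check_quality(rec, SHIPPING_SPEC, NOW) for oid, rec in RECORDS.items()}


if __name__ == "__main__":
    for oid, found in run_example().items():
        print(oid, "OK" if not found else "")
        for line in found:
            print("   ", line)
```

Because every threshold and rule lives in the spec rather than in the checking code, the same check is repeatable and gives the same verdict whoever runs it, which is the observer-independence the slides rely on to distinguish Quality from Integrity.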
  11. Achieving Quality
     - To achieve Quality, quality checks and proper design of information systems are normally used.
     - The related O-ISM3 processes are:
       - TSP-6: Security Architecture
       - OSP-8: Software Development Lifecycle Control
       - OSP-21: Information Quality and Compliance Assessment
  12. Quality
  13. The O-ISM3 Challenge
     - This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.
     - Check the exercise in full at
     - A summary of the conclusions of the exercise, as they relate to Quality, follows.
  14. [Diagram: Business Needs (Secrecy, Intellectual Property, Privacy, Availability, Retention, Quality, Expiration) and Business Obligations, set against the traditional concept of Integrity]
  15. Integrity
     - ISO definition: the property of safeguarding the accuracy and completeness of assets.
     - ITIL definition: a security principle that ensures data and Configuration Items are only modified by authorized personnel and Activities. Integrity considers all possible causes of modification, including software and hardware Failure, environmental Events, and human intervention.
     - CobIT definition: relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
  16. Quality and Integrity
     - Integrity can't be measured (it has no units). It is therefore neither independent of the observer nor repeatable, as Quality is.
     - Quality can be used to measure, communicate and manage a specific expectation people have about information.
     - Integrity is not necessary to understand or measure Quality.
  17. Quality and Integrity
     - Quality and Integrity are not equivalent, and they are not synonymous.
     - Integrity is not useful for understanding Quality.
  18. Follow the Foundations of Information Security Series by joining the LinkedIn O-ISM3 Group at:
     Learn advanced information security management by joining us at an O-ISM3 course: