Thursday, January 17, 2008

Object Orientated Security Policy

I gave a talk this week on Object Orientated Security Architecture to an Infosec management audience outside of the normal financial sectors that I work in. Hopefully it was well received and made some sense. You can download the original presentation here.

Current State

  • Invisible policy framework
  • Loose collection of abstract policies
  • Rarely if ever read, understood or referred to
  • Complex & technical v. functional & clear
  • No business rules (BPML)
  • Monolithic & centralised v. global and federated
  • Uncertain legal status
  • Audit/accountancy driven v. business focused
  • Control rather than functionality

New Ideas

  • Inheritance applied to Security Policy
  • General and abstract to specific and detailed
  • Data, event and process centred
  • Detailed and technical to minimal and clear
  • Navigable framework
  • Process catalogue
  • Human readable (i.e. not just by policy wonks)
  • Machine executable
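As an added illustration of the "inheritance applied to security policy" idea (example code written for this post, not taken from the talk or its slides): policy nodes form a tree from the general corporate policy down to specific data classes, each node inherits its parent's requirements and may only add to or tighten them, every effective rule stays navigable back to the node that introduced it, and the same structure is executable as a compliance check against an asset's declared controls. The requirement vocabulary, the tightening rules and the sample assets and controls are all constructed for this example.

```python
"""Added example, not from the original post: a toy model of inheritance applied
to security policy. Policy nodes form a tree from general (corporate) to specific
(a data class); each node inherits its parent's requirements and may add to or
tighten them, never weaken them. The requirement names, the tightening rules and
the sample assets and controls below are all constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Kind of each requirement decides what "tighter" means (assumed vocabulary):
#   bool -> may only go from False to True
#   min  -> a child may only raise the value
#   max  -> a child may only lower the value
REQUIREMENT_KINDS = {
    "encryption_at_rest": "bool",
    "mfa_required": "bool",
    "min_key_bits": "min",
    "max_retention_days": "max",
}


def tightens(key: str, old, new) -> bool:
    """True if `new` is at least as strict as `old` for this requirement."""
    kind = REQUIREMENT_KINDS[key]
    if kind == "bool":
        return bool(new) or not old
    if kind == "min":
        return new >= old
    return new <= old


def satisfies(key: str, required, actual) -> bool:
    """True if a declared control meets the requirement (same rules as tightens)."""
    return tightens(key, required, actual)


@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    requirements: Dict[str, object] = field(default_factory=dict)

    def chain(self) -> List["Policy"]:
        """Root-first path from the most general policy down to this node."""
        node, path = self, []
        while node is not None:
            path.append(node)
            node = node.parent
        return path[::-1]

    def effective(self) -> Dict[str, Tuple[object, str]]:
        """Merge requirements root-first; each entry records which node set it,
        so a reader can navigate from a concrete rule back to its origin.
        A child that weakens an inherited requirement is rejected."""
        merged: Dict[str, Tuple[object, str]] = {}
        for node in self.chain():
            for key, value in node.requirements.items():
                if key in merged and not tightens(key, merged[key][0], value):
                    raise ValueError(
                        f"{node.name!r} weakens {key} inherited from {merged[key][1]!r}")
                merged[key] = (value, node.name)
        return merged

    def describe(self) -> List[str]:
        """Human-readable rendering of the effective policy with provenance."""
        return [f"{k} = {v}  (from {src})" for k, (v, src) in sorted(self.effective().items())]


def check(policy: Policy, controls: Dict[str, object]) -> List[str]:
    """Machine-executable side: compare an asset's declared controls against
    the effective policy and return one finding per shortfall (empty = compliant)."""
    findings = []
    for key, (required, source) in sorted(policy.effective().items()):
        if key not in controls:
            findings.append(f"{key}: no control declared, {source} requires {required}")
        elif not satisfies(key, required, controls[key]):
            findings.append(f"{key}: {controls[key]} does not meet {required} set by {source}")
    return findings


# Constructed policy tree: general at the root, specific at the leaves.
CORPORATE = Policy("Corporate", requirements={"max_retention_days": 3650, "mfa_required": False})
CONFIDENTIAL = Policy("Confidential data", CORPORATE,
                      {"encryption_at_rest": True, "min_key_bits": 128})
CARDHOLDER = Policy("Cardholder data", CONFIDENTIAL,
                    {"min_key_bits": 256, "max_retention_days": 365, "mfa_required": True})

# Constructed asset register: each asset is bound to its most specific policy node.
ASSETS = {"crm-db": CONFIDENTIAL, "payments-db": CARDHOLDER}

# Constructed control inventory, as a system owner might declare it.
CONTROLS = {
    "crm-db": {"encryption_at_rest": True, "min_key_bits": 128,
               "max_retention_days": 1825, "mfa_required": False},
    "payments-db": {"encryption_at_rest": True, "min_key_bits": 128,
                    "max_retention_days": 365, "mfa_required": True},
}


def audit() -> Dict[str, List[str]]:
    """Run every asset against its bound policy; returns findings per asset."""
    return {asset: check(policy, CONTROLS[asset]) for asset, policy in ASSETS.items()}


if __name__ == "__main__":
    for line in CARDHOLDER.describe():
        print(line)
    for asset, findings in audit().items():
        print(asset, "compliant" if not findings else findings)
```

The one design choice worth noting is that `effective()` refuses a child node that relaxes an inherited rule: the specific policy may say more, or demand more, than the general one, but never less, which is what keeps the general policy meaningful once it is only read through its specialisations.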

Components

  • Visual Policy framework – (BITS SIG++)
  • Hierarchical process catalogue (BITS AUP++)
  • Security Architecture Capture
      • subset of BITS SIG
      • concentrates on data flows
      • asset, data, risk classes
      • business value and application complexity
      • operational impact analysis

Compliance

  • Standardised Information Gathering (SIG): ISO 27002:2005, COBIT, PCI-DSS 1.1
  • Agreed Upon Procedures (AUP): GLB, HIPAA, COSO, SysTrust, SOX
  • Employment Law
