Object Orientated Security Policy

I gave a talk this week on Object Orientated Security Architecture to a Infosec management audience outside of the normal financial sectors that I work. Hopefully it was well received and made some sense. You can download the original presentation here.

Current State

• Invisible policy framework
• •Loose collection of abstract policies
• •Rarely if ever read, understood or referred to
• •Complex & technical v. functional & clear
• •No business rules (BPML)
• •Monolithic & centralised v. global and federated
• •Uncertain legal status
• •Audit/accountancy driven v. business focused
• •Control rather than functionality

New Ideas

• •Inheritance applied to Security Policy
• •General and abstract to specific and detailed
• •Data, event and process centred
• • Detailed and technical to minimal and clear
• • Navigable framework
• •Process catalogue
• •human readable (ie not just by policy wonks)
• •machine executable

• Components

• Visual Policy framework – (BITS SIG++)
• Hierarchal process catalogue (BITS AUP++)
• •Security Architecture Capture
• subset of BITS SIG
• concentrates on data flows
• asset, data, risk classes
• business value and application complexity
• operational impact analysis

Compliance

• Standardised Information Gathering (SIG) -

- ISO27002:2005, COBIT, PCI-DSS 1.1

• Agreed Upon Procedures (AUP)

• - GLB, HIPPA, COSO, SysTrust, SOX

• Employment Law