I gave a talk this week on Object Orientated Security Architecture to an Infosec management audience outside of the financial sectors that I normally work in. Hopefully it was well received and made some sense. You can download the original presentation here.
Current State
- Invisible policy framework
  - Loose collection of abstract policies
  - Rarely, if ever, read, understood or referred to
  - Complex & technical v. functional & clear
  - No business rules (BPML)
  - Monolithic & centralised v. global and federated
  - Uncertain legal status
  - Audit/accountancy driven v. business focused
  - Control rather than functionality

Object Orientated Security Architecture
- Inheritance applied to security policy
  - General and abstract to specific and detailed
  - Data, event and process centred
  - Detailed and technical to minimal and clear
- Navigable framework
  - Process catalogue
  - Human readable (i.e. not just by policy wonks)
  - Machine executable
Components
- Visual policy framework (BITS SIG++)
- Hierarchical process catalogue (BITS AUP++)
- Security architecture capture
  - Subset of BITS SIG
  - Concentrates on data flows
  - Asset, data and risk classes
  - Business value and application complexity
  - Operational impact analysis
- Standardised Information Gathering (SIG)
- Agreed Upon Procedures (AUP)
- GLB, HIPAA, COSO, SysTrust, SOX
- Employment Law
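To make the "inheritance applied to security policy" and "human readable, machine executable" ideas from the slides concrete, here is a small worked model. It is an added example written for this post, not code from the talk or from BITS: it assumes a hypothetical representation in which each policy node inherits rules from a more general parent, a child can override an inherited rule by reusing its key, rules carry both a plain-English statement and an executable check, and a data flow captured by the security architecture (asset, data class, risk class, process catalogue path) is evaluated against the most specific policy that applies to its process. The vocabularies for data and risk classes and the sample flows are constructed for illustration.

```python
# Added example (not from the original talk): a toy model of security policy
# inheritance. All names, vocabularies and sample flows are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class DataFlow:
    """One data flow as the security architecture capture would record it."""
    source: str
    destination: str
    data_class: str   # assumed vocabulary: public / internal / confidential
    risk_class: str   # assumed vocabulary: low / medium / high
    encrypted: bool   # is the flow protected in transit?
    process: str      # hierarchical process catalogue path, e.g. "payments/settlement"


@dataclass
class Rule:
    """A policy rule: the human-readable statement plus the machine-executable check."""
    text: str
    check: Callable[[DataFlow], bool]  # returns True when the flow complies


@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    rules: Dict[str, Rule] = field(default_factory=dict)
    children: Dict[str, "Policy"] = field(default_factory=dict)

    def child(self, name: str) -> "Policy":
        """Create (or return) a more specific policy that inherits from this one."""
        if name not in self.children:
            self.children[name] = Policy(name=name, parent=self)
        return self.children[name]

    def effective_rules(self) -> Dict[str, Rule]:
        """Merge rules root-to-leaf: a child rule with the same key overrides its ancestor's."""
        chain: List[Policy] = []
        node: Optional[Policy] = self
        while node is not None:
            chain.append(node)
            node = node.parent
        merged: Dict[str, Rule] = {}
        for node in reversed(chain):  # root (general) first, most specific last
            merged.update(node.rules)
        return merged

    def describe(self) -> List[str]:
        """Human-readable rendering of the rules that actually apply at this node."""
        return [f"{key}: {rule.text}" for key, rule in self.effective_rules().items()]

    def violations(self, flow: DataFlow) -> List[str]:
        """Machine execution: keys of the effective rules that the flow fails."""
        return [key for key, rule in self.effective_rules().items() if not rule.check(flow)]


def resolve(root: Policy, process_path: str) -> Policy:
    """Walk the process catalogue path as far as a matching policy node exists."""
    node = root
    for part in process_path.split("/"):
        if part not in node.children:
            break
        node = node.children[part]
    return node


def build_policy_tree() -> Policy:
    """Constructed sample hierarchy: general at the root, specific at the leaves."""
    root = Policy("enterprise")
    root.rules["in-transit"] = Rule(
        "Confidential data must be encrypted in transit.",
        lambda f: f.data_class != "confidential" or f.encrypted,
    )
    root.rules["high-risk"] = Rule(
        "High-risk flows must be encrypted regardless of data class.",
        lambda f: f.risk_class != "high" or f.encrypted,
    )
    payments = root.child("payments")
    # Same key as the inherited rule, so this stricter version overrides it for payments.
    payments.rules["in-transit"] = Rule(
        "In payments, anything that is not public must be encrypted in transit.",
        lambda f: f.data_class == "public" or f.encrypted,
    )
    settlement = payments.child("settlement")
    settlement.rules["destination"] = Rule(
        "Settlement flows may only terminate at the settlement gateway.",
        lambda f: f.destination == "settlement-gateway",
    )
    return root


def check_flow(root: Policy, flow: DataFlow) -> List[str]:
    """Evaluate a flow against the most specific policy for its process."""
    return resolve(root, flow.process).violations(flow)


if __name__ == "__main__":
    tree = build_policy_tree()
    # Constructed sample flows.
    for flow in [
        DataFlow("crm", "analytics", "internal", "low", False, "marketing/campaigns"),
        DataFlow("pos", "ledger", "internal", "medium", False, "payments/ledger"),
        DataFlow("ledger", "shadow-gateway", "confidential", "high", True, "payments/settlement"),
    ]:
        print(flow.process, "->", check_flow(tree, flow) or "compliant")
```

The same tree serves both audiences the slides mention: `describe()` on any node prints the policy a manager can read, while `violations()` is what a tool runs against the captured data flows. Note that a process path with no matching node (for example `marketing/campaigns`) falls back to the most general policy above it rather than to no policy at all, which is the behaviour you want from an inherited framework.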