Category Archives: RISK Management

Open FAIR Blog Series – Five Reasons You Should Use the Open FAIR Body of Knowledge

By Jim Hietala, VP, Security and Andrew Josey, Director of Standards, The Open Group

This is the second in our blog series introducing the Open FAIR Body of Knowledge.

In this blog, we provide 5 reasons why you should use the Open FAIR Body of Knowledge for Risk Analysis:

1. Emphasis on Risk

Often the emphasis in such analyses is placed on security threats and controls, without due consideration of impact.  For example, we have a firewall protecting all our customer information – but what if the firewall is breached and the customer information stolen or changed? Risk analysis using Open FAIR evaluates both the probability that bad things will happen, and the impact if they do happen. By using the Open FAIR Body of Knowledge, the analyst measures and communicates the risk, which is what management cares about.

2. Logical and Rational Framework

It provides a framework that explains the how and why of risk analysis. It improves consistency in undertaking analyses.

3. Quantitative

It’s easy to measure things without considering the risk context – for example, the systems should be maintained in full patch compliance – but what does that mean in terms of loss frequency or the magnitude of loss? The Open FAIR taxonomy and method provide the basis for meaningful metrics.

4. Flexible

Open FAIR can be used at different levels of abstraction to match the need, the available resources, and available data.

5. Rigorous

There is often a lack of rigor in risk analysis: statements are made such as: “that new application is high risk, we could lose millions …” with no formal rationale to support them. The Open FAIR risk analysis method provides a more rigorous approach that helps to reduce gaps and analyst bias. It improves the ability to defend conclusions and recommendations.

In our next blog, we will look at how the Open FAIR Body of Knowledge can be used with other Open Group standards.

The Open FAIR Body of Knowledge consists of the following Open Group standards:

  • Risk Taxonomy (O-RT), Version 2.0 (C13K, October 2013) defines a taxonomy for the factors that drive information security risk – Factor Analysis of Information Risk (FAIR).
  • Risk Analysis (O-RA) (C13G, October 2013) describes process aspects associated with performing effective risk analysis.

These can be downloaded from The Open Group publications catalog at http://www.opengroup.org/bookstore/catalog.

Our other publications include a Pocket Guide and a Certification Study Guide.

62940-hietalaJim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT Security, Risk Management and Healthcare programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on Information Security, Risk Management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

 

andrew-small1Andrew Josey is Director of Standards within The Open Group. He is currently managing the standards process for The Open Group, and has recently led the standards development projects for TOGAF® 9.1, ArchiMate® 2.0, IEEE Std 1003.1-2008 (POSIX), and the core specifications of the Single UNIX® Specification, Version 4. Previously, he has led the development and operation of many of The Open Group certification development projects, including industry-wide certification programs for the UNIX system, the Linux Standard Base, TOGAF, and IEEE POSIX. He is a member of the IEEE, USENIX, UKUUG, and the Association of Enterprise Architects.

Leave a comment

Filed under Data management, digital technologies, Information security, Open FAIR Certification, RISK Management, Security, Uncategorized

Open FAIR Blog Series – An Introduction to Risk Analysis and the Open FAIR Body of Knowledge

By Jim Hietala, VP, Security and Andrew Josey, Director of Standards, The Open Group

This is the first in a four-part series of blogs introducing the Open FAIR Body of Knowledge. In this first blog. we look at what the Open FAIR Body of Knowledge provides, and why a taxonomy is needed for Risk Analysis.

An Introduction to Risk Analysis and the Open FAIR Body of Knowledge

The Open FAIR Body of Knowledge provides a taxonomy and method for understanding, analyzing and measuring information risk. It allows organizations to:

  • Speak in one language concerning their risk using the standard taxonomy and terminology, and communicate risk effectively to senior management
  • Consistently study and apply risk analysis principles to any object or asset
  • View organizational risk in total
  • Challenge and defend risk decisions
  • Compare risk mitigation options

What does FAIR stand for?

FAIR is an acronym for Factor Analysis of Information Risk.

Risk Analysis: The Need for an Accurate Model and Taxonomy

Organizations seeking to analyze and manage risk encounter some common challenges. Put simply, it is difficult to make sense of risk without having a common understanding of both the factors that (taken together) contribute to risk, and the relationships between those factors. The Open FAIR Body of Knowledge provides such a taxonomy.

Here’s an example that will help to illustrate why a standard taxonomy is important. Let’s assume that you are an information security risk analyst tasked with determining how much risk your company is exposed to from a “lost or stolen laptop” scenario. The degree of risk that the organization experiences in such a scenario will vary widely depending on a number of key factors. To even start to approach an analysis of the risk posed by this scenario to your organization, you will need to answer a number of questions, such as:

  • Whose laptop is this?
  • What data resides on this laptop?
  • How and where did the laptop get lost or stolen?
  • What security measures were in place to protect the data on the laptop?
  • How strong were the security controls?

The level of risk to your organization will vary widely based upon the answers to these questions. The degree of overall organizational risk posed by lost laptops must also include an estimation of the frequency of occurrence of lost or stolen laptops across the organization.

In one extreme, suppose the laptop belonged to your CTO, who had IP stored on it in the form of engineering plans for a revolutionary product in a significant new market. If the laptop was unprotected in terms of security controls, and it was stolen while he was on a business trip to a country known for state-sponsored hacking and IP theft, then there is likely to be significant risk to your organization. On the other extreme, suppose the laptop belonged to a junior salesperson a few days into their job, it contained no customer or prospect lists, and it was lost at a security checkpoint at an airport. In this scenario, there’s likely to be much less risk. Or consider a laptop which is used by the head of sales for the organization, who has downloaded Personally Identifiable Information (PII) on customers from the CRM system in order to do sales analysis, and has his or her laptop stolen. In this case, there could be Primary Loss to the organization, and there might also be Secondary Losses associated with reactions by the individuals whose data is compromised.

The Open FAIR Body of Knowledge is designed to help you to ask the right questions to determine the asset at risk (is it the laptop itself, or the data?), the magnitude of loss, the skill level and motivations of the attacker, the resistance strength of any security controls in place, the frequency of occurrence of the threat and of an actual loss event, and other factors that contribute to the overall level of risk for any specific risk scenario.

In our next blog in this series, we will consider 5 reasons why you should use The Open FAIR Body of Knowledge for Risk Analysis.

The Open FAIR Body of Knowledge consists of the following Open Group standards:

  • Risk Taxonomy (O-RT), Version 2.0 (C13K, October 2013) defines a taxonomy for the factors that drive information security risk – Factor Analysis of Information Risk (FAIR).
  • Risk Analysis (O-RA) (C13G, October 2013) describes process aspects associated with performing effective risk analysis.

These can be downloaded from The Open Group publications catalog at http://www.opengroup.org/bookstore/catalog.

Our other publications include a Pocket Guide and a Certification Study Guide.

62940-hietalaJim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT Security, Risk Management and Healthcare programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on Information Security, Risk Management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

 

andrew-small1Andrew Josey is Director of Standards within The Open Group. He is currently managing the standards process for The Open Group, and has recently led the standards development projects for TOGAF® 9.1, ArchiMate® 2.0, IEEE Std 1003.1-2008 (POSIX), and the core specifications of the Single UNIX® Specification, Version 4. Previously, he has led the development and operation of many of The Open Group certification development projects, including industry-wide certification programs for the UNIX system, the Linux Standard Base, TOGAF, and IEEE POSIX. He is a member of the IEEE, USENIX, UKUUG, and the Association of Enterprise Architects.

1 Comment

Filed under Data management, digital technologies, Identity Management, Information security, Open FAIR Certification, RISK Management, Security, Standards, Uncategorized

The Open Group Boston 2014 – Day Two Highlights

By Loren K. Bayes, Director, Global Marketing Communications

Enabling Boundaryless Information Flow™  continued in Boston on Tuesday, July 22Allen Brown, CEO and President of The Open Group welcomed attendees with an overview of the company’s second quarter results.

The Open Group membership is at 459 organizations in 39 countries, including 16 new membership agreements in 2Q 2014.

Membership value is highlighted by the collaboration Open Group members experience. For example, over 4,000 individuals attended Open Group events (physically and virtually whether at member meetings, webinars, podcasts, tweet jams). The Open Group website had more than 1 million page views and over 105,000 publication items were downloaded by members in 80 countries.

Brown also shared highlights from The Open Group Forums which featured status on many upcoming white papers, snapshots, reference models and standards, as well as individiual Forum Roadmaps. The Forums are busy developing and reviewing projects such as the Next Version of TOGAF®, an Open Group standard, an ArchiMate® white paper, The Open Group Healthcare Forum charter and treatise, Standard Mils™ APIs and Open Fair. Many publications are translated into multiple languages including Chinese and Portuguese. Also, a new Forum will be announced in the third quarter at The Open Group London 2014 so stay tuned for that launch news!

Our first keynote of the day was Making Health Addictive by Joseph Kvedar, MD, Partners HealthCare, Center for Connected Health.

Dr. Kvedar described how Healthcare delivery is changing, with mobile technology being a big part. Other factors pushing changes are reimbursement paradigms and caregivers being paid to be more efficient and interested in keeping people healthy and out of hospitals. The goal of Healthcare providers is to integrate care into the day-to-day lives of patients. Healthcare also aims for better technologies and architecture.

Mobile is a game-changer in Healthcare because people are “always on and connected”. Mobile technology allows for in-the-moment messaging, ability to capture health data (GPS, accelerator, etc.) and display information in real time as needed. Bottom-line, smartphones are addictive so they are excellent tools for communication and engagement.

But there is a need to understand and address the implications of automating Healthcare: security, privacy, accountability, economics.

The plenary continued with Proteus Duxbury, CTO, Connect for Health Colorado, who presented From Build to Run at the Colorado Health Insurance Exchange – Achieving Long-term Sustainability through Better Architecture.

Duxbury stated the keys to successes of his organization are the leadership and team’s shared vision, a flexible vendor being agile with rapidly changing regulatory requirements, and COTS solution which provided minimal customization and custom development, resilient architecture and security. Connect for Health experiences many challenges including budget restraints, regulation and operating in a “fish bowl”. Yet, they are on-track with their three-year ‘build to run’ roadmap, stabilizing their foundation and gaining efficiencies.

During the Q&A with Allen Brown following each presentation, both speakers emphasized the need for standards, architecture and data security.

Brown and DuxburyAllen Brown and Proteus Duxbury

During the afternoon, track sessions consisted of Healthcare, Enterprise Architecture (EA) & Business Value, Service-Oriented Architecture (SOA), Security & Risk Management, Professional Development and ArchiMate Tutorials. Chris Armstrong, President, Armstrong Process Group, Inc. discussed Architecture Value Chain and Capability Model. Laura Heritage, Principal Solution Architect / Enterprise API Platform, SOA Software, presented Protecting your APIs from Threats and Hacks.

The evening culminated with a reception at the historic Old South Meeting House, where the Boston Tea Party began in 1773.

photo2

IMG_2814Networking Reception at Old South Meeting House

A special thank you to our sponsors and exhibitors at The Open Group Boston 2014: BiZZdesign, Black Duck, Corso, Good e-Learning, Orbus and AEA.

Join the conversation #ogBOS!

Loren K. BaynesLoren K. Baynes, Director, Global Marketing Communications, joined The Open Group in 2013 and spearheads corporate marketing initiatives, primarily the website, blog and media relations. Loren has over 20 years experience in brand marketing and public relations and, prior to The Open Group, was with The Walt Disney Company for over 10 years. Loren holds a Bachelor of Business Administration from Texas A&M University. She is based in the US.

2 Comments

Filed under Accreditations, Boundaryless Information Flow™, Business Architecture, COTS, Data management, Enterprise Architecture, Enterprise Transformation, Healthcare, Information security, Open FAIR Certification, OTTF, RISK Management, Service Oriented Architecture, Standards, Uncategorized

The Open Group Boston 2014 to Explore How New IT Trends are Empowering Improvements in Business

By The Open Group

The Open Group Boston 2014 will be held on July 21-22 and will cover the major issues and trends surrounding Boundaryless Information Flow™. Thought-leaders at the event will share their outlook on IT trends, capabilities, best practices and global interoperability, and how this will lead to improvements in responsiveness and efficiency. The event will feature presentations from representatives of prominent organizations on topics including Healthcare, Service-Oriented Architecture, Security, Risk Management and Enterprise Architecture. The Open Group Boston will also explore how cross-organizational collaboration and trends such as big data and cloud computing are helping to make enterprises more effective.

The event will consist of two days of plenaries and interactive sessions that will provide in-depth insight on how new IT trends are leading to improvements in business. Attendees will learn how industry organizations are seeking large-scale transformation and some of the paths they are taking to realize that.

The first day of the event will bring together subject matter experts in the Open Platform 3.0™, Boundaryless Information Flow™ and Enterprise Architecture spaces. The day will feature thought-leaders from organizations including Boston University, Oracle, IBM and Raytheon. One of the keynotes is from Marshall Van Alstyne, Professor at Boston University School of Management & Researcher at MIT Center for Digital Business, which reveals the secret of internet-driven marketplaces. Other content:

• The Open Group Open Platform 3.0™ focuses on new and emerging technology trends converging with each other and leading to new business models and system designs. These trends include mobility, social media, big data analytics, cloud computing and the Internet of Things.
• Cloud security and the key differences in securing cloud computing environments vs. traditional ones as well as the methods for building secure cloud computing architectures
• Big Data as a service framework as well as preparing to deliver on Big Data promises through people, process and technology
• Integrated Data Analytics and using them to improve decision outcomes

The second day of the event will have an emphasis on Healthcare, with keynotes from Joseph Kvedar, MD, Partners HealthCare, Center for Connected Health, and Connect for Health Colorado CTO, Proteus Duxbury. The day will also showcase speakers from Hewlett Packard and Blue Cross Blue Shield, multiple tracks on a wide variety of topics such as Risk and Professional Development, and Archimate® tutorials. Key learnings include:

• Improving healthcare’s information flow is a key enabler to improving healthcare outcomes and implementing efficiencies within today’s delivery models
• Identifying the current state of IT standards and future opportunities which cover the healthcare ecosystem
• How Archimate® can be used by Enterprise Architects for driving business innovation with tried and true techniques and best practices
• Security and Risk Management evolving as software applications become more accessible through APIs – which can lead to vulnerabilities and the potential need to increase security while still understanding the business value of APIs

Member meetings will also be held on Wednesday and Thursday, June 23-24.

Don’t wait, register now to participate in these conversations and networking opportunities during The Open Group Boston 2014: http://www.opengroup.org/boston2014/registration

Join us on Twitter – #ogchat #ogBOS

1 Comment

Filed under ArchiMate®, Boundaryless Information Flow™, Business Architecture, Cloud/SOA, Conference, Enterprise Architecture, Enterprise Transformation, Healthcare, Information security, Open Platform 3.0, Professional Development, RISK Management, Service Oriented Architecture, Standards, Uncategorized

The Open Group Summit Amsterdam 2014 – Day Two Highlights

By Loren K. Baynes, Director, Global Marketing Communications, The Open Group

On Tuesday, May 13, day two of The Open Group Summit Amsterdam, the morning plenary began with a welcome from The Open Group President and CEO Allen Brown. He presented an overview of the Forums and the corresponding Roadmaps. He described the process of standardization, from the initial work to a preliminary standard, including review documents, whitepapers and snapshots, culminating in the final publication of an open standard. Brown also announced that Capgemini is again a Platinum member of The Open Group and contributes to the realization of the organization’s objectives in various ways.

Charles Betz, Chief Architect, Signature Client Group, AT&T and Karel van Zeeland, Lead IT4IT Architect, Shell IT International, presented the second keynote of the morning, ‘A Reference Architecture For the Business of IT’.  When the IT Value Chain and IT4IT Reference Architecture is articulated, instituted and automated, the business can experience huge cost savings in IT and significantly improved response times for IT service delivery, as well as increasing customer satisfaction.

AmsterdamPlenaryKarel van Zeeland, Charles Betz and Allen Brown

In 1998, Shell Information Technology started to restructure the IT Management and the chaos was complete. There were too many tools, too many vendors, a lack of integration, no common data model, a variety of user interfaces and no standards to support rapid implementation. With more than 28 different solutions for incident management and more than 160 repositories of configuration data, the complexity was immense. An unclear relationship with Enterprise Architecture and other architectural issues made the case even worse.

Restructuring the IT Management turned out to be a long journey for the Shell managers. How to manage 1,700 locations in 90 countries, 8,000 applications, 25,000 servers, dozens of global and regional datacenters,125,000 PCs and laptops, when at the same time you are confronted with trends like BYOD, mobility, cloud computing, security, big data and the Internet of Things (IoT).  According to Betz and van Zeeland, IT4IT is a promising platform for evolution of the IT profession. IT4IT however has the potential to become a full open standard for managing the business of IT.

Jeroen Tas, CEO of Healthcare Informatics Solutions and Services within Philips Healthcare, explained in his keynote speech, “Philips is becoming a software company”. Digital solutions connect and streamline workflow across the continuum of care to improve patient outcomes. Today, big data is supporting adaptive therapies. Smart algorithms are used for early warning and active monitoring of patients in remote locations. Tas has a dream, he wants to make a valuable contribution to a connected healthcare world for everyone.

In January 2014, Royal Philips announced the formation of Healthcare Informatics Solutions and Services, a new business group within Philips’ Healthcare sector that offers hospitals and health systems the customized clinical programs, advanced data analytics and interoperable, cloud-based platforms necessary to implement new models of care. Tas, who previously served as the Chief Information Officer of Philips, leads the group.

In January of this year, The Open Group launched The Open Group Healthcare Forum whichfocuses on bringing Boundaryless Information Flow™ to the healthcare industry enabling data to flow more easily throughout the complete healthcare ecosystem.

Ed Reynolds, HP Fellow and responsible for the HP Enterprise Security Services in the US, described the role of information risk in a new technology landscape. How do C-level executives think about risk? This is a relevant and urgent question because it can take more than 243 days before a data breach is detected. Last year, the average cost associated with a data breach increased 78% to 11.9 million dollars. Critical data assets may be of strategic national importance, have massive corporate value or have huge significance to an employee or citizen, be it the secret recipe of Coca Cola or the medical records of a patient. “Protect your crown jewels” is the motto.

Bart Seghers, Cyber Security Manager, Thales Security and Henk Jonkers, Senior Research Consultant of BiZZdesign, visualized the Business Impact of Technical Cyber Risks. Attacks on information systems are becoming increasingly sophisticated. Organizations are increasingly networked and thus more complex. Attacks use digital, physical and social engineering and the departments responsible for each of these domains within an organization operate in silos. Current risk management methods cannot handle the resulting complexity. Therefore they are using ArchiMate® as a risk and security architecture. ArchiMate is a widely accepted open standard for modeling Enterprise Architecture. There is also a good fit with other EA and security frameworks, such as TOGAF®. A pentest-based Business Impact Assessment (BIA) is a powerful management dashboard that increases the return on investment for your Enterprise Architecture effort, they concluded.

Risk Management was also a hot topic during several sessions in the afternoon. Moderator Jim Hietala, Vice President, Security at The Open Group, hosted a panel discussion on Risk Management.

In the afternoon several international speakers covered topics including Enterprise Architecture & Business Value, Business & Data Architecture and Open Platform 3.0™. In relation to social networks, Andy Jones, Technical Director, EMEA, SOA Software, UK, presented “What Facebook, Twitter and Netflix Didn’t Tell You”.

The Open Group veteran Dr. Chris Harding, Director for Interoperability at The Open Group, and panelists discussed and emphasized the importance of The Open Group Open Platform 3.0™. The session also featured a live Q&A via Twitter #ogchat, #ogop3.

The podcast is now live. Here are the links:

Briefings Direct Podcast Home Page: http://www.briefingsdirect.com/

PODCAST STREAM: http://traffic.libsyn.com/interarbor/BriefingsDirect-The_Open_Group_Amsterdam_Conference_Panel_Delves_into_How_to_Best_Gain_Business_Value_From_Platform_3.mp3

PODCAST SUMMARY: http://briefingsdirect.com/the-open-group-amsterdam-panel-delves-into-how-to-best-gain-business-value-from-platform-30

In the evening, The Open Group hosted a tour and dinner experience at the world-famous Heineken Brewery.

For those of you who attended the summit, please give us your feedback! https://www.surveymonkey.com/s/AMST2014

Comments Off

Filed under ArchiMate®, Boundaryless Information Flow™, Certifications, Enterprise Architecture, Enterprise Transformation, Healthcare, Open Platform 3.0, RISK Management, Standards, TOGAF®, Uncategorized

Heartbleed: Tips and Lessons Learned

By Jim Hietala, VP, Security, The Open Group

During our upcoming event May 12-14, The Open Group Summit 2014 AmsterdamEnabling Boundaryless Information Flow™ – one of the discussions will be around risk management and the development of open methodologies for managing risk.

Managing risk is an essential component of an information security program. Risk management is fundamental to effectively securing information, IT assets, and critical business processes. Risk management is also a challenge to get right. With numerous risk management frameworks and standards available, it can be difficult for practitioners to know where to start, and what methodologies to employ.

Recently, the Heartbleed bug has been wreaking havoc not only for major websites and organizations, but the security confidence of the public in general. Even as patches are being made to guarantee safety, systems will remain vulnerable for an extended period of time. Taking proactive steps and learning how to manage risk is imperative to securing your privacy.

With impacts on an estimated 60-70% of websites, Heartbleed is easily the security vulnerability with the highest degree of potential impact ever. There is helpful guidance as to what end-users can try to do to insulate themselves from any negative consequences.

Large organizations obviously need to determine where they have websites and network equipment that is vulnerable, in order to rapidly remediate this. Scanning your IP address range (both for internal addresses, and for IP addresses exposed to the Internet) should be done ASAP, to allow you to identify all sites, servers, and other equipment using OpenSSL, and needing immediate patching.

In the last few days, it has become clear that we are not just talking about websites/web servers. Numerous network equipment vendors have used OpenSSL in their networking products. Look closely at your routers, switches, firewalls, and make sure that you understand in which of these OpenSSL is also an issue. The impact of OpenSSL and Heartbleed on these infrastructure components is likely to be a bigger problem for organizations, as the top router manufacturers all have products affected by this vulnerability.

Taking a step back from the immediate frenzy of finding OpenSSL, and patching websites and network infrastructure to mitigate this security risk, it is pretty clear that we have a lot of work to do as a security community on numerous fronts:

• Open source security components that gain widespread use need much more serious attention, in terms of finding/fixing software vulnerabilities
• For IT hardware and software vendors, and for the organizations that consume their products, OpenSSL and Heartbleed will become the poster child for why we need more rigorous supply chain security mechanisms generally, and specifically for commonly used open source software.
• The widespread impacts from Heartbleed should also focus attention on the need for radically improved security for the emerging Internet of Things (IoT). As bad as Heartbleed is, try to imagine a similar situation when there are billions of IP devices connected to the internet. This is precisely where we are headed absent big changes in software assurance/supply chain security for IoT devices.

Finally, there is a deeper issue here: CIOs and IT people should realize that the fundamental security barriers, such as SSL are under constant attack – and these security walls won’t hold forever. So, it is important not to simply patch your SSL and reissue your certificates, but to rethink your strategies for security defense in depth, such as increased protection of critical data and multiple independent levels of security.

You also need to ensure that your suppliers are implementing security practices that are at least as good as yours – how many web sites got caught out by Heartbleed because of something their upstream supplier did?

Discussions during the Amsterdam Summit will outline important areas to be aware of when managing security risk, including how to be more effective against any copycat bugs. Be sure to sign up now for our summit http://www.opengroup.org/amsterdam2014 .

For more information on The Open Group Security Forum, please visit http://www.opengroup.org/subjectareas/security.

62940-hietalaJim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security, risk management and healthcare programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

2 Comments

Filed under Boundaryless Information Flow™, Cybersecurity, Information security, RISK Management

How the Open Trusted Technology Provider Standard (O-TTPS) and Accreditation Will Help Lower Cyber Risk

By Andras Szakal, Vice President and Chief Technology Officer, IBM U.S. Federal

Changing business dynamics and enabling technologies

In 2008, IBM introduced the concept of a “Smarter Planet.” The Smarter Planet initiative focused, in part, on the evolution of globalization against the backdrop of changing business dynamics and enabling technologies. A key concept was the need for infrastructure to be tightly integrated, interconnected, and intelligent, thereby facilitating collaboration between people, government and businesses in order to meet the world’s growing appetite for data and automation. Since then, many industries and businesses have adopted this approach, including the ICT (information and communications technology) industries that support the global technology manufacturing supply chain.

Intelligent and interconnected critical systems

This transformation has infused technology into virtually all aspects of our lives, and involves, for example, government systems, the electric grid and healthcare. Most of these technological solutions are made up of hundreds or even thousands of components that are sourced from the growing global technology supply chain.
Intelligent and interconnected critical systems

In the global technology economy, no one technology vendor or integrator is able to always provide a single source solution. It is no longer cost competitive to design all of the electronic components, printed circuit boards, card assemblies, or other sub-assemblies in-house. Adapting to the changing market place and landscape by balancing response time and cost efficiency, in an expedient manner, drives a more wide-spread use of OEM (original equipment manufacturer) products.

As a result, most technology providers procure from a myriad of global component suppliers, who very often require similarly complex supply chains to source their components. Every enterprise has a supplier network, and each of their suppliers has a supply chain network, and these sub-tier suppliers have their own supply chain networks. The resultant technology supply chain is manifested into a network of integrated suppliers.

Increasingly, the critical systems of the planet — telecommunications, banking, energy and others — depend on and benefit from the intelligence and interconnectedness enabled by existing and emerging technologies. As evidence, one need only look to the increase in enterprise mobile applications and BYOD strategies to support corporate and government employees.

Cybersecurity by design: Addressing risk in a sustainable way across the ecosystem

Whether these systems are trusted by the societies they serve depends in part on whether the technologies incorporated into them are fit for the purpose they are intended to serve. Fit for purpose is manifested in two essential ways:

- Does the product meet essential functional requirements?
– Has the product or component been produced by trustworthy provider?

Of course, the leaders or owners of these systems have to do their part to achieve security and safety: e.g., to install, use and maintain technology appropriately, and to pay attention to people and process aspects such as insider threats. Cybersecurity considerations must be addressed in a sustainable way from the get-go, by design, and across the whole ecosystem — not after the fact, or in just one sector or another, or in reaction to crisis.

Assuring the quality and integrity of mission-critical technology

In addressing the broader cybersecurity challenge, however, buyers of mission-critical technology naturally seek reassurance as to the quality and integrity of the products they procure. In our view, the fundamentals of the institutional response to that need are similar to those that have worked in prior eras and in other industries — like food.

The very process of manufacturing technology is not immune to cyber-attack. The primary purpose of attacking the supply chain typically is motivated by monetary gain. The primary goals of a technology supply chain attack are intended to inflict massive economic damage in an effort to gain global economic advantage or as a way to seeding targets with malware that provides unfettered access for attackers.

It is for this reason that the global technology manufacturing industry must establish practices that mitigate this risk by increasing the cost barriers of launching such attacks and increasing the likelihood of being caught before the effects of such an attack are irreversible. As these threats evolve, the global ICT industry must deploy enhanced security through advanced automated cyber intelligence analysis. As critical infrastructure becomes more automated, integrated and essential to critical to functions, the technology supply chain that surrounds it must be considered a principle theme of the overall global security and risk mitigation strategy.

A global, agile, and scalable approach to supply chain security

Certainly, the manner in which technologies are invented, produced, and sold requires a global, agile, and scalable approach to supply chain assurance and is essential to achieve the desired results. Any technology supply chain security standard that hopes to be widely adopted must be flexible and country-agnostic. The very nature of the global supply chain (massively segmented and diverse) requires an approach that provides practicable guidance but avoids being overtly prescriptive. Such an approach would require the aggregation of industry practices that have been proven beneficial and effective at mitigating risk.

The OTTF (The Open Group Trusted Technology Forum) is an increasingly recognized and promising industry initiative to establish best practices to mitigate the risk of technology supply chain attack. Facilitated by The Open Group, a recognized international standards and certification body, the OTTF is working with governments and industry worldwide to create vendor-neutral open standards and best practices that can be implemented by anyone. Current membership includes a list of the most well-known technology vendors, integrators, and technology assessment laboratories.

The benefits of O-TTPS for governments and enterprises

IBM is currently a member of the OTTF and has been honored to hold the Chair for the last three years.  Governments and enterprises alike will benefit from the work of the OTTF. Technology purchasers can use the Open Trusted Technology Provider™ Standard (O-TTPS) and Framework best-practice recommendations to guide their strategies.

A wide range of technology vendors can use O-TTPS approaches to build security and integrity into their end-to-end supply chains. The first version of the O-TTPS is focused on mitigating the risk of maliciously tainted and counterfeit technology components or products. Note that a maliciously tainted product is one that has been produced by the provider and acquired through reputable channels but which has been tampered maliciously. A counterfeit product is produced other than by or for the provider, or is supplied by a non-reputable channel, and is represented as legitimate. The OTTF is currently working on a program that will accredit technology providers who conform to the O-TTPS. IBM expects to complete pilot testing of the program by 2014.

IBM has actively supported the formation of the OTTF and the development of the O-TTPS for several reasons. These include but are not limited to the following:

- The Forum was established within a trusted and respected international standards body – The Open Group.
– The Forum was founded, in part, through active participation by governments in a true public-private partnership in which government members actively participate.
– The OTTF membership includes some of the most mature and trusted commercial technology manufactures and vendors because a primary objective of the OTTF was harmonization with other standards groups such as ISO (International Organization for Standardization) and Common Criteria.

The O-TTPS defines a framework of organizational guidelines and best practices that enhance the security and integrity of COTS ICT. The first version of the O-TTPS is focused on mitigating certain risks of maliciously tainted and counterfeit products within the technology development / engineering lifecycle. These best practices are equally applicable for systems integrators; however, the standard is intended to primarily address the point of view of the technology manufacturer.

O-TTPS requirements

The O-TTPS requirements are divided into three categories:

1. Development / Engineering Process and Method
2. Secure Engineering Practices
3. Supply Chain Security Practices

The O-TTPS is intended to establish a normalized set of criteria against which a technology provider, component supplier, or integrator can be assessed. The standard is divided into categories that define best practices for engineering development practices, secure engineering, and supply chain security and integrity intended to mitigate the risk of maliciously tainted and counterfeit components.

The accreditation program

As part of the process for developing the accreditation criteria and policy, the OTTF established a pilot accreditation program. The purpose of the pilot was to take a handful of companies through the accreditation process and remediate any potential process or interpretation issues. IBM participated in the OTTP-S accreditation pilot to accredit a very significant segment of the software product portfolio; the Application Infrastructure Middleware Division (AIM) which includes the flagship WebSphere product line. The AIM pilot started in mid-2013 and completed in the first week of 2014 and was formally recognized as accredited in the fist week of February 2014.

IBM is currently leveraging the value of the O-TTPS and working to accredit additional development organizations. Some of the lessons learned during the IBM AIM initial O-TTPS accreditation include:

- Conducting a pre-assessment against the O-TTPS should be conducted by an organization before formally entering accreditation. This allows for remediation of any gaps and reduces potential assessment costs and project schedule.
– Starting with a segment of your development portfolio that has a mature secure engineering practices and processes. This helps an organization address accreditation requirements and facilitates interactions with the 3rd party lab.
– Using your first successful O-TTPS accreditation to create templates that will help drive data gathering and validate practices to establish a repeatable process as your organization undertakes additional accreditations.

andras-szakalAndras Szakal, VP and CTO, IBM U.S. Federal, is responsible for IBM’s industry solution technology strategy in support of the U.S. Federal customer. Andras was appointed IBM Distinguished Engineer and Director of IBM’s Federal Software Architecture team in 2005. He is an Open Group Distinguished Certified IT Architect, IBM Certified SOA Solution Designer and a Certified Secure Software Lifecycle Professional (CSSLP).  Andras holds undergraduate degrees in Biology and Computer Science and a Masters Degree in Computer Science from James Madison University. He has been a driving force behind IBM’s adoption of government IT standards as a member of the IBM Software Group Government Standards Strategy Team and the IBM Corporate Security Executive Board focused on secure development and cybersecurity. Andras represents the IBM Software Group on the Board of Directors of The Open Group and currently holds the Chair of the IT Architect Profession Certification Standard (ITAC). More recently, he was appointed chair of The Open Group Trusted Technology Forum and leads the development of The Open Trusted Technology Provider Framework.

1 Comment

Filed under Accreditations, Cybersecurity, government, O-TTF, O-TTPS, OTTF, RISK Management, Standards, supply chain, Supply chain risk