Tag Archives: ISO

Improving Signal-to-Noise in Risk Management

By Jack Jones, CXOWARE

One of the most important responsibilities of the information security professional (or any IT professional, for that matter) is to help management make well-informed decisions. Unfortunately, this has been an elusive objective when it comes to risk. Although we’re great at identifying control deficiencies, and we can talk all day long about the various threats we face, we have historically had a poor track record when it comes to risk. There are a number of reasons for this, but in this article I’ll focus on just one — definition.

You’ve probably heard the old adage, “You can’t manage what you can’t measure.”  Well, I’d add to that by saying, “You can’t measure what you haven’t defined.” The unfortunate fact is that the information security profession has been inconsistent in how it defines and uses the term “risk.” Ask a number of professionals to define the term, and you will get a variety of definitions.

Besides inconsistency, another problem regarding the term “risk” is that many of the common definitions don’t fit the information security problem space or simply aren’t practical. For example, the ISO27000 standard defines risk as, “the effect of uncertainty on objectives.” What does that mean? Fortunately (or perhaps unfortunately), I must not be the only one with that reaction because the ISO standard goes on to define “effect,” “uncertainty,” and “objectives,” as follows:

  • Effect: A deviation from the expected — positive and/or negative
  • Uncertainty: The state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence or likelihood
  • Objectives: Can have different aspects (such as financial, health and safety, information security, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)

NOTE: Their definition for “objectives” doesn’t appear to be a definition at all, but rather an example.

Although I understand, conceptually, the point this definition is getting at, my first concern is practical in nature. As a Chief Information Security Officer (CISO), I invariably have more to do than I have resources to apply. Therefore, I must prioritize; prioritization requires comparison, and comparison requires measurement. It isn’t clear to me how “uncertainty regarding deviation from the expected (positive and/or negative) that might affect my organization’s objectives” can be applied to measure, and thus compare and prioritize, the issues I’m responsible for dealing with.

This is just an example though, and I don’t mean to pick on ISO because much of their work is stellar. I could have chosen any of several definitions in our industry and expressed varied concerns.

In my experience, information security is about managing how often loss takes place, and how much loss will be realized when/if it occurs. That is our profession’s value proposition, and it’s what management cares about. Consequently, whatever definition we use needs to align with this purpose.

The Open Group’s Risk Taxonomy (shown below), based on Factor Analysis of Information Risk (FAIR), helps to solve this problem by providing a clear and practical definition for risk. In this taxonomy, Risk is defined as, “the probable frequency and probable magnitude of future loss.”

[Image: The Open Group Risk Taxonomy]

The elements below risk in the taxonomy form a Bayesian network that models risk factors and acts as a framework for critically evaluating risk. This framework has been evolving for more than a decade now and is helping information security professionals across many industries understand, measure, communicate and manage risk more effectively.
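The definition above is only useful for prioritization if it yields something comparable, so here is an added example (not code from the original post or from The Open Group’s FAIR materials) that estimates risk the way the taxonomy defines it: a probable frequency of loss events combined with a probable magnitude per event, sampled many times to give an annual loss distribution that two scenarios can be ranked on. The scenario names, the frequency and magnitude ranges, and the choice of a triangular/Poisson model for frequency and a lognormal model for magnitude are all assumptions made for illustration, not factors the post specifies.

```python
# Added example (not part of the original post): Monte Carlo estimate of risk
# as "probable frequency and probable magnitude of future loss". The scenario
# values and distribution choices below are assumptions for illustration.
import math
import random
from statistics import mean, quantiles


def _poisson(rng, lam):
    # Knuth's method: count uniform draws until their product falls below exp(-lam).
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def lognormal_params(low, high, confidence=0.90):
    """Turn a calibrated (low, high) loss-per-event interval into lognormal
    mu/sigma so that the interval is the central `confidence` band."""
    z = {0.90: 1.645, 0.95: 1.960}[confidence]
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * z)
    return mu, sigma


def simulate_annual_loss(scenario, years=20_000, seed=1):
    """Return simulated annual loss totals for one scenario.

    scenario = {"freq": (low, most_likely, high) loss events per year,
                "magnitude": (low, high) 90% interval for loss per event}
    """
    rng = random.Random(seed)
    f_low, f_mode, f_high = scenario["freq"]
    mu, sigma = lognormal_params(*scenario["magnitude"])
    losses = []
    for _ in range(years):
        # Probable frequency: an uncertain yearly rate, then the realized count.
        rate = rng.triangular(f_low, f_high, f_mode)
        n_events = _poisson(rng, rate)
        # Probable magnitude: one lognormal draw per loss event, summed.
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def expected_annual_loss(scenario):
    """Closed form E[annual loss] = E[frequency] * E[magnitude], to sanity-check
    the simulation (mean of a triangular times mean of a lognormal)."""
    f_low, f_mode, f_high = scenario["freq"]
    mu, sigma = lognormal_params(*scenario["magnitude"])
    return (f_low + f_mode + f_high) / 3 * math.exp(mu + sigma ** 2 / 2)


def summarize(scenario, years=20_000, seed=1):
    """Mean, median and 95th percentile of simulated annual loss."""
    losses = simulate_annual_loss(scenario, years, seed)
    pct = quantiles(losses, n=100)
    return {"mean": mean(losses), "p50": pct[49], "p95": pct[94]}


# Constructed scenarios (assumed values): many cheap events vs. rare costly ones.
SCENARIOS = {
    "phishing-driven credential resets": {"freq": (2, 5, 10), "magnitude": (1_000, 50_000)},
    "loss of a customer database": {"freq": (0.02, 0.05, 0.2), "magnitude": (200_000, 5_000_000)},
}

if __name__ == "__main__":
    for name, scenario in SCENARIOS.items():
        s = summarize(scenario)
        print(f"{name:36s} mean={s['mean']:>12,.0f} p50={s['p50']:>12,.0f} "
              f"p95={s['p95']:>12,.0f} analytic={expected_annual_loss(scenario):>12,.0f}")
```

The point the output makes is the one the post argues for: the two scenarios can only be ranked once both frequency and magnitude are stated, and they rank differently depending on whether management cares about expected annual loss or about the tail (the median of the rare scenario is zero in most years, while its 95th percentile dwarfs the frequent one).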

In the communications context, you have to have a very clear understanding of what constitutes signal before you can effectively and reliably filter it out from noise. The Open Group’s Risk Taxonomy gives us an important foundation for achieving a much clearer signal.

I will be discussing this topic in more detail next week at The Open Group Conference in Newport Beach. For more information on my session or the conference, visit: http://www.opengroup.org/newportbeach2013.

Jack Jones has been employed in technology for the past twenty-nine years, and has specialized in information security and risk management for twenty-two years. During this time, he’s worked in the United States military, government intelligence, consulting, as well as the financial and insurance industries. Jack has over nine years of experience as a CISO, with five of those years at a Fortune 100 financial services company. His work there was recognized in 2006 when he received the 2006 ISSA Excellence in the Field of Security Practices award at that year’s RSA conference. In 2007, he was selected as a finalist for the Information Security Executive of the Year, Central United States, and in 2012 was honored with the CSO Compass award for leadership in risk management. He is also the author and creator of the Factor Analysis of Information Risk (FAIR) framework.

Filed under Cybersecurity

The Open Group SOA Governance Framework Becomes an International Standard

By Heather Kreger, CTO International Standards, IBM and Chris Harding, Director for Interoperability, The Open Group

The Open Group SOA Governance Framework is now an International Standard, having passed its six month ratification vote in ISO and IEC.

According to Gartner, effective governance is a key success factor for Service-Oriented Architecture (SOA) solutions today and in the future. This endorsement of The Open Group standard by ISO is exciting, because it means that this vendor-neutral, proven SOA governance standard is now available to governments and enterprises world-wide.

Published by The Open Group in 2009, the SOA Governance Framework enables organizations—public, private, large and small—to develop their own robust governance regimens, rapidly and using industry best practices. This substantially reduces the cost and risk of using SOA. As an international standard, the framework will now provide authoritative guidelines for companies across the globe to implement sound SOA governance practices.

The framework includes a standard governance reference model and a mechanism for enterprises to customize and implement the compliance, dispensation and communication processes that are appropriate for them. Long term vitality is an essential part of the framework, and it gives guidance on evolving these processes over time in the light of changing business and technical circumstances, ensuring the on-going alignment of business and IT.

This is The Open Group’s second international standard on SOA, the first being the Open Services Integration Maturity Model (OSIMM), which passed ISO ratification in January 2012. Since then, we have seen OSIMM being considered for adoption as a national standard in countries such as China and Korea. We are hoping that the new SOA Governance Framework International Standard will be given the same consideration. The Open Group also contributed its SOA Ontology and SOA Reference Architecture standards to JTC1 and is engaged in the development of international standards on SOA there.

In addition to submitting our SOA standards for international ratification, The Open Group is actively leveraging its SOA standards in its Cloud architecture projects. In particular, the Cloud Governance Project in The Open Group Cloud Computing Work Group is developing a Cloud Governance Framework based on and extending the SOA Governance Framework. This emerging standard will identify cloud specific governance issues and offer guidance and best practices for addressing them.

Finally, The Open Group is engaged in the development of Cloud architecture standards in JTC1, and in particular in the new collaboration between ISO/IEC JTC1 SC38 and ITU-T’s Cloud groups to create a common Combined Team Cloud Vocabulary and Combined Team Cloud Architecture. All of this is very exciting work, both for the SOA and for the Cloud Computing Work Group. Stay tuned for more developments as these projects progress!

Resources

Heather Kreger is IBM’s lead architect for Smarter Planet, Policy, and SOA Standards in the IBM Software Group, with 15 years of standards experience. She has led the development of standards for Cloud, SOA, Web services, Management and Java in numerous standards organizations, including W3C, OASIS, DMTF, and Open Group. Heather is currently co-chair for The Open Group’s SOA Work Group and liaison for the Open Group SOA and Cloud Work Groups to ISO/IEC JTC1 SC7 SOA SG and INCITS DAPS38 (US TAG to ISO/IEC JTC 1 SC38). Heather is also the author of numerous articles and specifications, as well as the book Java and JMX, Building Manageable Systems, and most recently was co-editor of Navigating the SOA Open Standards Landscape Around Architecture.

Dr. Chris Harding is Director for Interoperability and SOA at The Open Group. He has been with The Open Group for more than ten years, and is currently responsible for managing and supporting its work on interoperability, including SOA and interoperability aspects of Cloud Computing. He is a member of the BCS, the IEEE and the AEA, and is a certified TOGAF practitioner.

Filed under Cloud/SOA

Optimizing ISO/IEC 27001 Using O-ISM3

By Jim Hietala, The Open Group and Vicente Aceituno, Sistemas Informáticos Abiertos

The Open Group has just published a guide titled “Optimizing ISO/IEC 27001 using O-ISM3” that will be of interest to organizations using ISO27001/27002 as their Information Security Management System (ISMS).

By way of background, The Open Group published our Open Information Security Management Maturity Model last year, O-ISM3. O-ISM3 brings continuous improvement to information security management, and it provides a framework for security decision-making that is top down in nature, where security controls, security objectives and spending decisions are driven by (and aligned with) business objectives.

We have for some time now heard from information security managers that they would like a resource aimed at showing how the O-ISM3 standard could be used to manage information security alongside ISO27001/27002. This new guide provides specific guidance on this topic.

We view this as an important resource, for the following reasons:

  • O-ISM3 complements ISO27001/2 by adding the “how” dimension to information security management
  • O-ISM3 uses a process-oriented approach, defining inputs and outputs, and allowing for evaluation by process-specific metrics
  • O-ISM3 provides a framework for continuous improvement of information security processes

This resource:

  • Maps O-ISM3 and ISO27001 security objectives
  • Maps ISO27001/27002 controls and documents to O-ISM3 security processes, documents, and outputs
  • Provides a critical linkage between the controls-based approach found in ISO27001 to the process-based approach found in O-ISM3

If you have interest in information security management, we encourage you to have a look at Optimizing ISO/IEC 27001 using O-ISM3. The guide may be downloaded (at no cost, minimal registration required) here.

Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT security and risk management programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

Vicente Aceituno, CISA, has 20 years experience in the field of IT and Information Security. During his career in Spain and the UK, he has worked for companies like Coopers & Lybrand, BBC News, Everis, and SIA Group. He is the main author of the Information Security Management Method ISM3, author of the information security book “Seguridad de la Información,” Director of the ISM3 Consortium (www.ism3.com) and President of the Spanish chapter of the ISSA.

Filed under Cybersecurity, Information security, Security Architecture

OSIMM Goes de Jure: The First International Standards on SOA

By Heather Kreger, CTO International Standards, IBM

I was very excited to see OSIMM pass its ratification vote within the International Organization for Standardization (ISO) on January 8, 2012, becoming the first International Standard on SOA.  This is the culmination of a two year process that I’ve been driving for The Open Group in ISO/IEC JTC1.  Having the OSIMM standard recognized globally is a huge validation of the work that The Open Group and the SOA Work Group have been doing over the past few years since OSIMM first became an Open Group standard in 2009.  Even though the process for international standard ratification is a lengthy one, it has been worth the effort and we’ve already submitted additional Open Group standards to ISO.  For those of you interested in the process, read on…

How it works

In order for OSIMM to become an international standard, The Open Group had to first be approved as an “Approved Reference Organization” and “Publicly Available Specification” (PAS) Submitter, in a vote by every JTC1 country.

What does this REALLY mean? It means Open Group standards can be referenced by international standards and it means the Open Group can submit standards to ISO/IEC and ask for them to follow the PAS process, which ratifies standards as they are as International Standards if they pass the international vote.  Each country votes and comments on the specification and if there are comments, there is a ballot resolution meeting with potentially an update to the submitted specification. This all sounds straightforward until you mix in The Open Group’s timeline for approving updates to standards with the JTC1 process. In the end, this takes about a year.

Why drag you through this? I just wanted you to appreciate what an accomplishment the OSIMM V2 ISO/IEC 16680 is for The Open Group. The SOA Governance Framework Standard is now following the same process. The SOA Ontology and new SOA Reference Architecture Standards have also been submitted to ISO’s SOA Work Group (in SC38) as input to the normal working group process.

The OSIMM benefit

Let’s also revisit OSIMM, since it’s been a while since OSIMM V1 was first standardized in 2009. OSIMM V2 is technically equivalent to OSIMM V1, although we made some clarifications to answer comments from the PAS process and added an appendix positioning OSIMM with the other maturity models in ISO/IEC JTC1.

OSIMM leverages proven best practices to allow consultants and IT practitioners to assess an organization’s readiness and maturity level for adopting services in SOA and Cloud solutions. It defines a process to create a roadmap for incremental adoption that maximizes business benefits at each stage along the way. The model consists of seven levels of maturity and seven dimensions of consideration that represent significant views of business and IT capabilities where the application of SOA principles is essential for the deployment of services. OSIMM acts as a quantitative model to aid in assessment of the current state and desired future state of SOA maturity. OSIMM also has an extensible framework for understanding the value of implementing a service model, as well as a comprehensive guide for achieving an organization’s desired level of service maturity.

There are a couple of things I REALLY like about OSIMM, especially for those new to SOA:

First, it’s an easy, visual way to grasp the full breadth of what SOA is, from no services at all, to simple, single, hand-developed services, to dynamically created services. In fact, the first three levels of maturity are “pre-services” approaches we all know and use (i.e., object-oriented and components). With this, everyone can find what they are using…even if they are not using services at all.

Second, it’s a self-assessment. You use this to gauge your own use of services today and where you want to be. You can reassess to “track” your progress (sort of like weight loss) on employing services. Because you have to customize the indicators, and because the weighting of the maturity scores will differ according to what is important to your company, it doesn’t make sense to compare scores between two companies. In addition, every company has a different target goal. So, no, sorry, you cannot brag that you are more mature than your arch competitor! However, some of the process assessments in ISO/IEC SC7 ARE for just that, so check out the OSIMM appendix for links and pointers!

Which brings me to my third point: there is no “right” level of maturity. The most mature level doesn’t make sense for most companies. OSIMM is a great tool to force your business and IT staff into a discussion to agree together on what the current level is and what the right level is for them, so that everyone is on the same page.

Finally, it’s flexible. You can add indicators and adjust weightings to make it accurate and a reflection of the needs of your business AND IT departments. You can skip levels, or be at different levels of maturity for different business dimensions. You work on advancing the use of services in the dimension that gives you the most business value; you don’t have to give them all “equal attention” or get them to the same level.

Resources

The following resources are available if you are interested in learning more about the OSIMM V2 Standard:

IBM is also presenting next week during The Open Group Conference in San Francisco, which will discuss how to extend OSIMM for your organization.

Heather Kreger is IBM’s lead architect for Smarter Planet, Policy, and SOA Standards in the IBM Software Group, with 15 years of standards experience. She has led the development of standards for Cloud, SOA, Web services, Management and Java in numerous standards organizations, including W3C, OASIS, DMTF, and Open Group. Heather is currently co-chair for The Open Group’s SOA Work Group and liaison for the Open Group SOA and Cloud Work Groups to ISO/IEC JTC1 SC7 SOA SG and INCITS DAPS38 (US TAG to ISO/IEC JTC 1 SC38). Heather is also the author of numerous articles and specifications, as well as the book Java and JMX, Building Manageable Systems, and most recently was co-editor of Navigating the SOA Open Standards Landscape Around Architecture.

Filed under Cloud/SOA, Service Oriented Architecture, Standards