
Security review using SABSA

Dec 05, 2014

Page 1: Security review using SABSA

Index - Security Review (Generic)

- Business Drivers
- Business Attributes
- Attribute Profile
- Attribute - Risks and Controls
- Attribute - Opportunities and Enablement
- Security Threat
- Contextual Architecture
- Conceptual Architecture
- Logical Architecture
- Physical Architecture

Page 2: Security review using SABSA

Index - Security Review (Generic)

Page 3: Security review using SABSA

Driver # | Business Drivers

BD1: Protecting the reputation of the Organization, ensuring that it is perceived as competent in its sector

BD2: Preventing losses through financial fraud

BD3: Providing the ability to prosecute those who attempt to defraud the Organization

BD4: Providing support to the claims made by the Organization about its competence to carry out its intended functions

BD5: Protecting the trust that exists in business relationships and propagating that trust across remote electronic business communications links and distributed information systems

BD6: Maintaining the confidence of other key parties in their relationships with the Organization

BD7: Maintaining the operational capability of the Organization's systems

BD8: Maintaining the continuity of service delivery, including the ability to meet the requirements of service level agreements where these exist

BD9: Maintaining the accuracy of information

BD10: Maintaining the ability to govern

BD11: Detecting attempted financial fraud

BD12: Providing and maintaining the ability to ensure that the solutions provided for securing electronic business services provide a clear and unambiguous definition of responsibilities and liabilities for all parties at every stage of the transaction.

BD13: Providing and maintaining the ability to resolve disputes between the Organization and any other parties, quickly, efficiently and with minimum cost

BD14: Ensuring that information processed in the Organization's systems can be brought to a court of law as evidence in support of both criminal and civil proceedings and that the court will admit the evidence, and that the evidence will withstand hostile criticism by the other side's expert witnesses

BD15: Ensuring that the information security approaches used in the systems directly support compliance by the Organization with commercial contracts to which the Organization is a party

BD16: Ensuring that the Organization is at all times compliant with the laws and sectoral regulations, and that the information security approach in the systems directly and indirectly supports legal compliance

Page 4: Security review using SABSA

BD17: Maintaining the privacy of personal and business information that is stored, processed and communicated by the Organization's systems

BD18: Protecting against the deliberate, accidental or negligent corruption of personal and business information that is stored, processed and communicated by the systems

BD19: Ensuring that an entity that makes a business transaction cannot later deny having made the transaction, and that the entity will be bound by the contractual obligations associated with making the transaction

BD20: Ensuring that all users can be held accountable for the actions that they take in making use of their access privileges

BD21: Ensuring that access privileges are designed and implemented in such a way as to minimize the risk of a single individual having excessive power that could be abused without easily being detected

BD22: Providing a means by which the Organization can monitor compliance with its various information security policies and can detect, investigate and remedy any attempted violations of those policies

BD23: Providing assurance of the correct functioning of the Organization's systems and sub-systems

BD24: Providing for the setting of policy and the control and monitoring of compliance with policy by the authorities vested with responsibility for corporate governance in the system environment

BD25: Protecting other parties with whom the Organization has business dealings from abuse, loss of business or personal information

BD26: Ensuring that employees using the system are only granted authorized access within need to know and need to use privileges

BD27: Ensuring the system security solution is cost effective and provides good value for money

BD28: Ensuring that the security of the Organization's information is dependent only upon its system security measures and not on the security competence of any other organization

BD29: Ensuring that the granularity of system security services is appropriate to business need

BD30: Preserving the ability of authorized business users to maintain a high level of productivity

BD31: Ensuring that information security interfaces are easy and simple to use

BD32: Utilizing, where possible, commercial-off-the-shelf products to build information security solutions

BD33: Ensuring that security services can be extended to all user locations, to all interface types and across all network types that will be used to support delivery

BD34: Maximize the economic advantage of the Enterprise Security Architecture

BD35: Security services to be supported through electronic communications, without the need for physical transfer of documents or storage media.

BD36: System security solutions should as far as possible comply with internal and external standards and best practices

Page 5: Security review using SABSA

BD37: Ensure that the required internal and external cultural shift is achieved to support the Security Architecture

BD38: Ensuring accurate information is available when needed

BD39: Minimise the risk of loss of key customer relationships

BD40: Minimize the risk of excessive loading on insurance premiums due to negligence on the Organization's behalf or lack of due diligence

BD41: The Security Architecture should be independent of any specific vendor or product, and should be capable of supporting multiple products from multiple vendors

BD42: The Security Architecture must remain compatible with new technical solutions as these evolve and become available, and with new business requirements as these emerge, with a minimum of redesign

BD43: The Security Architecture must be able to be adapted to counter new threats and vulnerabilities as they are discovered

Page 6: Security review using SABSA
Page 7: Security review using SABSA

Business Attributes

Columns: Business Attribute | Business Attribute Definition | Suggested Measurement Approach | Metric Type

User Attributes

Accessible
  Definition: Information to which the user is entitled to gain access should be easily found and accessed by that user.
  Measurement: Search tree depth necessary to find the information
  Metric type: Soft

Accurate
  Definition: The information provided to users should be accurate within a range that has been pre-agreed upon as being applicable to the service being delivered.
  Measurement: Acceptance testing on key data to demonstrate compliance with design rules
  Metric type: Hard

Anonymous
  Definition: For certain specialized types of service, the anonymity of the user should be protected.
  Measurement: Rigorous proof of system functionality (Hard). Red team review (Soft)
  Metric type: Hard / Soft

Consistent
  Definition: The way in which log-in, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access.
  Measurement: Conformance with design style guides. Red team review
  Metric type: Soft

Business Attribute categories used in the following pages:

- User Attributes
- Management Attributes
- Risk Management Attributes
- Legal/Regulatory Attributes
- Technical Strategy Attributes
- Operational Attributes
- Business Strategy Attributes

Page 8: Security review using SABSA

Current
  Definition: Information provided to users should be current and kept up to date, within a range that has been pre-agreed upon as being applicable for the service being delivered.
  Measurement: Refresh rates at the data source and replication of refreshed data to the destination.
  Metric type: Hard

Duty Segregated
  Definition: For certain sensitive tasks, the duties should be segregated so that no user has access to both aspects of the task.
  Measurement: Functional testing
  Metric type: Hard

Educated and Aware
  Definition: The user community should be educated, aware and trained so that they can embrace the security culture. There should be sufficient user awareness of security issues so that the behavior of users is compliant with security policies.
  Measurement: Competence surveys
  Metric type: Soft

Informed
  Definition: The user should be kept fully informed about services, operating procedures, operational schedules, planned outages, and so on.
  Measurement: Focus groups or satisfaction surveys
  Metric type: Soft

Motivated
  Definition: The interaction with the system should add positive motivation to the user to complete the business tasks at hand.
  Measurement: Focus groups or satisfaction surveys
  Metric type: Soft

Protected
  Definition: The user's information and access privileges should be protected against abuse by other users or by intruders.
  Measurement: Penetration test. (Could be regarded as "hard," but only if a penetration is achieved. Failure to penetrate does not mean that penetration is impossible.)
  Metric type: Soft

Reliable
  Definition: The services provided to the user should be delivered at a reliable level of quality.
  Measurement: A definition of "quality" is needed against which to compare.
  Metric type: Soft

Responsive
  Definition: The users obtain a response within a satisfactory period of time that meets their expectations.
  Measurement: Response time
  Metric type: Hard

Supported
  Definition: When a user has problems or difficulties in using the system or its services, there should be a means by which the user can receive advice and support so that the problems can be resolved to the satisfaction of the user.
  Measurement: Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model.
  Metric type: Soft

Page 9: Security review using SABSA

Timely
  Definition: Information is delivered or made accessible to the user at the appropriate time or within the appropriate time period.
  Measurement: Refresh rates at the data source and replication of refreshed data to the destination.
  Metric type: Hard

Transparent
  Definition: Providing full visibility to the user of the logical process but hiding the physical structure of the system (as a URL hides the actual physical locations of Web servers).
  Measurement: Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model
  Metric type: Soft

Usable
  Definition: The system should provide easy-to-use interfaces that can be navigated intuitively by a user of average intelligence and training level (for the given system). The user's experience of these interactions should be at best interesting and at worst neutral.
  Measurement: Numbers of "clicks" or keystrokes required. Conformance with industry standards, e.g., color palettes. Feedback from focus groups.
  Metric type: Soft

Management Attributes

Automated
  Definition: Wherever possible (and depending upon cost/benefit factors) the management and operation of the system should be automated.
  Measurement: Independent design review
  Metric type: Soft

Change-Managed
  Definition: Changes to the system should be properly managed so that the impact of every change is evaluated and the changes are approved in advance of being implemented.
  Measurement: Documented change management system, with change management history, evaluated by independent audit
  Metric type: Soft

Controlled
  Definition: The system should at all times remain in the control of its managers. This means that the management will observe the operation and behaviour of the system, will make decisions about how to control it based on these observations, and will implement actions to exert that control.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model
  Metric type: Soft

Page 10: Security review using SABSA

Cost Effective
  Definition: The design, acquisition, implementation, and operation of the system should be achieved at a cost that the business finds acceptable when judged against the benefits derived.
  Measurement: Individual budgets for the phases of development and for ongoing operation, maintenance and support
  Metric type: Hard

Efficient
  Definition: The system should deliver the target services with optimum efficiency, avoiding wastage of resources.
  Measurement: A target efficiency ratio based on (Input value)/(Output value)
  Metric type: Hard

Maintainable
  Definition: The system should be capable of being maintained in a state of good repair and effective, efficient operation. The actions required to achieve this should be feasible within the normal operational
  Measurement: Documented execution of a preventive maintenance schedule for both hardware and software, correlated against targets for continuity of service, such as mean time between failures (MTBF)
  Metric type: Hard

Measured
  Definition: The performance of the system should be measured against a variety of desirable performance targets so as to provide feedback
  Measurement: Documented tracking and reporting of a portfolio of conventional system performance parameters, together with other attributes from this list
  Metric type: Soft

Supportable
  Definition: The system should be capable of being supported in terms of both the users and the operations staff, so that all types of problems and operational difficulties can be resolved.
  Measurement: Fault-tracking system providing measurements of MTBF, MTTR (mean time to repair), and maximum time to repair, with targets for each parameter
  Metric type: Hard

Risk Management Attributes

Access Controlled
  Definition: Access to information and functions within the system should be controlled in accordance with the authorized privileges of the party requesting the access. Unauthorized access should be prevented.
  Measurement: Reporting of all unauthorised access attempts, including number of incidents per period, severity, and result (did the access attempt succeed?)
  Metric type: Hard

Accountable
  Definition: All parties having authorized access to the system should be held accountable for their actions.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to hold accountable
  Metric type: Soft

Page 11: Security review using SABSA

Assurable
  Definition: There should be a means to provide assurance that the system is operating as expected and that all of the various controls are correctly implemented and operated. The actual configuration of the system should
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model (Soft). Documented target configuration exists under change control with a capability to check current configuration against this target (Hard)
  Metric type: Soft / Hard

Assuring Honesty
  Definition: Protecting employees against false accusations of dishonesty or malpractice.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent false accusations that are difficult to repudiate
  Metric type: Soft

Auditable
  Definition: The actions of all parties having authorized access to the system, and the complete chain of events and outcomes resulting from these actions, should be recorded so that this history can be reviewed. The audit records should provide an appropriate level of detail, in accordance with business needs.
  Measurement: Documented standards exist against which to audit (Hard). Independent audit and review against Security Architecture Capability Maturity Model (Soft)
  Metric type: Hard / Soft

Authenticated
  Definition: Every party claiming a unique identity (i.e., a claimant) should be subject to a procedure that verifies that the party is indeed the authentic owner of the claimed identity.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to authenticate successfully every claim of identity
  Metric type: Soft

Authorised
  Definition: The system should allow only those actions that have been explicitly authorized.
  Measurement: Reporting of all unauthorized actions, including number of incidents per period, severity, and result (did the action succeed?) (Hard). Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to detect (Soft)
  Metric type: Hard / Soft

Capturing New Risk
  Definition: New risks emerge over time. The system management and operational environment should provide a means to identify and assess new risks (new threats, new impacts, or new vulnerabilities).
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of a documented risk assessment process and a risk assessment history (Soft). Percentage of vendor published patches and upgrades actually installed (Hard)
  Metric type: Soft / Hard

Page 12: Security review using SABSA

Confidential
  Definition: The confidentiality of (corporate) information should be protected in accordance with security policy. Unauthorized disclosure should be prevented.
  Measurement: Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
  Metric type: Hard

Crime Free
  Definition: Cyber-crime of all types should be prevented.
  Measurement: Reporting of all incidents of crime, including number of incidents per period, severity, and type of crime
  Metric type: Hard

Flexibly Secure
  Definition: Security can be provided at various levels, according to business need. The system should provide the means to secure information according to these needs, and may need to offer different levels of security for different types of
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical security architecture at conceptual, logical, and physical layers
  Metric type: Soft

Identified
  Definition: Each entity that will be granted access to system resources and each object that is itself a system resource should be uniquely identified (named) such that there can never be confusion as to
  Measurement: Proof of uniqueness of naming schemes
  Metric type: Hard

Independently Secure
  Definition: The security of the system should not rely upon the security of any other system that is not within the direct span of control of this system.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model
  Metric type: Soft

In our Sole Possession
  Definition: Information that has value to the business should be in the possession of the business, stored and protected by the system against loss (as in no longer being available) or theft (as in being disclosed to an unauthorised party). This will include information that is regarded as "intellectual property."
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model
  Metric type: Soft

Page 13: Security review using SABSA

Integrity Assured
  Definition: The integrity of information should be protected to provide assurance that it has not suffered unauthorized modification, duplication, or deletion.
  Measurement: Reporting of all incidents of compromise, including number of incidents per period, severity, and type of compromise (Hard). Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to detect integrity compromise incidents (Soft)
  Metric type: Hard / Soft

Non-Repudiable
  Definition: When one party uses the system to send a message to another party, it should not be possible for the first party to falsely deny having sent the message, or to falsely deny its contents.
  Measurement: Reporting of all incidents of unresolved repudiations, including number of incidents per period, severity, and type of repudiation (Hard). Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent repudiations that cannot be easily resolved (Soft)
  Metric type: Hard / Soft

Owned
  Definition: There should be an entity designated as "owner" of every system. This owner is the policy maker for all aspects of risk management with respect to the system, and exerts the ultimate authority for controlling the system.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of the ownership arrangements and of the management processes by which owners should fulfil their responsibilities, and of their diligence in so doing
  Metric type: Soft

Private
  Definition: The privacy of (personal) information should be protected in accordance with relevant privacy or "data protection" legislation, so as to meet the reasonable expectation of citizens for privacy. Unauthorized disclosure should be prevented.
  Measurement: Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
  Metric type: Hard

Trustworthy
  Definition: The system should be able to be trusted to behave in the ways specified in its functional specification and should protect against a wide range of potential abuses.
  Measurement: Focus groups or satisfaction surveys researching the question "Do you trust the service?"
  Metric type: Soft

Page 14: Security review using SABSA

Legal/Regulatory Attributes

Admissible
  Definition: The system should provide forensic records (audit trails and so on) that will be deemed to be "admissible" in a court of law, should that evidence ever need to be presented in support of a criminal prosecution or a civil litigation.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model by computer forensics expert
  Metric type: Soft

Compliant
  Definition: The system should comply with all applicable regulations, laws, contracts, policies, and mandatory standards, both internal and external.
  Measurement: Independent compliance audit with respect to the inventories of regulations, laws, policies, etc.
  Metric type: Soft

Enforceable
  Definition: The system should be designed, implemented and operated such that all applicable contracts, policies, regulations, and laws can be enforced by the system.
  Measurement: Independent review of: (1) inventory of contracts, policies, regulations and laws for completeness, and (2) enforceability of contracts, policies, laws, and regulations on the inventory
  Metric type: Soft

Insurable
  Definition: The system should be risk-managed to enable an insurer to offer reasonable commercial terms for insurance against a standard range of insurable
  Measurement: Verify against insurance quotations
  Metric type: Hard

Legal
  Definition: The system should be designed, implemented, and operated in accordance with the requirements of any applicable legislation. Examples include data protection laws, laws controlling the use of cryptographic technology, laws controlling insider dealing on the stock market, and laws
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable laws to check for completeness and suitability
  Metric type: Soft

Liability Managed
  Definition: The system services should be designed, implemented and operated so as to manage the liability of the organization with regard to errors, fraud, malfunction, and so on. In particular, the responsibilities and liabilities of each party
  Measurement: Independent legal expert review of all applicable contracts, SLAs, etc.
  Metric type: Soft

Page 15: Security review using SABSA

Regulated
  Definition: The system should be designed, implemented, and operated in accordance with the requirements of any applicable regulations. These may be general (such as safety regulations) or industry-specific (such as banking regulations).
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable regulations to check for completeness and suitability
  Metric type: Soft

Resolvable
  Definition: The system should be designed, implemented and operated in such a way that disputes can be resolved with reasonable ease and without undue impact on time, cost, or other valuable resources.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model by legal expert
  Metric type: Soft

Time-Bound
  Definition: Meeting requirements for maximum or minimum periods of time, for example, a minimum period for records retention or a maximum period within which something must be completed.
  Measurement: Independent functional design review against specified functional requirements
  Metric type: Hard

Technology Strategy Attributes

Architecturally Open
  Definition: The system architecture should, wherever possible, not be locked into specific vendor interface standards and should allow flexibility in
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
  Metric type: Soft

COTS/GOTS
  Definition: Wherever possible, the system should utilize commercial off-the-shelf or government off-the-shelf components, as appropriate.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
  Metric type: Soft

Extendible
  Definition: The system should be capable of being extended to incorporate new functional modules as required by the business.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
  Metric type: Soft

Flexible / Adaptable
  Definition: The system should be flexible and adaptable to meet new business requirements as they emerge.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
  Metric type: Soft

Page 16: Security review using SABSA

Future Proof
  Definition: The system architecture should be designed as much as possible to accommodate future changes in both business requirements and technical solutions.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
  Metric type: Soft

Legacy Sensitive
  Definition: A new system should be able to work with any legacy systems or databases with which it needs to interoperate or integrate.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
  Metric type: Soft

Migratable
  Definition: There should be a feasible, manageable migration path, acceptable to the business users, that moves from an old system to a new one, or
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
  Metric type: Soft

Multi-Sourced
  Definition: Critical system components should be obtainable from more than one source, to protect against the risk of the single source of supply and support being withdrawn.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture at the component level
  Metric type: Soft

Scalable
  Definition: The system should be scaleable to the size of user community, data storage requirements, processing throughput, and so on that might emerge over the lifetime of the system.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
  Metric type: Soft

Simple
  Definition: The system should be as simple as possible, since complexity only adds further risk.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
  Metric type: Soft

Standards Compliant
  Definition: The system should be designed, implemented and operated to comply with appropriate technical and operational standards.
  Measurement: Independent audit and review of: (1) the inventory of standards to check for completeness and appropriateness, and (2) compliance with standards on the inventory
  Metric type: Soft

Page 17: Security review using SABSA

Traceable
  Definition: The development and implementation of system components should be documented so as to provide complete two-way traceability. That is, every implemented component should be justifiable by tracing back to the business requirements that led to its inclusion in the system, and it should be possible to review every business requirement and demonstrate which of the implemented system components are there to meet this requirement.
  Measurement: Independent expert review of documented traceability matrices and trees
  Metric type: Soft

Upgradeable
  Definition: The system should be capable of being upgraded with ease to incorporate new releases of hardware and software.
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
  Metric type: Soft

Operational Attributes

Available
  Definition: The information and services provided by the system should be available according to the requirements specified in the service-level agreement (SLA).
  Measurement: As specified in the SLA
  Metric type: Hard

Continuous
  Definition: The system should offer "continuous service." The exact definition of this phrase will always be subject to a SLA.
  Measurement: Percentage up-time correlated versus scheduled and/or unscheduled downtime, or MTBF, or MTTR
  Metric type: Hard

Detectable
  Definition: Important events must be detected and reported.
  Measurement: Functional testing
  Metric type: Hard

Error-Free
  Definition: The system should operate without producing errors.
  Measurement: Percentage or absolute error rates (per transaction, per batch, per time period, etc.)
  Metric type: Hard

Page 18: Security review using SABSA

Inter-Operable
  Definition: The system should interoperate with other similar systems, both immediately and in the future, as intersystem communication becomes increasingly a requirement. The system should interoperate
  Measurement: Specific interoperability requirements
  Metric type: Hard

Monitored
  Definition: The operational performance of the system should be continuously monitored to ensure that other attribute specifications are being met. Any deviations from acceptable limits should be
  Measurement: Independent audit and review against Security Architecture Capability Maturity Model
  Metric type: Soft

Productive
  Definition: The system and its services should operate so as to sustain and enhance productivity of the users, with regard to the business processes in which they are engaged.
  Measurement: User output targets related to specific business activities
  Metric type: Hard

Recoverable
  Definition: The system should be able to be recovered to full operational status after a breakdown or disaster, in accordance with the SLA.
  Measurement: As specified in the SLA.
  Metric type: Hard

Business Strategy Attributes

Brand Enhancing
  Definition: The system should help to establish, build, and support the brand of the products or services based upon this system.
  Measurement: Market surveys
  Metric type: Soft

Business Enabled
  Definition: Enabling the business and fulfilling business objectives should be the primary driver for the system design.
  Measurement: Business management focus group
  Metric type: Soft

Competent
  Definition: The system should protect the reputation of the organization as being competent in its industry sector.
  Measurement: Independent audit, or focus groups, or satisfaction surveys
  Metric type: Soft

Page 19: Security review using SABSA

Confident
  Definition: The system should behave in such a way as to safeguard confidence placed in the organization by customers, suppliers, shareholders, regulators, financiers, the marketplace, and the general public.
  Measurement: Independent audit, or focus groups, or satisfaction surveys
  Metric type: Soft

Credible
  Definition: The system should behave in such a way as to safeguard the credibility of the organization.
  Measurement: Independent audit, or focus groups, or satisfaction surveys
  Metric type: Soft

Culture-Sensitive
  Definition: The system should be designed, built, and operated with due care and attention to cultural issues relating to those who will experience the system in any way. These issues include such matters as religion, gender, race, nationality, language, dress code, social customs, ethics, politics, and the environment. The objective should be to avoid or minimize offence or distress caused to others.
  Measurement: Independent audit and review of (1) the inventory of requirements in this area to check for completeness and appropriateness, and (2) compliance of system functionality with this set of requirements
  Metric type: Soft

Enabling Time-to-Market
  Definition: The system architecture and time-to-design should allow new market business initiatives to be delivered to the market with minimum delay.
  Measurement: Business management focus group
  Metric type: Soft

Governable
  Definition: The system should enable the owners and executive managers of the organization to control the business and to discharge their responsibilities for governance.
  Measurement: Senior management focus group. Independent audit and review against Security Architecture Capability Maturity Model for governance
  Metric type: Soft

Page 20: Security review using SABSA

Provide Good Stewardship and Custody
Definition: Protecting other parties with whom we do business from abuse, loss of business, or personal information of value to those parties through inadequate stewardship on our part.
Measurement approach: Independent audit, or focus groups, or satisfaction surveys
Metric: Soft

Providing Investment Re-use
Definition: As much as possible, the system should be designed to reuse previous investments and to ensure that new investments are reusable in the future.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, physical, and component)
Metric: Soft

Providing Return On Investment
Definition: The system should provide a return of value to the business to justify the investment made in creating and operating the system.
Measurement approach: Financial returns and RoI indices selected in consultation with the Chief Financial Officer; qualitative value propositions tested by opinion surveys at senior management and boardroom level
Metric: Hard; Soft

Reputable
Definition: The system should behave in such a way as to safeguard the business reputation of the organization.
Measurement approach: Independent audit, or focus groups, or satisfaction surveys; correlation of the stock value of the organization versus publicity of system event history
Metric: Soft; Hard

Page 21: Security review using SABSA

Attribute Profile. Columns: Business Attribute, Business Driver, Business Attribute Definition, Measurement Approach, Metric (Performance Target).

Business Attributes taxonomy: User Attributes, Management Attributes, Risk Management Attributes, Legal/Regulatory Attributes, Technical Strategy Attributes, Operational Attributes, Business Strategy Attributes.

User Attributes

Accessible (business driver 5)
Definition: Information to which the user is entitled to gain access should be easily found and accessed by that user.
Measurement approach: Search tree depth necessary to find the information
Metric: Soft

Accurate (business driver 7)
Definition: The information provided to users should be accurate within a range that has been preagreed upon as being applicable to the service being
Measurement approach: Acceptance testing on key data to demonstrate compliance with design rules
Metric: Hard

Anonymous (business driver 4)
Definition: For certain specialized types of service, the anonymity of the user should be protected.
Measurement approach: Rigorous proof of system functionality; red team review
Metric: Hard; Soft

Consistent (business drivers 23, 41)
Definition: The way in which log-in, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access.
Measurement approach: Conformance with design style guides; red team review
Metric: Soft

Page 22: Security review using SABSA

Current (business driver 7)
Definition: Information provided to users should be current and kept up to date, within a range that has been preagreed upon as being applicable for the service
Measurement approach: Refresh rates at the data source and replication of refreshed data to the destination.
Metric: Hard

Duty Segregated (business driver 12)
Definition: For certain sensitive tasks, the duties should be segregated so that no user has access to both aspects of the task.
Measurement approach: Functional testing
Metric: Hard

Educated and Aware (business drivers 31, 4)
Definition: The user community should be educated, aware, and trained so that they can embrace the security culture. There should be sufficient user awareness of security issues so that behavior of users is compliant with security policies.
Measurement approach: Competence surveys
Metric: Soft

Informed (business driver 6)
Definition: The user should be kept fully informed about services, operating procedures, operational schedules, planned outages, and so on.
Measurement approach: Focus groups or satisfaction surveys
Metric: Soft

Motivated (business driver 25)
Definition: The interaction with the system should add positive motivation to the user to complete the business tasks at hand.
Measurement approach: Focus groups or satisfaction surveys
Metric: Soft

Protected (business driver 21)
Definition: The user's information and access privileges should be protected against abuse by other users or by intruders.
Measurement approach: Penetration test. (Could be regarded as "hard," but only if a penetration is achieved. Failure to penetrate does not mean that penetration is impossible.)
Metric: Soft

Reliable (business driver 16)
Definition: The services provided to the user should be delivered at a reliable level of quality.
Measurement approach: A definition of "quality" is needed against which to compare.
Metric: Soft

Responsive (business driver 5)
Definition: The users obtain a response within a satisfactory period of time that meets their expectations.
Measurement approach: Response time
Metric: Hard

Supported (business driver 6)
Definition: When a user has problems or difficulties in using the system or its services, there should be a means by which the user can receive advice and support so that the problems can be resolved to the satisfaction of the user.
Measurement approach: Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model.
Metric: Soft

Timely (business driver 41)
Definition: Information is delivered or made accessible to the user at the appropriate time or within the appropriate time period.
Measurement approach: Refresh rates at the data source and replication of refreshed data to the destination.
Metric: Hard

Transparent (business driver 4)
Definition: Providing full visibility to the user of the logical process but hiding the physical structure of the system (as a URL hides the actual physical locations of Web servers).
Measurement approach: Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model
Metric: Soft

Page 23: Security review using SABSA

Usable (business driver 12)
Definition: The system should provide easy-to-use interfaces that can be navigated intuitively by a user of average intelligence and training level (for the given system). The user's experience of these interactions should be
Measurement approach: Numbers of "clicks" or keystrokes required. Conformance with industry standards, e.g., color palettes. Feedback from focus groups.
Metric: Soft

Management Attributes

Automated (business drivers 33, 32)
Definition: Wherever possible (and depending upon cost/benefit factors) the management and operation of the system should be automated.
Measurement approach: Independent design review
Metric: Soft

Change-Managed (business driver 39)
Definition: Changes to the system should be properly managed so that the impact of every change is evaluated and the changes are approved in advance of being
Measurement approach: Documented change management system, with change management history, evaluated by independent audit
Metric: Soft

Controlled (business driver 30)
Definition: The system should at all times remain in the control of its managers. This means that the management will observe the operation and behaviour of the system, will make decisions about how to control it based on these observations, and will implement actions to exert that control.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model
Metric: Soft

Cost Effective (business driver 27)
Definition: The design, acquisition, implementation, and operation of the system should be achieved at a cost that the business finds acceptable when judged
Measurement approach: Individual budgets for the phases of development and for on-going operation, maintenance and support
Metric: Hard

Efficient (business driver 29)
Definition: The system should deliver the target services with optimum efficiency, avoiding wastage of resources.
Measurement approach: A target efficiency ratio based on (Input value)/(Output value)
Metric: Hard

Maintainable (business driver 6)
Definition: The system should be capable of being maintained in a state of good repair and effective, efficient operation. The actions required to achieve this should be feasible within the normal operational
Measurement approach: Documented execution of a preventive maintenance schedule for both hardware and software, correlated against targets for continuity of service, such as mean time between failures (MTBF)
Metric: Soft

Measured (business driver 6)
Definition: The performance of the system should be measured against a variety of desirable performance targets so as to provide feedback information to support
Measurement approach: Documented tracking and reporting of a portfolio of conventional system performance parameters, together with other attributes from this list
Metric: Hard

Supportable (business driver 8)
Definition: The system should be capable of being supported in terms of both the users and the operations staff, so that all types of problems and operational
Measurement approach: Fault-tracking system providing measurements of MTBF, MTTR (mean time to repair), and maximum time to repair, with targets for each parameter
Metric: Hard

Risk Management Attributes

Page 24: Security review using SABSA

Access Controlled (business driver 12)
Definition: Access to information and functions within the system should be controlled in accordance with the authorized privileges of the party requesting the access. Unauthorized access should be prevented.
Measurement approach: Reporting of all unauthorised access attempts, including number of incidents per period, severity, and result (did the access attempt succeed?)
Metric: Hard

Accountable (business drivers 14, 15)
Definition: All parties having authorized access to the system should be held accountable for their actions.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to hold accountable all authorized parties
Metric: Soft

Assurable (business drivers 14, 15)
Definition: There should be a means to provide assurance that the system is operating as expected and that all of the various controls are correctly implemented and operated.
Measurement approach: Documented standards exist against which to audit; independent audit and review against Security Architecture Capability Maturity Model
Metric: Hard; Soft

Assuring Honesty (business driver 18)
Definition: Protecting employees against false accusations of dishonesty or malpractice.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent false accusations that are difficult to repudiate
Metric: Soft

Auditable (business driver 14)
Definition: The actions of all parties having authorized access to the system, and the complete chain of events and outcomes resulting from these actions, should be recorded so that this history can be reviewed. The audit records should provide an appropriate level of detail, in accordance with business needs. The actual configuration of the system should also be capable of being audited so as to compare it with a target configuration that represents the
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model; documented target configuration exists under change control with a capability to check current configuration against this target; independent audit and review against Security Architecture Capability Maturity Model
Metric: Soft; Hard; Soft

Authenticated (business driver 19)
Definition: Every party claiming a unique identity (i.e., a claimant) should be subject to a procedure that verifies that the party is indeed the authentic owner of the claimed identity.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to authenticate successfully every claim of identity
Metric: Soft

Authorised (business driver 21)
Definition: The system should allow only those actions that have been explicitly authorized.
Measurement approach: Reporting of all unauthorized actions, including number of incidents per period, severity, and result (did the action succeed?); independent audit and review against Security Architecture Capability Maturity Model with
Metric: Hard; Soft

Page 25: Security review using SABSA

Capturing New Risk (business driver 39)
Definition: New risks emerge over time. The system management and operational environment should provide a means to identify and assess new risks (new threats, new impacts, or new vulnerabilities).
Measurement approach: Percentage of vendor published patches and upgrades actually installed; independent audit and review against Security Architecture Capability Maturity Model of a documented risk assessment process and a risk
Metric: Hard; Soft

Confidential (business driver 17)
Definition: The confidentiality of (corporate) information should be protected in accordance with security policy. Unauthorized disclosure should be prevented.
Measurement approach: Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
Metric: Hard

Crime Free (business drivers 36, 39)
Definition: Cyber-crime of all types should be prevented.
Measurement approach: Reporting of all incidents of crime, including number of incidents per period, severity, and type of crime
Metric: Hard; Soft

Flexibly Secure (business drivers 23, 33)
Definition: Security can be provided at various levels, according to business need. The system should provide the means to secure information according to these needs, and may need to offer different levels of security for different types of information (according to security classification).
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model
Metric: Soft

Identified (business driver 20)
Definition: Each entity that will be granted access to system resources and each object that is itself a system resource should be uniquely identified (named) such that there can never be confusion as to which
Measurement approach: Proof of uniqueness of naming schemes
Metric: Hard

Independently Secure (business driver 28)
Definition: The security of the system should not rely upon the security of any other system that is not within the direct span of control of this system.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical security architecture at conceptual, logical, and physical layers
Metric: Soft

In our Sole Possession (business driver 41)
Definition: Information that has value to the business should be in the possession of the business, stored and protected by the system against loss (as in no longer being available) or theft (as in being disclosed to an unauthorised party). This will include information that is regarded as "intellectual property."
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model

Page 26: Security review using SABSA

Integrity Assured (business driver 19)
Definition: The integrity of information should be protected to provide assurance that it has not suffered unauthorized modification, duplication, or deletion.
Measurement approach: Reporting of all incidents of compromise, including number of incidents per period, severity, and type of compromise; independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to detect integrity compromise
Metric: Hard; Soft

Non-Repudiable (business driver 19)
Definition: When one party uses the system to send a message to another party, it should not be possible for the first party to falsely deny having sent the message, or to falsely deny its contents.
Measurement approach: Reporting of all incidents of unresolved repudiations, including number of incidents per period, severity, and type of repudiation; independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent repudiations that cannot be
Metric: Hard; Soft

Owned (business driver 23)
Definition: There should be an entity designated as "owner" of every system. This owner is the policy maker for all aspects of risk management with respect to the system, and exerts the ultimate authority for controlling the system.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of the ownership arrangements and of the management processes by which owners should fulfil their responsibilities, and of their diligence in so doing
Metric: Soft

Private (business drivers 12, 16)
Definition: The privacy of (personal) information should be protected in accordance with relevant privacy or "data protection" legislation, so as to meet the reasonable expectation of citizens for privacy. Unauthorized disclosure should be prevented.
Measurement approach: Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure
Metric: Hard

Trustworthy (business drivers 12, 16)
Definition: The system should be able to be trusted to behave in the ways specified in its functional specification and should protect against a wide range of potential abuses.
Measurement approach: Focus groups or satisfaction surveys researching the question "Do you trust the service?"
Metric: Hard

Legal/Regulatory Attributes

Admissible (business drivers 5, 7, 14)
Definition: The system should provide forensic records (audit trails and so on) that will be deemed to be "admissible" in a court of law, should that evidence ever need to be presented in support of a criminal prosecution or a civil litigation.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model by computer forensics expert
Metric: Soft

Page 27: Security review using SABSA

Compliant (business drivers 41, 24)
Definition: The system should comply with all applicable regulations, laws, contracts, policies, and mandatory standards, both internal and external.
Measurement approach: Independent compliance audit with respect to the inventories of regulations, laws, policies, etc.
Metric: Soft

Enforceable (business drivers 25, 26, 14)
Definition: The system should be designed, implemented and operated such that all applicable contracts, policies, regulations, and laws can be enforced by the system.
Measurement approach: Independent review of (1) inventory of contracts, policies, regulations and laws for completeness, and (2) enforceability of contracts, policies, laws, and regulations on the inventory
Metric: Soft

Insurable (business drivers 15, 27, 9, 11, 13)
Definition: The system should be risk-managed to enable an insurer to offer reasonable commercial terms for insurance against a standard range of insurable risks.
Measurement approach: Verify against insurance quotations
Metric: Hard

Legal (business drivers 16, 18, 14, 11, 13)
Definition: The system should be designed, implemented, and operated in accordance with the requirements of any applicable legislation. Examples include data protection laws, laws controlling the use of cryptographic technology, laws controlling insider dealing on the stock market, and laws governing information that is considered racist, seditious, or pornographic.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable laws to check for completeness and suitability
Metric: Soft

Liability Managed (business drivers 36, 19, 11, 13)
Definition: The system services should be designed, implemented and operated so as to manage the liability of the organization with regard to errors, fraud, malfunction, and so on. In particular, the responsibilities and liabilities of each party should
Measurement approach: Independent legal expert review of all applicable contracts, SLAs, etc.
Metric: Soft

Regulated (business drivers 19, 2, 14)
Definition: The system should be designed, implemented, and operated in accordance with the requirements of any applicable regulations. These may be general (such as safety regulations) or industry-specific (such as banking regulations).
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable regulations to check for completeness and suitability
Metric: Soft

Resolvable (business drivers 19, 2)
Definition: The system should be designed, implemented and operated in such a way that disputes can be resolved with reasonable ease and without undue
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model by legal expert
Metric: Soft

Page 28: Security review using SABSA

Time-Bound (business drivers 35, 41)
Definition: Meeting requirements for maximum or minimum periods of time, for example, a minimum period for records retention or a maximum period within which something must be completed.
Measurement approach: Independent functional design review against specified functional requirements
Metric: Hard

Technology Strategy Attributes

Architecturally Open (business drivers 29, 32)
Definition: The system architecture should, wherever possible, not be locked into specific vendor interface standards and should allow flexibility in the choice
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Metric: Soft

COTS/GOTS (business driver 32)
Definition: Wherever possible, the system should utilize commercial off-the-shelf or government off-the-shelf components, as appropriate.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Metric: Soft

Extendible (business driver 33)
Definition: The system should be capable of being extended to incorporate new functional modules as required by the business.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Metric: Soft

Flexible/Adaptable (business driver 33)
Definition: The system should be flexible and adaptable to meet new business requirements as they emerge.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Metric: Soft

Future Proof (business driver 37)
Definition: The system architecture should be designed as much as possible to accommodate future changes in both business requirements and technical solutions.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Metric: Soft

Legacy Sensitive (business drivers 37, 38)
Definition: A new system should be able to work with any legacy systems or databases with which it needs to interoperate or integrate.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Metric: Soft

Migratable (business driver 38)
Definition: There should be a feasible, manageable migration path, acceptable to the business users, that moves from an old system to a new one, or from one
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Metric: Soft

Multi-Sourced (business driver 40)
Definition: Critical system components should be obtainable from more than one source, to protect against the risk of the single source of supply and support being withdrawn.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture at the component level
Metric: Soft

Scalable (business driver 40)
Definition: The system should be scalable to the size of user community, data storage requirements, processing throughput, and so on that might emerge over the
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Metric: Soft

Page 29: Security review using SABSA

Simple (business driver 31)
Definition: The system should be as simple as possible, since complexity only adds further risk.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Metric: Soft

Standards Compliant (business driver 24)
Definition: The system should be designed, implemented and operated to comply with appropriate technical and operational standards.
Measurement approach: Independent audit and review of (1) the inventory of standards to check for completeness and appropriateness, and (2) compliance with standards on the inventory
Metric: Soft

Traceable (business drivers 19, 20, 22)
Definition: The development and implementation of system components should be documented so as to provide complete two-way traceability. That is, every implemented component should be justifiable by tracing back to the business requirements that led to its inclusion in the system, and it should be possible to review every business requirement and demonstrate which of the implemented system components are there to meet this requirement.
Measurement approach: Independent expert review of documented traceability matrices and trees
Metric: Soft

Upgradeable (business driver 38)
Definition: The system should be capable of being upgraded with ease to incorporate new releases of hardware and software.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
Metric: Soft

Operational Attributes

Available (business driver 6)
Definition: The information and services provided by the system should be available according to the requirements specified in the service-level
Measurement approach: As specified in the SLA
Metric: Hard

Continuous (business driver 6)
Definition: The system should offer "continuous service." The exact definition of this phrase will always be subject to a
Measurement approach: Percentage up-time correlated versus scheduled and/or unscheduled downtime, or MTBF, or MTTR
Metric: Hard

Detectable (business driver 10)
Definition: Important events must be detected and reported.
Measurement approach: Functional testing
Metric: Hard

Error-Free (business driver 18)
Definition: The system should operate without producing errors.
Measurement approach: Percentage or absolute error rates (per transaction, per batch, per time period, etc.)
Metric: Hard

Inter-Operable (business driver 38)
Definition: The system should interoperate with other similar systems, both immediately and in the future, as intersystem communication becomes increasingly a
Measurement approach: Specific interoperability requirements
Metric: Hard

Page 30: Security review using SABSA

Monitored (business drivers 22, 24)
Definition: The operational performance of the system should be continuously monitored to ensure that other attribute specifications are being met. Any
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model
Metric: Soft

Productive (business driver 5)
Definition: The system and its services should operate so as to sustain and enhance productivity of the users, with regard to the business processes in which they are
Measurement approach: User output targets related to specific business activities
Metric: Hard

Recoverable (business driver 18)
Definition: The system should be able to be recovered to full operational status after a breakdown or disaster, in
Measurement approach: As specified in the SLA.
Metric: Hard

Business Strategy Attributes

Brand Enhancing (business driver 1)
Definition: The system should help to establish, build, and support the brand of the products or services based upon this system.
Measurement approach: Market surveys
Metric: Soft

Business Enabled (business driver 2)
Definition: Enabling the business and fulfilling business objectives should be the primary driver for the system design.
Measurement approach: Business management focus group
Metric: Soft

Competent (business drivers 1, 4)
Definition: The system should protect the reputation of the organization as being competent in its industry sector.
Measurement approach: Independent audit, or focus groups, or satisfaction surveys
Metric: Soft

Confident (business driver 4)
Definition: The system should behave in such a way as to safeguard confidence placed in the organization by customers, suppliers, shareholders, regulators, financiers, the marketplace, and the general public.
Measurement approach: Independent audit, or focus groups, or satisfaction surveys
Metric: Soft

Credible (business driver 5)
Definition: The system should behave in such a way as to safeguard the credibility of the organization.
Measurement approach: Independent audit, or focus groups, or satisfaction surveys
Metric: Soft

Culture-Sensitive (business driver 16)
Definition: The system should be designed, built, and operated with due care and attention to cultural issues relating to those who will experience the system in any way. These issues include such matters as religion, gender, race, nationality, language, dress code, social customs, ethics, politics, and the environment. The objective should be to avoid or minimize offence or distress caused to others.
Measurement approach: Independent audit and review of (1) the inventory of requirements in this area to check for completeness and appropriateness, and (2) compliance of system functionality with this set of requirements
Metric: Soft

Enabling-Time-to-Market (business driver 41)
Definition: The system architecture and time-to-design should allow new market business initiatives to be delivered to the market with minimum delay.
Measurement approach: Business management focus group
Metric: Soft

Page 31: Security review using SABSA

Governable (business drivers 8, 16)
Definition: The system should enable the owners and executive managers of the organization to control the business and to discharge their responsibilities for governance.
Measurement approach: Senior management focus group. Independent audit and review against Security Architecture Capability Maturity Model for governance
Metric: Soft

Provide Good Stewardship and Custody (business drivers 3, 12, 21)
Definition: Protecting other parties with whom we do business from abuse, loss of business, or personal information of value to those parties through inadequate stewardship on our part.
Measurement approach: Independent audit, or focus groups, or satisfaction surveys
Metric: Soft

Providing Investment Re-use (business driver 38)
Definition: As much as possible, the system should be designed to reuse previous investments and to ensure that new investments are reusable in the future.
Measurement approach: Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, physical, and component)
Metric: Soft

Providing Return On Investment (business driver 2)
Definition: The system should provide a return of value to the business to justify the investment made in creating and operating the system.
Measurement approach: Financial returns and RoI indices selected in consultation with the Chief Financial Officer; qualitative value propositions tested by opinion surveys at senior management and boardroom level
Metric: Hard; Soft

Reputable (business driver 8)
Definition: The system should behave in such a way as to safeguard the business reputation of the organization.
Measurement approach: Independent audit, or focus groups, or satisfaction surveys; correlation of the stock value of the organization versus publicity of system event history
Metric: Soft; Hard

Page 32: Security review using SABSA

Attribute - Risks and Controls. Columns: Business Attribute, Business Driver, Confidential, Integrity, Availability, Risk (Impact Based), Security Controls.

User Attributes

Accessible (business driver 5)
Accurate (business driver 7)
Anonymous (business driver 4)
Consistent (business drivers 23, 41)
Current (business driver 7)
Duty Segregated (business driver 12)

Risk (Impact Based) for Duty Segregated: Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the

Security Controls column (cell text as extracted):
Conformance with design style guides
Refresh rates at the data source and replication of refreshed data to the destination.
Information to which the user is entitled to gain access should be easily found and accessed by that user.
Acceptance testing on key data to demonstrate compliance with design rules
Rigorous proof of system functionality

Page 33: Security review using SABSA

Educated and Aware (business drivers 31, 4)
Informed (business driver 6)
Motivated (business driver 25)
Protected (business driver 21)
Reliable (business driver 16)
Responsive (business driver 5)
Supported (business driver 6)
Timely (business driver 41)
Transparent (business driver 4)
Usable (business driver 12)

Management Attributes

Automated (business drivers 33, 32)
Change-Managed (business driver 39)
Controlled (business driver 30)
Cost Effective (business driver 27)
Efficient (business driver 29)

Security Controls column (cell text as extracted):
Penetration test. (Could be regarded as "hard," but only if a penetration is achieved. Failure
A definition of "quality" is needed against which to compare.
Focus groups or satisfaction surveys
Focus groups or satisfaction surveys
Competence surveys
Numbers of "clicks" or keystrokes required. Conformance with industry standards, e.g., color palettes. Feedback from focus
Independent design review
Refresh rates at the data source and replication of refreshed data to the
Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity
Response time
Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model.
Individual budgets for the phases of development and for on-going operation,
A target efficiency ratio based on (Input value)/(Output value)
Documented change management system, with change management history,
Independent audit and review against Security Architecture Capability Maturity Model

Page 34: Security review using SABSA

Maintainable (business driver 6)
Measured (business driver 6)
Supportable (business driver 8)

Risk Management Attributes

Access Controlled (business driver 12)
Accountable (business drivers 14, 15)
Assurable (business drivers 14, 15)
Assuring Honesty (business driver 18)
Auditable (business driver 14)
Authenticated (business driver 19)
Authorised (business driver 21)
Capturing New Risk (business driver 39)

Security Controls column (cell text as extracted):
Documented execution of a preventive maintenance schedule for both hardware and software, correlated against
Documented tracking and reporting of a portfolio of conventional system
Reporting of all unauthorized actions, including number of incidents per period, severity, and result (did the action succeed?)
Independent audit and review against Security Architecture Capability Maturity Model
Documented target configuration exists under change control with a capability to check current configuration against this target
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to hold accountable all authorized parties
Documented standards exist against which to audit
Independent audit and review against Security Architecture
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent
Fault-tracking system providing measurements of MTBF, MTTR (mean time to repair), and
Reporting of all unauthorised access attempts, including number of incidents per period, severity, and result (did the access attempt succeed?)
Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to
Percentage of vendor published patches and upgrades actually installed
Independent audit and review against Security Architecture

Page 35: Security review using SABSA

Confidential 17
Crime Free 36, 39
Flexibly Secure 23.33
Identified 20
Independently Secure 28
In our Sole Possession 41
Integrity Assured 19
Non-Repudiable 19
Owned 23
Private 12.16
Trustworthy 12.16

Proof of uniqueness of naming schemes

Independent audit and review against Security Architecture Capability Maturity Model of technical security architecture at

Reporting of all incidents of crime, including number of

Independent audit and review against Security Architecture Capability Maturity Model

Reporting of all disclosure incidents, including number of incidents per period, severity,

Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure

Focus groups or satisfaction surveys researching the question “Do you trust the service?”

Independent audit and review against Security Architecture Capability Maturity Model of the ownership arrangements and of the management processes by

Independent audit and review against Security Architecture Capability Maturity Model

Reporting of all incidents of compromise, including number of incidents per period, severity, and type of compromise

Independent audit and review against Security Architecture

Legal/Regulatory Attributes

Reporting of all incidents of unresolved repudiations, including number of incidents per period, severity, and type of repudiation

Independent audit and review

Page 36: Security review using SABSA

Admissible 5,7,14
Compliant 41.24
Enforceable 25,26,14
Insurable 15,27,9, 11, 13
Legal 16,18,14,11, 13
Liability Managed 36,19,11, 13
Regulated 19,2,14
Resolvable 19.2
Time-Bound 35.41
Architecturally Open 29.32
COTS/GOTS 32
Extendible 33
Flexible / Adaptable 33

Independent compliance audit with respect to the inventories of

Independent audit and review against Security Architecture Capability Maturity Model by computer forensics expert

Independent review of: (1) inventory of contracts, policies, regulations and laws for completeness, and (2) enforceability of contracts, policies, laws, and regulations on the inventory

Verify against insurance quotations

Independent audit and review against Security Architecture Capability Maturity Model.

Verification of the inventory of

Independent audit and review against Security Architecture Capability Maturity Model by legal expert

Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable laws to check for completeness and suitability

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture

Independent functional design review against specified functional requirements

Independent audit and review against Security Architecture Capability Maturity Model† of

Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture

Independent legal expert review of all applicable contracts, SLAs, etc.

Technology Strategy Attributes

Independent audit and review against Security Architecture Capability Maturity Model of

Page 37: Security review using SABSA

Future Proof 37
Legacy Sensitive 37.38
Migratable 38
Multi-Sourced 40
Scalable 40
Simple 31
Standards Compliant 24
Traceable 19, 20, 22
Upgradeable 38
Available 6
Continuous 6
Detectable 10
Error-Free 18
Inter-Operable 38
Monitored 22.24

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture at the

Independent audit and review against Security Architecture Capability Maturity Model of

Independent audit and review against Security Architecture Capability Maturity Model† of

Independent audit and review against Security Architecture Capability Maturity Model of

Independent audit and review against Security Architecture Capability Maturity Model

Functional testing

Percentage or absolute error rates (per transaction, per batch, per time period, etc.)

Independent expert review of documented traceability matrices and trees

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture

Independent audit and review against Security Architecture Capability Maturity Model of

Independent audit and review of: (1) the inventory of standards to check for completeness and appropriateness, and

Operational Attributes

As specified in the SLA

Percentage up-time correlated versus scheduled and/or unscheduled downtime, or

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)

Specific interoperability requirements

Page 38: Security review using SABSA

Productive 5
Recoverable 18
Brand Enhancing 1
Business Enabled 2
Competent 1.4
Confident 4
Credible 5
Culture-Sensitive 16
Enabling-Time-to-Market 41
Governable 8, 16
Provide Good Stewardship and Custody 3,12,21
Providing Investment Re-use 38
Providing Return On Investment 2
Reputable 8

Independent audit, or focus groups, or satisfaction surveys

Market surveys

Business management focus group

Independent audit, or focus groups, or satisfaction surveys

User output targets related to specific business activities

As specified in the SLA.

Business Strategy Attributes

Independent audit, or focus groups, or satisfaction surveys

Correlation of the stock value of

Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (con-

Financial returns and RoI indices selected in consultation with the Chief Financial Officer

Qualitative value propositions tested by opinion surveys at

Senior management focus group. Independent audit and review against Security Architecture Capability Maturity

Independent audit, or focus groups, or satisfaction surveys

Independent audit and review of (1) the inventory of requirements in this area to check for completeness and appropriateness, and (2) compliance of system functionality with this set of

Business management focus group

Independent audit, or focus groups, or satisfaction surveys

Page 39: Security review using SABSA

Deter Prevent Contain Detect Track Recover Voice Data Video System Information

Attribute - Risks and Controls

Management Activity Controls

User Attributes

Architecture Controls

Page 40: Security review using SABSA

Management Attributes

Page 41: Security review using SABSA

Risk Management Attributes

Page 42: Security review using SABSA

Legal/Regulatory Attributes

Page 43: Security review using SABSA

Technology Strategy Attributes

Page 44: Security review using SABSA

Operational Attributes

Page 45: Security review using SABSA

Business Strategy Attributes

Page 54: Security review using SABSA

Attribute - Opportunities and Enablement

Business Attribute | Business Driver | Confidential | Integrity | Availability | Opportunities | Enablement

User Attributes

Accessible 5
Accurate 7

Search tree depth necessary to find the information

Acceptance testing on key data to demonstrate compliance with design rules

Page 55: Security review using SABSA

Anonymous 4
Consistent 23, 41
Current 7
Duty Segregated 12
Educated and Aware 31.4
Informed 6
Motivated 25
Protected 21
Reliable 16
Responsive 5
Supported 6

Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model.

Penetration test of access privileges. (The result could be regarded as “hard,” but only if a penetration is achieved. Failure to penetrate does not mean that penetration is impossible.)

A definition of “quality” is needed against which to compare.

Response time

Competence surveys

Focus groups or satisfaction surveys

Focus groups or satisfaction surveys

Conformance with design style guides

Red team review

Refresh rates at the data source and replication of refreshed data to the destination.

Functional testing

Rigorous proof of system functionality

Red team review

Page 56: Security review using SABSA

Timely 41
Transparent 4
Usable 12
Automated 33.32
Change-Managed 39
Controlled 30
Cost Effective 27
Efficient 29
Maintainable 6

Documented execution of a preventive maintenance schedule for both hardware and software, correlated against targets for continuity of service, such as mean time between failures (MTBF)

Individual budgets for the phases of development and for on-going operation, maintenance and support

A target efficiency ratio based on (Input value)/(Output value)

Documented change management system, with change management history, evaluated by independent audit

Independent audit and review against Security Architecture Capability Maturity Model

Numbers of “clicks” or keystrokes required. Conformance with industry standards, e.g., color palettes. Feedback from focus groups.

Management Attributes

Independent design review

Refresh rates at the data source and replication of refreshed data to the destination.

Focus groups or satisfaction surveys. Independent audit and review against Security Architecture Capability Maturity Model

Page 57: Security review using SABSA

Measured 6
Supportable 8
Access Controlled 12
Accountable 14.15
Assurable 14.15
Assuring Honesty 18
Auditable 14
Authenticated 19

Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to authenticate successfully every claim of identity

Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent false accusations that are difficult to repudiate

Independent audit and review against Security Architecture Capability Maturity Model

Documented target configuration exists under change control with a capability to check current configuration against this target

Independent audit and review against Security Architecture Capability Maturity Model

Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to hold accountable all authorized parties

Documented standards exist against which to audit

Independent audit and review against Security Architecture Capability Maturity Model

Fault-tracking system providing measurements of MTBF, MTTR (mean time to repair), and maximum time to repair, with targets for each parameter

Risk Management Attributes

Reporting of all unauthorised access attempts, including number of incidents per period, severity, and result (did the access attempt succeed?)

Documented tracking and reporting of a portfolio of conventional system performance parameters, together with other attributes from this list
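The Controlled metric on this page asks for a documented target configuration held under change control, with a capability to check the current configuration against that target. The following added example (not part of the SABSA review or of any product) shows such a check: a recursive diff that reports settings changed from the baseline, settings the baseline requires but the host lacks, and settings present on the host that the baseline does not document. The configuration keys and values are constructed for illustration.

```python
"""Check a host's current configuration against the documented target
configuration (the baseline approved under change control).

Added example for the "Controlled" metric; the configuration keys and values
below are constructed for illustration, not taken from any real system."""
from dataclasses import dataclass
from typing import Any

# Constructed target (baseline) configuration, as approved under change control.
TARGET_CONFIG: dict = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Protocol": "2"},
    "firewall": {"default_inbound": "deny", "allowed_ports": [22, 443]},
    "logging": {"remote_syslog": "logs.example.internal", "retention_days": 90},
}

# Constructed configuration as collected from the running host.
CURRENT_CONFIG: dict = {
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no",
             "Protocol": "2", "X11Forwarding": "yes"},
    "firewall": {"default_inbound": "deny", "allowed_ports": [22, 443, 8080]},
    "logging": {"remote_syslog": "logs.example.internal"},
}


@dataclass(frozen=True)
class Drift:
    path: str          # dotted path of the setting, e.g. "sshd.PermitRootLogin"
    kind: str          # "changed", "missing" (required, absent on host), "unexpected" (on host, undocumented)
    expected: Any = None
    actual: Any = None


def compare(target: dict, current: dict, prefix: str = "") -> list:
    """Recursively diff the target configuration against the current one."""
    drifts = []
    for key, expected in target.items():
        path = f"{prefix}{key}"
        if key not in current:
            drifts.append(Drift(path, "missing", expected, None))
        elif isinstance(expected, dict) and isinstance(current[key], dict):
            drifts.extend(compare(expected, current[key], path + "."))
        elif isinstance(expected, list) and isinstance(current[key], list):
            # Lists are compared as sets: order does not matter, membership does.
            if sorted(map(str, expected)) != sorted(map(str, current[key])):
                drifts.append(Drift(path, "changed", expected, current[key]))
        elif expected != current[key]:
            drifts.append(Drift(path, "changed", expected, current[key]))
    for key in current:
        if key not in target:
            # A setting present on the host but absent from the baseline is drift too:
            # it may have been added outside change control.
            drifts.append(Drift(f"{prefix}{key}", "unexpected", None, current[key]))
    return drifts


def drift_report(target: dict, current: dict) -> dict:
    """Summarise drift; a host is compliant only when there is none."""
    drifts = compare(target, current)
    counts = {"changed": 0, "missing": 0, "unexpected": 0}
    for d in drifts:
        counts[d.kind] += 1
    return {"compliant": not drifts, "counts": counts, "drifts": drifts}


if __name__ == "__main__":
    report = drift_report(TARGET_CONFIG, CURRENT_CONFIG)
    print("compliant:", report["compliant"], report["counts"])
    for d in report["drifts"]:
        print(f"  {d.kind:<10} {d.path}: expected={d.expected!r} actual={d.actual!r}")
```

Treating list-valued settings as sets is a deliberate choice: for a port list the order is irrelevant, but for an ordered rule set (firewall rules evaluated first-match) it is not, and such keys would need an order-sensitive comparison.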

Page 58: Security review using SABSA

Authorised 21
Capturing New Risk 39
Confidential 17
Crime Free 36, 39
Flexibly Secure 23.33
Identified 20
Independently Secure 28
In our Sole Possession 41

Independent audit and review against Security Architecture Capability Maturity Model

Proof of uniqueness of naming schemes

Independent audit and review against Security Architecture Capability Maturity Model of technical security architecture at conceptual, logical, and physical layers

Reporting of all incidents of crime, including number of incidents per period, severity, and type of crime

Independent audit and review against Security Architecture Capability Maturity Model

Percentage of vendor published patches and upgrades actually installed

Independent audit and review against Security Architecture Capability Maturity Model of a documented risk assessment process and a risk assessment history

Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure

Reporting of all unauthorized actions, including number of incidents per period, severity, and result (did the action succeed?)

Independent audit and review against Security Architecture Capability Maturity Model† with respect to the ability to detect unauthorized actions
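Several metrics on this page and the previous one call for reporting of all unauthorised access attempts or unauthorised actions, with the number of incidents per period, their severity, and whether the attempt succeeded. The following added example (not from the review or any product) builds that report from log lines. The log format and the sample lines are constructed, so the regular expression must be adapted to the real source.

```python
"""Build the "unauthorised access attempts per period" report from log lines.

Added example for the reporting metrics (unauthorised access attempts and
unauthorised actions); the log format and lines below are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: ISO timestamp, event type, then key=value fields.
# Only "unauthorised_access" events feed the metric; other lines are ignored.
SAMPLE_LOG = """\
2024-03-01T08:12:03Z unauthorised_access sev=low outcome=blocked user=jdoe resource=/payroll
2024-03-01T09:40:11Z unauthorised_access sev=medium outcome=blocked user=ext-tmp resource=/admin
2024-03-02T02:15:59Z unauthorised_access sev=critical outcome=succeeded user=svc-build resource=/admin
2024-03-17T13:02:44Z unauthorised_access sev=low outcome=blocked user=jdoe resource=/hr
2024-04-03T10:00:00Z unauthorised_access sev=high outcome=blocked user=anon resource=/finance
2024-04-20T23:59:01Z unauthorised_access sev=high outcome=succeeded user=anon resource=/finance
2024-04-21T00:01:00Z user_login sev=info outcome=ok user=jdoe resource=/home
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) unauthorised_access "
    r"sev=(?P<sev>\w+) outcome=(?P<outcome>\w+)(?P<rest>.*)$"
)


def parse_events(log_text: str) -> list:
    """Extract the unauthorised-access events; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "severity": m["sev"],
            # "result (did the access attempt succeed?)": an attempt that was not
            # blocked is the one that needs follow-up as an incident.
            "succeeded": m["outcome"] == "succeeded",
            "detail": m["rest"].strip(),
        })
    return events


def period_key(t: datetime, period: str) -> str:
    """Bucket label for the reporting period: calendar month or ISO week."""
    if period == "month":
        return t.strftime("%Y-%m")
    if period == "week":
        year, week, _ = t.isocalendar()
        return f"{year}-W{week:02d}"
    raise ValueError(f"unsupported period: {period}")


def incident_report(log_text: str, period: str = "month") -> dict:
    """Per period: number of incidents, breakdown by severity, and how many
    attempts actually succeeded (with their details, for escalation)."""
    report = {}
    for ev in parse_events(log_text):
        key = period_key(ev["time"], period)
        bucket = report.setdefault(
            key, {"count": 0, "by_severity": Counter(), "succeeded": 0, "succeeded_events": []}
        )
        bucket["count"] += 1
        bucket["by_severity"][ev["severity"]] += 1
        if ev["succeeded"]:
            bucket["succeeded"] += 1
            bucket["succeeded_events"].append(ev["detail"])
    return dict(sorted(report.items()))


if __name__ == "__main__":
    for key, bucket in incident_report(SAMPLE_LOG).items():
        print(key, bucket["count"], dict(bucket["by_severity"]), "succeeded:", bucket["succeeded"])
```

The report keeps the succeeded attempts separately because the metric's "result" column is what distinguishes a blocked attempt (evidence the control works) from an unauthorised access that actually happened (an incident to investigate).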

Page 59: Security review using SABSA

Integrity Assured 19
Non-Repudiable 19
Owned 23
Private 12.16
Trustworthy 12.16
Admissible 5,7,14
Compliant 41.24

Legal/Regulatory Attributes

Independent audit and review against Security Architecture Capability Maturity Model by computer forensics expert

Independent compliance audit with respect to the inventories of regulations, laws, policies, etc.

Reporting of all disclosure incidents, including number of incidents per period, severity, and type of disclosure

Focus groups or satisfaction surveys researching the question “Do you trust the service?”

Reporting of all incidents of unresolved repudiations, including number of incidents per period, severity, and type of repudiation

Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to prevent repudiations that cannot be easily resolved

Independent audit and review against Security Architecture Capability Maturity Model of the ownership arrangements and of the management processes by which owners should fulfil their responsibilities, and of their diligence in so doing

Reporting of all incidents of compromise, including number of incidents per period, severity, and type of compromise

Independent audit and review against Security Architecture Capability Maturity Model with respect to the ability to detect integrity compromise incidents

Page 60: Security review using SABSA

Enforceable 25,26,14
Insurable 15,27,9, 11, 13
Legal 16,18,14,11, 13
Liability Managed 36,19,11, 13
Regulated 19,2,14
Resolvable 19.2
Time-Bound 35.41
Architecturally Open 29.32

Independent functional design review against specified functional requirements

Technology Strategy Attributes

Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)

Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable regulations to check for completeness and suitability

Independent audit and review against Security Architecture Capability Maturity Model by legal expert

Independent audit and review against Security Architecture Capability Maturity Model. Verification of the inventory of applicable laws to check for completeness and suitability

Independent legal expert review of all applicable contracts, SLAs, etc.

Independent review of: (1) inventory of contracts, policies, regulations and laws for completeness, and (2) enforceability of contracts, policies, laws, and regulations on the inventory

Verify against insurance quotations

Page 61: Security review using SABSA

COTS/GOTS 32
Extendible 33
Flexible / Adaptable 33
Future Proof 37
Legacy Sensitive 37.38
Migratable 38
Multi-Sourced 40
Scalable 40
Simple 31
Standards Compliant 24

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)

Independent audit and review of: (1) the inventory of standards to check for completeness and appropriateness, and (2) compliance with standards on the inventory

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture at the component level

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)

Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)

Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, and physical)

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical & physical)

Page 62: Security review using SABSA

Traceable 19, 20, 22
Upgradeable 38
Available 6
Continuous 6
Detectable 10
Error-Free 18
Inter-Operable 38
Monitored 22.24
Productive 5
Recoverable 18

Business Strategy Attributes

User output targets related to specific business activities

As specified in the SLA.

Specific interoperability requirements

Independent audit and review against Security Architecture Capability Maturity Model

Functional testing

Percentage or absolute error rates (per transaction, per batch, per time period, etc.)

Operational Attributes

As specified in the SLA

Percentage up-time correlated versus scheduled and/or unscheduled downtime, or MTBF, or MTTR

Independent expert review of documented traceability matrices and trees

Independent audit and review against Security Architecture Capability Maturity Model of technical architecture (conceptual, logical, and physical)
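The Supportable metric on page 57 (a fault-tracking system providing MTBF, MTTR and maximum time to repair, with targets for each parameter) and the Available metric on this page (percentage up-time correlated versus scheduled and/or unscheduled downtime, or MTBF, or MTTR) can all be produced from one outage record. The following added example, which is not part of the SABSA review, computes them and checks each against a target. The outage records, observation window and target values are constructed for illustration.

```python
"""Compute MTBF, MTTR, maximum time to repair and percentage up-time from a
fault-tracking log, and check each value against a target.

Added example for the Supportable and Available metrics; outage records,
window and targets are constructed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    scheduled: bool   # planned maintenance (True) or unscheduled failure (False)

    @property
    def hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600.0


# Constructed fault-tracking records for one month (no overlapping outages;
# overlapping records would need merging before the sums below are valid).
OUTAGES = [
    Outage(datetime(2024, 1, 5, 10), datetime(2024, 1, 5, 12), scheduled=False),   # 2 h failure
    Outage(datetime(2024, 1, 14, 8), datetime(2024, 1, 14, 14), scheduled=False),  # 6 h failure
    Outage(datetime(2024, 1, 20, 0), datetime(2024, 1, 20, 4), scheduled=True),    # 4 h maintenance
    Outage(datetime(2024, 1, 25, 1), datetime(2024, 1, 25, 2), scheduled=False),   # 1 h failure
]
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2024, 2, 1)   # 31 days = 744 h

# Constructed targets: a "_min" value must be met or exceeded, a "_max" value must not be exceeded.
TARGETS = {
    "mtbf_hours_min": 200.0,
    "mttr_hours_max": 4.0,
    "max_ttr_hours_max": 4.0,
    "availability_min": 0.98,
}


def reliability_metrics(outages, window_start: datetime, window_end: datetime) -> dict:
    """MTBF/MTTR/max TTR and availability over the observation window."""
    for o in outages:
        if o.start < window_start or o.end > window_end or o.end <= o.start:
            raise ValueError(f"outage outside window or malformed: {o}")
    total_h = (window_end - window_start).total_seconds() / 3600.0
    failures = [o for o in outages if not o.scheduled]
    sched_h = sum(o.hours for o in outages if o.scheduled)
    unsched_h = sum(o.hours for o in failures)
    operating_h = total_h - sched_h - unsched_h
    n = len(failures)
    return {
        "failures": n,
        # MTBF: operating time divided by the number of unscheduled failures.
        "mtbf_hours": operating_h / n if n else float("inf"),
        # MTTR: mean repair time of the unscheduled failures only.
        "mttr_hours": unsched_h / n if n else 0.0,
        "max_ttr_hours": max((o.hours for o in failures), default=0.0),
        "scheduled_downtime_hours": sched_h,
        "unscheduled_downtime_hours": unsched_h,
        # Up-time against the whole window, and against the window net of planned maintenance.
        "availability": operating_h / total_h,
        "availability_excl_scheduled": operating_h / (total_h - sched_h),
    }


def check_targets(metrics: dict, targets: dict) -> dict:
    """True for each target that is met, keyed by the target name."""
    results = {}
    for name, limit in targets.items():
        metric, bound = name.rsplit("_", 1)
        value = metrics[metric]
        results[name] = value >= limit if bound == "min" else value <= limit
    return results


if __name__ == "__main__":
    m = reliability_metrics(OUTAGES, WINDOW_START, WINDOW_END)
    for k, v in m.items():
        print(f"{k:<28} {v:.3f}" if isinstance(v, float) else f"{k:<28} {v}")
    print(check_targets(m, TARGETS))
```

With the constructed data the maximum time to repair (6 h) misses its 4 h target while MTBF, MTTR and availability meet theirs, which is the kind of per-parameter result the metric asks for.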

Page 63: Security review using SABSA

Brand Enhancing 1
Business Enabled 2
Competent 1.4
Confident 4
Credible 5
Culture-Sensitive 16
Enabling-Time-to-Market 41
Governable 8, 16
Provide Good Stewardship and Custody 3,12,21
Providing Investment Re-use 38

Independent audit, or focus groups, or satisfaction surveys

Independent audit and review against Security Architecture Capability Maturity Model† of technical architecture (conceptual, logical, physical, and component)

Business management focus group

Senior management focus group. Independent audit and review against Security Architecture Capability Maturity Model for governance

Independent audit, or focus groups, or satisfaction surveys

Independent audit and review of (1) the inventory of requirements in this area to check for completeness and appropriateness, and (2) compliance of system functionality with this set of requirements

Independent audit, or focus groups, or satisfaction surveys

Independent audit, or focus groups, or satisfaction surveys

Market surveys

Business management focus group

Page 64: Security review using SABSA

Providing Return On Investment 2
Reputable 8

Financial returns and RoI indices selected in consultation with the Chief Financial Officer

Qualitative value propositions tested by opinion surveys at senior management and boardroom level

Independent audit, or focus groups, or satisfaction surveys

Correlation of the stock value of the organization versus publicity of system event history

Page 65: Security review using SABSA

Attribute - Opportunities and Enablement

Posture | Recover | Maturity | Entrench | Compliance

Architecture Enablers (Aligned to Inf. Sec. Strategy) | Management Activity Enablers

User Attributes

Page 67: Security review using SABSA

Management Attributes

Page 68: Security review using SABSA

Risk Management Attributes

Page 70: Security review using SABSA

Legal/Regulatory Attributes

Page 71: Security review using SABSA

Technology Strategy Attributes

Page 73: Security review using SABSA

Business Strategy Attributes

Operational Attributes

Page 76: Security review using SABSA

Security Threat

Destruction of Information and/or other Resources
Corruption or Modification of Information
Theft, Removal or Loss of Information and/or other Resources
Disclosure of Information
Interruption of Services

Security Dimension

Data Confidentiality
Data Integrity
Non-Repudiation
Privacy
Access Control
Authentication
Availability
Communication Flow Security

Y Y Y Y
Y Y
Y Y
Y Y
Y Y
Y Y
Y Y Y Y Y
Y

Mapping Security Dimensions to Security Threats. The intersection of each Security Layer with each Security Plane represents a security perspective where Security Dimensions are applied to counteract the threats.
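The sentence above describes each intersection of a Security Layer with a Security Plane as a perspective where Security Dimensions are applied against the threats. The following added example (not from the review) checks, for each such cell, which of the five threats is left without a counteracting dimension. The threat and dimension names are the page's own; the layer names and the dimension-to-threat coverage are constructed placeholders, to be replaced with the values of the review's own mapping table.

```python
"""Security-perspective gap check: for each (layer, plane) cell, list the
threats that none of the dimensions applied there counteracts.

Added example; layer names and the COUNTERS mapping are constructed
placeholders, not the review's values."""

THREATS = ["Destruction", "Corruption", "Theft/Removal/Loss", "Disclosure", "Interruption"]
DIMENSIONS = [
    "Access Control", "Authentication", "Non-Repudiation", "Data Confidentiality",
    "Communication Flow Security", "Data Integrity", "Availability", "Privacy",
]
PLANES = ["Management Plane", "Control Plane", "End-User Plane"]
LAYERS = ["Infrastructure", "Services", "Applications"]   # assumed layer names

# Constructed coverage: the threats each dimension counteracts (a "Y" in the
# mapping table). Replace with the review's own table before use.
COUNTERS = {
    "Access Control": {"Destruction", "Corruption", "Theft/Removal/Loss", "Disclosure"},
    "Authentication": {"Theft/Removal/Loss", "Disclosure"},
    "Non-Repudiation": set(THREATS),
    "Data Confidentiality": {"Theft/Removal/Loss", "Disclosure"},
    "Communication Flow Security": {"Theft/Removal/Loss", "Disclosure"},
    "Data Integrity": {"Destruction", "Corruption"},
    "Availability": {"Destruction", "Interruption"},
    "Privacy": {"Theft/Removal/Loss", "Disclosure"},
}


def uncovered_threats(applied_dimensions) -> list:
    """Threats (in table order) not counteracted by any applied dimension."""
    unknown = set(applied_dimensions) - set(DIMENSIONS)
    if unknown:
        raise ValueError(f"unknown security dimension(s): {sorted(unknown)}")
    covered = set().union(*(COUNTERS[d] for d in applied_dimensions))
    return [t for t in THREATS if t not in covered]


def perspective_gaps(applied: dict) -> dict:
    """applied maps (layer, plane) -> set of dimensions the review found in
    place there; cells the review did not cover are treated as having none."""
    return {
        (layer, plane): uncovered_threats(applied.get((layer, plane), set()))
        for layer in LAYERS
        for plane in PLANES
    }


if __name__ == "__main__":
    # Constructed review finding: only one cell assessed so far.
    found = {("Applications", "End-User Plane"): {"Access Control", "Authentication", "Availability"}}
    for cell, gaps in perspective_gaps(found).items():
        print(cell, "uncovered:", gaps or "none")
```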

Page 78: Security review using SABSA

Contextual Architecture - Security Review

Business Requirement: Business-level assets, goals & objectives

Business Attributes: The business attributes can be defined as follows:
-What are the business goals for the requirement?
-What are the business objectives for the requirement?
-What are the business targets for the requirement?
-What business assets will be affected by this requirement?

Business Drivers for Security: The business requirement abstracted into one or more statements of security-relevance to the business requirement:
-What are the security pre-requisites for the requirement?
-What can security do to protect / enhance / support the business in the context of the requirement?

The contextual architecture captures and presents the full set of relevant requirements for the scope of the assignment

Page 80: Security review using SABSA

Conceptual Architecture - Security Review

The conceptual layer sets out the strategy for treating risk and meeting the control and enablement objectives

Business Attributes: The business attributes can be defined as follows:
-What are the business goals for the requirement?
-What are the business objectives for the requirement?
-What are the business targets for the requirement?
-What business assets will be affected by this requirement?

Business Risks - Attributes: The business risks for attributes are as follows:
-What are the identified risks?
-What are the architectural controls?
-What are the security controls?
-What management activity controls are in place?

Business Opportunities - Attributes: The business opportunities for attributes are as follows:
-What are the identified opportunities?
-What are the architectural enablers?
-What are the security enablers?
-What management activity enablers are in place?

Business Requirement: Business-level assets, goals & objectives

Business Drivers for Security: The business requirement abstracted into one or more statements of security-relevance to the business requirement:
-What are the security pre-requisites for the requirement?
-What can security do to protect / enhance / support the business in the context of the requirement?

Page 82: Security review using SABSA

Logical Architecture - Security Review

Security Dimensions: Access Control, Authentication, Availability, Communication Flow Security, Data Confidentiality, Data Integrity, Non-Repudiation, Privacy

Business Driver | Business Attribute

Application Security

Application User: The user that will be using the application
Application Provider: The provider of the software
Application Middleware: Middleware or Enterprise Services Bus

Page 83: Security review using SABSA

Service Provider: Is the software provided by an ISV

Code Integrity: Code Integrity refers to protecting assets used to build and run application object code to ensure that what is delivered to service management for deployment has not been tampered with or incorporated any unknown source code.

Image Integrity: Image Integrity covers the entire runtime stack, from operating system to middleware components and application platforms that are needed to run the application or service.

Release Provisioning: Secure provisioning ensures that handing over code to release management for installation and configuration of dependent software infrastructure is done in accordance with security policy and, in certain cases, per contract with the customer.

Image Provisioning: Image Provisioning manages access to the image contents. Image provisioning manages access to the image for deployment, defining who can access and deploy instances of the image in a production environment.
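Code Integrity and Image Integrity, as described above, come down to being able to show that what reaches release management is exactly what the build produced, with nothing altered and nothing unknown added. The following added example (not part of the SABSA review or of any product) shows one way to do that: the build emits a manifest of SHA-256 digests authenticated with an HMAC, and release management verifies the manifest first and then every delivered artifact against it, rejecting tampered, missing and unknown files. The artifact contents, paths and key are constructed; a real pipeline keeps the signing key in the build system, not in code.

```python
"""Release-integrity check: a build-time manifest of SHA-256 digests,
authenticated with an HMAC, is verified by release management before
deployment so that tampered, missing or unknown artifacts are rejected.

Added example for Code Integrity / Image Integrity; artifacts and key are
constructed for illustration."""
import hashlib
import hmac
import json

# Constructed build output: path -> bytes, standing in for files on disk.
BUILD_OUTPUT = {
    "app/main.py": b"print('hello')\n",
    "app/config.yaml": b"log_level: info\n",
    "lib/vendor.so": b"\x7fELF" + bytes(range(16)),
}
# Constructed delivery: one artifact altered in transit and one extra file added.
DELIVERED = {
    "app/main.py": b"print('hello world')\n",
    "app/config.yaml": b"log_level: info\n",
    "lib/vendor.so": b"\x7fELF" + bytes(range(16)),
    "app/debug_hook.py": b"# not in the manifest\n",
}
# Constructed key; in practice held by the build system and never hard-coded.
MANIFEST_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Build step: digest of every artifact, keyed by path."""
    return {path: sha256_hex(data) for path, data in sorted(artifacts.items())}


def canonical(manifest: dict) -> bytes:
    # Canonical encoding so the HMAC does not depend on key order or whitespace.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_delivery(manifest: dict, signature: str, key: bytes, delivered: dict) -> dict:
    """Release-management step: trust the manifest only if its HMAC verifies,
    then compare every delivered artifact against it."""
    if not verify_manifest(manifest, signature, key):
        return {"ok": False, "reason": "manifest signature invalid",
                "tampered": [], "missing": [], "unknown": []}
    tampered = [p for p in manifest
                if p in delivered and not hmac.compare_digest(sha256_hex(delivered[p]), manifest[p])]
    missing = [p for p in manifest if p not in delivered]
    # Unknown files are a finding too: the manifest is the complete list of what may ship.
    unknown = sorted(p for p in delivered if p not in manifest)
    ok = not (tampered or missing or unknown)
    return {"ok": ok, "reason": "" if ok else "artifacts differ from manifest",
            "tampered": tampered, "missing": missing, "unknown": unknown}


if __name__ == "__main__":
    manifest = build_manifest(BUILD_OUTPUT)
    signature = sign_manifest(manifest, MANIFEST_KEY)
    print(verify_delivery(manifest, signature, MANIFEST_KEY, DELIVERED))
```

Verifying the manifest before the artifacts matters: without the HMAC, whoever can alter an artifact can also rewrite its digest in the manifest, and the check would pass.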

Page 84: Security review using SABSA

Static Code Analysis: Static Code Analysis refers to the tools and processes that are usually instituted by a software development team or a build team to examine all the artifacts and components that are used to build an application. The analysis looks for security vulnerabilities and poor coding practices that can create security, performance, or other problems.

Runtime Analysis: Runtime Analysis, or software profiling, refers to the ability to observe a running software system and analyze its behavior to detect vulnerabilities in the code.

Software Escrow: In a Software Escrow, a third party keeps a copy of the source code, and possibly other materials, which it will release to the customer only if specific circumstances arise, mainly if the vendor who developed the code goes out of business or for some reason is not meeting the obligations and responsibilities

Business Driver | Business Attribute

Data Security

Data Discovery: Data Discovery is the process of identifying all the data repositories in the organization and analyzing the schema and data values and data patterns to identify relationships between the database elements.

Page 85: Security review using SABSA

Data Classification: Data Classification manages both lower-level, logical data classification and business level classifications.

Data Assurance: Data Assurance processes provide a governance checkpoint for aggregation, redaction, and obfuscation requirements to ensure confidentiality and privacy.

Data Redaction: Data Redaction refers to methods for eliminating sensitive or confidential data from a data set based on policy rules before it is given to a receiver.

Data Retention: Data Retention capabilities cover both backup and archive tools and processes.

Data Disposal: Data Disposal refers to the tools and processes to delete data from a system that is no longer needed and required by law or policy to be retained.

Business Driver | Business Attribute

Infrastructure Security

Perimeter Defence: The perimeter defense sits at the edge of the internal network and protects it against unauthorized access

Network Infrastructure Protection: The network infrastructure segregates the network into manageable and isolated areas and prevents unauthorized access between subnets. It also provides various services, like monitoring, that track suspicious events happening on the internal network.

Host Defences: The host defenses protect individual systems and the applications they run.
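Data Redaction, as described above, removes sensitive data from a data set according to policy rules before it reaches a receiver. The following added example (not from the review or any product) implements such policy-driven redaction for a single record: each receiver has a rule per field (keep, drop, mask, hash, generalise to year) and a default for fields the policy does not name, which is to drop them so that a newly added field does not leak by omission. The field names, policies and sample record are constructed.

```python
"""Policy-driven redaction of a record before release to a receiver.

Added example for Data Redaction; field names, policies and the sample
record are constructed for illustration."""
import hashlib

# Constructed policies: per receiver, an action for each named field and an
# optional "*" default. Without "*", unnamed fields are dropped (fail closed).
POLICY = {
    "analytics": {"*": "keep", "ssn": "drop", "email": "hash",
                  "dob": "year_only", "card_number": "mask_last4"},
    "support": {"*": "keep", "ssn": "mask_last4", "card_number": "mask_last4"},
    "partner": {"name": "keep"},   # everything else is dropped
}
# Constructed salt; in practice a secret kept out of the code so hashed values
# cannot be matched by recomputing the hash of a guessed input.
HASH_SALT = b"constructed-salt-rotate-in-production"

# Constructed sample record with classic placeholder values.
RECORD = {
    "name": "Ada Lovelace",
    "email": "ada@example.org",
    "ssn": "123-45-6789",
    "dob": "1815-12-10",
    "card_number": "4111111111111111",
    "notes": "prefers email",
}


def _mask_last4(value) -> str:
    s = str(value)
    return "*" * max(len(s) - 4, 0) + s[-4:]


def _hash(value) -> str:
    # Keyed, truncated hash: stable for joins across data sets, not reversible.
    return hashlib.sha256(HASH_SALT + str(value).encode()).hexdigest()[:16]


def _year_only(value) -> str:
    return str(value)[:4]


ACTIONS = {
    "keep": lambda v: v,
    "mask_last4": _mask_last4,
    "hash": _hash,
    "year_only": _year_only,
}


def redact(record: dict, receiver: str, policy: dict = POLICY) -> dict:
    """Apply the receiver's rules to every field; unknown receivers and unknown
    actions raise rather than silently passing data through."""
    rules = policy.get(receiver)
    if rules is None:
        raise KeyError(f"no redaction policy for receiver {receiver!r}")
    out = {}
    for field, value in record.items():
        action = rules.get(field, rules.get("*", "drop"))
        if action == "drop":
            continue
        if action not in ACTIONS:
            raise ValueError(f"unknown redaction action {action!r} for field {field!r}")
        out[field] = ACTIONS[action](value)
    return out


if __name__ == "__main__":
    for receiver in POLICY:
        print(receiver, redact(RECORD, receiver))
```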

Page 86: Security review using SABSA

Data Security Mechanisms: Data security protects data in transit and data stored on disk to provide the requisite confidentiality, integrity and availability.

Business Driver | Business Attribute

Security Services

Software Replication and Back-
Trusted Time
User Interface for Security
Security Policy Management
Security Service Management
Stored Data Confidentiality
Stored Data Integrity Protection
Software Integrity Protection
Software Licensing Protection
System Configuration
Data Replication and Back-Up
Message Contents
Non-Repudiation
Traffic Flow Confidentiality
Authorisation
Logical Access Control
Audit Trails
Entity Authentication
Session Authentication
Message Origin Authentication
Message Integrity Protection
Message Replay Protection
Entity Unique Naming
Entity Registration
Entity Public Key Certification
Entity Credentials Certification
Directory Service

Page 87: Security review using SABSA

Intrusion Detection

Incident Response

Environmental Security

User Support

Disaster recovery

Crisis Management

System Audit

Physical Security

Personnel Security

Security Operations

Security Provisioning

Security Administration

Security Monitoring

Security Measurements and

Security Alarm Management

Security Training and

Page 91: Security review using SABSA

Physical Architecture - Security Review

Security Dimensions: Access Control, Authentication, Availability, Communication Flow Security, Data Confidentiality, Data Integrity, Non-Repudiation, Privacy

Security Planes: Management Plane, Control Plane, End-User Plane

Business Driver | Business Attribute

Application Security

Application User: The user that will be using the application

Application Provider: The provider of the software

Application Middleware: Middleware or Enterprise Services Bus

Software Escrow: In a Software Escrow, a third party keeps a copy of the source code, and possibly other materials, which it will release to the customer only if specific circumstances arise, mainly if the vendor who developed the code goes out of business or for some reason is not meeting the obligations and responsibilities

Service Provider: Is the software provided by an ISV

Page 92: Security review using SABSA

Code Integrity: Code Integrity refers to protecting assets used to build and run application object code to ensure that what is delivered to service management for deployment has not been tampered with or incorporated any unknown

Image Integrity: Image Integrity covers the entire runtime stack, from operating system to middleware components and application platforms that are needed to run the application or service.

Release Provisioning: Secure provisioning ensures that handing over code to release management for installation and configuration of dependent software infrastructure is done in accordance with security policy and, in certain cases, per

Image Provisioning: Image Provisioning manages access to the image contents. Image provisioning manages access to the image for deployment, defining who can access and deploy instances of the image in a production environment.

Static Code Analysis: Static Code Analysis refers to the tools and processes that are usually instituted by a software development team or a build team to examine all the artifacts and components that are used to build an application. The analysis looks for security vulnerabilities and poor coding practices that can create security,

Runtime Analysis: Runtime Analysis, or software profiling, refers to the ability to observe a running software system and analyze its behavior to detect vulnerabilities in the code.

Business Driver | Business Attribute

Data Security

Page 93: Security review using SABSA

Data Discovery: Data Discovery is the process of identifying all the data repositories in the organization and analyzing the schema and data values and data patterns to identify relationships between the database elements.

Data Classification: Data Classification manages both lower-level, logical data classification and business level

Data Assurance: Data Assurance processes provide a governance checkpoint for aggregation, redaction, and obfuscation requirements to ensure confidentiality and privacy.

Data Redaction: Data Redaction refers to methods for eliminating sensitive or confidential data from a data set based on policy rules before it is given to a receiver.

Data Retention: Data Retention capabilities cover both backup and archive tools and processes.

Data Disposal: Data Disposal refers to the tools and processes to delete data from a system that is no longer needed and required by law or policy to be

Business Driver / Business Attribute
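The Data Classification, Data Assurance and Data Redaction dimensions above describe policy-driven removal of sensitive values before a data set reaches a receiver. The following is an added example of what such a redaction step looks like in code; it is not part of the SABSA review document. The classification register, the receiver classes, the policy table, the tokenisation key and the sample records are all constructed for the illustration. Unknown fields, unknown classifications and unknown receivers fall through to "drop", so the step fails closed rather than leaking a field nobody classified.

```python
"""Policy-driven redaction of records before release to a receiver.

Added example; classification, policy, key and records are constructed.
"""
import hashlib
import hmac
import re
from typing import Dict, List

# Field -> classification (constructed; a real review takes this from the
# organisation's data classification register).
CLASSIFICATION = {
    "customer_id": "INTERNAL",
    "name": "PII",
    "email": "PII",
    "ssn": "RESTRICTED",
    "diagnosis": "SENSITIVE",
    "city": "PUBLIC",
    "notes": "FREE_TEXT",
}

# Receiver class -> classification -> action.  Anything not listed here
# (including unknown receivers and unclassified fields) is dropped.
POLICY = {
    "external_partner": {"PUBLIC": "keep", "PII": "tokenise", "FREE_TEXT": "scrub"},
    "support_desk": {"PUBLIC": "keep", "INTERNAL": "keep", "PII": "mask",
                     "RESTRICTED": "mask", "FREE_TEXT": "scrub"},
}

# Keyed tokenisation keeps joins across records possible without exposing
# the value.  Constructed key; store and rotate the real one in a key manager.
TOKEN_KEY = b"constructed-demo-tokenisation-key"

# Patterns scrubbed out of free-text fields (data-pattern discovery in miniature).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def tokenise(value: str) -> str:
    """Deterministic pseudonym: HMAC-SHA256 of the value, truncated."""
    digest = hmac.new(TOKEN_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask(value: str) -> str:
    """Partial masking: first letter of an e-mail local part, or last 4 chars."""
    if "@" in value:
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]


def scrub(text: str) -> str:
    """Remove recognisable identifiers embedded in free text."""
    text = SSN_RE.sub("[ssn removed]", text)
    return EMAIL_RE.sub("[email removed]", text)


ACTIONS = {"keep": lambda v: v, "tokenise": tokenise, "mask": mask, "scrub": scrub}


def redact_record(record: Dict[str, object], receiver: str) -> Dict[str, str]:
    rules = POLICY.get(receiver, {})          # unknown receiver -> no rules -> drop all
    redacted = {}
    for field, value in record.items():
        classification = CLASSIFICATION.get(field, "UNCLASSIFIED")
        action = rules.get(classification, "drop")
        if action == "drop":
            continue
        redacted[field] = ACTIONS[action](str(value))
    return redacted


def redact_dataset(records: List[Dict[str, object]], receiver: str) -> List[Dict[str, str]]:
    return [redact_record(r, receiver) for r in records]


# Constructed sample data set.
SAMPLE_RECORDS = [{
    "customer_id": "C-1001",
    "name": "Alice Example",
    "email": "alice@example.org",
    "ssn": "123-45-6789",
    "diagnosis": "example condition",
    "city": "Leeds",
    "notes": "Called from alice@example.org about 123-45-6789",
    "loyalty_tier": "gold",          # never classified -> dropped for everyone
}]

if __name__ == "__main__":
    for receiver in ("external_partner", "support_desk", "unknown_receiver"):
        print(receiver, redact_dataset(SAMPLE_RECORDS, receiver))
```

The governance checkpoint described under Data Assurance is the review of the POLICY table itself; the code only enforces it. Tokenisation is deliberately deterministic so that two records about the same person still join after redaction; if that linkability is itself a privacy concern, a per-release key or plain "drop" is the right rule.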

Infrastructure Security

Perimeter Defence: The perimeter defense sits at the edge of the internal network and protects it against unauthorized access

Network Infrastructure Protection: The network infrastructure segregates the network into manageable and isolated areas and prevents unauthorized access between subnets. It also provides various services, like monitoring, that track suspicious events happening on the internal network.

Host Defences: The host defenses protect individual systems and the applications they run.

Data Security Mechanisms: Data security protects data in transit and data stored on disk to provide the requisite confidentiality, integrity and availability.

Business Driver / Business Attribute

Security Services

Logical Service / Physical Mechanism

Entity Unique Naming
  Naming standards
  Naming procedure
  Directory system

Entity Registration
  Registration policy
  Registration authority system
  Registration procedure

Entity Public Key Certification
  Certification policy
  Certification authority system
  Certification procedure
  Certificate syntax standards
  Certificate publishing mechanism (directory)
  Certificate revocation list (CRL)
  CRL publishing and management (directory)

Entity Credentials Certification
  Certification policy
  Certification authority system
  Certification procedure
  Certificate syntax standards
  Certificate publishing mechanism (directory)
  Certificate revocation list (CRL)
  CRL publishing and management (directory)

Directory Service
  Directory system
  Directory access protocols
  Directory object and attribute syntax rules
  Directory replication

Entity Authentication
  Login procedure
  User passwords and tokens
  Client user agents for authentication
  Authentication exchange protocols
  Authentication server system
  Directory system

Session Authentication
  Mutual two-way and three-way authentication exchanges
  Session context (finite state machine)

Message Origin Authentication
  Message source identifiers, protected by:
    Message integrity checksums
    Digital signatures
    Hashing

Message Integrity Protection
  Message integrity checksums
  Digital signatures
  Hashing

Message Replay Protection
  Message nonce values protected by message integrity checksums

Message Contents Confidentiality
  Message contents encryption
  Encryption key management
  Routing control to physically secure networks

Non-Repudiation
  Digital signatures
  Notarisation servers
  Transaction logs
  Trusted third party certification / arbitration
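The Message Origin Authentication, Message Integrity Protection and Message Replay Protection services above all rest on one physical mechanism: a message integrity checksum that covers the source identifier and a nonce. The following is an added example showing those three services implemented together with a keyed checksum (HMAC-SHA256); it is not code from the SABSA document. The source name, the shared key, the freshness window and the sample messages are constructed. The receiver verifies the checksum before it trusts any other field, so an unauthenticated message can neither pass as a replay check nor fill the nonce cache.

```python
"""Origin authentication, integrity and replay protection with a keyed
checksum over (source id, nonce, timestamp, body).

Added example; keys, source names and messages are constructed.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Tuple

# Per-source shared keys (constructed).  Issuing and rotating them is the
# "Encryption key management" mechanism from the table, not shown here.
SHARED_KEYS = {"billing-svc": b"constructed-key-for-billing-svc"}


def _checksum(key: bytes, source: str, nonce: str, ts: int, body) -> str:
    # Canonical JSON so sender and receiver authenticate identical bytes.
    canonical = json.dumps(
        {"source": source, "nonce": nonce, "ts": ts, "body": body},
        sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_message(source: str, body, now: Optional[float] = None) -> dict:
    """Sender side: attach source identifier, fresh nonce, timestamp, checksum."""
    nonce = os.urandom(16).hex()
    ts = int(time.time() if now is None else now)
    return {"source": source, "nonce": nonce, "ts": ts, "body": body,
            "mac": _checksum(SHARED_KEYS[source], source, nonce, ts, body)}


class Receiver:
    """Receiver side: origin and integrity first, then freshness and replay."""

    def __init__(self, keys: Dict[str, bytes], window_seconds: int = 300):
        self.keys = keys
        self.window = window_seconds
        self.seen: Dict[str, int] = {}   # nonce -> ts, authenticated messages only

    def accept(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        key = self.keys.get(msg.get("source"))
        if key is None:
            return False, "unknown source"
        try:
            expected = _checksum(key, msg["source"], msg["nonce"], msg["ts"], msg["body"])
        except (KeyError, TypeError):
            return False, "malformed"
        # Constant-time comparison; nothing below runs for an unauthenticated message.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        if abs(now - msg["ts"]) > self.window:
            return False, "stale"
        self._expire(now)
        if msg["nonce"] in self.seen:
            return False, "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"

    def _expire(self, now: float) -> None:
        # Nonces older than the window are forgotten: a message that old fails
        # the staleness check anyway, so the cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}


if __name__ == "__main__":
    rx = Receiver(SHARED_KEYS)
    msg = build_message("billing-svc", {"invoice": "INV-1", "amount": 10})
    print(rx.accept(msg))                                   # (True, 'ok')
    print(rx.accept(msg))                                   # (False, 'replay')
    print(rx.accept(dict(msg, body={"amount": 9999})))      # (False, 'bad mac')
```

A shared-key checksum gives the receiver assurance of origin and integrity but not evidence it can show a third party, because the receiver holds the same key as the sender; that is why the table lists digital signatures, notarisation and transaction logs separately under Non-Repudiation. The timestamp window presumes the Trusted Time service listed later in the table.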

Traffic Flow Confidentiality
  Traffic padding

Authorisation Roles
  Fixed role associations with entities
  Real-time role association with entities
  Authorisation certificates

Logical Access Control
  Local access control agents
  Local role access control lists (ACLs)
  Central access manager (CAM)
  CAM role ACLs
  Central application access control agents
  Central application role ACLs
  Database management system mechanisms
  File system mechanisms

Audit Trails
  Event logs
  Event log integrity protection mechanisms
  Event log browsing tools
  Event log analysis tools
  Reporting tools

Stored Data Confidentiality
  Logical access control mechanisms
  Physical access control mechanisms
  Stored data encryption
  Media storage security
  Media disposal procedures

Stored Data Integrity Protection
  Message integrity checksums
  Digital signatures
  Hashing

Software Integrity Protection
  Development lifecycle controls
  Delivery and installation controls
  Production system configuration control
  Production system change control
  Production system management authorisation
  Crypto-checksums on object code images
  Regular inspection of object code images and checksums
  Anti-virus tools

Software Licensing Protection
  Software metering

System Configuration Protection
  Production system configuration control
  Production system change control
  Production system management authorisation
  Cryptographic checksums on configuration data files
  Regular inspection of configuration data files and checksums

Data Replication and Back-Up
  Regular back-up copying
  Back-up media management: labelling, indexing, transport, storage, retrieval, media recycling, media disposal

Software Replication and Back-Up
  Master software media management: labelling, indexing, transport, storage, retrieval

Trusted Time
  Secure time server with clock
  Secure time server protocols

User Interface for Security
  GUI login screens
  GUI security message screens
  Single sign-on mechanism
  Ergonomic design of authentication devices

Security Policy Management
  Data content monitoring and filtering
  Real-time system monitoring
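Software Integrity Protection and System Configuration Protection above share two mechanisms: cryptographic checksums over object code images or configuration files, and regular inspection of those files against the recorded checksums. The following is an added example of that pair, written for this review and not taken from the SABSA document. It builds a SHA-256 manifest of a release tree, seals the manifest with a keyed checksum so the stored checksums are themselves tamper-evident, and then reports modified, missing and unexpected files on a later inspection. The directory layout, file contents and sealing key are constructed; the demo runs in a temporary directory.

```python
"""Checksum manifest for object code and configuration files, with a
sealed manifest and a drift inspection.

Added example; paths, contents and the sealing key are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Seals the manifest so that someone who can rewrite a file on the host
# cannot quietly rewrite its recorded checksum too.  Constructed key; keep
# the real one with the inspection tooling, not on the inspected host.
SEAL_KEY = b"constructed-manifest-sealing-key"


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest: Dict[str, str]) -> bytes:
    body = json.dumps(manifest, sort_keys=True).encode("utf-8")
    tag = hmac.new(SEAL_KEY, body, hashlib.sha256).hexdigest()
    return json.dumps({"manifest": manifest, "mac": tag}, sort_keys=True).encode("utf-8")


def open_manifest(sealed: bytes) -> Dict[str, str]:
    """Return the manifest only if its seal verifies; raise ValueError otherwise."""
    doc = json.loads(sealed)
    body = json.dumps(doc["manifest"], sort_keys=True).encode("utf-8")
    expected = hmac.new(SEAL_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(doc.get("mac", ""))):
        raise ValueError("manifest integrity check failed")
    return doc["manifest"]


def manifest_is_intact(sealed: bytes) -> bool:
    try:
        open_manifest(sealed)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def inspect(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """The regular inspection: compare the live tree with the sealed record."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Release a constructed tree, simulate drift, inspect."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "app.so").write_bytes(b"\x7fELF constructed object image")
        (root / "bin" / "helper.so").write_bytes(b"\x7fELF constructed helper image")
        (root / "etc" / "app.conf").write_text("debug=false\nlisten=127.0.0.1\n")
        sealed = seal_manifest(build_manifest(root))        # recorded at release time
        # Drift on the production system after release.
        (root / "etc" / "app.conf").write_text("debug=true\nlisten=0.0.0.0\n")
        (root / "bin" / "extra.so").write_bytes(b"\x7fELF unexpected image")
        (root / "bin" / "helper.so").unlink()
        return inspect(root, open_manifest(sealed))


if __name__ == "__main__":
    print(demo())
```

Each of the three findings maps to a control in the table: a modified or missing entry is a change outside production change control, and an unexpected file is something delivery and installation controls never authorised. The inspection is only as good as the manifest's provenance, which is why the manifest is produced at release time under development lifecycle controls and sealed with a key the production host does not hold.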

Security Service Management
  Security service management sub-system
  Secure management protocols
  Management agents in managed components
  Access control at all agents and sub-systems
  Security alarms

Security Training and Awareness
  Training courses
  Training manuals and documentation
  Publicity campaigns

Security Operations Management
  Operator authentication mechanisms
  Operator activity logs
  Operations event logs

Security Provisioning
  Security service management sub-system
  Secure management protocols
  Management agents in managed components
  Access control at all agents and sub-systems

Security Administration
  Security service management sub-system
  Secure management protocols
  Management agents in managed components
  Access control at all agents and sub-systems
  Security alarms

Security Monitoring
  User activity logs
  Application event logs
  Operator activity logs
  Management event logs
  Event log browsing and analysis

Security Measurements and Metrics
  Cryptographic test mechanisms
  Inspection tools
  Penetration testing
  Statistical tests

Security Alarm Management
  Security alarms
  Security alarm monitoring

Intrusion Detection
  Intrusion ‘signature’ analysis on network traffic
  Real-time system monitoring
  Alarms

Incident Response
  Data collection and analysis
  Incident assessment procedures
  Response action management procedures

User Support
  Help desk
  Trouble ticketing system

Disaster recovery
  Data back-ups
  Software back-ups
  Data restoration procedures
  Off-site back-up storage
  Back-up media management: indexing, labelling, transport, storage, retrieval, recycling, disposal

Crisis Management
  Vested authority in a crisis manager and crisis management team
  Assessment procedures
  Escalation procedures

System Audit
  Independent inspection
  Regular scanning with system audit tools

Physical Security
  Secure premises with locks, guards, etc
  Locked rooms for servers, operations and communications
  Physical protection for cabling
  Authorisation procedures
  Identification badges and visitor procedures
  Supervision of contract engineers etc

Personnel Security
  Hiring, background checking and vetting procedures
  Training courses, booklets, publicity campaigns
  Disciplinary procedures

Environmental Security
  Site-selection procedures
  Fire prevention, detection and quenching
  Flood avoidance, detection and removal
  Air temperature and humidity controls
  Electrical power protection mechanisms