Industry View

Looking for Information Security Control in a Global Business Climate

Mike Jerbic details efforts by The Open Group Security Forum to help further develop secure information architecture standards

By Mike Jerbic, The Open Group Security Forum


The Objectives: Information-centric security has a primary objective: to control information as if it were property. Previously, The Open Group Security Forum and the American Bar Association collaborated on a paper titled "Framework for Control over Electronic Chattel Paper—Compliance with UCC § 9-105" that articulated the principles for establishing control of electronic transferable assets, or electronic property, in a manner compliant with the Uniform Commercial Code. UCC § 9-105 gives a party that has "control" of electronic chattel paper the same legal standing that possession gives a party holding tangible, paper chattel paper. That research produced a model of control, with its necessary components, which is now being extended to the general case of establishing and maintaining control (the equivalent of possession of a real-world asset) over the intangible information asset. Today's security objective is to maintain control over information both inside and outside the enterprise. Control is the electronic equivalent of possession, and possession is what makes it meaningful to treat information as property.

The Process: Given control as the objective, the stakeholders must establish and enforce a process resembling policy compliance to establish control of information both inside and between enterprises. Within the enterprise, corporate policy is the governing objective against which business process, information technology, risk management and regulatory compliance objectives are reconciled. Between enterprises, such as service providers and service consumers, the objectives are specified in service level agreements or other contracts and verified through auditable performance measures.

Delivering information securely will require increased emphasis on enterprise architecture and effective communication among the diverse stakeholder community. Today, security is considered a non-functional property of the IT system, similar to quality, manageability, and usability. As a result, it is harder to measure and discuss security unambiguously. However, it is through security and its impact upon enterprise architecture that control over information, both inside and outside the enterprise, is established.

Establishing non-functional properties such as quality and security tends to be a process that resembles a negotiation, one that resolves conflict between competing interests. In this light, the continuing dialogue, debate, conflict resolution, lessons learned and improvement are often more important than arrival at any final destination. C-level security practitioners must become adept at leading organizational stakeholders through this journey.

The Open Group Security Forum, as a leading consortium representing the value that sound enterprise security architecture contributes to the delivery of effective information security solutions, wants to facilitate and encourage development of the tools, methods and open standards needed to improve security architecture methodology and essential practices. These will enable the security architect to contribute most effectively to the governance team and to take information-centric security from an "as-is-now" to a "where-we-want-to-be" state. Other key areas of interest relevant to the industry include:
- Information Risk Analysis. Stakeholders throughout the enterprise are challenged with complying with information security regulations. Most of these regulations, such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), call for a "risk-based" security program. Standards for what constitutes a risk-based security program are, however, not well developed. The Open Group Security Forum is working on a project to develop an information risk assessment framework, with FAIR (Factor Analysis of Information Risk) as the initial proposal.
- Visibility. The diverse stakeholder community requires visibility into the enterprise's information risk and security posture. Enterprise architecture today is centered primarily on business management and technical interests, but this must change to include corporate legal, audit, risk and compliance interests. Architectural viewpoints, and ways of visualizing security properties that these groups can comprehend, are essential to the enterprise architecture of the future. The Open Group members are exploring ways to present information risk and security that are meaningful to non-technical professionals.
- Architecture for Control. This can and should be better developed. Control requires architected means to monitor for, detect and correct deviations from the control objective. Architectural viewpoints for control, suitable for a wide range of audiences, could be developed as part of The Open Group's industry-leading TOGAF architecture standard.
