SwA Forum March 12, 2010



Similar documents
The Open Group Perspective on Public Sector Cloud

Security Architecture Principles A Brief Introduction. Mark Battersby , Oslo

Enterprise Security Architecture for Cyber Security. M.M.Veeraragaloo 5 th September 2013

Approach to Information Security Architecture. Kaapro Kanto Chief Architect, Security and Privacy TeliaSonera

The problem of cloud data governance

Automating the IT Operations to Business Connection

Software Sustainability Challenges for Acquisition, Engineering, and Capability Delivery in the Face of the Growing Cyber Threat

IT Governance: The benefits of an Information Security Management System

VCE BUSINESS UPDATE AND OVERVIEW

Requirement Management with the Rational Unified Process RUP practices to support Business Analyst s activities and links with BABoK

Mapping Service-Orientation to TOGAF 9 - Part II: Architecture Adoption, Service Inventories and Hierarchies

Setting up an Effective Enterprise Architecture capability. Simon Townson Principal Enterprise Architect SAP

Information Security ISO Standards. Feb 11, Glen Bruce Director, Enterprise Risk Security & Privacy

PUB (MPI) 1-62 Reference: Gartner Scorecard

Federal Enterprise Architecture and Service-Oriented Architecture

Business Partner Program Guide

McAfee Security Architectures for the Public Sector

STATEMENT of. Open Group and The Open Group Trusted Technology Forum. Submitted for the record. Hearing on. March 27, 2012

Enterprise IT Architectures BPM (Business Process Management)

Information Security Management System for Microsoft s Cloud Infrastructure

Public Cloud Workshop Offerings

Cloud Security Standards. Aziza Al Rashdi Director, Cyber Security Professional Services Oman National CERT Information Technology Authority

How to bridge the gap between business, IT and networks

Improved SOA Portfolio Management with Enterprise Architecture and webmethods

SOA Enabled Workflow Modernization

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

Q3 IIBA Corporate Member Forum. Will start promptly on the hour

Trust and Dependability in Cloud Computing

Data Center Solutions

Cloud Computing and Security Risk Analysis Qing Liu Technology Architect STREAM Technology Lab

A Standards-Based Approach to Extracting Business Rules

A discussion of information integration solutions November Deploying a Center of Excellence for data integration.

Redefining Static Analysis A Standards Approach. Mike Oara CTO, Hatha Systems

SOA, Cloud Computing & Semantic Web Technology: Understanding How They Can Work Together. Thomas Erl, Arcitura Education Inc. & SOA Systems Inc.

Enabling Information PREVIEW VERSION

Security Coordination with IF-MAP

Information Technology Architect Certification Program: Frequently Asked Questions June 2009 Version 2.1

Topology and Orchestration Specification for Cloud Applications. An Open Standard for Cloud Application Portability

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

ARCHITECTURE SERVICES. G-CLOUD SERVICE DEFINITION.

Building a better more secure Cloud RICHARD MORRELL

HP Application Security Center

Requirements Management Practice Description

Business Operations. Module Db. Capita s Combined Offer for Business & Enforcement Operations delivers many overarching benefits for TfL:

Domain 1 The Process of Auditing Information Systems

Digital Asset Manager, Digital Curator. Cultural Informatics, Cultural/ Art ICT Manager

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist,

Professional Cloud Solutions and Service Practices

JBOSS ENTERPRISE SOA PLATFORM AND JBOSS ENTERPRISE DATA SERVICES PLATFORM VALUE PROPOSITION AND DIFFERENTIATION

Role of Enterprise Architecture in Mergers & Acquisitions. Satish Chandra, Mahindra Satyam

The OMG BPM Standards

INDEPENDENT TESTING & QA SERVICES

The Role of Cisco SONA in Enterprise Architecture Frameworks and Strategies

Project Management and ITIL Transitions

Proven approaches for Legacy Systems Modernization

Security Controls What Works. Southside Virginia Community College: Security Awareness

Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration

INTEGRATING SUBSTATION IT AND OT DEVICE ACCESS AND MANAGEMENT

Introduction to etom. White Paper Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Open Group Vulnerability Management Proposal Mike Jerbic, November 16, 2003

Automating Control Frameworks: A Tool for Managing Compliance and Risk in Government Services

Cloud Security Trust Cisco to Protect Your Data

ARC VIEW. Services Oriented Drives Support Critical Energy Management and Asset Management Applications through IT/OT Convergence. Keywords.

A Software Development Platform for SOA

Developing the Corporate Security Architecture. Alex Woda July 22, 2009

Guiding SOA Evolution through Governance From SOA 101 to Virtualization to Cloud Computing

Secunia Vulnerability Intelligence Manager

Modernizing enterprise application development with integrated change, build and release management.

Introduction to SOA governance and service lifecycle management.

Scanning Open Source Software and Managing License Obligations on IBM SmartCloud. Because code travels

Security as Architecture A fine grained multi-tiered containment strategy

What Business and Process Analysts Need to Know About BPM Suites

Capgemini and Pegasystems: Delivering Business Value through Partnership

Best Practices for Building Mobile Web

Open Group SOA Governance. San Diego 2009

Cloud Security Certification

Collaborating for Quality in Agile Application Development From Beginning to End

Integrated Solution Offerings for Insurance IBM Insurance Framework

Smart Data Center Solutions

IT Audit in the Cloud

The Art of Architecture Transformation. Copyright 2012, Oracle and/or its affiliates. All rights reserved.

BMC Client Management - SCAP Implementation Statement. Version 12.0

Continuous Network Monitoring

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

Hans Bos Microsoft Nederland.

Cyber Security & Compliance Briefing

SOA + BPM = Agile Integrated Tax Systems. Hemant Sharma CTO, State and Local Government

Transcription:

SwA Forum March 12, 2010 Open Group and OMG Update & Discussion on Standards Harmonization Andras Szakal IBM Distinguished Engineer Director Software Architecture IBM Federal Software Group 2009 IBM Corporation

Agenda Update on Software Assurance Activities The Open Group Object Management Group Harmonization 2 2009 IBM Corporation

Standards Success Requires Broad Vision The industry invests widely to develop and influence standards, enhance consumablity and drive standards-based business strategies. Early Customer Engagements Competitive Initiatives Products Early Code (POC) Partners Competitors Complementary Intellectual Property Public Relations Standards Bodies Industry Groups ISVs, Adjacent Standards The value back to the end user and the industry is realized in Choice, Flexibility, Speed, Agility, Skills. 3 2009 IBM Corporation

Open Group SwA Activities Overview Compliance Automated Security Compliance Expert (ACE) XDAS Update of the Distributed Audit Service ISM3 - Information Security Metrics/Maturity Model (ISM3) Method TOGAF Security Guidance SOA Reference Architecture SOA Security Guide Cloud Security Cloud security standards / best practices Cybersecurity Trustworthy Vendor Framework Profession Certification IT Architect Profession Certification (ITAC) IT Specialist Certification (ITSC) ITSC Security Stream 4 2009 IBM Corporation

Automated Compliance Expert Requirements Customer Collaboration and Requirement Gathering Industry Financial Medical Entertainment Consultants Auditors Research Governance Customer Pain Points Cost of Compliance Manual configuration home-grown configuration scripts difficult to maintain and audit Companies and systems must meet multiple compliance regulations PCI, SOX/COBIT, Internal Security Policies, US Gov. Compliance Audits: Time consuming Expensive Auditors/Audits are not consistent Desired Features Automated Security and Compliance Configuration Automated Monitoring Standardized Compliance Combines Multiple Compliance Requirements Platform Independent Complete Audit Reporting Compliance Over Ride and Policy Authoring 5 5 2009 IBM Corporation

ACEML and SCAP Integration Point Rule to Command Mapping Reconciliation of Policy Standards Blending Compliance Policy Authoring Tools NIST Specific Rule to command Mapping File ACEML The System s Rule to command Mapping File Computer System ACEML Actionable command Actual System Configuration Results recorded back into the ACEML file ACEML 6 2009 IBM Corporation

XDAS Distributed Audit Service XDAS Data Model XDAS Positioning Effort to update the XDAS specification to be broadly applicable to today's cross platform architecture Focused on integration with SIEM tools 7 2009 IBM Corporation

ISM3 Information Security Maturity Management Maturity Model Information Security Metrics/Maturity Model (ISM3) Standard: Incorporating best practices for linking security to business needs, using a process-based approach, providing implementation guidance, and using specific metrics, while preserving compatibility with current IT and security management standards. EU / Span based Security Operations Maturity Model Rationalize with other security maturity models 8 2009 IBM Corporation

Open Group Security and Assurance Method Standards Activities Integration of Security into TOGAF: Joint activity with the RT&ES Forum and SOA Working Group. Enterprise Security Architecture (ESA) Guide: Updating our 2004 ESA Guide. COA Framework Standard: Developing a standard for a Framework for Collaboration-Oriented Architectures. Security Reference Architecture: Developing a reference architecture,to demonstrate how to build secure EAs. Cloud Security Reference Architecture Guide: Joint activity with the Cloud Computing Working Group. SOA-Security Guide: In collaboration with the SOA Working Group, developing a best practice guide to explain what additional security considerations SOA environments demand. Secure Mobile Architectures (SMA) Standard: Specifying the common technologies for a standards-based SMA solution.other industry groups involved include the PCI Forum, ARC, SANS Institute, ISA, and TCG-TNC. Application areas include large manufacturing flow lines and safety-critical SCADA environments. Trust Management/Classification Model Guide: A practical approach describing the essential common levels of sensitivity and classification for the value of data, and effective protection mechanisms to assure secure operation. 9 2009 IBM Corporation

Cloud Security Define the appropriate building blocks, roles and use cases that address the appropriate confidentially, integrity and availability requirements of cloud computing Develop a Cloud security reference architecture 10 2009 IBM Corporation

Cybersecurity Trustworthy Technology Supplier Framework Effort to identify industry best practices for Building trustworthy products Managing trustworthy suppliers 11 2009 IBM Corporation

IT Profession Certification Premier IT Architect & IT Specialist Profession Certification Accredited companies: EDS, HP, CapGemini, IBM, Rayteon, more More than 2.5K certified architects IT Specialist Stream includes Security Architect http://www.opengroup.org/itac/ http://www.opengroup.org/itsc 12 2009 IBM Corporation

Software Assurance (SwA) Ecosystem Standard-based Solution OMG focused on core technology standards Tooling interoperability standards Goal: Standard-based integrated tooling environment that dramatically reduces the cost of multi-disciplinary software assurance activities Based on integrated ISO/OMG Open Standards Semantics of Business Vocabulary and Rules (SBVR) For formally capturing knowledge about vulnerabilities Knowledge Discovery Metamodel (KDM) Achieving system transparency in unified way Software Assurance Metamodel: Argumentation Metamodel (ARM) and Software Assurance Evidence Metamodel (SAEM) Intended for presenting Assurance Case and providing end-to-end traceability: requirementto-artifact Software Metrics Metamodel Representing libraries of system and assurance metrics SwA Ecosystem is expending: OMG SysA TF developing and integrating standards in area of Threat Risk Assessments and defining Security Vocabulary. 13 2009 IBM Corporation

Harmonizing Gov & Industry Standards Activities What needs to happen? Community-to-Industry Outreach Standardization principles Why do we standardize as an industry Where do we standardize not all standards bodies are equal Reduce the me-too standards efforts Establish an industry outreach system like FedBizOps Announce interest in industry participation in work groups How to Contribute Contribute to the right open standards body Find the authoritative source Example DMTS for systems management Contribute directly to industry Standards Continuity & Integrity Technology Standards should be apolitical (should not be sited in legislature) 14 2009 IBM Corporation

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information