247 E. v. Faber, W. Behnsen, Secure ICT Service Provisioning for Cloud, Mobile and Beyond, DOI 10.1007/978-3-658-00069-1, © Springer Fachmedien Wiesbaden 2013
A Authors and acknowledgement
A.1 Acknowledgement
The Enterprise Security Architecture for Reliable ICT Services (ESARIS), with its architectural approaches, concepts and models, as well as all the specific measures, is the result of a project started by T-Systems’ Security Management in order to develop the general treatment of ICT security issues following the trend towards industrialized ICT production and delivery. The authors would like to thank T-Systems for having been charged with the development of the architecture and its components. This was and still is an undertaking which is both fascinating and challenging. It is fascinating from a scientific or technical point of view since T-Systems was open to the introduction of new models, the integration of these into common practices and the use of a systematic holistic approach, which was built to collect and organize all the individual parts in one model. It was and still is a practical undertaking since ESARIS was built to secure T-Systems’ real ICT business and there was no option for a green-field approach since T-Systems has been in the business for a long time. The authors would like to thank T-Systems for its decision to publish parts of the work and for being given the opportunity to develop a large section of the manuscript for this book as part of their work as permanent, paid employees.
It is discussing problems that often leads to new innovations. Thus, a long time ago a small group of security professionals and leaders sat down together to talk about the difficulties once more, but ended up stepping aside from these and going far beyond this task. This group, together with the authors, did something radical: The authors would mainly like to thank Thomas Speichert, Jörn Garbers and Thomas Breitenbach, who opened the door to a real change towards strategic and structural thinking. This later led to a fundamental change in the mode of operation. These individuals developed initial concepts and acknowledged their development. Then Thomas Speichert in particular staffed a real project, which was both a necessary and a major step. Without Thomas Speichert’s and Jörn Garbers’ continuous and strong support and Thomas Breitenbach’s helpful interventions, this project would not have produced the amazing results it has. The authors would also like to thank their other main supporters, including Thomas Ade, Heike Bayerl and Sebastian Winterstein, for their contribution to the transformation of local practices into global standards. Andreas Bläse and Matthias Freitag promoted security architectures (for a long time) and the idea of publishing this book (for a few months). They also organized a very essential resource. Thank you.
Even though this book is the work of single individuals, the whole architecture and its series of security standards is not. Hence, the authors would like to thank their many colleagues who have been consulted and who have contributed either by providing sources and tips, performing reviews or by writing standards or parts thereof. This is not the place to mention all the experts who have made a contribution to this. But as regards this book, the authors would like to thank Dr. Ludger Walther and Bernd H. Sievers for being kind enough to read the manuscript, and for their helpful remarks.
One of the authors (Eberhard von Faber) would like to point out that this book, and possibly the entire architecture, might not exist in this form without his extensive thinking on information security in general, and the security aspects in outsourcing models in particular which he did in his sideline job as professor for IT Security at Brandenburg University of Applied Science. The author would like to thank T-Systems for supporting him and granting him permission to maintain this “hobby”. He would like to thank the university, specifically the staff at the Department of Business and Management, for their kind affiliation and numerous students for their probing questions. More importantly, he would like to say thank you for the intensive and fruitful close collaboration during the elaboration of ESARIS and the writing of this book. It is a pleasure working with you, Wolfgang.
The other author (Wolfgang Behnsen) would like to express his deepest gratitude to Eberhard von Faber for his excellent and purposeful teamwork and for the many hours of inspiring discussions: designing and building ESARIS was and still is – besides being hard work – a type of intellectual adventure. It is worth pointing out that security is not an easy task. In one sense, he considers somebody working in security to be like Sisyphus, a king in Greek mythology who was condemned to rolling a rock up to the top of a hill repeatedly without a break or a chance to change his situation. In using this metaphor, ESARIS is the tool that enables Sisyphus to end his dilemma.
This book – written by humans – may contain errors. However, we know that computer programs do not make their job any easier, since ultimately these are also man-made. Interested readers are nonetheless invited to provide their valuable comments to the authors.
A.2 Curriculum vitae of Eberhard von Faber
Eberhard von Faber from T-Systems studied electrical engineering and obtained a doctorate in the field of semiconductor physics. He is a professor for IT Security at Brandenburg University of Applied Science. In this sideline job, he teaches the Security Management Master's degree course.
In January 1992, he started his career as a developer for security products. He developed the first hardware-based security system for notebook computers. This security system was made available in the form of a credit card-sized PC Card and featured a full size microcomputer with battery backup secure key storage.
One key element was a highly integrated circuit (ASIC) especially developed for this product in order to manage the integration into the card’s small form factor. It also featured the world’s fastest integrated circuit for DES encryption.
He left the company in 1994 and moved to debis Systemhaus, where he worked in various fields of security engineering, security consulting and security evaluation.
Mr. von Faber developed the basic conception for a sophisticated electronic car immobilizer system – still in existence today – for a leading automotive company. Another large security engineering project was the development of an infrastructure for secure communication for a German banking consortium in around 1996. The system was designed from scratch.
Eberhard von Faber demonstrated in 1995/1996 that the Data Encryption Standard (DES) is no longer secure against a brute-force attack. As a result, the German financial industry decided to replace this algorithm in all payment systems and components. This issue was kept strictly confidential and was completed long before the “Deep Crack” brute-force attack of June 1998.
Mr. von Faber has conducted security evaluations, especially of integrated circuits used in international payment systems. He invented several highly sophisticated techniques for attacks. He is the main author of the international standard for the security of smart card integrated circuits.
He set up and developed the Commercially Licensed Security Evaluation Facility of debis Systemhaus. Mr. von Faber headed this lab and was active as an evaluator until 2003.
Mr. von Faber now works for T-Systems, where he has held various positions. He has made a significant contribution to the company’s security portfolio strategy, formed and shaped the structure of the security offering portfolio, worked on the go-to-market strategy and supported marketing activities. He was also involved in developing prize-winning, innovative solutions.
He is an internationally recognized security expert, responsible for more than 100 public talks and publications. Nowadays he works in Security Strategy and Executive Consulting. His special subjects are security strategy, enterprise security management, identity and access management, as well as IT security solutions and components. His current special interests are security aspects in outsourcing models including cloud computing, measuring security and assurance models as well as enterprise security architectures.
A.3 Curriculum vitae of Wolfgang Behnsen
Wolfgang Behnsen from T-Systems studied mathematics and graduated with a diploma from the University of Hagen (FernUniversität (FU) in Hagen) in 1995. He holds several internationally recognized security certificates, including Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Control (CRISC), Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA). He is currently Senior Security Manager at T-Systems Production.
After completing his vocational training as a Mathematical Technical Assistant at the RWTH Aachen University (Rheinisch-Westfälische Technische Universität) in 1982, he started his career as a Technical Employee at the Chair of Programming Languages of the Friedrich-Alexander Universität Erlangen-Nürnberg. His main tasks included software development as well as operations (from planning up to administration) of the IT infrastructure of the Chair.
In 1996, he moved to debis Systemhaus where he worked as an IT Systems Specialist & Consultant. He dealt with the management of complex client/server environments, operations of security systems such as firewalls and authentication servers (from planning up to administration) and security consultancy for customers with respect to topics such as secure Internet access, secure remote access and similar.
From 1999 to 2002, he held the position of IT Security Manager and representative of the Head of IT Security of debis Systemhaus, later in this period also of T-Systems ITS. He was responsible for the creation and coordination of security policies, standards and guidelines, coordination of the overall strategic and operational security issues and Europe-wide performance of security audits of company units on behalf of the board of management.
From 2003 to 2007, he worked as Senior Security Consultant at T-Systems. He was mainly responsible for consultancy on security strategy, corporate-wide information security management, enterprise security architectures, management of (IT) security projects and the performance of security audits and reviews at enterprise-level for a variety of large companies from different sectors.
Since 2008 he has been working for T-Systems Production as Senior Security Manager. One aspect of this role is to assume responsibility regarding security governance in all phases of Big Deals. The other aspect is the development of security practices in ICT Service Delivery. Since the end of 2010, Mr. Behnsen has been involved in the development and implementation of T-Systems’ “Enterprise Security Architecture for Reliable ICT Services (ESARIS)”.
He is a member of “Deutsche Mathematiker-Vereinigung (DMV)”, “Information Systems Audit and Control Association (ISACA)” and “Gesellschaft für Informatik (GI)”. From 2002 to 2007 he was Vice Chairman of GI’s professional group “Management of Information Security”. His special subjects and interests include security strategy, security governance, enterprise security management, enterprise security architectures, security assurance and auditing, and all kinds of enterprise-level security frameworks such as COBIT, ISO27000-series and ITIL.
B Terms and definitions
Terms and definitions can also be found in the literature (see footnote 89).
B.1 Fundamental terms
Goals of Information Security (CIA)
Confidentiality
The confidentiality of information expresses the need to be protected from being accessed by or disclosed to unauthorized subjects (individuals or systems). Confidentiality is preserved, e.g. by restricting access, readability and flow of information.
Integrity
The integrity of information, systems and services is the property of not being altered or corrupted, or tampered with, in an unauthorized manner or accidentally. Integrity can be preserved, e.g. by limiting the ability to make modifications. Integrity can be detected, e.g. by comparison.
Authenticity
The authenticity of information is the property of being genuine. This encompasses integrity but additionally means that its origin is verified. Authenticity can be preserved, e.g. through the authentication of remote subjects or through the authentication of data (e.g. using signatures).
Availability
The availability of information, systems and services is the property of being accessible and usable upon legitimate demand. Availability is preserved, e.g. through redundancy, capacity and resilience.
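The distinction the definitions above draw between integrity (detectable by comparison) and authenticity (integrity plus a verified origin) can be made concrete in code. The following Python is an added example and not from the book; the sample record, the shared key and all function names are constructed for illustration only.

```python
"""Integrity vs. authenticity, following the glossary's definitions.

An unkeyed digest detects alteration by comparison (integrity), but anyone can
recompute it, so it says nothing about origin. A keyed MAC can only be produced
by a holder of the key, so a matching tag also verifies origin (authenticity).
Standard library only; key and record are constructed demo values.
"""
import hashlib
import hmac

# Constructed sample record and a constructed shared key (not a real secret).
RECORD = b"transfer;from=ACC-1;to=ACC-2;amount=100"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def integrity_tag(data: bytes) -> str:
    """Unkeyed SHA-256 digest: detects alteration, does not bind origin."""
    return hashlib.sha256(data).hexdigest()


def authenticity_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data: only a key holder can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def integrity_preserved(data: bytes, tag: str) -> bool:
    """Integrity 'detected by comparison': recompute the digest and compare."""
    return hmac.compare_digest(integrity_tag(data), tag)


def authenticity_preserved(key: bytes, data: bytes, tag: str) -> bool:
    """Authenticity check: the verifier's own key must reproduce the tag."""
    return hmac.compare_digest(authenticity_tag(key, data), tag)


def demo() -> dict:
    """Run the cases and return, per case, whether the check behaved as expected."""
    tampered = RECORD.replace(b"amount=100", b"amount=900")
    h = integrity_tag(RECORD)
    m = authenticity_tag(SHARED_KEY, RECORD)
    results = {}
    # Case 1: the record is altered but the tags are not updated.
    # Both checks detect the change.
    results["altered_record_fails_hash"] = not integrity_preserved(tampered, h)
    results["altered_record_fails_mac"] = not authenticity_preserved(SHARED_KEY, tampered, m)
    # Case 2: a party without the key alters the record AND recomputes the digest.
    # The integrity check is satisfied (the data is consistent with its digest),
    # which is exactly why a plain digest does not establish authenticity.
    forged_hash = integrity_tag(tampered)
    results["forged_hash_passes_integrity_check"] = integrity_preserved(tampered, forged_hash)
    # The same party cannot produce a tag under the real key; the MAC check fails.
    forged_mac = authenticity_tag(b"some-other-key", tampered)
    results["forged_mac_fails_authenticity_check"] = not authenticity_preserved(
        SHARED_KEY, tampered, forged_mac
    )
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```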
Footnote 89:
Kissel, Richard (ed.): Glossary of Key Information Security Terms; National Institute of Standards and Technology, U.S. Department of Commerce, NIST IR 7298, Rev. 1, Feb. 2011 [12]
Chrissis, Mary Beth; Mike Konrad and Sandy Shrum: CMMI – Guidelines for Process Integration and Product Improvement; Addison-Wesley, 2003, ISBN 0-321-15496-7 [31]
ISO/IEC 27000 – Information technology — Security techniques — Information security management systems — Overview and vocabulary; as of 2009-05-01 [2]
Accountability
Accountability is the property that actions of an entity can be uniquely traced back to that entity which can be identified. The purpose can be different. Examples include non-repudiation, forensics, billing, as well as resource allocation and optimization.
Threats and risks
Threat
A threat is an anticipated scenario or circumstance with the potential of violating a security policy. A threat requires a vulnerability to be utilized or exploited before the business is impacted. Threats are directed towards assets.
Vulnerability
Vulnerabilities relate to the absence of or defect in appropriate security measures (or security control). Technical vulnerabilities are gaps in technology which – if exploited – lead to a breach of security or violation of a security policy. For more detail refer to the definitions in Sect. B.3.
Security
Security is the absence of unaccepted risks. This condition is seen as the result of implementing and maintaining security measures (technical, procedural and organizational). Security will allow an organization to perform as desired despite the risks its ICT is exposed to.
Risk
A risk is generated if a threat can – with a given probability – utilize or exploit a vulnerability (absence of or defect in appropriate security measures), which has an impact on business.
Asset
An asset is anything that has value for the organization and is critical for being able to meet the business objectives. Therefore, assets need to be protected from being put at risk.
Goals and measures
Security objective
A security objective is a statement of the desired state to be achieved. Usually it combines a specific subject and environment with declarations of confidentiality, integrity, authenticity, availability, accountability and the like. More specifically, a security objective can determine the outcome of an action.
Security measure
A security measure is any means that is suitable to mitigate risks. Security measure is synonymous with security control. Security measures can be administrative, organizational or procedural, technical or legal.
Security requirements
Security requirements describe the characteristics of security controls. This is done in a way that allows flexibility in selecting and designing the controls. Security requirements reply to security objectives that in turn are formulated as response to identified threats.
Security target
A security target is a comprehensive security specification that includes the identification of threats in a defined environment (problem statement), the description of security objectives defined as responses to that problem statement, as well as a description of security requirements which are chosen in order to achieve the security objectives.
Assurance
Assurance is the level of confidence that the “entity under consideration” meets its security target, in particular that the security objectives are met. Assurance is established by applying assurance measures (e.g. by following specific security procedures in the life-cycle) and by providing transparency about and third-party assessment of these measures.
Certification
Certification is the confirmation that assurance has been established in a defined process using pre-defined criteria. The confirmation is issued by an independent certification authority or certification body. Often this certification authority basically confirms that assurance has been established in accordance with the certification requirements (i.e., the above conditions of applying a “defined process” and “pre-defined criteria”). The assessment against the “pre-defined criteria” is then conducted by another party called the evaluation facility. The evaluation facility needs to be accredited by the certification authority, which requires approval and continuous monitoring of the business and activity.
Process and improvement
Capability
Capabilities are the means of an organization or people to master anticipated situations and gradually improve them. Capabilities usually apply to an individual, well-defined area. Capabilities can be determined. Their quality can be measured, e.g. by reflecting on how the result is achieved and how this can be proven to an audience.
Maturity
Maturity allows predictions of general outcomes of upcoming or future projects, activities etc. This requires maturity to be measured. Maturity usually applies to multiple areas.
Procedure
A procedure is a specific and usually specified way to carry out a process or parts of it.
Process
A process is a set of subsequent or interrelated activities that serve an overall common purpose.
B.2 Terms relating to security organization
Security architecture
Enterprise Security Architecture (ESA)
An Enterprise Security Architecture (ESA) is a rigorous structured approach built to achieve an adequate level of (information or IT) security in an enterprise. The security architecture defines and comprises elements (e.g. the methods and security measures), their relations (e.g. interfaces, interactions and dependencies) and a taxonomy that provides a rigorous structure and an ordering schema (e.g. hierarchies, organization, conventions). The means or security measures that are applied comprise technological, organizational and procedural means. The term is synonymous with Enterprise Information Security Architecture (EISA) where the focus is on mitigation of IT or information-related risks.
Enterprise Security Architecture for Reliable ICT Services (ESARIS)
An Enterprise Security Architecture for Reliable ICT Services (ESARIS) is an Enterprise Security Architecture (ESA) made for ICT Service Providers. An Enterprise Security Architecture (ESA) has the general goal or purpose of protecting an enterprise or, more specifically, the information and IT being used. It can be built and maintained by any enterprise that processes information. – An Enterprise Security Architecture for Reliable ICT Services (ESARIS) is built and maintained by ICT Service Providers with the clear goal, purpose and focus to deliver ICT services to customers with an adequate level of security. Thus, an ESA protects an enterprise and its business, whereas an ESARIS is built and maintained in order to reduce risks for customers who consume any ICT service from the ICT Service Provider.
Information Security Management System (ISMS)
An Information Security Management System (ISMS) is a model that enables an enterprise to cope adequately with information security. It comprises policies, procedures and guidelines and is used to establish, monitor and improve an enterprise’s overall information security. An ISMS is an enablement, governing and management framework. An Enterprise Security Architecture (ESA), moreover, comprises the individual, very specific measures that enforce security by averting threats.
Security Management
Security policies
Security policies express intention and direction through the definition of rules and criteria. Usually policies abstract from technology. They are often put into force by the management.
Security record
A security record is a document in any format that provides evidence of activities. Activities can be automated (operation and usage of ICT) or manual (human intervention). Evidence can pertain to the activity itself or to its result. Automatically generated records are also called log data. They are also called audit data, audit logs or audit trails if systems activities are recorded chronologically.
Security report
A security report is a reply to a specific request and not just evidence like a security record. Usually, a security report is provided in order to provide evidence of a provided service or its quality. A security report is created to leave the department or domain it is created in. Its purpose is third-party notification. Security reporting is the process of communicating to contracting bodies and the like based upon security reports.
Security audit
A security audit is an independent review and examination of records, reports or observed facts by people. Audits can be conducted to verify the existence and effectiveness of controls, to check compliance with policies and procedures, and to identify and recommend necessary changes in controls, policies, or procedures. An audit usually includes practical tests. – For information on automated “observation”, refer to security record and log data.
Security testing
Security testing is an independent review, “hands-on” trial and examination of ICT security measures by people. Testing is conducted to verify the existence and effectiveness of controls, to check compliance with policies and procedures, and to identify and recommend necessary changes in controls, policies, or procedures. Security testing is also performed as part of a security evaluation; and penetration testing or ethical hacking are specific types of security testing.
Service Management
Change
A change is the alteration to ICT, more specifically to a Configuration Item (CI). This includes the addition, modification or removal of ICT services, approved or supported hardware, network, software, applications, environments, systems, desktop workplaces or associated documentation.
Configuration Item (CI)
A Configuration Item (CI) is any component that needs to be managed in order to deliver an ICT service. Information about each CI is recorded in a configuration record in a database and maintained throughout its life-cycle by Configuration Management. Examples of Configuration Items are ICT services, hardware, software, buildings, people and formal documentation such as process documentation and service level agreements (SLA).
Criticality
The criticality measures the dependency of the customer on the proper operation of an ICT service. The value is assigned to the ICT elements (Configuration Items) used and which are necessary to provide the ICT service.
Customer Business Impact (CBI)
The Customer Business Impact (CBI) measures the degree of impact caused due to an incident. It combines the measured loss of availability (see service restriction) and the measured dependency of the customer to maintain the business (see criticality). Thus, the CBI does consider the use of the ICT service or systems in the customer’s business context. The CBI does not consider security aspects such as the loss of confidentiality or integrity of data.
Release
A Release is a collection of hardware, software, documentation, processes or other components required to implement one or more approved Changes to ICT Services. The contents of each Release are managed, tested and deployed as a single entity.
Request for Change (RfC)
A Request for Change (RfC) is a formal proposal to initiate a change. It contains a description about the action requested. This term does not describe the change itself or records of it.
Service restriction
The service restriction measures the degree of impact caused due to an incident. The service restriction solely considers the loss of availability. It does not consider the use of the ICT service or systems in the customer’s business context. The service restriction is used to determine the Customer Business Impact (CBI).
The ICT Service Provider and its business
Transition
Transition is the process of moving ICT service provisioning to an ICT Service Provider. The Transition is the execution of a set of contractually defined projects to take over operational responsibility for the customer’s services that are in-scope. ICT services are taken over without any change (also called “as-is”) which defines the so-called Current Mode of Operation (CMO). However, Transition also allows for making adjustments and limited improvements, which turns the ICT operation from CMO into a different mode of operation managed by the ICT Service Provider (CMO+). During transition, the transfer of all defined CMO assets, staff and/or services to the ICT Service Provider is prepared and performed.
Transformation
Transformation is the modernization of ICT service provisioning at the ICT Service Provider. The Transformation is the execution of a set of contractually defined projects to implement the service level agreement (SLA), to reduce the total cost of ownership (TCO), and to enhance or implement new services. Emphasis is on standardization, centralization and integration. Transformation moves the ICT service into its so-called Future Mode of Operation (FMO).
Current Mode of Operation (CMO)
The Current Mode of Operation (CMO) is the mode of ICT operation before Transition starts. In other words, the customer’s ICT systems are operated “as-is” and without any change being made by the ICT Service Provider.
Current Mode of Operation plus (CMO+)
The CMO+ is the mode of ICT operation after Transition ends and before Transformation starts. The CMO+ is different to the CMO since the ICT services are adapted and improved to some extent when moved to the ICT Service Provider and operated under the provider’s responsibility.
Future Mode of Operation (FMO)
The Future Mode of Operation (FMO) is the mode of ICT operation after Transformation has finished. That means that optimized operation is achieved after the implementation of all agreed projects. The CMO+ is changed to the FMO during Transformation.
B.3 Terms relating to difficulties and restoration
Vulnerabilities, events and incidents
Patches
Patches are pieces of software that are developed to expand or replace existing code because the latter is defective. Patches address and remove existing defects in software or enable additional functionality.
Problem
A Problem refers to the cause of (security) incidents or a lack of performance, a shortage of capacity or failure in functionality. A Problem requires a repair. The cause, however, is usually not known at the time a problem record is created, and the Problem Management process is responsible for further investigation.
Vulnerability (general)
Vulnerabilities relate to the absence of or defect in appropriate security measures (or security control). The term “appropriate” refers to the fact that threats and risks are analyzed and security objectives are defined. Then security requirements and security measures are designed that are intended to meet the security objectives, counter the threats and mitigate the risk.
Vulnerability (technical)
Vulnerabilities are gaps in technology which – if exploited – lead to a breach of security or violation of a security policy. Gaps are caused by defects in software, misconfiguration or general or architectural design errors. Day-to-day corrective measures are patches (which remove defects in software) and changes in the configuration (removing or replacing equipment, changing the equipment setup). – Gaps may also be caused by unanticipated changes in the usage and operating environment and by technological progress which may, for instance, allow or provide new methods of attack.
Vulnerability Assessment
Vulnerability assessment requires prior identification of vulnerabilities, e.g. using vulnerability notification services (CERT advisory services), release notes from manufacturers, other sources of announcements, as well as results from any security testing, which includes integrity scanning, detection of changes, automated and manual penetration testing. Vulnerability assessment includes identification of root cause, evaluation of impact and mitigation planning. Mitigation planning includes the planning of any corrective action and the evaluation of anticipated and achieved results.
Logging
Logging is the process of producing log data. Log data is records being produced by ICT systems and components at run-time in order to report on usage and operation. Log data which is most relevant for managing security is that which relates to security events.
Monitoring
Monitoring is any observation of ICT systems and components during run-time. The result is data which are usually logged. Whereas genuine log data are produced by the ICT systems or components themselves (own records), monitoring is supervision at run-time and produces records (or log data) externally.
Log management
Log management is any analysis and processing of log data in order to allow system troubleshooting, checking of compliance with policies and regulation, to identify and respond to security events and security incidents and to perform security investigations (forensic analysis).
Security events
Security events are any security-related or security-relevant action that is made visible by a log entry, an alarm or any other observation that has been tracked. A security event is “neutral” or not yet measured in terms of its effect. It may represent a critical security breach or just an authorized use of the ICT.
Security incidents
Security incidents are security events that violate a security policy and require human intervention which is beyond applying day-to-day corrective measures. A security incident can be caused by the exploitation of a (technical) vulnerability, of another weakness in organization or processes; it may utilize human failure or misconduct, or a combination thereof.
Security incident response
Security incident response comprises notification to users and other groups as well as any actions taken in order to minimize losses, destruction, systems outage or any other business impact.
Forensic analysis
Forensic analysis is the process of reconstructing past events from the analysis of traces being produced or recorded during the event and to identify the root cause. Forensic analysis tries to avoid any alteration to systems and data being involved or used in the event. Forensic analysis should provide evidence and accounting data.
Business Continuity Management
Business Continuity Management provides precautions that minimize the impact of possible disruptions to ICT service provisioning or of a business-critical loss of data, which includes a timely and outright recovery of service and data. Business Continuity Management comprises Business Continuity Planning that utilizes a Risk Management approach. Business Continuity Management also comprises practical execution, or emergency management. ESARIS deals with ICT services. Strictly speaking, it concerns (ICT) service continuity.
B.4 Major concepts and models at a glance
This section provides a “fast track to ESARIS” by delivering definitions or short explanations for major concepts or models of ESARIS. The figures are reproduced from the previous sections in order to ease the use of this glossary.
Situation
ESARIS Standardization Philosophy
“ICT outsourcing” started with moving systems from customer premises to large data centers of specialized ICT Service Providers. New systems were developed as dedicated systems to fit the specific requirements of the customer. At this time, silos were set up which resulted in heterogeneous environments. – In order to reduce costs and improve flexibility, today’s “outsourcing” uses shared systems and demands largely standardized services. ESARIS follows this trend and supports industrialized ICT production and delivery.
Fig. 75: ESARIS Standardization Philosophy (Fig. 14)
ESARIS Duplex Security Management Concept
The ESARIS Duplex Security Management Concept firstly recalls that there are, for ICT Service Providers, two distinct goals in the field of information security: the protection of the enterprise as a whole and of the service or product being provided. Both areas can cause risks to both the enterprise and its customers. Hence, the two areas are interwoven. The ESARIS Duplex Security Management Concept indicates the necessity and existence of two different security organizations or perspectives. Each one will concentrate on one scenario while supporting the other. The interrelation is called “duplex” since none of them should actively control an issue that is already and actively controlled by the other party.
[Figure: two areas, Enterprise security and Product/Service security, and two perspectives, Corporate Security Management (board) and Product Security Management (sales, service, production). Corporate Security Management has its primary interest in enterprise security and a secondary interest in product security (since unsecure products may put the enterprise at risk); Product Security Management has its primary interest in product/service security and a secondary interest in enterprise security (since security gaps in the enterprise may cause vulnerabilities in products). Requirements for both: leadership (governance, risk, compliance) and customer requirements (Automotive, Finance, Public, …), which partially overlap.]
Fig. 76: ESARIS Duplex Security Management Concept (Fig. 15)
ESARIS Governance Model
The ESARIS Governance Model combines and aligns the two perspectives and tasks described in the ESARIS Duplex Security Management Concept. The two perspectives are called governance, risk and compliance (GRC) perspective and business perspective here, whereby the first clearly controls the second. Note, however, that there can be conflicts and other constraints such as funding of security measures and others resulting from the actual practice thereof.
[Figure: the governance perspective (Governance; Privacy and regulatory compliance; Risk management, incl. risks caused by “products”) sets requirements for business; Corporate Security Management + Product Security Management. The business perspective covers “Products” (ICT Services): service design, service delivery, contracting, communication, security management, prioritization, shaped by requirements from customers, technological constraints and business constraints (€).]
Fig. 77: ESARIS Governance Model (Fig. 16)
Approach
ESARIS Industrialization Concept
It is a major goal of ESARIS to increase the degree of standardization. ICT services shall be produced in an industrialized way, which requires embedded and related ICT security measures to be standardized as well. ICT services provide a minimum, baseline or standard security (blue). Requirements that are not common to all customers are met by adding pre-defined options (black). Customer-specific services that meet full custom requirements are considered as exceptional cases. The different types of solutions consider both the provider’s and the customer’s requirements.
[Figure: corporate governance, risk, compliance and customer requirements (Automotive, Finance, Public, …) partially overlap. Solution types: standard, options, full custom, no-go; industrialized services (established platforms and processes) versus customer-specific services. Phases: requirements identification, requirements consolidation, conception and integration, operations and maintenance.]
Fig. 78: ESARIS Industrialization Concept (Fig. 21)
ESARIS Composition Model
ESARIS is built to support the ICT core business. The provider follows a modular approach in providing ICT services and the embedded or associated ICT security measures. Each ICT service consists of a baseline service (rectangle with interfaces) but allows options to be added (shown as plugs). The ICT security measures are provided in the same manner. There is a baseline security which can be enhanced using options. Many of the security options are also available as dedicated security services and therefore part of the ICT Security Service portfolio.
[Figure: Example 1 and Example 2, each with an ICT row and a Security row: baseline security service (in line with industry standards); baseline security services plus options; ICT services for a customer; available unused options.]
Fig. 79: ESARIS Composition Model (Fig. 22)
Framework for ESARIS
ESARIS does not comprise or regulate all security management activities of the ICT Service Provider. This part is called the Enablement Framework for ESARIS. ESARIS does not incorporate all possible security practices, measures or controls. This part is called the Enforcement Framework of ESARIS. – ESARIS provides information about the real and existing security practices that make the ICT services secure and enhance the trustworthiness of the provider and its ICT services.
[Figure: Requirements (corporate and customer) feed the Enablement Framework (ISMS: security management process and reference model, mainly ISO 27001; impact analysis for non-framework requirements), the Enterprise Security Architecture (industrialized ESARIS Services; processes and roles for new business, changes and operational services; service management; technology platform; evidence: monitoring, analytics and reporting; custom services: specific service and realization for a customer) and the Enforcement Framework (Practice: controls, mainly ISO 27002; specific standards, e.g. PCI).]
Fig. 80: Framework for ESARIS (Fig. 17)
Enablement Framework for ESARIS
The ICT Service Provider has set up processes and organizations to protect the company as a whole. This includes minimizing risks that are associated with the business (delivery of services to customers). The security standards and measures that are structured in ESARIS are set up and maintained using the security management processes and organizations that exist. They are called the Enablement Framework for ESARIS since they enable the enterprise to protect its business and its services as stipulated in ESARIS.
[Figure: Activities of the Enablement Framework (conducted by Corporate Security Management), arranged as a Plan–Do–Check–Act cycle.
Plan: P1 Define scope and ISMS policy; P2 Define risk assessment approach; P3 Identify risks, derive control objectives and controls; P4 Approve residual risks; P5 Draw up statement of applicability (SoA).
Do: D1 Implement risk handling plan and controls; D2 Define process for monitoring the effectiveness of controls; D3 Develop security awareness; D4 Lead ISMS and steer funds; D5 Implement methods to identify and handle security incidents.
Check: C1 Monitor and review security incidents; C2 Evaluate effectiveness of the controls implemented; C3 Review risk assessment approach; C4 Perform and document ISMS audits; C5 Carry out management evaluations.
Act: A1 Implement identified improvements in ISMS; A2 Implement appropriate corrective and preventative controls; A3 Communicate activities and improvements; A4 Ensure improvements achieve targets.]
Fig. 81: Enablement Framework for ESARIS (Fig. 19)
Enforcement Framework for ESARIS
ICT Service Providers have experience in protecting ICT services and have developed different procedures and solutions. Most ICT security measures are, however, industry practices and controls that are defined and developed outside the enterprise. ICT security solutions such as firewalls are integrated and operated by the ICT Service Provider but purchased from suitable vendors. All the solutions, controls or measures that may be utilized to protect the ICT services are considered to form a so-called Enforcement Framework for ESARIS. This framework also comprises methods to take advantage of and to assess these practices for the protection of the provider’s ICT services.
[Figure: Requirements (corporate and customers) R1–R5 are matched against a Set of Controls (ISO 27002 etc.) C1–C7 by Risk Management (Business Case); the controls are covered by the Controls of ESARIS and its ICT Security Standards A–D, which lead to the Implementation.]
Fig. 82: Enforcement Framework for ESARIS (Fig. 20)
Content
ESARIS Dimensions
ESARIS spans three dimensions and thereby responds to three questions. What? – ESARIS comprises all components that are needed to deliver secure ICT services and dedicated security services to customers. Who? – ESARIS comprises definitions of roles and responsibilities as well as of processes and practices. How? – ESARIS comprises the security standards showing how security is “achieved” and allowing for “assessing” the level being achieved.
[Figure: the three ESARIS Dimensions: 1 What? – Work areas (ESARIS Platform; New Business & Major Changes (Project Business); Operations (Daily Business)); 2 Who? – Roles etc.; 3 How? – Standards.]
Fig. 83: ESARIS Dimensions (Fig. 23)
ESARIS Work Areas
The ESARIS Work Areas are one of the ESARIS Dimensions (i.e. No. 1). ESARIS considers the whole life-cycle. Consequently, there are three work areas. The so-called ESARIS Technology Platform comprises all elements that are prepared and available to deliver ICT services in a secure way. Secondly, there is the Project Business in which new business is prepared and major changes are made. The third work area is Operations, where ICT services are actually delivered to customers in a secure way.
[Figure: Enterprise Security Architecture for Reliable ICT Services (ESARIS) with three work areas. ESARIS Platform: Define Offering & SDEs; Initial set-up of ESARIS (creation and extension); Maintenance of ESARIS (improvements). New Business & Major Changes (Project Business): Bid, Transition, Transformation; Set-up for operations; Major Changes. Operations (Daily Business): Service Delivery Management; Provide industrialized and customer-specific ICT Services; Evidence. ESARIS reflects three types of business: Customer Projects – Operations – Platform Preparation.]
Fig. 84: ESARIS Work Areas (Fig. 24)
ESARIS Collaboration Model
The ESARIS Collaboration Model fills one of the ESARIS Dimensions (i.e. No. 2) and describes the roles and their interaction in Project Business and Operations (refer to ESARIS Work Areas). In particular, it features the Security Manager who is responsible for security issues in the Project Business (plan – build) and the Customer Security Manager who performs this task in Operations.
[Figure: roles and their interaction. Project (bid, transition, transformation): Offering Manager, Security Manager, Customer, ICT SRC Manager, Security Architects and Experts (engineering). Operations (CMO+FMO): Customer Security Manager, Operations Manager, Operations Personnel. Labelled flows: requirements, governance, and the step-by-step transfer of business from the project to operations.]
Fig. 85: ESARIS Collaboration Model (Fig. 27)
Hierarchy of Security Standards
The Hierarchy of Security Standards fills in one of the ESARIS Dimensions (i.e. No. 3). This hierarchy comprises an overall security policy on the top (Level 1) and a more detailed rule base below (Level 2). These two concern the whole enterprise and its business. The next levels (3 to 5) deal with the ICT service delivery. They describe security principles and standards that are built and maintained in order to deliver ICT services in a secure way. Such a hierarchy may look different and use other terms.
[Figure: the Refinement Pyramid of Standards (Requirements for ICT Service Provisioning): L1 Corporate Security Policy; L2 Corporate Security Rule Base; L3 ICT Security Principles; L4 ICT Security Standards; L5 ICT Security Baselines. Columns: Certification and Audit, Security Measures, Security Implementation. Examples: ISO 27001 Certificate, Detailed customer inquiry, Software settings and configuration.]
Fig. 86: Hierarchy of Security Standards (Fig. 28)
ESARIS Concept of Double Direction Standards
ESARIS aims to standardize the security controls and to provide information, transparency and evidence to customers that security is actually being achieved. In order to ensure unambiguity, Level 4 of the Hierarchy of Security Standards is chosen to provide information to customers and simultaneously to provide directives for ICT service delivery and production. The ESARIS Concept of Double Direction Standards stipulates that the same text is used for both purposes. The security measures of Level 4 therefore address a concrete security issue and respond to a question or concern that is of interest for customers. The context, purpose and effect become clear from studying the security measure. The security measures, moreover, provide directions for implementation, formulated as clearly and specifically as required in order to ensure that security objectives are achieved.
[Figure: the ICT Security Standards (L4) point in two directions: Directives for Service and Production, refined by the ICT Security Baselines (L5), and Assurance to Customers; the labels Fulfillment and Attainment mark the two directions.]
Fig. 87: ESARIS Concept of Double Direction Standards (Fig. 29)
Specification
ESARIS Security Taxonomy
ESARIS describes security measures in a structured and totally modular way. The security measures are distributed amongst several ICT Security Standards since both the ICT services and the security requirements are manifold. The ICT Security Standards provide transparency to customers by explaining how the ICT Service Provider achieves and guarantees security. They are also directives for production and service delivery. The structure of the ICT Security Standards has therefore been designed to serve three objectives: Firstly, customers shall obtain answers on how their requirements are addressed. Secondly, the individual departments and teams of the ICT Service Provider shall easily find the guidance relevant for them. Thirdly, the ICT Security Standards shall cover all relevant aspects, i.e. “the whole world of IT and TC security” with all the details and variants across all technical disciplines and throughout the entire life-cycle. This structure is called the ESARIS Security Taxonomy.
[Figure: map of ICT Security Standards. Area headings: Evidence and Customer Relation; Service Management; Customer and users; Networks; Data center. Standards shown: Vulnerability Assessment, Mitigation Plan; Logging, Monitoring & Security Reporting; Incident Handling and Forensics; User Identity Management; Mobile Work-place Security; Office Work-place Security; User LAN Periphery; Wide Area Network Security; Gateway and Central Services; Corporate Provider Access; Application and AM Security; Computer Systems Security; Data Center Security; Data Center Networks; VM and S/W Image Mngt.; Database and Storage Security; Operations Support Security; Administration Network Security; Remote User Access; Provider Identity Management; Customer Communication and Security; Release Mngt. and Acceptance Testing; Change and Problem Management; System Development Life-Cycle; Systems Acquisition and Contracting; Asset and Configuration Management; Hardening, Provisioning & Maintenance; Security Patch Management; Business Continuity Management; Certification and 3rd Party Assurance; Risk Management.]
Fig. 88: ESARIS Security Taxonomy (Fig. 31)
Clusters of ICT Security Standards
The Clusters of ICT Security Standards are one element or aspect of the ESARIS Security Taxonomy. The lower half of standards in the map is primarily oriented towards individual ICT services and their functionality. The standards of this part can be grouped into so-called clusters. The same can be done with the standards of the upper half. The diagram below provides six clusters as used in the original map of ICT Security Standards.
[Figure: the same map of ICT Security Standards as in Fig. 88 (area headings Evidence and Customer Relation; Service Management; Customer and users; Networks; Data center), with the standards grouped into six clusters.]
Fig. 89: Clusters of ICT Security Standards (Fig. 32)
ESARIS Security Specification Concept
The ESARIS Security Specification Concept provides guidance for the authors of ICT Security Standards and ensures that the latter have the same structure and content and integrate into the overall ESARIS Security Taxonomy while describing dependencies etc. All standards have the following structure and content: security problem definition, security objective identification, scope and coverage clarification, identification of external support (dependencies with other standards), definition of security measures with implementation guidance and rationale. The approach is related to the one described in Common Criteria (ISO/IEC 15408).
[Figure: Table of Contents of an ICT Security Standard. Analysis: understand context and situation (where am I?); understand security problem, issues or threats; understand the origin of requirements; understand the goal (where to?); define subject (scope?); understand external support; define limitations. Solution: security characteristics, features or measures; control (specification); implementation guidance; rationale. Appendix: who is responsible? deviations? exceptions?]
Fig. 90: ESARIS Security Specification Concept (Fig. 34)
Compliance
ESARIS Scope of Control
ESARIS Scope of Control describes a method for selecting the right and relevant information for a customer, an individual service or a specific deal. This starts with selecting the technological elements and the related ICT Security Standards that are associated with the delivered ICT service. Then operations and the division of labor between the ICT Service Provider and the customer are considered, and specifically, services are selected with the related ICT Security Standards. Next, specific responsibilities are checked, which provides additional filters. Finally, parameters such as ownership and contractual details are taken into account. The method of selection works at the level of security measures.
[Figure: the map of ICT Security Standards as in Fig. 88; in the example the following standards are singled out: Security Patch Management; Customer Communication and Security; Systems Acquisition and Contracting; Certification and 3rd Party Assurance; Office Work-place Security; Remote User Access.]
Fig. 91: ESARIS Scope of Control (example, Fig. 64)
Taxonomy of Service Models
In ESARIS, the Taxonomy of Service Models helps to determine the ESARIS Scope of Control. It relates the Service Model to the possession of elements in the ICT stack (provider or user organization). The model also differentiates between the dedicated and shared mode of production and helps to discuss the location of production. The taxonomy considerably helps to characterize an ICT service to the required level of detail.
[Figure: three axes. ICT stack (distribution; top: elements of provider, bottom: elements of user): Application; Server, RTE, DB; Hardware, OS; Data Center Infrastr., Networks. Mode of production: Shared; Dedicated. Location of production: User Premises; Data Center of Provider; Composite of Data Centers. Service Model (typical models with characteristic): Monitoring & Support (support and monitoring by provider); Managed Services (maintenance and reporting by provider); Hosting (customer system in provider’s data center); Infrastructure-as-a-Service (MIPS, storage, bandwidth from provider); Platform-as-a-Service (RTE, e.g. .Net, Java, from provider); Software-as-a-Service (ERP, CRM, SCM, Office etc. from provider); Cloud-Computing (provisioning of IaaS, PaaS, SaaS).]
Fig. 92: Taxonomy of Service Models (Fig. 65)
ESARIS Customer Fulfillment Model
The ESARIS Customer Fulfillment Model describes a method to demonstrate that the customer’s security requirements are met and how. Large enterprises in particular take a comprehensive risk-oriented approach. They have different requirements due to the fact that their business differs. The model describes four steps: requirement collection and analysis, selection of relevant ICT Security Standards and security measures using the ESARIS Scope of Control methodology, selection of those security measures and details which are required to address a requirement, and finally checking completeness.
[Figure: Customer Requirements R1–R5 are addressed by a Set of Controls (contractual) C1–C7, which are covered by the Controls of ESARIS and its ICT Security Standards A–D; result: Requirements are met (Suitability).]
Fig. 93: ESARIS Customer Fulfillment Model (Fig. 66)
ESARIS Compliance Attainment Model
The ESARIS Compliance Attainment Model describes a method to verify if and to what extent an ICT service complies with ESARIS and its ICT Security Standards. It first filters the legacy business and extension of business using legacy practices. Partial compliance is possible here. For other (new) business, the model describes a step-by-step adoption process of ESARIS practices. Here, three activities result in partial or full compliance. First the relevant ICT Security Standards and security measures are selected using the ESARIS Scope of Control methodology. Then it is determined if the ICT service and its parts are part of the standard portfolio. If so, ESARIS practices are valid and used. Finally, the contract may allow and provide for enhancements or downgrades in order to address specific requirements of the customer. It is checked if these result in deviations from ESARIS practices.
[Figure: flow with steps A–H. Existing business (built in the past): voluntary consideration; extension of business using legacy practices: intermediate application; current business using prevalent practices: compulsory treatment. History: case-by-case assessment and match. Determine ESARIS Scope of Control; match with standard portfolio (consistency); portfolio deviation (results in exemption); Contractual up/downgrades? (enhancement or step-out); match with ESARIS controls. Outcomes: not compliant, partly compliant, compliant.]
Fig. 94: ESARIS Compliance Attainment Model (Fig. 67)
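The three methods just described (ESARIS Scope of Control, the Customer Fulfillment Model and the Compliance Attainment Model) operate on the same objects: customer requirements, contractual controls and ESARIS security measures. The Python block below is an added example, not part of the book or of ESARIS itself; it models those objects with constructed data (the identifiers R1–R5, C1–C7 and A–D echo the figures, while the technology tags, the division of labour and the Deal fields are assumptions) and implements the selection, the completeness check and the compliance decision in the order the text gives.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    """One security measure of an ICT Security Standard (Level 4 of the hierarchy)."""
    ident: str            # placeholder ids A..D as in the figures
    standard: str         # name of the ICT Security Standard from the taxonomy
    tech: frozenset       # technological elements the measure applies to (assumed tags)
    operated_by: str      # "provider" or "customer": the division of labour (assumed)


# Constructed catalogue: the standard names are taxonomy entries, everything else
# (ids, technology tags, responsibilities) is invented for the example.
CATALOGUE = (
    Measure("A", "Security Patch Management", frozenset({"os", "application"}), "provider"),
    Measure("B", "Remote User Access", frozenset({"network"}), "provider"),
    Measure("C", "Office Work-place Security", frozenset({"workplace"}), "customer"),
    Measure("D", "Certification and 3rd Party Assurance",
            frozenset({"os", "application", "network"}), "provider"),
)

# Constructed mappings: contractual controls C1..C7 to the measures that realise
# them, and customer requirements R1..R5 to the controls that address them.
CONTROL_TO_MEASURES = {"C1": {"A"}, "C2": {"A", "D"}, "C3": {"B"}, "C4": {"C"},
                       "C5": {"D"}, "C6": set(), "C7": {"B", "D"}}
REQ_TO_CONTROLS = {"R1": {"C1"}, "R2": {"C2", "C5"}, "R3": {"C3"},
                   "R4": {"C4"}, "R5": {"C6"}}


@dataclass(frozen=True)
class Deal:
    """What is known about one service or contract when the scope is determined (assumed fields)."""
    tech_elements: frozenset          # technology actually delivered
    legacy: bool = False              # built in the past or extended with legacy practices
    in_standard_portfolio: bool = True
    contractual_deviations: int = 0   # up/downgrades that step out of ESARIS practices


def scope_of_control(deal, catalogue=CATALOGUE):
    """ESARIS Scope of Control: keep only measures that touch a delivered technology
    element and that the provider (not the customer) is responsible for."""
    return {m.ident: m for m in catalogue
            if m.tech & deal.tech_elements and m.operated_by == "provider"}


def customer_fulfillment(selected, req_to_controls=REQ_TO_CONTROLS,
                         control_to_measures=CONTROL_TO_MEASURES):
    """ESARIS Customer Fulfillment Model: for each requirement, the selected measures
    that address it; the second result is the completeness check (unmet requirements)."""
    evidence, unmet = {}, []
    for req, controls in req_to_controls.items():
        hits = sorted({m for c in controls for m in control_to_measures.get(c, ())
                       if m in selected})
        evidence[req] = hits
        if not hits:
            unmet.append(req)
    return evidence, unmet


def compliance_attainment(deal, selected):
    """ESARIS Compliance Attainment Model, reduced to its decision points."""
    if deal.legacy:
        # Legacy business is assessed case by case; partial compliance is possible.
        return "partly compliant" if selected else "not compliant"
    if not deal.in_standard_portfolio:
        return "partly compliant"   # portfolio deviation results in an exemption
    if deal.contractual_deviations:
        return "partly compliant"   # contractual enhancement or step-out
    return "compliant"


if __name__ == "__main__":
    deal = Deal(tech_elements=frozenset({"os", "network"}))
    selected = scope_of_control(deal)
    evidence, unmet = customer_fulfillment(selected)
    print("in scope:", sorted(selected))
    print("requirement evidence:", evidence, "unmet:", unmet)
    print("ESARIS compliance:", compliance_attainment(deal, selected))
```

Running it with the constructed deal selects measures A, B and D; requirements R4 (addressed only by a measure the customer operates) and R5 (a control with no ESARIS measure behind it) come out as unmet from the completeness check, while the service itself is still ESARIS compliant. Suitability for a customer and compliance with ESARIS are thus two separate results, as the two models above keep them.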
C Literature
Standards
[1] COBIT 5, A Business Framework for the Governance and Management of Enterprise IT; ISACA, 2012
[2] ISO/IEC 27000 – Information technology – Security techniques – Information security management systems – Overview and vocabulary; as of 2009-05-01
[3] ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements; as of 2005-10-15
[4] ISO/IEC 27002 – Information technology – Security techniques – Code of practice for information security management; as of 2008-09
[5] BS ISO/IEC 27005 – Information technology – Security techniques – Information security risk management; as of June 2008
[6] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model; July 2009, Version 3.1
[7] Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance requirements; July 2009, Version 3.1
[8] Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance requirements; July 2009, Version 3.1
[9] BS 25999-1:2006 – Business continuity management – Code of practice; British Standards Institution; and BS 25999-2:2007 – Business continuity management – Specification; British Standards Institution
[10] PCI Standards Council: PCI DSS (PCI Data Security Standard); current version 2.0 as of 10/28/2010
Publications of governmental agencies
[11] Pauline Bowen, Joan Hash and Mark Wilson: Information Security Handbook: A Guide for Managers, Recommendations of the National Institute of Standards and Technology; NIST Special Publication 800-100, October 2006
[12] Kissel, Richard (ed.): Glossary of Key Information Security Terms; National Institute of Standards and Technology, U.S. Department of Commerce, NIST IR 7298, Rev. 1, Feb. 2011
[13] Gary Stoneburner, Alice Goguen, Alexis Feringa: Risk Management Guide for Information Technology Systems; NIST Special Publication 800-30, Gaithersburg, July 2002
[14] Peter Mell, Tiffany Bergeron, David Henning: Creating a Patch and Vulnerability Management Program, Recommendations of the National Institute of Standards and Technology; NIST Special Publication 800-40 Version 2.0, November 2005
[15] Karen Scarfone, Tim Grance and Kelly Masone: Computer Security Incident Handling Guide, Recommendations of the National Institute of Standards and Technology; NIST Special Publication 800-61 Revision 1, March 2008
[16] Richard Kissel, Kevin Stine, Matthew Scholl, Hart Rossman, Jim Fahlsing, and Jessica Gulick: Security Considerations in the System Development Life Cycle; National Institute of Standards and Technology, NIST Special Publication 800-64 Revision 2, October 2008
[17] NIST Special Publication 800-34 Rev. 1: Contingency Planning Guide for Federal Information Systems; National Institute of Standards and Technology, U.S. Department of Commerce, May 2010
[18] European Network and Information Security Agency (ENISA): Cloud Computing – Benefits, risks and recommendations for information security; November 2009
[19] European Network and Information Security Agency (ENISA): Cloud Computing – Information Assurance Framework; November 2009
[20] Federal Office for Information Security (BSI): White Paper Security Recommendations for Cloud Computing Providers (Minimum information security requirements); 2011
[21] Federal Ministry of Economics and Technology (BMWi): The Standardisation Environment for Cloud Computing; An analysis from the European and German point of view, including the ‘Trusted Cloud Technology Programme’; Trusted Cloud initiative, www.trusted-cloud.de, February 2012
Industry associations and initiatives
[22] Information Security Forum (ISF): The 2011 Standard of Good Practice for Information Security; June 2011
[23] Information Security Forum (ISF): Security Architecture, Workshop Report; 2006
[24] Information Security Forum (ISF): Information Security Incident Management, Establishing a Security Incident Management Capability; 2006
[25] Information Security Forum (ISF): Aligning Business Continuity and Information Security; Special Project Report, March 2006
[26] Information Security Forum (ISF): Security Implications of Cloud Computing; July 2009
[27] Information Security Forum (ISF): Securing Cloud Computing: Addressing the seven deadly sins; January 2011
[28] Cloud Security Alliance (CSA): Security Guidance for Critical Areas of Focus in Cloud Computing; Version 3.0, 2011
[29] Cloud Security Alliance (CSA) Trusted Cloud Initiative (TCI): TCI Reference Architecture; Quick guide, 2011
[30] BITKOM: Cloud Computing – Was Entscheider wissen müssen, Ein ganzheitlicher Blick über die Technik hinaus: Positionierung, Vertragsrecht, Datenschutz, Informationssicherheit, Compliance; Leitfaden; 2010
Books
[31] Chrissis, Mary Beth; Mike Konrad and Sandy Shrum: CMMI – Guidelines for Process Integration and Product Improvement; Addison-Wesley, 2003, ISBN 0-321-15496-7
[32] Ahmad K. Shuja: ITIL: Service Management Implementation and Operation; Auerbach Publications, 2010
[33] TOGAF Version 9.1 Enterprise Edition; Van Haren Publishing, 2011
[34] The Open Group Security Forum: Guide to Security Architecture in TOGAF ADM; November 2005
[35] Eberhard von Faber: How Economy and Society affect Enterprise Security Management; in: N. Pohlmann, H. Reimer, W. Schneider (Editors): Securing Electronic Business Processes, Vieweg (2009), ISBN 978-3-8348-0958-2, p. 17–26
[36] Eberhard von Faber and Michael Pauly: User Risk Management Strategies and Models – Adaption for Cloud Computing; in: N. Pohlmann, H. Reimer, W. Schneider (Editors): Securing Electronic Business Processes, Vieweg (2010), ISBN-10: 3834814385, p. 80–90
[37] Michael Howard and Steve Lipner: The Security Development Lifecycle, A Process to Develop Demonstrably More Secure Software; Microsoft Press, 2006, ISBN-10: 0-7356-2214-0
[38] Microsoft Application Guide, Patterns and Practices; Microsoft, 2nd Edition, 2009
[39] A Guide to Building Secure Web Applications and Web Services 2.0; The Open Web Application Security Project (OWASP), Black Hat Edition July 27, 2005
[40] Eberhard von Faber and Michael Pauly: How Cloud Security strongly depends on Process Maturity, Automation and Scale; in: N. Pohlmann, H. Reimer, W. Schneider (Editors): Securing Electronic Business Processes, Vieweg (2011), ISBN-10: 3834819115, p. 23–33
D Abbreviations
ATM Asynchronous Transfer Mode
ASP Application Service Providing/Provider
BCM Business Continuity Management
BGP Border Gateway Protocol
CBI Customer Business Impact
CERT Computer Emergency Response Team
CMDB Configuration Management Data Base
CI Configuration Item
CIA Confidentiality, Integrity, Authenticity
CMO Current Mode of Operation
CMS Configuration Management System
CPE Customer Premises Equipment
DDoS Distributed Denial-of-Service Attack
DMZ Demilitarized Zone
DNL Direct Network Link
DoS Denial-of-Service Attack
EISA Enterprise Information Security Architecture
ESA Enterprise Security Architecture
ESARIS Enterprise Security Architecture for Reliable ICT Services
FMO Future Mode of Operation
GRC Governance, risk and compliance
ISMS Information Security Management System
ICT Information and Communication Technology
IDS Intrusion Detection Systems
IaaS Infrastructure-as-a-Service
IPS Intrusion Prevention Systems
IT Information Technology
LAN Local Area Network
MPLS Multiprotocol Label Switching
PaaS Platform-as-a-Service
RfC Request for Change
OSI Open Systems Interconnection (model)
PE Provider Edge
PoP Point of Presence
SaaS Software-as-a-Service
SDE Service Delivery Element
SDL System Development Life-Cycle
SDM Service Delivery Manager, or Service Delivery Management
SLA Service Level Agreement
SP Service Point
SRC Security, Risk and Compliance
UPS Uninterruptible Power Supply
VPN Virtual Private Network
VLAN Virtual Local Area Network
VM Virtual Machine
VMM Virtual Machine Monitor
WAN Wide Area Network
E Index
— A —
A priori assurance: 30
Access Management: 173
Accountability: 253, 254
Acquisition of ICT etc.: 134, 140
Administration network: 186, 199
Administration of ICT: 178, 184, 186, 198, 199
Applications: 189, 202
Architecture: See ESA, ESARIS
Asset: 253, 254
Asset and configuration management: 143
Asset Management: 144, 149
Assurance: 254, 255, 28, 32, 79, 210
Audit: See Security audit
Audit data, logs, trails: See Security record
Authenticity: 253, 254
Availability: 253, 254, 258
— B —
Bid phases: 63, 117
Business Continuity Management: 262, 147
— C —
Capability: 255
Certification: 254, 210
Change: 257
Change Management: 130, 141, 147
Cloud
    Enterprise: 40
    Private: 40
    Public: 40
Cloud computing: 17, 26, 218
Cluster of ICT Security Standards: 272
CMO: 259, 63, 225
CMO+: 259
COBIT: 13
Common Criteria: 108
    Assurance: 134
Computer systems: 179, 194
Confidence model: 33
Confidentiality: 252, 254, 241
Configuration Item (CI): 257f., 144
Configuration Management: 143, 149
Consumerization: 170
Control: See Security measure
Costs: 26, 44, 185
Critical downtime: 147
Criticality: 258, 124, 126, 140, 143
Current Mode of Operation: 259
Current Mode of Operation plus: 259
Customer Business Impact (CBI): 258
Customer Security Manager: 66, 228
— D —
Data bases: 182, 195
Data center: 163, 200
Data center networks: 178, 192
Data center security: 188
Dependencies: 110
Desktop computer: See Workplace computers
Deviations: 113
Direct Network Link: 155
Disaster recovery: 147
Division of labor: 27, 30, 141
Document IDs: 237
Document library: 236
Dynamic computing: 151, 180
— E —
Economies of scale: 27
EISA: See ESA
Emergency operation: 147
Enablement Framework for ESARIS: 266, 49, 52, 74
Enforcement Framework for ESARIS: 267, 49, 53
Engineering of software images: 198
ENISA: 17
Environmental security: 200
ESA: 255, 43
ESARIS: 256, 44
ESARIS Collaboration Model: 269, 60, 64, 67, 227
ESARIS Compliance Attainment Model: 276, 223
ESARIS Composition Model: 265, 58
ESARIS Concept of Double Direction Standards: 270, 75
ESARIS Customer Fulfillment Model: 275, 221
ESARIS Dimensions: 268, 59
ESARIS Duplex Security Management Concept: 263, 47
ESARIS Governance Model: 264, 48
ESARIS Industrialization Concept: 264, 56, 213
ESARIS Platform: 62
ESARIS Scope of Control: 274, 215, 221
ESARIS Security Specification Concept: 273, 106
ESARIS Security Taxonomy: 271, 82, 87
ESARIS Standardization Philosophy: 262, 46
ESARIS Work Areas: 268, 60
Ethical hacking: See Security testing
Exceptions: 113
— F —
FMO: 259, 63
Forensic analysis: 261, 262
Forensics: 126
Framework for ESARIS: 265, 49, 82
Full-custom: 51, 58
Future Mode of Operation: 259
— G —
GRC: 30, 48, 56
— H —
Hardening, provisioning and maintenance: 145
Hierarchy of Security Standards: 269, 60
Hypervisor: 180, 194
— I —
ICT Security Standards: 74, 77, 82, 87, 94, 106
    Clusters of…: 88, 91
    Groups of…: 88
    Taxonomy of…: 87
ICT Service Provider (key figures): 231
ICT SRC Manager: 65
ICT stack: 219
Identity and Access Management: 161, 186
Identity Management: 161, 172, 198
Incident Management: 121, 125, 132, 143
Industrialization: 27
Information Security Forum (ISF): 17, 20, 22, 54
Information Security Management System (ISMS): 16, 50
Integrity: 252, 254
Intellectual property: 241
Internet: 158, 166
Intrusion Detection: See Intrusion Prevention Systems
Intrusion Prevention Systems: 162
ISACA: 13
ISMS: 256
ISO/IEC 15408: 108
ISO/IEC 27001: 16, 73
ISO/IEC 27002: 19, 73, 82, 85, 221
IT-Grundschutz: 21
ITIL: 15
— L —
LAN: 162
Level of detail or abstraction: 77
Log data: See Logging, See Security record
Log management: 261, 124
Logging: 261, 119, 124
— M —
Managed services: 219
Maturity: 255
Migration: 122, See Transition
Mobile: See Workplace computers
Mobile workplace: 169
Monitoring: 261, 119, 124
MPLS: 162, 165
— N —
Naming convention: 240
Network Attached Storage: 182
NIST: 17, 22, 53
— O —
Objective: See Security objective
Offering manager: 66, 227
Office computer: See Workplace computers
Office workplace: 167
Operations: 63, 117
Operations support: 183, 196
Options
    ICT services: 58
    Security requirements: 57
    Security services: 58
— P —
Patch management: 146
Patches: 260
PDCA: 16, 52
Penetration testing: See Security testing
Physical security: 200
Policies: See Security policies
Portfolio management: 66
Privileged user access: 186, 198
Problem: 260
Problem Management: 130, 143
Procedure: 255
Process: 255
Provisioning of ICT systems: 145
Public network: 158
— R —
Records: See Security record
Release: 258
Release Management: 129, 137
Remote access: 156, 159
Remote User Access: 170
Report: See Security report
Request for Change (RfC): 258
Requirement: See Security requirements
Risk: 253, 260
Risk management: 31, 37, 55, 213
Risks: 109
Rollout: 231
    Missions: 232
    Project organization: 232
    Timeline and phase: 232
— S —
Sales process: 63
Security: 253, 256, 260
Security analysis: 107
Security architects: 64
Security architecture: See ESA, ESARIS
Security audit: 257
Security control: See Security measure
Security Development Life-Cycle: 133
Security environment: 108
Security evaluation: See Security testing
Security events: 261f.
Security experts: 64
Security incident response: 261, 121
Security incidents: 258, 261, 121
Security Manager: 64, 227
Security measure: 254, 257, 260, 108, 111
Security objective: 254, 260, 109
Security patch management: 146
Security policies: 253, 256, 260, 261
Security record: 256
Security report: 257, 120, 125
Security reporting: See Security report
Security requirements: 254, 260, 56
Security target: 254, 108
Security testing: 257, 260
Service continuity: See Business Continuity Management
Service continuity management: 147
Service Delivery Element (SDE): 62
Service Delivery Manager: 66
Service models: 38, 218
Service restriction: 258
SIEM: 124
Smartphone: See Workplace computers
Software Development Life-Cycle: 133
Special Publications (800-series): 53
Standardization: 45
Standards
    ICT services: 58
    Security requirements: 57
    Security services: 58
Storage: 181, 195
Storage Area Network: 182
System Development Life-Cycle: 133, 138
Systems acquisition: 134
— T —
Taxonomy: See ESARIS Security Taxonomy
Taxonomy of Service Models: 275, 218
Threat: 253, 254, 256, 260, 109
TOGAF: 18
Training: 234
Transformation: 259, 63, 117
Transition: 259, 63, 117, 123
— U —
User LAN: 158, 172
— V —
Vendor risks: 37
Virtual Machine: 180, 184, 194, 197
Virtual Machine Monitor: 180
Virtual Private Network: 155
Virtualization: 197
VLAN: 182, 193
VPN: 162
Vulnerability: 253, 260, 261
Vulnerability (general): 260
Vulnerability (technical): 260
Vulnerability assessment: 260, 118, 123
— W —
Wide Area Network: 155, 162, 165
Workplace computers
    Mobile workplace: 158
    Office workplace: 159