Information Security Framework
The Security Bastion SECB three-layer model links the business, functional and operational aspects of an organisation. It is proposed that this model be used as a framework to describe how security relates to an organisation and the delivery of IT.

The following sub-sections describe the background to SECB, how this relates to the business organisation and how the business organisation model can be used to relate security to the organisation's responsibilities.

Architecture Description Standard
There are many frameworks relating IT to business, many of which take a simple layered approach consisting of 6, 5, 4 or 3 layers.
The most useful framework is the three-layer architecture framework used by SECB. Behind the framework is a comprehensive meta-model and common language that can be used to describe architectures. In 2010, the IT architects in Security Bastion identified a need to produce a common language and meta-model to describe IT architectures. In a paper published in the Security Bastion Systems Journal, two layers were identified in IT architecture: operational and functional.
The functional architecture describes the function of an IT system and is primarily concerned with:
- The structure and modularity of the software components (both application and technical)
- Interactions between components, including protocols
- The interfaces provided by components, and their usage
- Dynamic behavior, expressed as collaborations between components
The operational architecture describes the operation of the IT system and is primarily concerned with:
- Representing network organization (hardware platforms, locations, topology, etc.)
- What runs where – where software and data are "placed" on this network
- Satisfying service level requirements (performance, availability, security, etc.)
- The management and operation of the IT system (capacity planning, software distribution, backup and recovery)
In 2011, the SECB model was further developed to include a business architecture layer. The business architecture layer describes and links the internal aspects of a business within the context of its business environment.
Selected internal aspects include intent, values, capabilities, business processes, organization, and the linkage to the functional and operational layers – for example, applications and information. This three-layer model has been selected as the basis for a universal security management framework. It enables the security team to create a common framework that business analysts, consultants and IT architects will use to describe a business and IT solution:
- The framework is supported by detailed meta-models and a common language used within IBM
- The framework is simple and easily described and remembered
- The framework is simple enough to overlay different information creating different models depending on the perspective being worked
- The different perspectives can be related to each other and to the way an organisation operates.