Business Products and Services | Information Security Risk Management
Each of the business divisions then implements the group strategies and policies. They define the business products and services to be delivered to meet the guidance received from the group. The business products and services are delivered to customers, using information assets and business processes, through different delivery channels. The types of products and services determine the value of the business transactions, and the delivery channels determine the threats to which the organization is exposed.
Working with the business divisions to identify the security risks to, and impacts on, their products and services should happen at an early stage in their development.
The security of the products and services can have a significant cost and needs to be assessed as early as possible in the development. In organizations that adopt a more distributed approach to decision-making, the level of investment in security related to each product and service will vary. It is important then that these separate levels of risk appetite do not impact other areas. A decision to make a minimal investment in a product or service, to "try the market out", should be defined to ensure it does not impact other products and services and their established risk levels. Controls may have to be put in place to enable the group to override investment in security, to ensure the whole group is protected and not just the individual division.
Applications
The business products and services are supported by various service delivery capabilities. These can include business processes supported by IT applications and systems. These may be unique or shared. They may be proprietary or off-the-shelf. The balance often relates to the competitive advantage these unique capabilities bring to the business and will have an impact on the security being provided.
Security Services
The security services support the operation of the business applications through provision of a common infrastructure framework. The services are delivered through technology, processes and people. The degree of sharing will relate to the organisational structure being operated. The five groups of services used have been derived from the Method for Architecting Secure Solutions:
- Flow Control Service – provides security controls to restrict the flow of data according to the way in which the data is transported and the content of the data.
- Identity and Credentials Service – provides security controls for the generation, distribution and management of an identity and the associated credentials, which convey the rights, or permissions of that identity.
- Access Control Service – provides security controls for access to data, and execution of processes and services according to the identity and credentials of the subject.
- Logging and Monitoring Service – provides security controls for the collection, storage, analysis and alerting of security and regulatory events, both in real time and historically.
- Integrity Service – provides the security controls to support the reliable and correct operation of an IT solution.
The main section on Security Services later describes the common service elements normally found in IT solutions.
IT Components
Infrastructure Managed IT Elements – the Managed IT Elements that need to be secured. This would map to the content in the security standards required for each appendix.
Business and IT Operational Process View

Figure 7: Business and IT Operational Process View