Information Security Services
Whilst the Security Services operate within the operational layer of the model, they have an impact on the functional and business layer that cannot be ignored. Security changes and controls will need to be considered by the application developers and the business.
Here are a couple of examples that show the impact at each layer of the framework:
- Identity and Credentials – To improve operational efficiency and security, there may be a project to create a directory service and policy server so that a single user identity can be used for intranet sign-on. For this to work, the application owners will need to update their applications to use the common directory and policy service being provided. It will also require the support of Human Resources, with integration of the starters, leavers and changers process to manage a user identity.
If changes are needed to the applications to support the security service, the service provider needs to consider:
- How buy-in will be sought from the application owners to integrate the standard security services. Where the development of applications is owned by the individual businesses and not the CIO or IT department, business benefit needs to be demonstrated to enable buy-in. The security service may help the IT department increase operational efficiency or reduce risk to the business, but there needs to be a benefit to the overall business direction.
- What other business functions need to be involved. For example, if email is being screened, the Human Resources and Legal departments need to be involved to ensure appropriate legal requirements are being met.

Figure 15: Security Service Layers