The Open Group Conference - Amsterdam 2010


Track: Security Architecture

Host: Jim Hietala, VP Security, The Open Group

Monday, October 18 — 2:00 - 5:30

2:00 - 2:45
Using ISM3 to Gain Management Acceptance for the Security Business
Lars Minth, Chief Architect, Armed Forces Command Support Organisation, Swiss Army

Information Security Management Systems suffer from a severe lack of management attention, since they merely organize activities which, at their best, are invisible and transparent to the business. However, there is a shift in thinking, since the diverse attempts to provide silo-based secure transport services and information exchange have become too expensive and too insecure to continue. The "not-invented-here" syndrome is quite popular and "Security as a Service" is still far away.

So what's the solution? A proven, traditional and not-to-be-ignored approach for the Office of Security is to comply with ISO 27k and ISO 31000, but since meeting business requirements is as important as achieving Confidentiality, Integrity and Availability, we need another view of security to gain management attention and support. We will look through the eyes of several stakeholders to understand the business requirements concerning security. From this we will see what it takes to position and sell security management.

ISM3 is not a new invention but a straightforward and currently unique approach that builds on existing security frameworks in order to make security understandable for the rest of the (business) world. In the search to establish a Security Service Management that is highly integrated into the Armed Forces Command Support Organisation's transformation into an ITILv3-compliant ICT Service Provider, the Information Security Management Maturity Model (ISM3) could be the framework of choice. The content is based on the work developed by the ISM3 Consortium and The Open Group Security Forum and will attempt to integrate this approach into business areas that need to manage High Secure Environments.

Audience:
Chief Security Officers, Enterprise Architects, Security Architects, ISMS Managers

Key takeaways:

  1. as a Security Expert - start to think business-oriented; as a Business Expert - start to understand security
  2. gain impressions of the practical use of ISM3
  3. test/prove yourself that this approach helps to ease your work

Lars Minth, Chief Architect, Armed Forces Command Support Organisation, Swiss Army
Lars Minth holds a Master in Information Security and Computer Science, a postgraduate Master in Business Administration and a graduate degree in Economics. Lars is a Senior Subject Matter Expert in Enterprise Architecture Management and Security (Service) Management.

Lars holds the Chief Architect position with the Armed Forces Command Support Organisation of the Swiss Army. His latest research interests include "ISM3 as a supplementary framework to reach compliance with ISO 27k, ISO 31000, EFQM and ITILv3 in the context of Network Enabled Operations" as well as "Content Based Security in Information Exchange Gateways".


2:45 - 3:30
How GRC helps improve Information Security Management

Jacques Buith, Managing Partner, Enterprise Risk Services, Deloitte

Deloitte closely monitors developments in the information security space, among other means through its annual security surveys. The survey results indicate that organizations increasingly recognize information security as a strategic business asset instead of an information technology issue. The results show a tendency for information security and (IT) risk management to converge. However, organizations still face challenges with topics such as information security governance, business involvement and measurement of information security effectiveness. In the second part, Jacques will touch upon some recent developments in GRC tooling and experiences with GRC implementations. These experiences will be used to describe how GRC can support an Information Security Management process.

Audience:
Information Security Officers, Compliance managers, Risk managers, ISMS managers, IT managers

Jacques Buith, Managing Partner, Enterprise Risk Services, Deloitte
Jacques has recently been appointed as the Managing Partner of Enterprise Risk Services of the Dutch firm.

He has more than 19 years' experience in risk management and IT auditing within Deloitte, with specific expertise in advising on and auditing SAP and other ERP systems.

He is experienced in working in highly complex organizations with equally complex IT system landscapes that combine SAP with home-grown applications.

In addition, he has wide experience in advisory and assessment roles in the field of Information & Communication Technology, Enterprise Resource Planning systems and financial & operational auditing.

University of Amsterdam, Information Systems Auditing
PostDoc EDP Auditor (RE)
Certified Information Systems Auditor (CISA)
Certified Information Systems Security professional (CISSP)

3:30 - 4:00
BREAK

4:00 - 4:45
Security Architecture Integration into a TOGAF™ Based EA
Robert Weisman, CEO, Build the Vision Inc., Canada

Enterprise Architecture needs an integrated and comprehensive security architecture (including privacy, confidentiality and protection) to be effectively implemented. Corporations and governments are entrusted with information and related technology and have to ensure that it is shared in a responsible and legal manner; Boundaryless Information Flow is only realizable with a well-thought-out enterprise architecture that engenders trust. Security Architecture is not easily conceived of as a stand-alone architecture phase; rather, it is pervasive throughout the Architecture Development Method (ADM). This presentation illustrates how Security Architecture (including Privacy, Confidentiality and Protection) can be integrated into a TOGAF-based EA development cycle, based upon actual case studies in government.

Robert Weisman, CEO, Build the Vision Inc., Canada
Robert Weisman, MSc, PEng, PMP, CD, has a Masters in Computer Science (Decision Support) and has specialized in Business Strategic Planning and Enterprise Architecture. Over the past 30 years he has worked in Plans, Operations and IM/IT Strategic Direction in National Defence as well as in Government Service Delivery, Revenue Collection and National Health in Canada, the US and Australia. In all of these innovative endeavours there was extensive information sharing between different departments, levels of government, industry and nations, based on strong trust relationships formalized in the security architectures integral to the respective enterprise architectures.

4:45 - 5:30
TOGAF™ and SABSA - Frameworks to Develop Security Architectures
John Sherwood, SABSA Institute (Sherwood Applied Business Security Architecture)

A new joint working group has been formed between The Open Group and the SABSA Institute to explore synergies between TOGAF™ and SABSA. The working group will deliver a white paper to guide implementers of both frameworks on how to use them together to develop better security architectures. This conference session will provide an overview of the work planned by this working group, progress to date, and opportunities for involvement by other interested parties.

Speakers:

  • Pascal de Koenig, Getronics
  • John Sherwood, SABSA Institute
  • Dave Hornford, The Open Group Architecture Forum Chair

John Sherwood, SABSA Institute (Sherwood Applied Business Security Architecture)