
Using the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security

Book Description

Security is a major consideration in the way that business and information technology systems are designed, built, operated, and managed. The need to integrate security into those systems, and into the discussions with business functions and operations, is greater than ever.

This IBM® Redbooks® publication explores the concerns that characterize the security requirements of, and the threats to, business and information technology (IT) systems. It identifies many business drivers that illustrate these concerns, including managing risk and cost, and compliance with business policies and external regulations. It then shows how these drivers can be translated into capabilities and security needs that can be represented in frameworks, such as the IBM Security Blueprint, to better enable enterprise security.

To help organizations with their security challenges, IBM created a bridge across the communication gap between the business and technical perspectives of security, so that both thought and process can be simplified. The IBM Security Framework helps you express the business view, and the IBM Security Blueprint describes the technology landscape view. Together, they draw on the experience that IBM gained from working with many clients to build a comprehensive view of security capabilities and needs.

This book is intended to be a valuable resource for business leaders, security officers, and consultants who want to understand and implement enterprise security by considering a set of core security capabilities and services.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Foreword
    1. Preface
      1. The team who wrote this book
      2. Now you can become a published author, too!
      3. Comments welcome
      4. Stay connected to IBM Redbooks
  4. Summary of changes
    1. April 2013 (previous editions published in Redpaper format)
  5. Chapter 1. Introducing the IBM Security Framework and IBM Security Blueprint
    1. 1.1 Business context for IT security
    2. 1.2 Drivers that influence security
      1. 1.2.1 Business drivers that influence security
      2. 1.2.2 IT drivers that influence security
    3. 1.3 Common industry approaches to IT security management
    4. 1.4 IBM Security Framework
      1. 1.4.1 Advanced Security and Threat Research
      2. 1.4.2 People
      3. 1.4.3 Data
      4. 1.4.4 Applications
      5. 1.4.5 Infrastructure
      6. 1.4.6 Security Intelligence and Analytics
      7. 1.4.7 Security maturity model
    5. 1.5 IBM Security Blueprint
      1. 1.5.1 Foundational Security Management
      2. 1.5.2 Security Services and Infrastructure
      3. 1.5.3 Architectural principles
  6. Chapter 2. The components of the IBM Security Blueprint
    1. 2.1 Foundational Security Management
    2. 2.2 Subcomponents
      1. 2.2.1 Command and Control Management
      2. 2.2.2 Security Policy Management
      3. 2.2.3 Risk and Compliance Assessment
      4. 2.2.4 Identity, Access, and Entitlement Management
      5. 2.2.5 Data and Information Protection Management
      6. 2.2.6 Software, System, and Service Assurance
      7. 2.2.7 Threat and Vulnerability Management
      8. 2.2.8 IT Service Management
      9. 2.2.9 Physical Asset Management
    3. 2.3 Conclusion
  7. Chapter 3. IT security frameworks and standards
    1. 3.1 Industry information security and privacy standards profile model
    2. 3.2 TOGAF
      1. 3.2.1 What is architecture in the context of TOGAF
      2. 3.2.2 Architecture types that are supported by TOGAF
      3. 3.2.3 Industry guidance and techniques
      4. 3.2.4 IBM Security Blueprint mapping
    3. 3.3 IBM Unified Method Framework
      1. 3.3.1 Industry guidance and techniques
      2. 3.3.2 IBM Security Blueprint mapping
    4. 3.4 Sherwood Applied Business Security Architecture
      1. 3.4.1 Common strategy and terminology
      2. 3.4.2 Industry guidance and techniques
      3. 3.4.3 IBM Security Blueprint mapping
    5. 3.5 Control Objectives for Information and Related Technology
      1. 3.5.1 COBIT 4.1
      2. 3.5.2 COBIT 5
      3. 3.5.3 Maturity model and assessment using COBIT
      4. 3.5.4 IBM capability mapping
    6. 3.6 ISO/IEC 27002:2005
      1. 3.6.1 IBM Security Blueprint mapping
    7. 3.7 Payment Card Industry Data Security Standard
      1. 3.7.1 IBM Security Blueprint mapping
    8. 3.8 Sarbanes-Oxley Act
      1. 3.8.1 Common strategy and terminology
      2. 3.8.2 Industry guidance and techniques
      3. 3.8.3 IBM capability mapping
    9. 3.9 Health Insurance Portability and Accountability Act
      1. 3.9.1 Common strategy and terminology
      2. 3.9.2 Industry guidance and techniques
      3. 3.9.3 IBM capability mapping
    10. 3.10 Conclusion
  8. Chapter 4. Using O-ESA to develop an enterprise security architecture
    1. 4.1 Introduction to O-ESA
    2. 4.2 Alignment of the IBM Security Blueprint and O-ESA
    3. 4.3 O-ESA based approach to develop an enterprise security architecture
      1. 4.3.1 Introduction
      2. 4.3.2 Governance
      3. 4.3.3 Architecture
      4. 4.3.4 Operations
    4. 4.4 Conclusion
  9. Chapter 5. Business scenario for the Mobile Device Security solution pattern
    1. 5.1 Company overview
    2. 5.2 Business vision
    3. 5.3 Business requirements
      1. 5.3.1 IBM Security Framework mapping to business requirements
    4. 5.4 Security requirements
      1. 5.4.1 IBM Security Blueprint mapping to security requirements
    5. 5.5 Security architecture
      1. 5.5.1 Gathering requirements
      2. 5.5.2 Defining strategy, planning, and policies from the requirements (program management and governance)
      3. 5.5.3 Defining security domains (logical architecture)
      4. 5.5.4 Defining security services placement in the security domains
      5. 5.5.5 Defining a component model for the security services (logical architecture)
      6. 5.5.6 Use case
      7. 5.5.7 Operational model
      8. 5.5.8 Defining security operations for the concerned security services
    6. 5.6 Conclusion
  10. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. Help from IBM
  11. Back cover