“There is a new natural resource, and it is data” – Ginni Rometty, CEO IBM, Lisbon Council 2013
“… it needs common data standards and the free flow of data”
Ginni Rometty, CEO IBM
Lisbon Council 2013
“Organizational communication and data flows are mapped” – NIST Cybersecurity Framework ID.AM-3
“A baseline of network operations and expected data flows for users and systems is established and managed” – NIST Cybersecurity Framework DE.AE-1
Framework for Improving Critical Infrastructure Cybersecurity, U.S. National Institute for Science & Technology, February 12, 2014, Version 1.0
Who is talking about flow - NIST
Payment Card Industry Security Standards Council - 2015
“1.1.3 Current diagram that shows all cardholder data flows across systems and networks.”
OBASHI puts your cardholder data flows in context
Who is talking about flow – PCI SSC
OBASHI is...
... a methodology
... a professional accreditation
... a fully scalable software product
OBASHI Methodology: a framework for mapping and modelling:
• People
• Process
• Technology
Increased context for assets and resources:
• Makes decision making clearer
• Creates the proof for budgetary investment
• Visibility of weaknesses and vulnerabilities
Infrastructure – Routers, Switches, Hubs etc.
Hardware – PCs, Servers etc.
System – Windows 2000, Windows NT, etc.
Application – Excel, Sage or bespoke software
Business Process – Monthly Balance
Owner – Accounts
The OBASHI Framework …
OBASHI - Core principles
1. The understanding of the flow of data is fundamental to an organization’s financial well-being.
2. Business resources (which include human resources) and IT assets are either providers of data, consumers of data, or they provide the conduit through which the data can flow.
3. IT exists for one reason, namely, to enable the flow of data between business assets.
4. Business risk cannot be fully assessed qualitatively or quantitatively unless the cause and effects of interruptions to a flow of data, or changes to any data contained in that flow of data, have been evaluated in the context of the flow of data in question.
5. A data security model cannot be fully assessed unless the cause and effects of interruptions to a flow of data, or changes to any data contained in that flow of data, have been evaluated in the context of the flow of data in question.
Excerpt From: “The OBASHI Methodology.” v1.0. iBooks
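As an added example (not part of the deck, and not the OBASHI product's own code), the six layers above and principles 4 and 5 can be modelled as a small structure: elements sit in a layer, a dataflow is an ordered path through elements, and an impact query shows which owners and business processes are cut off when one element (such as a core switch) stops carrying data. Element names, flows and values are constructed for illustration.

```python
from collections import defaultdict

# The six OBASHI layers, top (business) to bottom (network).
LAYERS = ("Owner", "Business Process", "Application", "System", "Hardware", "Infrastructure")

class BIT:
    """Minimal Business & IT diagram: elements per layer plus named dataflows."""
    def __init__(self):
        self.layer = {}   # element name -> layer
        self.flows = {}   # flow name -> ordered list of elements the data passes through
        self.attrs = {}   # flow name -> cost/value/risk attributes

    def add(self, name, layer):
        if layer not in LAYERS:
            raise ValueError(f"unknown OBASHI layer: {layer}")
        self.layer[name] = layer

    def add_flow(self, name, path, **attrs):
        missing = [e for e in path if e not in self.layer]
        if missing:  # a flow may only touch elements already on the diagram
            raise KeyError(f"flow {name} references unknown elements: {missing}")
        self.flows[name] = list(path)
        self.attrs[name] = dict(attrs)

    def flows_through(self, element):
        """Every dataflow that depends on `element` (principle 2: it is a conduit)."""
        return sorted(f for f, path in self.flows.items() if element in path)

    def impact(self, element):
        """Owners and business processes affected if `element` is interrupted (principle 4)."""
        hit = defaultdict(set)
        for f in self.flows_through(element):
            for e in self.flows[f]:
                if self.layer[e] in ("Owner", "Business Process"):
                    hit[self.layer[e]].add(e)
        return {k: sorted(v) for k, v in hit.items()}

    def value_at_risk(self, element):
        """Sum of the value attribute of every flow that crosses `element`."""
        return sum(self.attrs[f].get("value", 0) for f in self.flows_through(element))

def sample_bit():
    """Constructed diagram: two business flows sharing one core switch."""
    b = BIT()
    for name, layer in [("Accounts", "Owner"), ("Monthly Balance", "Business Process"),
                        ("Sage", "Application"), ("Windows NT", "System"),
                        ("ACC-SRV-01", "Hardware"), ("SW-CORE-1", "Infrastructure"),
                        ("Card Payments", "Owner"), ("Card Settlement", "Business Process"),
                        ("PaymentApp", "Application"), ("Linux", "System"), ("PAY-SRV-01", "Hardware")]:
        b.add(name, layer)
    b.add_flow("balance-run", ["Accounts", "Monthly Balance", "Sage", "Windows NT", "ACC-SRV-01", "SW-CORE-1"], value=50)
    b.add_flow("card-settle", ["Card Payments", "Card Settlement", "PaymentApp", "Linux", "PAY-SRV-01", "SW-CORE-1"], value=200)
    return b
```

Querying `impact("SW-CORE-1")` on the sample shows both owners and both processes depending on the shared switch, while `impact("PAY-SRV-01")` isolates the card flow alone.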
Published by The Stationery Office
Specialising in publishing official and regulatory information, The Stationery Office is the Government’s printer.
All Government Best Management Practice is published by TSO.
Understanding Dataflow is becoming mainstream
Major international bodies now recognise that understanding how an organisation’s data flows is a fundamental requirement:
• NIST ( ID.AM-3 & DE.AE-1)
• PCI DSS v3 ( requirement 1.1.3)
• Basel 3 (creation of dataflow charts is a 'supervisory expectation')
• CDCAT - Cyber Defence Capability Assessment Tool, UK MoD / DSTL / Ploughshare Innovations Ltd. (APMG)
• European Commission: EU-US data flow discussions separate from TTIP negotiations http://ow.ly/KI10c (Law, Insurance, Politics, Human Rights, Security/Defence)
• UCAS
We believe this is just the start and more will follow....
Certified Information Security Manager (CISM)
• ISACA revised course work documentation now includes OBASHI
• OBASHI officially recognised as an alternative to other Architecture Frameworks
• Understanding how your business architecture is connected is fundamental
“As I create the support documentation I constantly refer back to the updated B&IT as the single reference document to allow me to create the simplistic support diagrams. Without the B&IT this task
would involve network diagrams, spreadsheets and word documents, all of which have their place – but the B&IT provides a
multi-dimensional view of the estate that is far simpler and quicker to navigate on a single diagram.”
“From my point of view, the B&IT diagram that was done before I arrived allowed me to easily see the relationships with business processes and the systems, hardware and infrastructure in use. This context is critical when it comes to the security aspect of
software revision level and network segmentation. I have created simple traditional network diagrams to include in some of the
support documentation, but these are purely functional diagrams and lack the subtleties of layering that the OBASHI B&IT provides.”
– Alan Goodall, Project Manager, Flight Centre (UK)
– Alan Goodall, Senior Project Manager, Flight Centre (UK)
“The defining of the data flows really showed how poor our understanding of our own system was. Box A talks to Box B and writes to Box C is easy
to draw on a diagram, but it is tricky to include each component, down to switch level, and how this flow interacts with multiple other
components.
In terms of PCI DSS compliance this is extremely important for identifying security considerations – such as data at rest, or vulnerable processing
servers, or other unrelated services that might interact unintentionally – and this then provides the information required to
know whether patching, segregation, or whatever is required. In short – the DAVs make processes explicit and communicable in a way that
removes doubt and speculation.”
With OBASHI you create a simple visual map, a holistic view, which shows:
• how your business works
• the assets and resources that make it work
• the inter-dependencies between your people, processes and technology
Uniquely, with OBASHI you can model the flows of data that make up your business, applying cost/value and risk attributes.
With OBASHI you create clarity, enabling IT and business people
to have a shared vision and a clear understanding of how the business works, and how data
flows around it.
With OBASHI, better, more-informed, decisions can be made
about cyber security, risk, investment and other key
business drivers.
Professional Accreditation
Accreditation, certification and qualifications are growing in importance
globally, as more organisations and individuals seek to demonstrate their
capability and competence.
Through a global network of Training Organisations, APMG act as international accreditors for The OBASHI Methodology.