Published by Berniece Blankenship. Modified over 9 years ago.
1
“There is a new natural resource, and it is Data” – Ginni Rometty, CEO IBM, Lisbon Council 2013
2
“… it needs common data standards and the free flow of data” – Ginni Rometty, CEO IBM, Lisbon Council 2013
3
Every natural resource has a process for managing and governing its flow. OBASHI does this for data.
4
Who is talking about flow - NIST
“Organizational communication and data flows are mapped” NIST Cybersecurity Framework ID.AM-3
“A baseline of network operations and expected data flows for users and systems is established and managed” NIST Cybersecurity Framework DE.AE-1
Framework for Improving Critical Infrastructure Cybersecurity, U.S. National Institute for Science & Technology, February 12, 2014, Version 1.0
5
Who is talking about flow – PCI SSC
Payment Card Industry Security Standards Council - 2015
“1.1.3 Current diagram that shows all cardholder data flows across systems and networks.”
OBASHI puts your card holder data-flows in context
6
IBM has started talking about flow
7
What is OBASHI? A whistle stop overview
8
OBASHI is...
- a methodology
- a professional accreditation
- a fully scalable software product
9
OBASHI Methodology
A framework for mapping and modelling:
- People
- Process
- Technology
Increased context for assets and resources:
- Makes decision making clearer
- Creates the proof for budgetary investment
- Visibility of weaknesses and vulnerabilities
10
The OBASHI Framework …
Infrastructure – Routers, Switches, Hubs etc.
Hardware – PC, Servers etc.
System – Windows 2000, Windows NT, etc.
Application – Excel, Sage or bespoke software
Business Process – Monthly Balance
Owner – Accounts
11
…generates B&IT Diagrams
12
Dataflow Analysis View
13
OBASHI - Core principles
1. The understanding of the flow of data is fundamental to an organization’s financial well-being.
2. Business resources (which include human resources) and IT assets are either providers of data, consumers of data, or they provide the conduit through which the data can flow.
3. IT exists for one reason, namely, to enable the flow of data between business assets.
4. Business risk cannot be fully assessed qualitatively or quantitatively unless the cause and effects of interruptions to a flow of data, or changes to any data contained in that flow of data, have been evaluated in the context of the flow of data in question.
5. A data security model cannot be fully assessed unless the cause and effects of interruptions to a flow of data, or changes to any data contained in that flow of data, have been evaluated in the context of the flow of data in question.
Excerpt From: “The OBASHI Methodology.” v1.0. iBooks
15
Published by The Stationery Office
Specialising in publishing official and regulatory information
The Stationery Office is the Government’s printers. All Government Best Management Practice is published by TSO.
16
A little background
17
Understanding Dataflow is becoming mainstream
Major international bodies now recognise that understanding how an organisation's data flows is a fundamental requirement:
- NIST (ID.AM-3 & DE.AE-1)
- PCI DSS v3 (requirement 1.1.3)
- Basel 3 (Creation of Dataflow charts is a 'supervisory expectation')
- CDCAT - Cyber Defence Capability Assessment Tool, UK MoD / DSTL / Ploughshare Innovations Ltd. (APMG)
- European Commission: EU-US data flow discussions separate from TTIP negotiations http://ow.ly/KI10c (Law, Insurance, Politics, Human Rights, Security/Defence)
- UCAS
We believe this is just the start and more will follow....
18
Certified Information Security Manager (CISM)
ISACA revised course work documentation now includes OBASHI
OBASHI officially recognised as an alternative to other Architecture Frameworks
Understanding how your business architecture is connected is fundamental
19
“As I create the support documentation I constantly refer back to the updated B&IT as the single reference document to allow me to create the simplistic support diagrams. Without the B&IT this task would involve network diagrams, spreadsheets and word documents, all of which have their place – but the B&IT provides a multi-dimensional view of the estate that is far simpler and quicker to navigate on a single diagram.”
“From my point of view, the B&IT diagram that was done before I arrived allowed me to easily see the relationships with business processes and the systems, hardware and infrastructure in use. This context is critical when it comes to the security aspect of software revision level and network segmentation. I have created simple traditional network diagrams to include in some of the support documentation, but these are purely functional diagrams and lack the subtleties of layering that the OBASHI B&IT provides.”
– Alan Goodall, Project Manager, Flight Centre (UK)
20
“The defining of the data flows really showed how poor our understanding of our own system was. Box A talks to Box B and writes to Box C is easy to draw on a diagram, but it is tricky to include each component, down to switch level, and how this flow interacts with multiple other components. In terms of PCIDSS compliance this is extremely important for identifying security considerations – such as data at rest, or vulnerable processing servers, or other unrelated services that might interact unintentionally – and this then provides the information required to know whether patching, segregation, or whatever is required. In short – the DAVs make processes explicit and communicable in a way that removes doubt and speculation.”
– Alan Goodall, Senior Project Manager, Flight Centre (UK)
21
Where OBASHI is used...
22
Key Messages
23
OBASHI puts business policies in context and is the practical method for implementing them.
24
With OBASHI you create a simple visual map, a holistic view, which shows:
- how your business works
- the assets and resources that make it work
- the inter-dependencies between your people, processes and technology
25
Uniquely, with OBASHI you can model the flows of data that make up your business, applying cost/value and risk attributes.
26
With OBASHI you create clarity, enabling IT and business people to have a shared vision and a clear understanding of how the business works, and how data flows around it.
27
With OBASHI, better, more-informed, decisions can be made about cyber security, risk, investment and other key business drivers.
28
Professional Accreditation
Accreditation, certification and qualifications are growing in importance globally, as more organisations and individuals seek to demonstrate their capability and competence.
Through a global network of Training Organisations, APMG act as international accreditors for The OBASHI Methodology.
29
www.obashi.co.uk