Goals and Conditions
ESARISThere are also several vendor-neutral publications e.g. on the subject of this paper. They all use the term ESARIS, which stands for Enterprise Security Architecture for Reliable ICT Services. Consequently, the term ESARIS is applied here. is a vendor-independent enterprise security architecture built as a sole reference for securing IT services. It is designed to support the discussion, negotiation and contractual agreement on information security in complex businesses. In this way, it takes into account, and thereby supports, the division of labor in today’s IT industry. Larger IT service providers are organized in highly specialized departments or teams, each contributing to the companies’ final products in a specific way. Today’s division of labor goes beyond any company’s boundary. Hence, the architecture focuses on relations between suppliers and their customers in general and helps to manage information security in all contexts. To this end, it is designed in a hierarchical and modular manner.
ESARIS covers different levels in a Hierarchy of Security Standards in which general specifications are refined step by step to form concrete instructions on implementing individual security functions and mechanisms. The hierarchy comprises:
- guiding principles in the upper level(s),
- the ESARIS Orchestration Layer in the central level,
- implementation facts in the lower level(s).
This is shown on the left hand side of Figure 1. The names are not as important as the structure. Organizations can implement the hierarchy differently. However, the central level must exist and be structured as described in this paper. Then, there can be one or more levels above with the “guiding principles”, and at least one level has to exist below that describes how the security measures defined in the central level are actually implemented.
Guiding principles comprise corporate policies containing management direction and expressing commitment and willingness to support. They set out security objectives on a top corporate level. Corporate rules provide more detail and guidance. Areas are identified and general directives are provided. The guiding principles also comprise general policies, rules to develop these compliance declarations, as well as general objectives and strategies to achieve an acceptable level of security.
The ESARIS Orchestration Layer in the central level is of central importance. It contains the IT Security Standards, which are statements about information security used for overall steering and managing supply-chain and contractual relationships.
The lower level(s) comprise all materials that guide teams and individuals in their day-to-day activities. Examples of these materials are work instructions, technical concepts, configuration lists, checklists, procedures, and the like, but also technical design and detailed process descriptions and related manuals.
The gradual refinement of security requirements is crucial and represents the first critical success factorThis document provides ten “critical success factors” in total. Each of them represents a characteristic that is so essential that, if taken away, would cause risk to the overall achievements. Synonymously used for “critical success factors” throughout this document are “critical design factors”, or “critical design criteria”.. Each level is characterized by its scope and by the level of detail (or abstraction) of the security standards contained therein. The upper level(s) ensure integration of information security into the corporate governance and management framework of a (large) company. They also articulate policies, rules and other principles specifically relating to the security of the organization’s IT services/products. (This will be explained in detail later.)
Modularity is the second critical success factor. Modularity is required since the division of labor in the IT industry shall be taken into account and supported (refer to above). The division of labor varies and is different for various businesses and depends on the parties involved. The central level, and at least the one below in the Hierarchy of Security Standards, are organized along the so-called ESARIS Security Taxonomy. It is introduced in order to organize possibly hundreds of security measures (central level) in a way that they can easily be assigned to a supplier. The term “supplier” refers to a department or team in a larger corporation and to a company acting as a supplier in a supplier network. In order to allow the security measures (central level) to be systematically refined step-by-step, at least the next level below (lower level) shall be organized in alignment with the ESARIS Security Taxonomy.
But how shall this organization / Taxonomy look? There are general criteria which build the third critical success factors.
- Each area shall represent a typical service or component (deliverable for the next in the supply chain) or a collection thereof that suit each other. The separation shall reflect technical aspects of IT (“stack” and architecture) as well as the organization of the IT service management services (in development, integration and operations; that is, ITIL in case of this Taxonomy).
- The number of areas shall be limited to fit one page and should be understandable to IT personnel, not only to educated security experts.
- Each area has to be detailed by a specific security standard denoted as IT Security Standards (central level). Other criteria need to be defined to characterize their content and structure (see below).
The ESARIS Security Taxonomy shall be used as a means to manage information security in a supplier-customer relationship, i.e., between parties in a supplier network and even between different specialized organizations of a large organization. This means that the ESARIS Security Taxonomy and the related IT Security Standards:
- are defined as requirements, documents or as directions for the supplying party,
- are the basis for defining the sales promise and the security specification for the customer (consuming party: next party in the supply chain after the supplying party just mentioned) and
- require standardizing the language and structure of security specifications.
The above-mentioned parameters form the fourth critical success factorA supplier/provider uses the same text both for interacting with the consuming party and as directions for securing its own deliverables. This is called the ESARIS Concept of Double Direction Standards.. The security standards (more specifically the IT Security Standards (central level)) are used to manage the exchange of services/products in a supplier network.
The criteria for structure and content of each area (and its related security standard) build the fifth critical success factor. The IT Security Standards (central level; each one or all of them as a whole, respectively) shall:
- respond to customers’ questions and concerns and provide clear and understandable answers,
- provide directions/guidance to the supplying party (company or department) for the implementation of security controls
- in a way that is concrete enough to avoid errors,
- but flexible enough to allow for technical progress and improvements, also regarding security,
- allow the implementation and maintenance in accordance with the supplying company’s internal organization, processes and practices (such as the organization into different specialized production departments),
- be suitable for any IT service designed for being delivered to a user organization (end of the supply chain) and thereby align with the service portfolio offering of a company supplying such a market,
- be comprehensive and complete as a set on security in IT service delivery.