original rationale for the existence of a solution may have been lost (institutional memory can and does fail), and the consequences of removing a solution from operations are difficult to predict. In some circumstances, the only recourse is to remove the operation from production and wait to see who complains. However, there is never 100 percent certainty that someone actually does need the service, but does not know whom to contact to ask for it back. Moreover, failure to recognize the end of an operation's useful life means that the organization pays overhead to keep services running that may be vastly underutilized and have a negative operating ROI.
A formal enterprise architecture provides alignment from business drivers through to operations and maintenance. Such a formal alignment permits evaluation of the implications of removing a business service. Moreover, such a formal alignment provides the ability to identify business objectives that no longer exist. If the business objective is no more, then the business services that fulfill that business objective are no longer necessary either.
12.12 Security Framework
A security framework consists of the following nine IA core principles:

• Confidentiality—nondisclosure
• Integrity—accuracy
• Availability—usable on demand
• Possession—owner/custodian maintains custody
• Authenticity—conforms to reality
• Utility—accessible for use
• Privacy—individual rights
• Nonrepudiation—nondeniability
• Authorized use—appropriate access to services
Table 12.2 presents business risk motivations for the security framework. More details on these core security principles are in chapter 2. This security framework is based on the traditional CIA triad—confidentiality, integrity, and availability—as well as on the Parker model, which adds possession, authenticity, and utility. The IA core principles add privacy, nonrepudiation, and authorized use because the risks they mitigate are not adequately covered by the other six. Personal privacy and civil liberties are of great concern to commercial organizations as well as to government and the citizenry. Balancing personal privacy and civil liberties with the security and safety of citizens is an ongoing and difficult challenge.
Nonrepudiation means that a person or system cannot deny having performed an action or made a request. Online activities include commercial purchases, offers and acceptance (contracts), banking transactions, commercial