OpenSecurityArchitecture.org

[Tobias]

History:

Revised the layout of the visual pattern part today 2008-Sept-30

08_09_29_Pattern_010_Identity_Management.zip

(62.57 KiB) Downloaded 106 times

[phaedrus]

This seems a good drawing. Should be there agreement or contract for the business partner?
How do HR and CRM get changed? Is there controls here?

[Tobias]

You are spot on:
a) here are several different ways how the business partner can provide updates for the identities in his "trust domain", they would require different type of agreements.... changed the drawing accordingly (NIST does not cover that, hence I used our "custom control annotations"). Should we be even more specific here?

b) also regarding your comment for the provisioning through HR and CRM there are (IMHO) no good control in NIST 800-53, hence I just added a generic reference.

I also changed the annotation style to the one that is given in the new template style.

New version is attached as svg in zip file.

Waiting for more comments and then post next week as draft into the main site.

Cheers
Tobias

[spinoza]

I've updated the pattern slightly to clean up the svg and set all fonts to Arial per the latest template. I also renamed in line with convention.
Which Inkscape version do you use to create patterns (windows or linux)? The svg is refusing to import the icons with the proper highlights, and I've noticed this before. I think there might be a bug when moving files created between the windows and linux.

I think the pattern is good to go for this release. We can always revisit next year and improve some more if needed.

08_02_Pattern_010_31_Identity_Management.svg.zip

(69.83 KiB) Downloaded 77 times

[Tobias]

Thanks for the good collaboration.
We published the pattern the other week on the main site.
Cheers
Tobias

[JoeV]

I'm new to this site, great work. The ID Mgmt Pattern shows HR actor with controls PS-1, PS-4, and PS-5, I think a good argument could be made for PS-2 & PS-3. Where these omitted by design? Are these patterns intended to be illustrative, not comprehensive?

Thanks.

[Tobias]

Hi Joe,

We are certainly open to arguments why something should be included in a pattern and eager to improve patterns over time.
As a general guideline we try to keep the amount of included controls to a minimum.
The patterns should reflect simplitcity which means that a majority of organizations should be able to live with the proposed baseline but not all organizations.

I would be very interested to hear your experience with PS-02 / PS-03.

Thanks for sharing

Cheers
Tobias

[JoeV]

Thanks. That makes sense, I'm a EA in a government organization so I think we are on the "heavy" side. I'll try my hand at putting a pattern together if I get some free cycles. Are you guys going add the 800 r3 (PM) controls?

[Tobias]

Are you guys going add the 800 r3 (PM) controls?

Yes we are going to do that, this will probably coincide with a revision and alignment of the patterns; as this might be some work we can't yet promise any time-frame.
However in a recent project (outside OSA) I have moved from R2 baseline to a R3 and it was quite straight forward.

Cheers
Tobias