Why have OSA?
OSA is of value to you for 4 reasons
- A single, consistent, clearly defined control catalog provides an excellent means to simplify requirements from numerous standards, governance frameworks, legislation and regulations.
- Patterns are a great way to show the best practice set of controls that should be specified for a given situation.
- Many eyes make for better security, the OSA community helps create high quality material through the experience of the group.
- Applying OSA patterns in your work gives you a fast start, improves the quality of the solution you deploy, and reduces overall effort.
Longer term strategic considerations
OSA can provide significant benefits in the longer term due to the nexus of a number of trends that are playing out at the moment in the IT industry.
1) The IT world is changing to an environment where services will be provided and consumed in complex webs. Companies prefer to buy IT services rather than implement, build and operate.
- Many large IT consumers have already outsourced the specification, creation, implementation, operation and management of IT systems to other providers, and these providers also often subcontract further e.g. (India to China).
- Software as a Service is becoming a viable model given ubiquitous access to high bandwidth connections, and the economies of scale that be derived from common hardware and software platforms. Service oriented Architectures provide the means for IT consumers to access complex combinations of these services.
2) Assuring the appropriate security of IT services become ever more important as we place more reliance on them for critical tasks.
- The confidentiality of a chain of components is only as good as the weakest link.
- The availability of a chain of components is the availability of each component multiplied together (therefore lower than any individual component)
- The integrity of a chain of components is only as good as the weakest link.
3) In addition IT consumers need to assure that an IT service will meet the Governance, Risk and Compliance (GRC) requirements for the business process that is being supported. If the service is provided by one or more suppliers it can be intuitively appreciated that the complexity of this task increases. Furthermore this is a task that must be repeated to ensure that the IT service continues to meet these requirements. GRC requirements are often hard to articulate and can be specified by multiple, inconsistent, and often overlapping standards.
- There are many security standards such as ISO27001, ISF SOGP.
- There are many Governance standards such as COBIT, COSO and ITIL.
- Legal and regulatory standards vary by jurisdiction.
By mapping regulations and legislation against a standard controls catalog we can reduce duplication, increase clarity and improve the ability to implement within specific systems. Additionally by linking the Open Controls catalog to Implementation specific problems we can provide a standard set of "use cases" that show the controls needed to provide conformant and performant services.
- GRC requirements can be easily mapped to the control objectives.
- Control objectives can be easily mapped into solution architectures, with links to the underlying implementation standards.
- Efficiency and effectiveness is increased by creating a standard set of very high quality artifacts that can be deployed many times.
OSA can provide benefits to IT service consumers, IT service suppliers and IT vendors, giving the entire IT community an interest in using and improving.
- IT service consumers need to integrate diverse architectures from many suppliers in complex chains. They win using OSA because they can better specify or assess services or products they purchase, and improve the quality of products they build. They can reduce knowledge risks from the architecture being in the suppliers control. Additionally they increase confidence in the ability to integrate services, improve conformance with GRC requirements and reduce audit costs.
- IT service suppliers want to supply services to the maximum number of consumers, minimizing the cost to specify, implement and operate, while ensuring that the services meet the consumers requirements. They win using OSA as they can provide conformant solutions at the least cost to the largest market.
- IT vendors want to supply products that meet market needs and have a low TCO for the IT service supplier that will operate. They win using OSA as they are able to build systems with relevant and appropriate controls.
But why Open?
The reason we believe an open approach is best is because we do not think any one party can represent the interests of all parties who will participate in these complex webs of services. An open approach means that the patterns and catalogues will benefit the whole community and can be more quickly improved and refined by the common experience of participants.
In the same way that the Internet uses design standards for communication protocols and applications, we feel that the time has come to apply these same concepts at a higher abstraction level i.e. architecture.
By implementing as a closed system we would simply perpetuate "Yet Another Control Standard" and would fail to win the real prize of unifying the control standards with architecture patterns and implementation standards.