The Open Group : Making Standards Work
Security Forum

The Security Forum works to raise industry confidence levels by defining technical standards and guidelines to counter the whole range of security risks and vulnerabilities, and also addresses business and technology perspectives in its Manager's and Technical Guides.

It draws upon the expertise of its members on both the customer and supply sides of industry, government, and academia, to assess, evaluate and address all aspects of information security in open systems environments. Currently these include risk management, governance (including audit and compliance), confidentiality, integrity, accountability, non-repudiation, copy-protection, availability, privacy, policy, best practice, and frameworks for legal and regulatory issues at global as well as national levels, so as to deliver secure interoperable solutions in today's globally networked business world where mobile and wireless connectivity raise new challenges.

ebizQ in Action Webinar with The Open Group: Evolving Security Architectures and SOA for Better Business Collaboration, August 6, 2008 at 12:00pm US Eastern.

NAC transitions into Security Forum
See our Press Release, the NAC Resources page, and the announcement on the NAC home page.

What We Do
The Forum draws upon the expertise of security professionals on both the customer and supply sides of industry, government, and academia, to assess, evaluate and address security issues, including:

Framework for Information-Centric Security Governance
In a major new White Paper, we set out our strategy for future projects, describing a new framework for delivering enterprise-level information security in ways that reflect current realities of business enterprise, network and information sharing, and access. We need to evolve from perimeter-based, proprietary-based enterprise-level security practices to a new framework that delivers information-centric security.

Security Architectures
Developing guides, business rationales and scenarios, use-cases, reference and common system architectures, and support services for including information security in IT systems architectures for the enterprise. Current work includes development of a broader multidisciplinary strategy for addressing security challenges, embracing the Jericho Forum™ approach to our de-perimeterizing world, in which business operations demand secure interaction with business partners and customers globally over the Internet, and also embracing today's strong business drivers for good governance, especially compliance with legal, regulatory, and audit/logging requirements.

Risk Management
Management of risk is an essential part of the security practitioner's work: assessing risk and vulnerability relative to the security, safety, and dependability of IT systems, so that business managers can arrive at sound business risk decisions. We are developing the FAIR (Factor Analysis of Information Risk) approach, which takes a completely fresh look at the true factors that drive a risk evaluation and, in doing so, clarifies traditional (and often confusing) risk management terminology.

Our current Risk Management project targets two firm deliverables plus a third proposed deliverable:

  • A standard which defines a rigorous Risk Taxonomy
  • A standard for Risk Assessment Methodologies
  • A recommended Risk Assessment Methodology and Cookbook
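To make the risk-factor decomposition concrete, here is an added worked example; it is not code from The Open Group or the Security Forum (this page carries none), and the scenario numbers in it are constructed. It assumes the factor structure of FAIR as published: risk is a function of Loss Event Frequency (LEF) and Loss Magnitude (LM); LEF is Threat Event Frequency (TEF) times Vulnerability; and Vulnerability is the probability that a threat's capability exceeds the resistance strength of the control in its way. Analysts supply each factor as a calibrated three-point estimate, and the estimate is then run as a Monte Carlo simulation rather than reduced to a single number.

```python
"""FAIR-style annualized loss estimate (illustrative, not a Forum deliverable).

Risk            = f(LEF, LM)
LEF             = TEF * Vulnerability
Vulnerability   = P(threat capability > resistance strength)
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    lo: float
    ml: float
    hi: float

    def sample(self, rng: random.Random) -> float:
        """Draw from a modified PERT distribution (beta with shape weight 4)."""
        if self.hi <= self.lo:
            return self.lo                          # degenerate: a point estimate
        span = self.hi - self.lo
        a = 1.0 + 4.0 * (self.ml - self.lo) / span
        b = 1.0 + 4.0 * (self.hi - self.ml) / span
        return self.lo + span * rng.betavariate(a, b)


@dataclass(frozen=True)
class Scenario:
    tef: Estimate    # threat event frequency, events per year
    tcap: Estimate   # threat capability, percentile 0-100 of the threat population
    rs: Estimate     # resistance (control) strength, percentile 0-100
    lm: Estimate     # loss magnitude per loss event, currency units


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual frequencies used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def vulnerability(sc: Scenario, draws: int = 10_000, seed: int = 0) -> float:
    """The FAIR 'Vulnerability' factor: P(threat capability exceeds resistance)."""
    rng = random.Random(seed)
    hits = sum(sc.tcap.sample(rng) > sc.rs.sample(rng) for _ in range(draws))
    return hits / draws


def simulate_year(sc: Scenario, rng: random.Random) -> float:
    """One simulated year: a threat event becomes a loss event only if the control fails."""
    loss = 0.0
    for _ in range(poisson(rng, sc.tef.sample(rng))):
        if sc.tcap.sample(rng) > sc.rs.sample(rng):
            loss += sc.lm.sample(rng)
    return loss


def annualized_loss(sc: Scenario, trials: int = 10_000, seed: int = 0) -> dict:
    """Monte Carlo distribution of annual loss, reported as mean and percentiles."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(sc, rng) for _ in range(trials))
    pct = lambda q: losses[min(len(losses) - 1, int(q * len(losses)))]
    return {"mean": sum(losses) / trials, "p50": pct(0.5), "p90": pct(0.9), "max": losses[-1]}


def point_estimate(tef: float, vuln: float, lm: float) -> float:
    """Single-point shortcut: LEF = TEF * Vulnerability; Risk = LEF * LM."""
    return tef * vuln * lm


if __name__ == "__main__":
    # Constructed scenario: phished credentials used against a finance mailbox.
    phishing = Scenario(
        tef=Estimate(5, 20, 60),          # attempts per year
        tcap=Estimate(30, 60, 90),        # commodity to mid-tier attackers
        rs=Estimate(40, 70, 85),          # password + awareness training, no MFA
        lm=Estimate(2_000, 15_000, 120_000),
    )
    v = vulnerability(phishing)
    print(f"vulnerability ~ {v:.2f}")
    print(f"point estimate ~ {point_estimate(20, v, 15_000):,.0f} per year")
    print(annualized_loss(phishing))
```

The point estimate and the simulated mean will usually disagree, which is the point of running the distribution: a tail of rare, expensive loss events is what a p90 or maximum exposes and a single most-likely figure hides. Raising resistance strength (say, by adding a second authentication factor) shows up directly as a lower Vulnerability factor rather than as an unexplained adjustment to "risk".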

Identity and Authentication
Defining identity lifecycle, identity access, and PKI-based identity management from a business perspective. Also advancing with other groups – including ISO JTC1 SC27 – the recommendations on industry adoption of a Common Core Identifier (CCI) system based on our published CCI Business Scenario and CCI Framework Matrix, and evaluating the privacy issues surrounding identity and identifiers. See also Core Identifier Workgroup.

De-perimeterization
Collaborative projects with the Jericho Forum™ to review their position papers and evaluate opportunities for developing new security standards or extending existing standards that will support development of open systems security solutions.

Identity Management
The Security Forum has been a constant contributor to the achievements of the Identity Management Forum, because identity and authentication are core components of information security solutions. Current work includes contributing to an Identity Management Framework standard, and also a Privacy Framework standard, in ISO JTC1 SC27. We are also interested in developing design patterns for architecting identity management systems. See also the Identity Management Forum.

IT Logging & Audit, & Compliance
This work includes updating our 1998 Distributed Audit Services (XDAS) Preliminary Specification, to revise and extend it to meet today’s much more stringent requirements for logging and auditing of events. We recognize the major impact of Regulatory Compliance as a driver from the Boardroom down, for meeting increasingly stringent audit requirements which are backed by severe penalties for non-compliance. In this work we are again demonstrating our willingness to embrace and leverage existing achievements in other groups, notably in Mitre on their Common Event Expression (CEE) standard, and in the financial community (BITS).

Service Oriented Architectures
Collaboration with the SOA Working Group to evaluate what additional security considerations SOA environments demand, leading to a practitioners' Best Practice Guide for Securing SOA Environments.

Safety-Critical Infrastructures
Working with the Real-Time & Embedded Systems Forum to evaluate the effectiveness of the safety and security aspects of the Real-Time and Embedded Systems specifications that its members develop and propose to adopt in safety-critical systems.

See also the Real-time and Embedded Systems Forum

Liaisons
The Security Forum works with other Open Group Forums, particularly Identity Management, Jericho, Messaging, Real-Time, and Architecture, to ensure security is addressed across our areas of interest. It also has working relationships with other security consortia. Currently, active engagements are with:

  • American Bar Association Cyberspace Law sub-group
  • ETIS security working group
  • INCITS CS1
  • ISO JTC1 SC27 (Category C liaison status)
  • Mitre
  • BITS

We establish links with others where it is mutually beneficial to do so.


Forum Notices
EAPC-20: the 20th Enterprise Architecture Practitioners Conference, featuring Secure Architectures. The conference will run in parallel with The Open Group Member Meetings.

Current Projects
The Security Forum has in the past few years become increasingly focused on activities oriented towards security architectures & frameworks, best practices, and governance, and has remained totally committed to full engagement with the Identity Management Forum. Current projects include:

  • Security in Data
  • Standard for an Identity Management Framework, and a Privacy Framework
  • Security Strategy Multi-disciplinary Framework: role of the security architect in architecting the enterprise
  • Standards for a Risk Management Taxonomy and for Evaluating Risk Assessment Methodologies, plus a Guide to a recommended Risk Assessment Methodology and Cookbook
  • Updated Distributed Audit Standard for 2008 and beyond
  • Collaborative projects with the Jericho Forum
  • Collaboration with the SOA Working Group on security in SOA environments
  • Guide for Security Architects
  • Patterns, views, building blocks, and governance

Key Accomplishments
Development work resulting in the following publications (most recent first):

  • Information Security Strategy, v1.0 (W075)
  • Framework for Control over Electronic Chattel Paper (G061)
  • Security Design Patterns - methodology and approach to architecting secure systems - Introduction (G044); Catalog of Design Patterns (G031)
  • Identity Management - business scenario and white paper
  • Managers Guide to Digital Rights Management (G052)
  • Managers Guide to Data Privacy (G033)
  • Managers Guide to Information Security (G250)
  • Security Architecture in TOGAF ADM (W055)
  • Identity Management White Paper (W041)
  • Identity Management Business Scenario (K023)
  • ALPINE (Active Loss Prevention for ICT eNabled Enterprise)
  • Intrusion Attack and Response workshop (W031)
  • Architecture for PKI (G801)
  • Distributed Security Framework (G410)
  • Secure Mobile Architecture (E041)
  • Common Security Architecture CDSA (C914Y)
  • CDSA Authentication: Biometric Recognition (C013)
  • Authorization API (C908)
  • Generic Security Service (C441)
  • Baseline Security Services (C529)
  • Distributed Audit Service XDAS (P441)
  • Single Sign-On Service XSSO (P702)
  • Guide to Developing Architectures for Identity Management (G072)

Get any of these documents in "Publications".

Publications
The Forum has produced a wide variety of publications, many of which are available online as well as in hard copy form. See the lists of Security publications and Identity Management publications.

More Information
For more information about the Security Forum, please email the Forum.


HOW TO PARTICIPATE
The Forum welcomes participation by all interested parties. If you would like to influence the direction and outcome of the Forum, have early access to specifications, and participate in defining industry standards, join The Open Group.