A risk-driven security analysis method and modelling language

The BT Security Research Centre has defined and continues to develop a modelling language and method for representing and analysing ICT security requirements. The language is used to create a model that serves as a medium for communication between consultant and customer, a guide in making decisions, and the basis of a specification for implementing a solution. Three sub-models deal with business and technical requirements of the ICT system; threats, vulnerability and risks; and security measures and processes. The modelling process is iterative, with decisions being driven by optimisation of business value, trading off risk against cost. This paper focuses on aspects of the method dealing with assessment of risk and analysis of requirements for operational risk management.     

Trustguide — trust in ICT

The Trustguide project builds on previous work completed under the Foresight Cyber Trust Project, and seeks to set guidelines for the research, development and delivery of trustworthy ICT. Trustguide extends this earlier work by continuing the dialogue through a series of workshops at which individuals can experience new technologies under development, and understand the related trust issues first-hand. The research laboratories of HP and BT are providing technologies (proof-of-concepts and on-going research) to enable attendees to engage more fully with the issues. Trustguide is partly funded by the DTI under the Sciencewise initiative. The work is being carried out by HP and BT through a collaborative fifteen-month project that is ongoing. This paper describes the work originally begun by Foresight and the latest phase being undertaken now by Trustguide. HP     

Security risk management in the BT HP alliance

This paper describes the way BT and HP have agreed to collaboratively manage security risks within the BT HP alliance. BT and HP have worked together to establish an environment of mutual trust. A rigorous alignment of policy, coupled with an effective governance framework, has enabled the development of an agreed risk assessment and mitigation process. This paper examines the way in which the foundations of mutual trust were developed and how these enabled the development of a federated security model. The challenge within any outsource arrangement is to determine how security risk assessment and management, built up through policy compliance and developed best practice in a single company in-house environment, should change when the responsibility for a significant part of the delivery and future development of service capability is transferred to a third party. The additional challenge to BT and HP was to ensure that the solution should be scalable and enduring in the context of a strategic alliance. The initial work of the security communities in the two companies was focused on the assessment and management of the risk associated with the managed service agreement to transfer the management responsibility from BT to HP for the mid-range server estate and the end-user workspace (or desktop). This managed service agreement was one of the three core agreements included within the strategic alliance agreement entered into by the two companies. There was a clear objective of ensuring applicability to the other work streams and scalability across all commercial activities of the BT HP alliance. The main focus of the work was to build on top of the technical capabilities of both companies to ensure that formal governance processes were put in place and that security risks were consistently measured, assessed and managed. The trust established between HP and BT as result of the adoption of a common risk assessment methodology and creation of a robust governance framework enabled a swift resolution of early issues concerning HP agent access to BT systems. A Security Federation model was established to facilitate the accreditation of users within their home domains, which delivered significant operational savings to both parties. The paper describes the value obtained from this approach with respect to security issues during the first twenty-four months of the BT HP alliance. HP     

The BT HP alliance — integrated service delivery

The BT HP alliance was established to address the challenges that arise with global ICT outsourcing, bringing together the world-class capabilities of BT and HP to provide a full service outsource capability — where such an arrangement would yield benefit to BT, HP and clients. This paper will look at some of these challenges and in particular those which relate to the provision of ‘end-to-end’ service management. It describes the BT HP alliance’s approach to the delivery of an integrated service, and how the issues raised can be addressed using an integrated service architecture (ISA). The core components of the ISA, namely the customer portal, the service catalogue, the joint service delivery model (JSDM), the joint service delivery architecture (JSDA), and the supporting data storage, are identified and described. In order to describe the approach taken to develop the ISA, incident management is used as an example to show how the existing service delivery processes are aligned in the joint service delivery model. It is recognised that there are existing process standards and frameworks within both companies, and hence, in the early stages of establishing a joint service delivery capability, the approach is to rely on these existing processes and identify and harmonise the necessary interfaces between them. The overall effect of this is to provide a seamless view of service delivery from the customer perspective. As well as aligning these processes, in some cases they are also bonded together, where it is appropriate and where there is an identified benefit. The paper will also describe the infrastructure and systems that have been put in place in order to electronically bond and automate processes by using the JSDA, taking the incident management process as an example. HP     

Hosted financial services — a case study

This paper looks at how BT and Hewlett Packard (HP) were able to use the BT HP alliance to address a key customer hosting requirement, as part of a major outsourcing opportunity in the finance sector. It shows how the two organisations collaborated to develop the solution and outlines the way the bid was put together. The paper illustrates how the strengths of both organisations contributed to developing a sound proposition and describes the service model and technologies which make up the solution. This is achieved by looking at the commercial context of the bid and the technical solution. The transfer of the service to HP’s premises, using their TTM methodology is considered, as is the ongoing support through the joint BT and HP service model. Finally the lessons learned from the bid are examined. HP     

Service assurance across organisational boundaries with semantic mediation

This paper describes an approach to support OSS integration across organisational boundaries. The requirement for such B2B interfaces is expected to increase as is the need to carry out integration in a much more flexible way. Existing approaches for integration tend to be implementation specific, operate at the syntactic level, and are realised by program code. Consequently they are inflexible due to their highly coupled nature and are costly to set up and maintain. An approach to decouple B2B interfaces is introduced, which allows them to be flexibly coupled as required with the use of scalable, semantic mediation. A prototype based on an assurance integration scenario for BT Wholesale’s B2B gateway is described.     

Community research activities in secure and trustworthy ICT infrastructures

Secure and trusted Information and Communication Technology (ICT) infrastructures are key enablers for the development of a trustworthy Information Society. The European Union, recognising this, has launched over the last few years a number of research initiatives aiming at designing and building secure and dependable ICT systems and networks, which respect citizens’ rights and protect their privacy and personal data. The European Commission is already funding more than 37 R&D projects in this area under the IST programme, which is part of the 6th Framework Programme (2002 to 2006). The paper first presents the main research challenges in the development of secure, dependable and trusted ICT infrastructures. It then describes a representative set of these IST projects dealing with advanced research in network and service security. The paper also presents upcoming opportunities for research funding in this area under the newly launched ICT programme, part of the 7th Framework Programme that extends from 2007 to 2013.     

A compound real option and AHP methodology for evaluating ICT business alternatives

After the liberalization of information and communication technology (ICT) markets many potential providers have appeared. Thus, business complexity, for ICT decision makers, has increased. In this paper, we focus on the problem of selecting the optimal business evolution path for ICT, focusing on the broadband technology (BT) field. Traditional quantitative cost–benefits analysis, such as net present value (NPV), is by no means sufficient for capturing the complexity of the problem in its entire. Researchers suggest the real options (ROs) for valuating ICT investments. However, RO models are strictly quantitative and very often ICT investments may also contain qualitative factors, which cannot be quantified in monetary terms. In addition, ROs analysis itself brings to the “surface” some factors that can be more efficiently treated qualitatively. We combine the ROs and analytic hierarchy process (AHP) into a common decision analysis framework providing an integrated multicriteria model, called ROAHP, for prioritizing ICT business alternatives. The proposed model is applied to a real life BT business case, showing how it can be formulated and solved.     

Family Life in the Digital Home — Domestic Telecommunications at the End of the 20th Century

This paper describes results from the first stage of a long-term study of people's use of ICT (information and communications technology) products and services in the domestic environment. It is part of BT's ongoing commitment to understanding, modelling and meeting the needs of its residential customers. At one level the research has already generated significant knowledge that has led directly to commercial benefit; at a second it has validated a number of research methods needed to capture the data to build a rich picture of people's actual as well as reported behaviour. At a third level it has also generated significant new scientific knowledge about the use of ICT products.The next step is to build on these successes using a 1000 strong UK househo d panel to build an unprecedented and unparalleled understanding of how and why people purchase, adaptand adaptto ICT as UK society moves into the 21st century.     

Family life in the digital home — domestic telecommunications at the end of the 20th century

This paper describes results from the first stage of a long-term study of people’s use of ICT (information and communications technology) products and services in the domestic environment. It is part of BT’s ongoing commitment to understanding, modelling and meeting the needs of its residential customers. At one level the research has already generated significant knowledge that has led directly to commercial benefit; at a second it has validated a number of research methods needed to capture the data to build a rich picture of people’s actual as well as reported behaviour. At a third level it has also generated significant new scientific knowledge about the use of ICT products. The next step is to build on these successes using a 1000 strong UK household panel to build an unprecedented and unparalleled understanding of how and why people purchase, adapt and adapt to ICT as UK society moves into the 21st century.     

How benchmarking can mitigate risk in business transformation

BT has a long history of benchmarking IT and has used it to drive improvements in infrastructure management and applications development. Benchmarking can be used to compare results within the same company, within the same industry or even between totally dissimilar industries. The essence of IT benchmarking is to perform comparisons that create opportunities for improvement, often with external peers. BT aims to bring together the expertise in IT from the different divisions in the company into one world-leading ICT organisation. The paper describes how BT has used benchmarking as an improvement tool historically, how it is being used to measure the progress of the current transformation activity, and the challenges faced by the benchmarking team in coming to terms with the new ‘Agile’ development methodology.     

网络与信息安全标准研究现状及热点问题探讨

网络与信息安全标准作为信息安全保障体系的重要组成部分,政府部门、产业界都对此高度关注.本文将介绍当前国内外网络与信息安全标准研究现状,分析当前网络与信息安全标准研究热点,探讨通信行业网络与信息安全标准体系建设思路.     

基于可视化的安全态势感知

可视化技术为安全态势感知、大规模网络安全预警提供了十分现实的解决方法.人作为信息保障的一个重要环节,可视化技术提供了让人有效参与安全态势分析并做出正确决策的有效途经.文章重点研究了基于业务影响度进行安全态势评估的方法,并提出多种3D可视化模型进行相关数据的分析和展现,从不同的角度加强人对安全态势的感知能力.最后给出构建安全感知系统所经常采用的体系结构和数据流程.     

Smart-Grid-Architekturen in Österreich: Eine Bewertung der IKT-Sicherheitsaspekte relevanter Pilotprojekte

ICT will be a cornerstone of future electricity provision, and therefore our power supply system will be affected by cyber security risks. The research project Smart Grid Security Guidance (SG) ² aims at analyzing such risks and developing appropriate countermeasures. In a first step the ICT security aspects of Smart Grid pilot projects in Austria have been analyzed, for which their system architecture has been mapped to the Smart Grid Architecture Model, a European reference architecture for the validation of Smart Grid use cases. Thus, an ICT architecture model for Smart Grids in Austria can be defined as a basis for further security investigations within the (SG)² project.     

Security Management Standard — ISO 17799/BS 7799

BS 7799, the standard for information security management, covers the appropriateness and effective use of security controls following a risk analysis that identifies the relevant assets and the security threats to them. This paper describes how one unit approached certification and became the first in BT to gain it. It then goes on to discuss what has been learned, the technical implications and how that could be applied for competitive advantage.     

电子政务中的安全管理研究

论文依据安全管理的模型和标准,对我国电子政务中的安全管理进行了研究。通过对我国电子政务中安全问题的分析,将电子政务的安全管理分为政务网安全管理和政务信息安全管理,使管理更有针对性,并对如何实现电子政务中的安全管理,从管理对象、安全策略、管理措施和安全评估等方面作了详细的描述。文中提出的安全管理体系可为我国电子政务安全保障建设提供参考。     

Model-driven systems development and integration environment

Telecommunications operators are undergoing massive transformations in order to metamorphose themselves into the ICT world and compete with agile, lean IT organisations. The main challenges facing telecommunications operators, such as BT, are to reduce costs and increase agility in deploying software systems for provisioning ICT services. Despite using reusable capabilities and COTS packages, the major source of increased cost lies in the heavy integration tax we incur for integrating diverse systems implemented on diverse platforms and middleware, with heterogeneous data and process models. This paper looks at cost implications of lengthy and often manual migration to-and-from systems and platforms, and shows the clear business benefits of model-driven development (MDD) as defined by the Object Management Group (OMG). It is clearly demonstrated that model-driven development has matured into a practical, industrialised, scalable and evolvable technology, culminating from decades of R&D on specification and design languages, executable formalisms and domainspecific languages and language transformations.     

Emergent Properties of the BT SDH Network

When planning an SDH network, explicit structure, such as rings or a network hierarchy, is often imposed to allow for easier network protection and management. Decisions on node connectivity are also heavily dependent on available transmission capacity and network geography, as well as the demands placed on the SDH transport layer. The strictly imposed structure therefore makes it unlikely for unplanned properties to appear but here we describe how the BT SDH network exhibits emergent power-law properties in a range of metrics. These properties are similar to those previously found in the Internet, but the Internet in contrast is not globally planned, has adaptive elements such as dynamic routing and peering agreements, lacks explicit imposed structure, and is less coupled to transmission topologies.This paper shows that even with a wide range of restrictions and controls the BT SDH network topology follows power-laws and we offer possible sources for them, concentrating on the possible effect of adjacent network layers. The existence of these properties has wide implications in network modelling, as well as network scaling, growth, and robustness analysis.     

The BT Risk Cockpit — a visual approach to ORM

As a global company with networks and consultancy arms that span most of the world, BT has many years of experience in operational risk management. This paper looks at the evolution from BT’s simple security risk management tools to an operational risk management cockpit — a highly interactive and visual tool for C-level executives addressing governance, risk and compliance in their organisations.     

企业信息安全的基本要素

企业信息安全保障体系分为基本安全环节、增强环节和扩充的安全机制三个层次,其中又细分为身份标识和鉴别、访问控制、审计、防火墙、实时监控、信息加密等具体环节,有些是基本的,有些则并非一定要部署。企业可根据自己的情况决定取舍。