Business reliability in chains
Towards Trustworthy ICT Service Chains
Integrated Assurance framework for ICT enabled service chains
Drs Y.W. (Ype) van Wijk RE RA
Rijksuniversiteit Groningen
Business & ICT – IT auditing
24 November 2011
Risk
Control
Agenda
› Towards Trustworthy ICT service chains (TTISC project)
› Business reliability and trends in chains
› Content versus delivery networks
› Assurance guidelines
› The atomic approach for controls in service chains
Towards Trustworthy ICT Service Chains
› Innovation partnership
› ICT service chains
› Chain governance, SaaS, SOA, ICT, IT audit
› Risk – Control – Assurance
› Business reliability in chain automation
› Framework of assurance leading indicators
Rijksuniversiteit Groningen
Business Informatics (Bestuurlijke Informatica)
Drs Y.W. van Wijk RE RA
PwC, accountancy and IT consulting
Nedlloyd, operational audit
Euronext
Amvest BV
Cobalus BV
Business reliability and ICT chains
Business reliability: € 44.4 billion in income tax (Miljoenennota 2010, the Dutch national budget memorandum)
Figure: consumer – technology (ICT, network, architecture) – service provider – enabler (certificate); the parties are linked by service requests and the delivered service.
Trends in ICT chains
• From applications to chains of linked external service networks of applications (LinkedIn, Maps)
• SaaS and cloud computing as distributor
• Increasing dependency
• New risks and threats
• Application providers depend on trust in their suppliers' suppliers, ad infinitum
• Need for assurance (e-government, e-business)
• Objective method for assurance
• Security, availability, quality of service (QoS)
• Assurance over the total chain
Service chain assurance approach
• Risk in service chains
– content networks: business content and network controls
– delivery networks: technical ICT controls
• Generalisation and conceptualisation
Integrated Assurance Framework for ICT enabled service chains
Risk – Control – Assurance
Business content risk
Standards, guidelines, frameworks, best practices, architecture theories ...
› Standards
ISO 27000 series
ENISA
› Guidelines
COBIT
IT control objectives for cloud computing
ITAF (IT Assurance Framework)
Val IT
Risk IT
IEEE
Scientific research
Organization theory
Technical ICT research
Architecture
Audit theory
Operations research
Accountancy
Assurance
Conceptualization in service chains?
› Practitioners research
TEXO SAP research
Project Master
Chain governance
› Architectures
SOA
SaaS
Cloud computing
Assurance
The basic atom of the service chain
Figure: each service atom carries Risk, Control, Enactment and Enforcement; services A, B and C are linked by service requests, each adding value, and the resulting service chain spans a content network and a delivery network.
Service chain propagation in content and delivery networks
Figure: content network service chain propagation and delivery network service chain propagation; risk propagates backward along the chain (backward chain propagation risk) and forward along the chain (front chain propagation risk).
Figure: Risk – Control – Assurance with Enactment and Enforcement across three organisations.
1. INTRA-organisation risk-control-assurance
2. INTER-organisation risk-control-assurance
3. Service chain assurance: ∑ purchasing = ∑ service + ∑ service ... (in €)
Technical delivery assurance network
Figure: client – ISP – mobile network – client, with Enactment, Enforcement, Risk, Control and Assurance at each level.
Availability: downtime, mean time between failures, self-healing properties
Security: vulnerability, confidentiality, integrity, authentication
Quality of service (QoS): bandwidth, delay, jitter, round-trip time
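The slide lists the leading indicators per level of the delivery network but does not show how they roll up across a chain that crosses several organisations. The following Python model is an added example, not code from the presentation or the TTISC project. It treats each link as a service atom with the slide's availability and QoS indicators plus two assumed control flags (enactment, enforcement), composes them into chain-level indicators (series availability as a product of link availabilities assuming independent failures, end-to-end delay as a sum, and summed jitter as a conservative upper bound), reports where assurance is missing, and traces which upstream links are hit when a downstream link fails (the backward chain propagation risk of the earlier slide). The organisation names, figures and thresholds are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

MINUTES_PER_YEAR = 365 * 24 * 60


@dataclass
class ServiceAtom:
    """One link ('atom') of a service chain with its leading indicators.

    Indicator names follow the slide (availability, QoS); the numeric
    encoding and the two control flags are assumptions of this example.
    """
    name: str
    organisation: str
    availability: float        # fraction of time the link is up, e.g. 0.999
    delay_ms: float            # delay this link adds to a request
    jitter_ms: float           # delay variation this link adds
    control_enacted: bool      # the control is actually implemented
    control_enforced: bool     # the control is contractually/technically enforced


def minutes_downtime_per_year(availability: float) -> float:
    """Translate an availability fraction into expected yearly downtime."""
    return (1.0 - availability) * MINUTES_PER_YEAR


class ServiceChain:
    """Atoms in request order: atoms[0] is the link closest to the client."""

    def __init__(self, atoms: List[ServiceAtom]):
        self.atoms = atoms

    def availability(self) -> float:
        # Series composition: a request succeeds only if every link is up,
        # so chain availability is the product of link availabilities
        # (assumes independent failures).
        result = 1.0
        for atom in self.atoms:
            result *= atom.availability
        return result

    def delay_ms(self) -> float:
        # Each link adds its own delay; end-to-end delay is the sum.
        return sum(a.delay_ms for a in self.atoms)

    def jitter_ms(self) -> float:
        # Summing per-link jitter is a conservative upper bound (assumption).
        return sum(a.jitter_ms for a in self.atoms)

    def assurance_gaps(self) -> Dict[str, List[str]]:
        """Links whose control lacks enactment or enforcement: no assurance there."""
        gaps: Dict[str, List[str]] = {}
        for atom in self.atoms:
            missing = []
            if not atom.control_enacted:
                missing.append("enactment")
            if not atom.control_enforced:
                missing.append("enforcement")
            if missing:
                gaps[atom.name] = missing
        return gaps

    def inter_organisation_boundaries(self) -> int:
        """Number of hand-overs between organisations (INTER-organisation risk)."""
        pairs = zip(self.atoms, self.atoms[1:])
        return sum(1 for a, b in pairs if a.organisation != b.organisation)

    def backward_propagation(self, failed: str) -> List[str]:
        """Names of the upstream links whose service is impacted by a failed link."""
        names = [a.name for a in self.atoms]
        return names[: names.index(failed)]


def evaluate_chain(chain: ServiceChain, min_availability: float,
                   max_delay_ms: float) -> Dict[str, bool]:
    """Compare chain-level indicators with the agreed service levels."""
    return {
        "availability_ok": chain.availability() >= min_availability,
        "delay_ok": chain.delay_ms() <= max_delay_ms,
        "assurance_complete": not chain.assurance_gaps(),
    }


# Constructed sample chain: a client-facing front-end, a SaaS partner and a
# mobile network operator. Names and figures are made up for this example.
SAMPLE_CHAIN = ServiceChain([
    ServiceAtom("front-end", "OrgA", 0.999, 20.0, 2.0, True, True),
    ServiceAtom("saas-partner", "OrgB", 0.995, 50.0, 5.0, True, False),
    ServiceAtom("mobile-network", "OrgC", 0.990, 30.0, 3.0, False, False),
])

if __name__ == "__main__":
    chain_avail = SAMPLE_CHAIN.availability()
    print(f"chain availability: {chain_avail:.5f}")
    print(f"expected downtime per year: {minutes_downtime_per_year(chain_avail):.0f} min")
    print(f"end-to-end delay: {SAMPLE_CHAIN.delay_ms()} ms, jitter bound: {SAMPLE_CHAIN.jitter_ms()} ms")
    print("assurance gaps:", SAMPLE_CHAIN.assurance_gaps())
    print("organisation boundaries:", SAMPLE_CHAIN.inter_organisation_boundaries())
    print("impacted by mobile-network failure:", SAMPLE_CHAIN.backward_propagation("mobile-network"))
    print(evaluate_chain(SAMPLE_CHAIN, min_availability=0.99, max_delay_ms=120.0))
```

The point the model makes is the one the slides argue: three links that each individually meet a 0.99 availability target compose to a chain below that target, and a chain with two organisational hand-overs has assurance only where every link's control is both enacted and enforced.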
Consequences for architecture
Service chain architecture
• Split content and delivery for chains
• Develop a content assurance chain
• Develop a delivery assurance chain
• Take care of proper enactment in the chain
• Agree on service chain enforcement
• Integrate on specific assurance indicators
Service Based Auditing
Conclusions
› Assurance is a primary condition for services business
› Assurance in service chains must add predictive value
› For architecture it is important to integrate a priori the leading indicators for content and delivery network assurance
› Integrating assurance indicators in the design phase of service oriented architecture can support content and delivery assurance
› Assurance by professional independent party opinion can be
Towards Trustworthy ICT Service Chains
Thank you for your attention
Drs Y.W. (Ype) van Wijk RE RA
Rijksuniversiteit Groningen
Business & ICT – IT auditing
› Standards
ISO 27000 – www.iso.org
ENISA – www.enisa.europa.eu
› Guidelines
COBIT – www.isaca.org
IT control objectives for cloud computing – www.isaca.org
ITAF (IT Assurance Framework) – www.isaca.org
Val IT – www.isaca.org
Risk IT – www.isaca.org
› Practitioners research