Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security

In this IBM® Redguide™ publication, we first explore some of the concerns that characterize security requirements of, and threats to, business and information technology (IT) systems. We then identify a number of business drivers that illustrate these concerns, including managing risk and cost, and compliance to business policies and external regulations. We describe how security is a major consideration in the way that business and information technology systems are designed, built, operated, and managed.

In the past decades, industry groups and standards bodies have developed frameworks that serve as a baseline for some aspects of security. We discuss two common frameworks: CoBiT and ISO27002.
Security for information technology can be complex and confounding. Therefore, IBM has created a pair of complementary views to bridge the communication gap between the business and the technical perspectives of security to enable convergence in thought and process.
The IBM Security Framework addresses the business view, and the IBM Security Blueprint addresses the technical view.

The IBM Security Framework was developed to describe security in terms of the business resources that need to be protected, and looks at the different resource domains from a business point of view. It divides IT security into the following six resource domains:

- People and Identity
- Data and Information
- Application and Process
- Network, Server, and Endpoint
- Physical Infrastructure
- Security Governance, Risk Management, and Compliance

The IBM Security Blueprint expands on the business oriented view of the IBM Security Framework by mapping the domains into a core set of security capabilities and services. These capabilities and services serve as a starting point for design, development, integration, operation, and management of an enterprise IT environment that has security at its core.

With the security domains, capabilities, and services as a backdrop, this guide covers two business scenarios, the first concerning password management related costs, and the second discussing PCI compliance to illustrate how the IBM Security Framework and IBM Security Blueprint can be best used.

This guide is a valuable resource for business leaders, security officers, consultants and architects who wish to understand and implement enterprise security following architectural guidelines.

• PowerVM Virtualization on IBM System p: Introduction and Configuration Fourth Edition, SG24-7940-03
• TCP/IP Tutorial and Technical Overview, GG24-3376-07

Publish Date
23 July 2009

Rating:
(based on 13 reviews)

Rate this paper

Author(s)

Axel Buecker is a Certified Consulting Software IT Specialist at the International Technical Support Organization, Austin Center. He writes extensively and teaches IBM classes worldwide on areas of Software Security Architecture and Network Computing Technologies. He holds a degree in Computer Science from the University of Bremen, Germany. He has 22 years of experience in a variety of areas related to Workstation and Systems Management, Network Computing, and e-business Solutions. Before joining the ITSO in March 2000, Axel worked for IBM in Germany as a Senior IT Specialist in Software Security Architecture.

• Axel Buecker

David Crowther has 30 years experience in the IT industry, the last 23 working for IBM. During his IBM career, he has worked in technical pre-sales, services, and support, and currently works in IBMs BetaWorks, where he manages early beta programs for Tivoli Security and Provisioning products. In addition, he runs enablement workshops, provides technical support, and acts as a subject matter expert for new products. He also has wide experience in running beta programs on and supporting products from many of the other IBM brands, including large systems, networking, pervasive, Lotus, voice, and WebSphere. He is a Consulting IT Specialist, Chartered IT Professional and Chartered Engineer, and holds a Master's degree in Electrical Sciences from Cambridge University.

• David Crowther

Foulques de Valence is a Security and Web IT Architect member of the IBM Systems Lab Services team. He provides consulting services in the USA and worldwide mostly for multinational and Fortune 500 corporations. He focuses on security, SOA, WebSphere products, and IBM System z infrastructures. Foulques is a co-author of multiple publications about IBM security solutions. He also teaches classes and speaks at conferences about security. Previously he worked as an IT Architect with IBM France, specialized in SOA, J2EE, and z/OS. He received a Master's degree in Computer Science and Engineering from Ensimag in France. He furthered his education at the State University of New York in Buffalo and at Stanford University in California, USA.

• Foulques de Valence

Guilherme Monteiro is an IT Security Architect with Companhia de Sistemas, an IBM Business Partner in Brazil, with a strong focus on security solutions. He has been involved with IBM security solutions since 1999, implementing directories, access management, identity management, directory integration, risk management, and developing custom solutions for key Brazilian private companies. His company also has a strong position in Linux security solutions, with several successful implementations on this platform.

• Guilherme Monteiro

Michel Oosterhof is a Senior IT Specialist with IBM Tivoli Software in the Netherlands. He has 11 years of experience in the IT industry. He holds a Master's of Science degree in Applied Physics from the University of Twente. His main areas of expertise include identity and access management. He is currently working as a Technical Sales Specialist for Tivoli security products.

• Michel Oosterhof

Andrew Quap is a Software Engineer within the IBM Software Group in Austin, Texas. He has worked with IBM security products for over 10 years and is currently the level 2 tech lead for the Tivoli Federated Identity Manager product and works on the team that supports Tivoli Access Manager, Tivoli Access Manager for OS, Tivoli Security Policy Manager, and the Virtual Member Manager component. He has developed introduction materials for customers for the Managed Beta program. He holds a Bachelor of Science degree in Electrical Computer Engineering from the University of Texas at Austin.

• Andrew Quap

Maria Schuett is a Security Architect with AdminWorks, Inc., an IBM Business Partner in Saint Paul, Minnesota, USA. She has over 15 years of technical experience in information security and technology. She has been involved with IBM Tivoli Security solutions since 2004 and specifically with IBM Tivoli Access Manager for e-business since 2000 by delivering solutions in the state government, health care, and insurance industries. She holds a Bachelor's degree in Computer Science from Eastern Michigan University and an Associate's degree in Engineering from Schoolcraft College. Her areas of expertise include ITIL and Archer SmartSuite Framework for GRC. She has written, for her clients, whitepapers about infrastructure resilience strategies, including the support of Tivoli Identity and Access Manager with ITIL.

• Maria Schuett

Kai Stockmann is an IT Security Specialist from IBM Germany. He has been working in Security Competency in Germany for five years, where he is the responsible architect for compliance and regulatory programs. In this role, he gained much experience in the security and compliance field, specializing in the areas of IT risk assessment, governance, and compliance management. In addition to this role, Kai is involved in audits and reviews in IMT Germany. He holds a Bachelor's degree in Business Informatics from the University of Stuttgart (Germany) and is CobiT and ITIL certified.

• Kai Stockmann

IBM Form Number
REDP-4528-00

Number of pages

38