
Developing a Semantic Mapping between TOGAF and BSI-IT-Grundschutz

Delin Mathew


Background

• Enterprise Architecture (EA)

• Enterprise Architecture Framework (EAF)

Zachman Framework, FEA, TOGAF

• Incorporation of Information Security into EA

• Information Security Management (ISM) Standards

ISO series, BSI series


TOGAF & BSI-IT-Grundschutz


TOGAF

BSI-IT-Grundschutz


IT-Grundschutz Catalogues


Uses

IT-Grundschutz Catalogues

M1: Gen. asp. (S1.1 Org., S1.2 Personnel)

M2: Infra (S2.1 Building, S2.2 Cabling)

M3: IT-Sys (S3.1 Server, S3.2 Client)

M4: N/W (S4.1 LAN, S4.2 WLAN)

M5: App’s (S5.1 DB, S5.2 Web app)

S1.2 Personnel: T1.1 Loss, T3.2 Negligence, …; S3.50 Selection, S3.5 Training, …


Mapping between TOGAF and BSI-IT-Grundschutz Components

[Figure: the IT-Grundschutz Catalogues structure from the previous slide, repeated]


Real-World Scenario

• Mapping between a company’s Enterprise Architecture and BSI-IT-Grundschutz

• Uses ArchiMate to model its Enterprise Architecture

‘ArchiMate’ is an Enterprise Architecture modelling language to support the description, analysis & visualization of architecture within & across business domains


ArchiMate


Thesis Goals


TOGAF & BSI-IT-Grundschutz Process

TOGAF & BSI-IT-Grundschutz Components

ArchiMate & BSI-IT-Grundschutz Components

Company’s EA model & BSI-IT-Grundschutz Components


Why TOGAF and BSI-IT-Grundschutz

• TOGAF

Most commonly employed EAF

EA model of the company developed using TOGAF


• BSI-IT-Grundschutz

Same content as other standards

Solely for IT-Security of organizations in Germany

ISO certification


Motivation

• Adaptation of security safeguards of BSI-IT-Grundschutz in TOGAF

• Re-use of identified TOGAF components in future

(Ex: while developing an automated tool)


1. Mapping TOGAF and BSI-IT-Grundschutz Process


Initiation

Creation

Implementation

Improvement


1. Mapping TOGAF and BSI-IT-Grundschutz Process


Initiation of Security Process

Creation of Security Process

Implementation of Security Concept

Maintenance and Improvement


2. Mapping TOGAF and BSI-IT-Grundschutz Components

• Manual Mapping

• Specific mapping – A rare occurrence

• J. König et al., “Mapping the Substation Configuration Language of IEC 61850 to ArchiMate”

Identified the SCL objects having the relation “is a kind of” or “is a part of” to any entity of ArchiMate


2. Mapping TOGAF and BSI-IT-Grundschutz Components

• 1:1 and 1:N mapping

TOGAF -> BSI-IT-Grundschutz

Databases -> Databases

Data Server -> General Server

Telephone -> Telecommunication Systems and Mobile phone


Evaluation

• Chose 14 mappings after Stratified Random Sampling

• Evaluators: Prof. Ruediger Grimm, Paul C. Johannes

• Each mapping evaluated on a 5-point scale

• Summary & Feedback

        Participant 1   Participant 2
SA      11              8
A       2               4
U/N     -               -
D       1               -
SD      -               2


3. Mapping ArchiMate and BSI-IT-Grundschutz Components

• Manual mapping

• Specific mapping – Non-Existent

• 1:1 and 1:N mapping

• Served as a metamodel for the next mapping

BSI-IT-Grundschutz -> ArchiMate

Server Room -> Facility

Security Management -> Business Service, Technology Function


4. Mapping of Company’s EA model with BSI-IT-Grundschutz Components

A. Identify the EA components from ITERGO’s Archi-Template & the relationships between components

B. Map it to the BSI-IT-Grundschutz components using the tool ‘Verinice’


Verinice – Introduction

• Used for the creation and management of ISMS

• Consists of 9 groups

Applications, Buildings, IT-Systems: Clients, IT-Systems: Network Components/others, IT-Systems: PBX Components, IT Systems: Servers, Network Connections, Rooms and Staff

• Example

Laptop -> IT-Systems: Clients

Web server/File Server/Mail Server -> IT Systems: Servers

Business actors/departments -> Staff


Modeling Elements in Verinice

• Not all elements could be grouped in Verinice

technology functions, technology services, business functions, business processes, products

• Buuren et al. - “Composition of Relations in Enterprise Architecture Models”


Modeling Relationships in Verinice

• Not every element can be related to every other element in Verinice

Example: Elements under the group IT-Systems: Clients can only have a relationship with the elements included under the groups Applications, Staff and Room
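The grouping and relationship limits from the last three slides, written as a pre-check that can be run over an EA model before it is entered into Verinice. This is an added example, not part of the original slides and not Verinice code: `precheck`, `GROUP_OF`, `UNGROUPABLE` and `ALLOWED_PARTNERS` are hypothetical names, the sample model is constructed, and the "application" kind and the either-direction reading of the Clients restriction are assumptions.

```python
# Added example; the model data at the bottom is constructed, not ITERGO's.

# Element kind -> Verinice group, from the examples on the slides.
GROUP_OF = {
    "laptop": "IT-Systems: Clients",
    "web server": "IT Systems: Servers",
    "file server": "IT Systems: Servers",
    "mail server": "IT Systems: Servers",
    "business actor": "Staff",
    "department": "Staff",
    "application": "Applications",  # assumption: not given on the slides
}
# Kinds the slides list as not groupable in Verinice.
UNGROUPABLE = {"technology function", "technology service",
               "business function", "business process", "product"}
# The one restriction the slides state; other groups are not checked.
# Assumption: it applies whichever end of the relation the client is on.
ALLOWED_PARTNERS = {"IT-Systems: Clients": {"Applications", "Staff", "Rooms"}}


def precheck(elements, relations):
    """elements: {name: kind}; relations: [(source, target)]."""
    placed, unmodelled, rejected = {}, [], []
    for name, kind in elements.items():
        if kind in GROUP_OF:
            placed[name] = GROUP_OF[kind]
        else:
            why = "not groupable" if kind in UNGROUPABLE else "unknown kind"
            unmodelled.append((name, why))
    for src, dst in relations:
        if src not in placed or dst not in placed:
            rejected.append((src, dst, "endpoint not modelled"))
            continue
        for a, b in ((src, dst), (dst, src)):
            allowed = ALLOWED_PARTNERS.get(placed[a])
            if allowed is not None and placed[b] not in allowed:
                rejected.append((src, dst, f"{placed[a]} cannot relate to {placed[b]}"))
                break
    return placed, unmodelled, rejected


SAMPLE_ELEMENTS = {"Claims laptop": "laptop", "Mail gateway": "mail server",
                   "Claims handling": "business process",
                   "Claims app": "application"}
SAMPLE_RELATIONS = [("Claims laptop", "Claims app"),
                    ("Claims laptop", "Mail gateway"),
                    ("Claims handling", "Claims app")]

if __name__ == "__main__":
    for part in precheck(SAMPLE_ELEMENTS, SAMPLE_RELATIONS):
        print(part)
```

Elements in the unmodelled list are the ones that would have no module, and so no safeguards, assigned in the tool.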


Relationship Types in Verinice

• The ArchiMate relationship types don’t exist in Verinice

• Verinice has its own set of relationship types

depends on, responsible for, necessary for, located in, accountable for, consulted for, informed about

• Bidirectional Relationships

Verinice derives relationships from existing relationships

• Non-Bidirectional Relationships

[Diagram: bidirectional example between A and S, labelled "Depends on" and "Necessary for"; non-bidirectional example between A and N, labelled "Necessary for"]


Mapping EA Model Elements and BSI-IT-Grundschutz Modules

• Mapping of BSI-IT-Grundschutz modules to EA model elements by simple drag-and-drop

• Security safeguards are automatically assigned

Set the implementation status of the security safeguards as per need


Verinice – Advantages and Disadvantages


Advantages

Only available tool for creation of ISMS

Easy mapping by drag-and-drop method

Easy implementation of safeguards

Allows relationship modeling

Provides protection requirements

Basic security check and risk analysis

Disadvantages

Not all elements can be modeled

Difficulty in modeling relationships

Not every element can be related to every other element

Cannot model ArchiMate relationship types


Evaluation

• Evaluator: Internal person from the company

• Feedback

Useful Mapping

Could be adapted and done by an internal person

A setback that some elements cannot be modeled

Categorization of modules in Verinice for easier searching


Summary


Process Mapping

TOGAF-BSI

ArchiMate-BSI

Archi-Verinice


Future Work

• Automating the mapping using identified components

Manual Mapping is time consuming

Reduces human error

• Customization of the Verinice tool

To model all the elements

To model the ArchiMate relationship types

Categorization of the modules
