WSSRA Security Architecture: Definitions
Feb 23rd, 2007 by Jesper Kråkhede
IT-Architecture is all about having a common language to describe an IT-environment. WSSRA SA defines a few words that are commonly used throughout the document: Assets, People, Process.
Assets are divided into two groups: Data asset and Tier Asset.
Data assets are the information stored within your databases, your spreadsheets and your worddocuments. That is the data you are aware of. But you also have the data stored in printer buffers on large printers, backup tapes, test environments and probably also on several laptops throughout your company.
Tier assets are hosts (servers or clients) or devices (singel use appliance like a firewall och printer). You could spell it out as every gadget that either stores, transports or consumes data.
When looking at WSSRA it derivates the protection of data from the following letters: CIA, confidentiality, integrity and availability. To be able to understand this you should include the three phases data can exist in: storage, transport or consumption (used). On every piece of information or on every piece of hardware you should always ask yourself: Is the data stored, transported or used here? If any of the answers is yes you should apply either confidentiality, integrity or availability here in form of encryption, signing or clustering to give some easy examples.
People are the guys and gals working within your company. You have all the operators/administrators who possible will have access to all your information, management who probably also has all access, the common employee that has limited access, the customers that should have none or limited access, the service personel who should have no or limited access, the consultants that should have access depending on their task and everybody else that moves within the corridors. All of these should be adressed by a policy dictating what is allowed and what is not allowed. They should also be responsible to abide and keep updated of changes in policy.
Process is all the task that are pointed to keep everything secure: Asset Assesment and Valuation, Security Risk Identification, Security Risk Analysis and Security Risk Remediation and Development.
Asset Assesment and Valuation is about finding the data and gadgets to protect and setting a price on the information and gadgets in your company. Everything has a price. It could be the value of your company but it still has a price. Almost all data are recreatable. But it could take your staff to the longest 75% of the time it took to produce it the first time.
Security Risk Identification is the process to identify the risk currently in effect and keeping updated on new risks.
Security Risk Analysis is the process to analyse the risks and set a figure for them to actually happen, like once in five years or 20%.
Security Risk Remediation and Development is about handling the risk identified as a threat. Not doing anything is actually a way to handle a risk. Determine which risks to handle is a complete other issue that I will write about another day.