Service Oriented Architecture (SOA) Design Checklist:
- Are the service interfaces using message formats from the canonical model?
- Have initial service contracts been defined between all known service consumers?
- Has the project established service contracts with services being provided by other teams, third-party packages, or external providers?
- Do the service contracts include release schedules for milestone builds that are synchronized with the schedule for service consumer development?
- Have service types been identified for all services, and appropriate service implementation platforms chosen based on those types?
Information Security Assessment Methodology
Critical to a successful security assessment, the planning phase is used to gather information needed for assessment execution—such as the assets to be assessed, the threats of interest against the assets, and the security controls to be used to mitigate those threats—and to develop the assessment approach. A security assessment should be treated as any other project, with a project management plan to address goals and objectives, scope, requirements, team roles and responsibilities, limitations, success factors, assumptions, resources, timeline, and deliverables.
Primary goals for the execution phase are to identify vulnerabilities and validate them when appropriate. This phase should address activities associated with the intended assessment method and technique. Although specific activities for this phase differ by assessment type, upon completion of this phase assessors will have identified system, network, and organizational process vulnerabilities.
The primary purpose of RIPA was to give law enforcement and the security services greater powers of surveillance. Here is the summary:
"...Any interception of a communication which is carried out at any place in the United Kingdom by, or with the express or implied consent of, a person having the right to control the operation or the use of a private telecommunication system shall be actionable at the suit or instance of the sender or recipient, or intended recipient, of the communication if it is without lawful authority and is either
1. an interception of that communication in the course of its transmission by means of that private system; or
Security Professionals Skills Matrix - Comparison between Security Specialists, Architects and Professionals
The skill sets of Security Specialists, Architects and Professionals differ slightly. Typical tasks for each career path are listed below.
Typical Tasks for Security Specialists:
- Respond to security incidents
- Report on security threats, conduct investigations
- Maintain security infrastructure, including risk and vulnerability assessments
- Research trends and issues related to security threats and control technologies
Typical Tasks for Security Architects:
- Scope and manage projects involving network security resources
So what does the Gramm-Leach-Bliley Act (GLBA) require for the protection of customer information? Here are simple guidelines based on Section V and the amended Appendix B. The act requires the institution not only to protect customer information but also to assess and then control its IT risk.
Section V of the Gramm-Leach-Bliley Act of 1999
Governs privacy in the context of Financial Institution Safeguards.
Section 501(a): It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic information.
Section 501(b): Establish appropriate standards for the financial institutions subject to their jurisdictions relating to administrative, technical, and physical safeguards
1. To insure the security and confidentiality of customer records and information;
2. To protect against anticipated threats or hazards to the security or integrity of such records; and
3. To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
2. Appendix B to Part 570
Outlines the Agency’s expectations for the creation, implementation, and maintenance of an information security program. This program must include administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. The guidelines describe the oversight role of the board of directors in this process and management’s continuing duty to evaluate and report to the board on the overall status of this program.