Comparison
Comparison of IT Risk Assessment and Information Security
International Organization for Standardization (ISO) 17799/27001:
International standard pair against which an information security program can be assessed and certified: ISO/IEC 17799 (since renumbered ISO/IEC 27002) is a code of practice listing security controls, and ISO/IEC 27001 specifies the requirements for the information security management system (ISMS) that selects, operates and reviews those controls.
Control Objectives for Information and Related Technology (COBIT):
http://www.isaca.org/cobit.htm
Developed by IT auditors and made available through the Information Systems Audit and Control Association (ISACA). COBIT provides a framework for assessing a security program, developing a performance baseline, and measuring performance over time.
SysTrust:
http://www.aicpa.org/assurance/systrust/index.htm
Developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Public Accountants. SysTrust provides a framework for evaluating controls for information systems assurance.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE):
http://www.cert.org/octave
Developed by the CERT Coordination Center at Carnegie Mellon University. OCTAVE is a self-directed, risk-based evaluation: the organization's own analysis team identifies its critical assets, the threats to them and the infrastructure vulnerabilities that expose them, then builds a protection strategy from accepted best practices.
Comparison Four Distributed Architecture Alternatives for SOA
To understand what a SOA is, it helps to understand what it is not. The following therefore briefly delimits it from competing distributed-architecture alternatives.
1. Client Server:
The client-server approach is one of the best-established architectures for distributed computing. Both the approach and the available technology are mature and stable, and systems of this type can be implemented easily and optimized for specific application scenarios. On the other hand, once a client-server system is in place it is difficult to change its functionality. Its flexibility is therefore limited, and it is best used where the business process is expected to be stable and changes are rare.
2. Java 2 Platform, Enterprise Edition (J2EE):
J2EE is also a mature technology and is widely used for distributed computing in object-oriented environments. Objects are typically smaller than the services of a SOA and are more tightly coupled to one another. The technology is independent of the operating system but, of course, not of the programming language. Objects can be inserted, modified or replaced without stopping and restarting the whole system, so J2EE offers more flexibility for adapting business processes than a client-server system does. The expected reuse factor in a J2EE environment is as high as that expected in a SOA. One main difference between the objects of a J2EE architecture and the services of a SOA is that distributed objects lack an explicit contract: they only define an interface. From the conceptual point of view, objects are passive and can be used by any other object; they do not commit their functionality to other objects the way services do. It is possible to implement a SOA with J2EE.
Comparison of Basic Security Strategy
Security by Obscurity Strategy
The basis of the first fundamental strategy is stealth: if no one knows that an organization's information assurance (IA) baseline and Critical Objects exist, they cannot be targeted. The intent is that sufficient security can be achieved by hiding an organization's automated capabilities and the access paths to them, or at least by not advertising their existence. IA does make use of stealth to a certain extent. However, the extent to which organizations now expose their automated capabilities to customers and prospective customers over public networks makes this strategy, on its own, neither practical nor realistic.
The Perimeter Defense Strategy
This strategy is a more concentrated effort of defense and is predominantly technical in nature. It focuses on threats from those outside the bounds of the authorized users of the organization's IA baseline and Critical Objects. The organization's IA capabilities are concentrated in a "zone" or "border" of defense between the "insiders" and the "outsiders." The strategy has been compared to the Maginot Line, the fortified border France built against Germany between the World Wars: strong where it faced the expected attacker, and bypassed by an attack that came around it. An example of this concentrated strategy is a firewall device connected both to the Internet (i.e., outside) side of the organizational border and to what is considered the organization's own trusted internal network. The corresponding weakness is that a pure perimeter does nothing about threats that originate inside the border, or that have already crossed it: a compromised workstation or a malicious insider is on the trusted side of the firewall.
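As an added example that is not part of the original article, the perimeter stance described above expressed as an nftables ruleset for the border device. The unrestricted inside-to-outside rule the pure perimeter model implies is shown disabled, next to the egress and DMZ rules a practitioner would add because the border alone does nothing about traffic that starts on the trusted side. The interface names, address ranges and the web server address are assumptions made for this illustration.

```nftables
# Added illustration, not code from the original article.
# Assumptions (not from the text): eth0 faces the Internet, eth1 faces the
# trusted LAN 10.0.0.0/8, eth2 faces a DMZ 172.16.0.0/24 that holds the
# organization's public web server at 172.16.0.10.

flush ruleset

table inet border {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions the firewall has already seen are allowed back;
        # packets that belong to no known connection are discarded.
        ct state established,related accept
        ct state invalid drop

        # Outside -> DMZ: only the published service; nothing else from eth0.
        iifname "eth0" oifname "eth2" ip daddr 172.16.0.10 tcp dport { 80, 443 } accept

        # The pure perimeter stance: anything that starts inside is trusted.
        # This is the Maginot-Line weakness: a phished workstation or a rogue
        # employee gets unrestricted reach to the Internet. The line is left
        # disabled and replaced by the egress rules that follow.
        # iifname "eth1" oifname "eth0" accept

        # Inside -> outside: an explicit allow-list of the protocols the
        # business needs, and a log line for everything else so that a
        # beaconing implant shows up in the firewall log.
        iifname "eth1" oifname "eth0" udp dport 53 accept
        iifname "eth1" oifname "eth0" tcp dport { 53, 80, 443 } accept
        iifname "eth1" oifname "eth0" log prefix "egress-denied: " drop

        # Inside -> DMZ: administrators reach the web server on SSH only.
        iifname "eth1" oifname "eth2" ip daddr 172.16.0.10 tcp dport 22 accept

        # DMZ -> inside: never. A compromised public server must not become
        # a springboard into the trusted network.
        iifname "eth2" oifname "eth1" log prefix "dmz-to-lan-denied: " drop

        # DMZ -> outside: let the web server fetch updates, nothing more.
        iifname "eth2" oifname "eth0" tcp dport { 80, 443 } accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # The firewall's own management plane is reachable from the LAN only.
        iifname "eth1" tcp dport 22 accept
        icmp type echo-request limit rate 5/second accept
    }
}
```

Load it with `nft -f border.nft` and inspect the result with `nft list ruleset`. Rule order matters: the `ct state established,related accept` line comes first so that the DMZ server's replies to an administrator's SSH session pass, while the later DMZ-to-LAN drop still catches any connection the DMZ host tries to initiate on its own.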
Comparison between 20 free IT Governance Tools from Cobit, ITIL to ISO27001

Comparison between 20 IT Governance Tools, from COBIT and ITIL to ISO 27001. The comparison is taken from the paper "IT Governance: Reviewing 17 IT Governance Tools and Analysing the Case of Novozymes A/S" by Michael Holm Larsen. Most of the standards and frameworks listed can be used at no cost.