General structure of the Taxonomy
It is essential to decide on a structure of standards and to decide which security topics, themes or areas are described in a standard. This is the subject of the so-called ESARIS Security Taxonomy. The Taxonomy is an essential element of the Enterprise Security Architecture for Reliable IT Services (ESARIS) and is shown in Figure 2. The Taxonomy has been developed based on a set of criteria outlined in chapter 1 (called critical success factors). There are a total of 31 areas (and IT Security Standards on the central level). This chapter gives an overview of them, outlines their content and describes their interrelation. The specification of criteria (called critical success factors) is continued here.
There are 31 smaller rounded rectangles in the ESARIS Security Taxonomy, each representing one area and one IT Security Standard. ESARIS and its standards in the Taxonomy are fully modular and structured. The Taxonomy is explained by considering modules at different levels of magnification or detail. There is
- 1 map of the IT Security Standards comprising:
  - 3 groups of IT Security Standards or
  - 6 clusters of IT Security Standards, which in turn comprise in total
    - 31 IT Security Standards that provide
      - a considerable number of security measures.
There are three groups of standards associated with
- genuine IT services, i.e., IT functions generated by hardware and software,
- IT service management services that produce and maintain those genuine IT services, and
- overarching practices concerning the other two groups.
In other words, Group A relates to the primary IT services for users, Group B to the secondary IT management services, and Group C to overarching aspects.
These three groups can be seen in the Taxonomy as follows:
- Group C with the overarching practices (at the top of Figure 3) is formed by the long rounded rectangle and comprises two standard areas (small rounded rectangles). This group and the IT Security Standards it contains are associated with all standards of the other two groups A and B.
- Group B is formed by the long rounded rectangle in the middle and comprises 12 standard areas. This group and the IT Security Standards it contains are associated with general IT management services common to several IT services (Group A).
- The third group (lowest in Figure 3) comprises 17 standards. This Group A and the IT Security Standards it contains are associated with IT services and their functionality.
The separation of technical standards (Group A) on the one hand and IT service management standards on the other (Group B) is a major requirement for using the Taxonomy in the context of an industrialized IT production. All IT services and technical components shall be developed, implemented and managed according to the same unique processes and practices. The relation to common practices of IT service management (ITIL, ISO 20000) is made apparent, although the Taxonomy only deals with aspects of information security. This forms the sixth critical success factor.
The Taxonomy appears clearly structured and understandable for any IT-aware person. This is why IT-related terms are preferably used. Moreover, the lower half of the Taxonomy (Group A) is based on simple principles of IT architecture. It uses a model formerly called the “client-server model”: the users’ equipment is shown on the left; the IT components residing in data centers are shown on the right-hand side, and the network elements are in between. The more complex data center infrastructure is organized into elements of a primary IT stack and a second, supporting one. Boundaries (especially the interface of the data center to the outer networks) are important in terms of security and are therefore defined as extra areas. Note that the lower half contains four areas for four different types of networks because their nature and protection requirements are quite different. The upper half of the Taxonomy (Groups B and C) shows the supporting activities. There is a generalized life-cycle with four areas in the middle. Four more technical disciplines are – due to their importance for IT security – on the right-hand side. Another four disciplines – primarily related to IT security – are on the left-hand side.
Note that there are two important areas: one, concerning the interface to the customer and the other, concerning the relation to suppliers. Such basics form the seventh critical success factor.
Hence, the areas and associated IT Security Standards are clustered as follows (refer to Figure 4). Each cluster comprises several areas. Each area is described thoroughly in the following chapters; references are indicated. The clusters are:
- Risk Management and Certification (◊ described in Section 4),
- Evidence and Customer Relation (◊ described in Section 5),
- Service Management (◊ described in Section 6), and
- IT Service Provisioning (described in Section 7) with the subgroups
  - Networks ◊,
  - Data Center ◊, and
  - Customer and Users ◊.
Note: The interface to the customer does not actually exist, either in ITIL or in security standards, such as ISO/IEC 27001/27002 and ISO/IEC 27017. For instance, sales, deal management, migration activities and provider-customer relationships in Service Delivery Management during Operations do not exist in ITIL. The ISO security standards do not offer guidance for managing a customer-provider relationship in these phases. For further details, please see the following.
This organization into six clusters is primarily service-oriented.
A second clustering of the 31 areas or IT Security Standards is shown in Figure 5:
- Evidence and Presentation ◊,
- Design and Management ◊,
- Workplace and User LAN ◊,
- Network and DC Access ◊, and
- Computing Services ◊.
This organization of the IT Security Standards uses five clusters. Its clusters do not overlap, and it is strictly purpose-oriented.
These examples of clusters and their explanation emphasize another principle of the Taxonomy. Areas which are related to each other are near one another in the above figure; if areas are not in close proximity to one another within a group, they have a lower degree of interrelation. This all leads towards the formation of the eighth critical success factor.
IT and information security are subject to development and change. New innovative technologies and practices arise, and the threat landscape changes as well. This requires continuous modification and improvement of the security measures (technical, procedural, personnel). The ninth critical success factor is therefore to keep the Taxonomy as stable as possible over time while the underlying security standards change.
It has been mentioned that the Taxonomy is used to organize the security standards on the central level and at least the next one below. The central level standards (IT Security Standards) play a major role, since they are utilized by the supplying and consuming party for discussing, negotiating and contractually agreeing on information security. That’s why this level constitutes the so-called ESARIS Orchestration Layer. As a consequence and in order to create a unique whole, the structure and diction of the IT Security Standards is standardized.
Each IT Security Standard is organized as follows (refer to Figure 6):
- general context and the situation (*),
- security problems, issues or threats,
- the origin of requirements, the security goals (*),
- subject and scope,
- dependencies (*) and limitations,
- security measures (characteristics, features etc. with specification of the measure/control itself plus an implementation guidance and a short rationale),
- deviations, exceptions,
- literature, and
This structure incorporates concepts from ISO/IEC 15408 for the development of a so-called security target.
The items marked with an asterisk (*) are outlined throughout this document. Note that the description of the security goals already provides information on the solution specified in each IT Security Standard, because the security measures must be suitable for meeting the security objectives.
The core part of each IT Security Standard is the security-measure specification elaborated on in chapter 4 (see Figure 6). An example of a security measure is depicted in Figure 7. The measure is specified by stating a fact; there is no “must”, “have to”, “should”, or “shall”. This avoids confusion and redundant inquiries from users, and keeps the focus on the actual content.
The security measures shall cover all aspects of information security related to IT service provisioning. This means the measures cover:
- measures of protection (directly generating security by counteracting a threat, i.e., closing a vulnerability, reducing the likelihood of a real impact or even decreasing the impact),
- measures of detection (providing information about the “measures of protection”, threats and successful attacks, malicious activity, suspicious activity, misuse and the like), and
- measures of reaction (course of action to remediate vulnerabilities, mitigate risks or reduce impacts).
It is important to specify all three types of security measures in one set of documents. This requirement provides the tenth critical success factor.