London 2014: Proceedings - Security Forum


Security Forum Members' Meeting

Objective of Meeting

The members' meeting in London sought to update the status of several key projects, including O-ISM3, risk certification and standards updates, and TNSP. We also undertook a workshop on TNSP to move it forward, in light of changes in the next version of the TOGAF® project. We also held an informal meeting with some of the former Jericho Forum members to revisit the “Need for Data Principles” White Paper, and to see if there was appetite and interest in bringing this forward as a set of data principles.



Vicente Aceituno provided an overview of the O-ISM3 evolution, the currently available publications (the O-ISM3 standard, mapping White Papers showing how to use the O-ISM3 standard with TOGAF, 20 Critical Security Controls, and ISO-27001), and the current status of the project. Beyond the certification development and standard update, possibilities exist to do work regarding industry maturity levels and default maturity levels.

Jim Hietala provided an update on the various risk projects, including the risk survey, changes proposed to the O-RA and O-RT standards, and the conformance requirements for a Certified level of Open FAIR Certification. The standards changes are expected to be submitted in a Technical Corrigendum for member review before year-end, as are the conformance requirements.

Jim Hietala provided an overview of the new initiative regarding marketing of Security Forum work and cybersecurity programs, which is about to commence.


(Joint meeting with the Open Platform 3.0™ Forum)

This was an open discussion about how to express security requirements for Open Platform 3.0. OP3.0 faces challenging issues around data provenance, ownership, and IP, given that data in OP3.0 environments may be added to, passed along, etc., and given the complexities of private data, open data, and combinations of them.

The Security Forum pointed to the Protecting Information White Paper (W142), from the Security Forum, as a resource which describes some of the relevant issues, and which outlines some (but not all) of the needed capabilities.

Traceability of capabilities and traceability of data were mentioned as things that will be needed. Traceability of business value for OP3.0 was also discussed as something desirable for the platform.

Identity exists upstream of the service catalog. Identity requirements include the need for federations of identity between partners, and careful management of entitlements.

There was a discussion about the TNSP project. Pascal’s proposal is that we write a new White Paper which would describe our approach to integrating security and risk into the TOGAF standard (looking backwards to TOGAF 9.1 and forward to future versions of the TOGAF standard). The document would include:

  • Suggested TNSP Part 1 landing ground
  • The anchor points that we suggest and expect will be adopted in the next version of the TOGAF standard
  • The relationship of these to the basic elements of Part 1 (EA Capability, Core Concepts, the ADM, and the Content Framework)
  • A timeline of work done, beginning with integration of Chapter 21 in TOGAF 9
  • A description of future work (including the Part 2 Security Architecture Practitioners Guide, and the security services catalog)
  • A positioning of how risk and security were described in TOGAF 9.1, and how risk and security architecture thinking has moved on (including the need for a more integrated approach)

A new White Paper was proposed: Integrated Risk and Security in a TOGAF Enterprise Architecture. The purpose of this document is two-fold. The first purpose is to provide an update to the (minimal) guidance provided in TOGAF 9.1 regarding security and risk. In this regard, some of the content developed for the Integrating TOGAF and SABSA White Paper will be leveraged. The second purpose is to put a stake in the ground regarding security and risk in future versions of the TOGAF standard, so as to allow the TNSP project team to move forward writing the Part 2 Security Architecture Practitioners Guide (independent of the timeline for the next version of TOGAF).

The consensus of the TNSP members at the London conference was that we should proceed in the near term to produce this White Paper, and should then proceed with development of the Part 2 guide. In the meeting, the group produced a table of contents for the document, with plans for where content from the TOGAF/SABSA White Paper will be integrated, as well as the landing ground summary document.

As a next step, Pascal has offered to produce a draft of this White Paper. The feeling is that it can be produced relatively quickly.


This meeting was hosted by Andrew Yeomans to discuss the Data Principles White Paper.

Consensus was that there is a need for a solid set of data principles, and there was interest among attendees in contributing to it. Jim and John Sherwood have the action to take the set of inputs captured in the meeting and, from them, produce a first draft set of data principles for broader review and input from the Security Forum.


A set of outline items for the proposed TNSP White Paper was produced, and will be incorporated by Pascal.

Next Steps

See above.