Security Forum : Newsletters

As part of enhancing how The Open Group communicates with members and other interested parties, we will be periodically publishing a newsletter on our security activities. Questions about any of our security-related programs or activities can be directed to Jim Hietala or Ian Dobson.

Open Group Security Newsletter, Nov. 2010

In this edition:

Security Forum Projects Update

ISM3 standard: This project is working to publish ISM3 as a technical standard for information security management. Current status of the project is that all change requests have been approved, and the draft standard is nearly ready for submission to The Open Group governing board for approval to publish as a standard. We expect follow-on efforts to describe maturity models, and to explore certification possibilities.

TOGAF and SABSA project: This project, which is being done collaboratively with the SABSA Institute, Security Forum, and Architecture Forum, is working to align the SABSA and TOGAF frameworks, and has a goal to publish a white paper describing how the frameworks can be used together. Estimated date for delivery of the white paper is some time after the San Diego conference.

Enterprise Security Architecture update: This project is very close to having an updated and revised final ESA document to publish.

XDAS update: After being a little dormant, there has been renewed activity on updating XDAS, with document drafts of several chapters newly available on the project site. Interest is being fueled by convergence with the Cloud Security Alliance and their A6 draft standard.

Automated Compliance Expert Markup Language standard: The ACEML project team is working through change requests from the company review process. After these are complete, the draft standard will be ready for submission to The Open Group governing board for approval to publish as a standard.

Risk Management project: The third publication in our risk management series, a cookbook guide showing how to use the Risk Taxonomy Standard with ISO27005, has been approved and is now available on our publications site here.

Secure Mobile Architecture standard: The project continues to evolve the draft standard, having created a new draft .7 document, available from the project web page. The current schedule estimates final review of SMA occurring in July, 2011.

For more information on these and other current projects, please visit the individual project pages, accessible to members by logging in from this page.

Amsterdam Security Conference and Forum Meetings Recap

Note: All conference presentations can be downloaded at:

Andrea Servida, Deputy Head, Internet: Network and Information Security, EC, delivered a presentation on "Modernizing Network and Information Security Policy in Europe".

Andras Szakal, IBM, provided a presentation which introduced the newly formed Trusted Technology Forum. This new Open Group forum has created the Trusted Technology Provider Framework, which seeks to identify a set of best practices in use by technology manufacturers that help produce trusted technologies. The TTF will also explore certification programs for suppliers. 

Nick Mansfield, security consultant to the OECD, presented an overview of what many of the OECD nations are doing with respect to information security policies.

Lars Minth, Chief Architect, Swiss Army, gave a case study presentation on using ISM3 to gain management acceptance for the information security function. The Swiss Army reviewed available security frameworks and came to the conclusion that ISM3 best met their objectives.

David Janmaat, Deloitte, gave a presentation describing how Governance, Risk, and Compliance relate to and can be used to improve information security management. 

Monday afternoon wrapped up with two security architecture presentations. The first, by Bob Weisman, CEO of Build the Vision, described his methodology for reflecting security requirements in TOGAF, and developing relevant security artifacts when designing architectures using TOGAF. The second presentation was from John Sherwood of the SABSA Institute. John provided an overview of SABSA, and he described the progress being made by the joint TOGAF/SABSA workgroup to better align these frameworks.

Tuesday morning saw an ISM3 workshop, presented by Vicente Aceituno.

The Security Forum also held joint meetings with the Real Time Forum on Secure Mobile Architecture, with the Cloud Computing workgroup on the cloud security reference architecture, and with the Architecture Forum on TOGAF & SABSA integration.

News from the Jericho Forum

The Jericho Forum has now become a regular forum of The Open Group.

Jericho Forum founding board member Paul Simmonds was quoted prominently in Financial Times "Risk Management" special supplement Tues Nov 9th 2010 article "The rats that gain access by their click of a mouse", where Paul explains how the impact of the Stuxnet worm is the result of a flawed approach to security. You can read the article by registering free with the FT (allows up to 30 free downloads per month).

Have you looked at the Jericho Forum Blog "Another Brick from the Wall - Leadership thoughts", hosted by ComputerWorld UK? See the latest blog, titled "'Zero network trust' should mean exactly what it says - another security principle that is being misunderstood".

To contribute to the Jericho Forum blog, send your blog to Ian Dobson.

CW+ features selected Jericho Forum published papers

Search on "CW+ Jericho" to see leading Jericho Forum position papers featured as a major addition to ComputerWorld's CW+ library of reference papers. More additions are planned in this series. CW+ managing editor Bill Goodwin advises that the "Vision" paper already figures as one of the highest download hits in the CW+ library.

The next Jericho Forum members meeting (in London on November 25th 2010) features 2 guest experts from IBM on Identity and Access Management - IAM expert Andreas Wespi from IBM Zurich Research Labs, and Global IAM Competency Leader Mari Heiser from San Francisco. With such strong IBM experts joining our Jericho Forum member experts, this promises to be an especially compelling meeting. Numbers are limited so if you haven't yet registered to attend, avoid disappointment by doing so without delay by email to Ian Dobson (

Call for Speakers, San Diego and London Conferences

Our next two conferences and members meetings will be held in San Diego (February 7-11) and London (May 9-13). The presentation proposals site for these upcoming Open Group Conferences is open for submissions and can be found here.

Our conferences feature information security plenary and track sessions, and we are encouraging presentation submissions on these topics and themes:

San Diego Theme: Cybersecurity: Frameworks for Building Trust

Cybersecurity has become a “front and center” issue for IT organizations in every industry around the globe. Security of our cyber-connected infrastructure is critical to many aspects of our daily life - water, electricity, gas, oil, transport, telecommunications, food, health, government, security services (police, military), financial banking services, and more – most of which depend on IT systems to control and deliver them.

All of these rely on reducing the risks, vulnerabilities and threats to our IT systems and the Internet, to achieve adequate cybersecurity.

The San Diego conference will broadly explore trust, frameworks, and their impact upon cybersecurity.

Presentation proposals are solicited in the following specific areas for San Diego:

  • Building Trusted Solutions: Frameworks to Build Trust
  • CyberSecurity: Government and Legal Considerations
  • CyberSecurity: The Connection to Architecture and Information Security Management
  • Identity Management Frameworks
  • Compliance, Risk Management, and Audit
  • Approaches to Assurance with Sufficient Evidence
  • Cloud Security and Security Architecture

Presentation proposals will be considered for both plenary sessions and tracks. Marketing and product pitches are prohibited in presentations; exhibit space is available for that purpose. Submissions not meeting these guidelines risk rejection without consideration of their merits.

The London theme is to be determined, but we welcome presentation proposals on a broad variety of topics.