
“ There is a new natural resource, and it is Data ” Ginni Rometty CEO IBM Lisbon Council 2013.

Date post: 02-Jan-2016

“ There is a new natural resource, and it is Data ”

Ginni Rometty, CEO IBM

Lisbon Council 2013

“ … it needs common data standards and the free flow of data ”

Ginni Rometty, CEO IBM

Lisbon Council 2013

Every natural resource has a process for managing and governing its flow

OBASHI does this for data

“Organizational communication and data flows are mapped”
NIST Cybersecurity Framework ID.AM-3

“A baseline of network operations and expected data flows for users and systems is established and managed”
NIST Cybersecurity Framework DE.AE-1

Framework for Improving Critical Infrastructure Cybersecurity
U.S. National Institute for Science & Technology
February 12, 2014
Version 1.0

Who is talking about flow - NIST

Payment Card Industry Security Standards Council - 2015

“1.1.3 Current diagram that shows all cardholder data flows across systems and networks.”

OBASHI puts your card holder data-flows in context

Who is talking about flow – PCI SSC

IBM has started talking about flow

What is OBASHI?

A whistle stop overview

OBASHI is...

... a methodology

... a professional accreditation

... a fully scalable software product

OBASHI Methodology

A framework for mapping and modelling:

• People
• Process
• Technology

Increased context for assets and resources:

• Makes decision making clearer
• Creates the proof for budgetary investment
• Visibility of weaknesses and vulnerabilities

Infrastructure – Routers, Switches, Hubs etc.

Hardware – PC, Servers etc.

System – Windows 2000, Windows NT, etc

Application – Excel, Sage or bespoke software

Business Process – Monthly Balance

Owner – Accounts

The OBASHI Framework …

…generates B&IT Diagrams

Dataflow Analysis View

OBASHI - Core principles

1. The understanding of the flow of data is fundamental to an organization’s financial well-being.

2. Business resources (which include human resources) and IT assets are either providers of data, consumers of data, or they provide the conduit through which the data can flow.

3. IT exists for one reason, namely, to enable the flow of data between business assets.

4. Business risk cannot be fully assessed qualitatively or quantitatively unless the cause and effects of interruptions to a flow of data, or changes to any data contained in that flow of data, have been evaluated in the context of the flow of data in question.

5. A data security model cannot be fully assessed unless the cause and effects of interruptions to a flow of data, or changes to any data contained in that flow of data, have been evaluated in the context of the flow of data in question.

Excerpt From: “The OBASHI Methodology.” v1.0. iBooks

Published by The Stationery Office

Specialising in publishing official and regulatory information, The Stationery Office is the Government’s printers.

All Government Best Management Practice is published by TSO.

A little background

Understanding Dataflow is becoming mainstream

Major international bodies now recognise that understanding how an organisation's data flows is a fundamental requirement

• NIST ( ID.AM-3 & DE.AE-1)

• PCI DSS v3 ( requirement 1.1.3)

• Basel 3 (Creation of Dataflow charts is a 'supervisory expectation')

• CDCAT - Cyber Defence Capability Assessment Tool, UK MoD / DSTL / Ploughshare Innovations Ltd. (APMG)

• European Commission: EU-US data flow discussions separate from TTIP negotiations http://ow.ly/KI10c (Law, Insurance, Politics, Human Rights, Security/Defence)

• UCAS

We believe this is just the start and more will follow....

Certified Information Security Manager (CISM)

• ISACA revised course work documentation now includes OBASHI

• OBASHI officially recognised as an alternative to other Architecture Frameworks

• Understanding how your business architecture is connected is fundamental

“As I create the support documentation I constantly refer back to the updated B&IT as the single reference document to allow me to create the simplistic support diagrams. Without the B&IT this task would involve network diagrams, spreadsheets and word documents, all of which have their place – but the B&IT provides a multi-dimensional view of the estate that is far simpler and quicker to navigate on a single diagram.”

“From my point of view, the B&IT diagram that was done before I arrived allowed me to easily see the relationships with business processes and the systems, hardware and infrastructure in use. This context is critical when it comes to the security aspect of software revision level and network segmentation. I have created simple traditional network diagrams to include in some of the support documentation, but these are purely functional diagrams and lack the subtleties of layering that the OBASHI B&IT provides.”

– Alan Goodall, Project Manager, Flight Centre (UK)

– Alan Goodall, Senior Project Manager, Flight Centre (UK)

“The defining of the data flows really showed how poor our understanding of our own system was. Box A talks to Box B and writes to Box C is easy to draw on a diagram, but it is tricky to include each component, down to switch level, and how this flow interacts with multiple other components.

In terms of PCIDSS compliance this is extremely important for identifying security considerations – such as data at rest, or vulnerable processing servers, or other unrelated services that might interact unintentionally – and this then provides the information required to know whether patching, segregation, or whatever is required. In short – the DAVs make processes explicit and communicable in a way that removes doubt and speculation.”

Where OBASHI is used...

Key Messages

OBASHI puts business policies in context and is the practical method for implementing them.

With OBASHI you create a simple visual map, a holistic view, which shows:

• how your business works
• the assets and resources that make it work
• the inter-dependencies between your people, processes and technology

Uniquely, with OBASHI you can model the flows of data that make up your business, applying cost/value and risk attributes.

With OBASHI you create clarity, enabling IT and business people to have a shared vision and a clear understanding of how the business works, and how data flows around it.

With OBASHI, better, more-informed decisions can be made about cyber security, risk, investment and other key business drivers.

Professional Accreditation

Accreditation, certification and qualifications are growing in importance globally, as more organisations and individuals seek to demonstrate their capability and competence.

Through a global network of Training Organisations, APMG act as international accreditors for The OBASHI Methodology.

www.obashi.co.uk

