SAAG Working Group                                                 K. Li
Internet-Draft                                             Alibaba Group
Intended status: Standards Track                            Mar 20, 2016
Expires: September 21, 2016


                      Data Security Maturity Model
             draft-li-saag-data-security-maturity-model-00

Abstract

   The Data Security Maturity Model (DSMM) provides a multi-level
   maturity model to help organizations measure their data security
   capability maturity level, identify issues related to their data
   security capability, and improve that capability.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 21, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents



Li                     Expires September 21, 2016               [Page 1]

Internet-Draft                    scjwt                         Mar 2016


   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
     1.1.  Notational Conventions  . . . . . . . . . . . . . . . . . . 3
   2.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3.  Maturity Level  . . . . . . . . . . . . . . . . . . . . . . . . 4
   4.  Model Framework . . . . . . . . . . . . . . . . . . . . . . . . 4
   5.  Data Lifecycle  . . . . . . . . . . . . . . . . . . . . . . . . 4
   6.  Capability Dimension  . . . . . . . . . . . . . . . . . . . . . 5
   7.  Assessment Method . . . . . . . . . . . . . . . . . . . . . . . 6
   8.  Model Domains . . . . . . . . . . . . . . . . . . . . . . . . . 6
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
   10. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
   11. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 6
   12. Normative References  . . . . . . . . . . . . . . . . . . . . . 6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 7


1.  Introduction

   The overall goal of the Data Security Maturity Model (DSMM) is to
   provide a multi-level maturity model that helps organizations solve
   the problems of data security management in the big data era,
   including:

   o  How to build an organization's data security capability

   o  How to measure the data security capability maturity level of an
      organization

   o  How to identify issues with data security capability

   o  How to improve the data security capability of an organization

1.1.  Notational Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in RFC
   2119 [RFC2119].


2.  Overview

   The DSMM is a process management and improvement maturity model for
   the development and management of data security services.  It
   consists of best practices that address the security issues in the
   lifecycle of data management from creation to delivery and
   maintenance.  The practices related to the DSMM model are extensible
   and applicable to any organization's objectives.  The model presents
   an organized set of practices and goals necessary for data security.

   The DSMM defines the requirements for organization responsibilities,
   institution processes, technology tools, and staff skills that ensure
   data security management in an organization.  It does not describe
   how organizations must do something, but rather what they must do in
   order to achieve a high capability or maturity of data security
   management.  By providing a structured and standard framework of
   practices, the DSMM can be used by organizations to build their own
   roadmap for data security maturity management.  The DSMM has an
   accompanying standardized methodology for conducting objective
   appraisals of capability and maturity levels within an organization's
   data security management practice.

   The DSMM applies to all kinds of organizations, including industry
   enterprises, governments and research institutes.






Li                     Expires September 21, 2016               [Page 3]

Internet-Draft                    scjwt                         Mar 2016


3.  Maturity Level

   The Data Security Maturity Model defines 5 maturity levels, as
   described below:

   o  Level 1: Performed Informally

   o  Level 2: Planned and Tracked

   o  Level 3: Well Defined

   o  Level 4: Quantitatively Controlled

   o  Level 5: Continuously Improving


4.  Model Framework


           /- - - - - - - - - - - - - - - - -/- - -/ - -/- -/ - /- - /|
          /              Staff Skills       /  D  / D  / D / D / D  / |
         /- - - - - - - - - - - - - - - - -/  a  / a  / a / a / a  /  |
        /           Technology Tools      /  t  / t  / t / t / t  /   |
       /- - - - - - - - - - - - - - - - -/  a  / a  / a / a / a  /    |
      /       Institution Process       /     /    /   /   /    /     |
     /_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _/     /    /   /   /    /      |
    /  Organization Responsibilities  /     /    /   /   /  D /       |
   /_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _  /     |    |   |   |  e /        |
   |Level 5: Continuously Improving   |    |    |   |   | s |        /
   |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ | C  |    |   | T | t |       /
   |Level 4: Quantitatively Controlled| r  | S  |   | r | r |      /
   |- - - - - - - - - - - - - - - - - | e  | t  |   | a | u |     /
   |Level 3: Well Defined             | a  | o  |   | n | c |    /
   |- - - - - - - - - - - - - - - - - | t  | r  | U | s | t |   /
   |Level 2: Planned and Tracked      | i  | a  | a | m | i |  /
   |- - - - - - - - - - - - - - - - - | o  | g  | g | i | o | /
   |Level 1: Performed Informally     | n  | e  | e | t | n |/
   |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |_ _ |_ _ |_ _| _ |_ _/

   Figure 1 Model Framework


5.  Data Lifecycle

   The high-level descriptions of the data lifecycle phases are:

   o  1) Data Creation: Data creation is the generation of new digital
      content, or the significant alteration/updating of existing
      content, either structured or unstructured.

   o  2) Data Usage: Data usage refers to the series of activities
      performed on active data.

   o  3) Data Transmission: Data transmission refers to the process by
      which data flows from one entity to another through the network.

   o  4) Data Storage: Data storage refers to inactive data, which is
      stored physically in any digital form.

   o  5) Data Sharing: Data sharing refers to the exchange of data
      between organizations, customers and partners.

   o  6) Data Destruction: Data destruction refers to the process of
      permanently or temporarily making the data unavailable using
      physical or digital means (e.g., crypto-shredding, freezing data
      under business context).


6.  Capability Dimension

   The DSMM model defines the organization's capability in four
   dimensions, namely:

   o  1) Organization Responsibilities: The first and most important
      capability the organization should build is its data security
      organization, including its function, responsibilities and
      security consciousness.  It addresses the need to drive
      organizational data security management through a top-down
      effort; in this way, organizations can be open and transparent,
      break down silos and get internal teams to collaborate.  It is
      important to get executive support to champion data security
      adoption from the top down.

   o  2) Institution Process: This capability involves the creation of
      processes.  This means that organizations need to put processes
      and frameworks in place to operationalize data security
      management internally and externally.  It enables tight
      collaboration between different teams and entities such as legal
      teams, IT, crisis PR, various business units and external
      business parties.

   o  3) Technology Tools: Organizations have to invest in security
      technology to support the data security controls they employ,
      especially in the current big data era.  Manual controls or
      management controls have proven inefficient.  One of the
      challenges within this capability is that there are many
      technologies to choose from, so organizations need to think
      strategically and assess properly before investing.  Ensuring
      that the technology can scale and integrate with the applications
      that already exist in the enterprise is imperative.

   o  4) Staff Skills: Organizations have to educate their staff through
      security awareness training and improve their security skills.


7.  Assessment Method

   The DSMM model uses a bottom-up method to assess and determine the
   data security maturity level of an organization.  Each domain in a
   data lifecycle phase should be assessed and given a single maturity
   level as the assessment result of that domain.  Then, the minimum
   level of these domains is taken as the assessment result of the data
   lifecycle phase.  Finally, the minimum maturity level of all 6 data
   lifecycle phases is the overall maturity of the organization.
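   The bottom-up aggregation above, as an added example that is not part
   of this draft: it takes one level per domain in each of the 6
   lifecycle phases, applies the two minimum steps, and also reports
   which (phase, domain) pairs sit at the limiting level, since those
   are the issues to address first.  The domain names are hypothetical
   placeholders (Section 8 is still TBD), and the sample assessment is
   constructed.

```python
# Added example, not from the draft: DSMM bottom-up assessment (Section 7).
# Each domain in a lifecycle phase gets one level in 1..5, a phase takes the
# minimum over its domains, and the organization takes the minimum over all
# 6 phases. Domain names below are hypothetical; Section 8 of the draft is TBD.

LIFECYCLE_PHASES = (
    "Data Creation", "Data Usage", "Data Transmission",
    "Data Storage", "Data Sharing", "Data Destruction",
)
LEVEL_NAMES = {
    1: "Performed Informally", 2: "Planned and Tracked", 3: "Well Defined",
    4: "Quantitatively Controlled", 5: "Continuously Improving",
}

def phase_level(domain_levels):
    """Maturity of one lifecycle phase: the minimum over its domain levels."""
    if not domain_levels:
        raise ValueError("a phase must have at least one assessed domain")
    for domain, level in domain_levels.items():
        if level not in LEVEL_NAMES:
            raise ValueError(f"{domain}: level {level!r} is not in 1..5")
    return min(domain_levels.values())

def assess(assessment):
    """assessment: {phase: {domain: level}} covering all 6 phases.
    Returns (overall_level, limiting), where limiting lists the
    (phase, domain) pairs whose level equals the overall level."""
    missing = [p for p in LIFECYCLE_PHASES if p not in assessment]
    if missing:
        raise ValueError(f"unassessed lifecycle phases: {missing}")
    per_phase = {p: phase_level(assessment[p]) for p in LIFECYCLE_PHASES}
    overall = min(per_phase.values())
    limiting = [(p, d) for p in LIFECYCLE_PHASES
                for d, lvl in assessment[p].items() if lvl == overall]
    return overall, limiting

# Constructed sample assessment with placeholder domain names.
SAMPLE = {
    "Data Creation":     {"Classification": 3, "Access Control": 4},
    "Data Usage":        {"Classification": 3, "Access Control": 3},
    "Data Transmission": {"Encryption": 4, "Access Control": 3},
    "Data Storage":      {"Encryption": 3, "Access Control": 4},
    "Data Sharing":      {"Classification": 2, "Access Control": 3},
    "Data Destruction":  {"Media Sanitization": 3},
}

if __name__ == "__main__":
    level, limiting = assess(SAMPLE)
    print(f"Overall: Level {level} ({LEVEL_NAMES[level]}); limited by {limiting}")
```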


8.  Model Domains

   TBD


9.  IANA Considerations

   This draft does not require any IANA registrations.


10.  Security Considerations

   TBD.


11.  Acknowledgements

   TBD


12.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
              RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.


Author's Address

   Kepeng Li
   Alibaba Group

   Email: kepeng.lkp@alibaba-inc.com