The SMI Characteristics tree has a multi-level structure, with up to three levels of detail under each main characteristic.
Refers to the ease with which a Service can be restored to a normal operational state by common means (such as existing knowledge, manuals, and techniques).
Refers to the ability for the service provider to make modifications to the service to keep the service in a condition of good repair.
Refers to the time it takes the service provider to repair identified issues and return the service to an operational state.
Refers to the degree to which a service maintains uninterrupted availability due to risk and mitigation planning.
Refers to the percentage of time that the service is available and in the expected state of operation.
Reflects a measure of how a service operates without failure under given conditions during a given time period.
Refers to the degree to which the service is resistant to change, deterioration, or displacement.
The degree to which a service can return to its authorized configuration state after a planned or unplanned event.
The degree to which a service is able to resume a normal state of operation after an unplanned disruption.
The ability to identify the cause of a service's particular behavior within a stated degree of certainty and time.
Functionality is a measure of the appropriateness, completeness, and accuracy of the service; it is a measure of how suited the service is to its purpose.
A measure of the service's ability to fulfill its intended purpose.
Refers to the ability of a service to provide accurate information.
A measure of how capable a service is of being subjected to a set of tests and coming up with similar results.
Refers to the ability for services to operate effectively together, and their ability to support other or existing systems in the organization.
Refers to whether a change to a service, such as a new feature or component, adheres to its previous external interfaces while modifying only its internal behavior.
Refers to the ability of the service to make a discernible difference in achieving an identified purpose or outcome.
Refers to the ability of the service to support a specific business strategy, objective, or outcome.
Reflects the ability of the service to execute specific tasks without waste.
The time taken to execute a given function delivered by the service.
Measures the use and source of energy and materials that comprise the service, against the goal of minimizing environmental impact and preserving resources.
Denotes the ease with which the Service can be used to achieve a specific goal.
Refers to the degree to which a service can be put in working order, with minimum risk, through the automated configuration of its components.
Refers to the nature of a service to support a set of features that is easy to adopt in the everyday course of a specific set of job requirements.
Refers to how easy it is to use the functionality provided by the service.
Refers to the ability of a service to achieve the expected behavior under a given set of circumstances.
Denotes the ability to successfully build and enter into a legal arrangement with a provider in a timely manner.
Capability is the set of features and functions that make up the service functionality and describe the service. These characteristics vary with the capabilities of the specific service or service category.
Awareness and Visibility measures the impact of the service upon the organization's insight into its IT operations.
Portability refers to the relative ease with which the organization's data, applications, processes, or procedures can be transferred from one service to another like service.
Refers to the ability of an organization to move from one provider of a service to another provider of the same service easily, with little or no impact to business operations.
The use of abstracted services, from either an internal or external service provider, can affect the ability of the organization to rapidly respond to business events.
A highly desirable feature for many services is the ability to expand capacity on demand, either through a manual request or an automatic process. Additionally, the ability to scale down resource use and reduce the operations expense is also desirable.
Provider risk is a collection of existential risks related to the service provider, and the manner in which they conduct business.
Refers to the consistency and likely continuity of the service provider, and consists of capacity, financials, organizational structure and processes. Other stability issues, such as quality assurance and performance, are dealt with separately within the scoring process. Financially under-performing organizations are more likely to suffer service disruptions due to inability to contract or fulfill payments to vendors, inability to attract or retain personnel, and inability to increase the scale of operations to respond to changing customer needs. Smaller organizations in emerging markets are often the target of merger and acquisition activity, the results of which may be increased stability at the cost of strategic or price risk, and a possible period of service instability during integration.
Refers to the risk that the service provider does not hold appropriate industry-standard certifications for IT security and operations. Typical certifications would be ISO/IEC 27001, PCI DSS and SAS 70 (superseded in 2011 by SSAE 16 / SOC reports). Service providers that hold current certifications can be expected to be less risky than those that do not, because they have a number of documented controls covering the scope of the certification that are audited by third-party organizations. Note that a certification only attests to controls within its stated scope; the customer should confirm that the scope actually covers the service being consumed.
Refers to the risk that the service provider, regardless of whether they are an internal or external provider, does not provide the full spectrum of required service level commitments within their SLA and/or does not provide easily accessible and current metrics that can be used as performance indicators of the required service levels. All the important requirements of a service must be identified within an SLA, together with a description of the metrics used to prove that the service level is being met. Access to these metrics (programmatic or via web portals) must be convenient for the customer so that they can verify that the service levels are continually being met over time.
A service provider may outsource certain specialized tasks of its 'production' chain to third parties. In such a situation the security and reliability of the provider may depend on the security and reliability of each link in the chain and on the degree of the provider's dependency on those third parties. Any interruption or corruption in the chain, or a lack of coordination of responsibilities between the parties involved, can lead to unavailability of services; loss of data confidentiality, integrity and availability; economic and reputational losses due to failure to meet customer demand; violation of the SLA; cascading service failure; and so on.
Refers to the manner in which the service provider conducts business; it includes business practices and ethics outside the scope of regulatory compliance. Ethicality includes fair practices with suppliers, customers, and employees.
Includes the full breadth of legal and regulatory compliance, and the ability of the organization to meet and demonstrate adherence.
Refers to the risk that the service provider [1] cannot provide documentation of the IT controls that are provided within the service and a description of how they are tested, [2] cannot provide easily accessible and verifiable data that represents the current and historical results of testing those controls, or [3] will not support regularly scheduled customer internal and external audits of the controls.
Refers to the risk of theft, fraud or misuse of the services or data because employees, contractors and third-party users are not suitable for their roles. Security positions within a service provider should have adequate job descriptions, hiring and termination processes, and terms and conditions of employment appropriate to sensitive positions. In particular, all security personnel should be adequately screened on hiring and thereafter on a regular basis. In addition, security personnel who cover 24x7 operations should be trained and certified as IT security professionals.
Refers to the risk of unauthorized physical access, damage, and interference to the service provider’s premises and information. Critical or sensitive information processing facilities should be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They should be physically protected from unauthorized access, damage, and interference. The protection provided should be commensurate with the identified risks.
Refers to the risk of incorrect or insecure operation of the service's IT facilities. The IT management responsibilities of the service provider and the customer must be clearly defined, in function and in coordination where needed. The service provider must provide the customer with the required management interfaces, capabilities and processes so that the customer can effectively manage its responsibilities for the service (this involves logging, monitoring of logs and the security of logs). Cloud architectures necessitate certain roles which carry extremely high risk, so segregation of duties controls should be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse by malicious insiders.
Refers to the risk that there is inadequate control over the access to the service and data within the service appropriate to the customer’s security policy and regulatory requirements. An access control policy, which involves both the service provider and the customer, with the required associated controls, should be agreed, documented, and reviewed regularly. Access control rules and rights for the service provider and customer user groups should be clearly stated in an access control policy. Access controls are both logical and physical and these should be considered together. This includes: user access management, network access control, o/s access control, application access control, data access control, mobile access control, and so on.
Consists of the measures in place that protect the customer's data. This includes the service provider's adherence to stated policies, geographical or political data location, data ownership, privacy and data loss, and data integrity.
The service provider must have in place a comprehensive set of policies that address the whole of security and data protection, and should have controls in place to ensure the adherence to stated policy. The policy should be available for the customer to review, as well as the demonstrable proof that said policies are being followed on a consistent basis.
The service provider should have an explicit policy for data retention and data destruction. This policy should accommodate the customer's retention time frames required for compliance (e.g. Sarbanes-Oxley or the Gramm-Leach-Bliley Act), be able to extend data retention in response to legal holds, and provide for secure and complete destruction of data once it is no longer required.
The service provider must be able to demonstrate adherence to stated policies. This includes the availability of logs, reports, internal or external audit results, or any other mechanism that provides evidence that the service provider follows published policies and keeps adequate records.
Refers to the risk that customer data may be held in multiple jurisdictions, some of which may be high risk. Data centers may be located in high-risk countries, e.g., those lacking the rule of law or having an unpredictable legal framework and enforcement, autocratic police states, or states that do not respect international agreements. In some cases, due to national regulations, the data is not permitted to leave the geopolitical boundaries of its country of origin.
The data stored, created, or processed by the service may be restricted in use or ownership by the terms of the relationship with the service provider. This may impact the users' ability to meet their objectives, transport or reuse the data.
This is the risk that the service provider cannot [1] detect the loss or leakage of personally identifiable information (PII) due to problems with the service's security and/or processes over the complete life cycle of the data within the service, or [2] will not alert the customer (and hence the potential victims of such a loss) to the details of the loss within a time period appropriate to the regulatory requirements and the remediation required by the customer.
Data integrity refers to the validity and consistency of the data stored, created or processed by the service, the fitness for use of that data, and the confidence that can be placed in it.
Refers to those expenses which are incurred by the service subscriber at the time of initial delivery.
Refers to those expenses (e.g. subscription prices) which are incurred by the service subscriber to maintain their entitlement to the service on a recurring schedule.
The direct indicator measurement for the cost of the service.
Copyright © 2012 CA.
All rights reserved.