Frameworks

Framework

Oman eGovernance Framework is a set of standards / best practices and process management systems to enhance the delivery of Government Services in alignment with the Mission of ITA. The framework spells out the rules and procedures that ensure that Government IT projects and systems sustain and extend ITA’s strategies and objectives. It is also intended to provide assurance about the value of IT, provide a framework for the management of IT-related risks, and put in place controls to minimize risks and better deliver IT initiatives.

OGEAF - OMAN Government Enterprise Architecture Framework

The Oman eGovernment Architecture Framework (OeGAF) serves as a guide to the development, deployment and operations of Information Systems of the Oman Government entities. OeGAF contains the principles, strategies and building blocks that support the goals of the government. The architecture can direct the selection, use and operation of technologies needed to support government business requirements and delivery of services. The architecture can reduce the time and cost of deploying applications, while making it easier to integrate information and services.

OeGAF shall help the Government to act as an “Integrated Enterprise” and manage IT as a strategic investment.

OeGAF consists of four main architectures as follows:

(a) Business Architecture

(b) Solution Architecture

(c) Information Architecture

(d) Technical Architecture

Each of these architectures has a corresponding Reference Model. Each Reference Model describes a framework to define and organize the architecture elements.

The Open Group Architecture Framework

The Open Group Architecture Framework, or TOGAF, is intended to provide a structured approach for organizations seeking to organize and govern their implementation of technology, particularly software technology. In that sense, its objective is to employ an encompassing conceptual framework to try to ensure that software development projects meet business objectives, that they are systematic and that their results are repeatable.

TOGAF was created and is maintained by The Open Group, an independent industry association. It builds on an earlier framework known as TAFIM, or Technical Architecture Framework for Information Management, originally devised by the U.S. Defense Dept. In early 2009, The Open Group released TOGAF version 9. The Open Group and others commonly lead TOGAF certification and educational programs today. Typically, enterprise architects lead use of TOGAF within organizations.

TOGAF®, an Open Group Standard, is a proven enterprise architecture methodology and framework used by the world’s leading organizations to improve business efficiency. It is the most prominent and reliable enterprise architecture standard, ensuring consistent standards, methods, and communication among enterprise architecture professionals. Enterprise architecture professionals fluent in TOGAF standards enjoy greater industry credibility, job effectiveness, and career opportunities. TOGAF helps practitioners avoid being locked into proprietary methods, utilize resources more efficiently and effectively, and realize a greater return on investment.

First published in 1995, TOGAF was based on the US Department of Defense Technical Architecture Framework for Information Management (TAFIM). From this sound foundation, The Open Group Architecture Forum has developed successive versions of TOGAF at regular intervals.

Information Technology Infrastructure Library

ITIL is a framework for IT service management that strives for predictable, maintainable services that align with the needs of the corporation or organization. The ITIL (Information Technology Infrastructure Library) framework is designed to standardize the selection, planning, delivery and support of IT services to a business. The goal is to improve efficiency and achieve predictable service levels. The ITIL framework enables IT to be a business service partner, rather than just back-end support. ITIL guidelines and best practices align IT actions and expenses to business needs and change them as the business grows or shifts direction.

ITIL encompasses a framework of five core publications or ITIL books, which are periodically reviewed and updated as technologies change. Each book collects best practices for each major phase of the IT service lifecycle. ITIL Service Strategy explains business goals and customer requirements. ITIL Service Design shows how to move strategies into plans that help the business. ITIL Service Transition shows how to introduce services into the environment. ITIL Service Operation explains how to manage the IT services. ITIL Continual Service Improvement helps adopters evaluate and plan large and small improvements to IT services.

Capability Maturity Model Integration

The Capability Maturity Model Integration (CMMI) project is a collaborative effort to provide models for achieving product and process improvement. The primary focus of the project is to build tools to support improvement of processes used to develop and sustain systems and products. The output of the CMMI project is a suite of products, which provides an integrated approach across the enterprise for improving processes, while reducing the redundancy, complexity and cost resulting from the use of separate and multiple capability maturity models (CMMs). CMMI is the successor to CMM (Capability Maturity Model). Both CMM and CMMI were developed at the Software Engineering Institute (SEI) at Carnegie Mellon University in Pittsburgh, Pa. CMM was developed in the late 1980s, and retired a decade later when CMMI was developed. CMMI v1.02 was released in 2000.

CMM was developed as a result of a study financed by the U.S. Air Force as a way to objectively evaluate the work of software subcontractors. The Department of Defense, concerned over escalating software development costs and issues with quality, established the SEI in the early 1980s, and work on the CMM began in 1988. It was first described in the 1989 book, Managing the Software Process, by Watts Humphrey, director of the software process program at the SEI, and in August 1991 the first version of the Capability Maturity Model for Software (SW-CMM) was published by the SEI. 

The CMM was originally intended to be a tool to evaluate the ability of government contractors to perform a contracted software project. Though it was designed to measure software development, it has been, and continues to be, applied as a general model of the maturity of processes in both IT and non-IT organizations.

The model identifies five levels of process maturity for an organization:

1. Initial (chaotic, ad hoc, heroic): The starting point for use of a new process.
2. Repeatable (project management, process discipline): The process is used repeatedly.
3. Defined (institutionalized): The process is defined/confirmed as a standard business process.
4. Managed (quantified): Process management and measurement take place.
5. Optimizing (process improvement): Process management includes deliberate process optimization/improvement.

There are key process areas (KPAs) within each of these maturity levels that characterize that level, and five measures for each KPA:
1. Goals
2. Commitment
3. Ability
4. Measurement
5. Verification

Companies were expected to be formally assessed as to their maturity level. As they achieved each level, they formed a plan to get to the next. However, the rigorous processes required precluded the advancement of many commercial software companies beyond level 1.

Risk Management Framework

The selection and specification of security controls for an information system is accomplished as part of an organization-wide information security program that involves the management of organizational risk—that is, the risk to the organization or to individuals associated with the operation of an information system. The management of organizational risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for an information system—the security controls necessary to protect individuals and the operations and assets of the organization.

Risk-Based Approach

The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. The following activities related to managing organizational risk (also known as the Risk Management Framework) are paramount to an effective information security program and can be applied to both new and legacy information systems within the context of the system development life cycle and the Federal Enterprise Architecture:

Step 1: Categorize-
Categorize the information system and the information processed, stored, and transmitted by that system based on an impact analysis.

Step 2: Select-
Select an initial set of baseline security controls for the information system based on the security categorization, tailoring and supplementing the security control baseline as needed based on the organization's assessment of risk and local conditions.

Step 3: Implement-
Implement the security controls and document how the controls are deployed within the information system and environment of operation.

Step 4: Assess-
Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Step 5: Authorize-
Authorize information system operation based upon a determination of the risk to organizational operations and assets, individuals, other organizations and the Nation resulting from the operation of the information system and the decision that this risk is acceptable.

Step 6: Monitor-
Monitor and assess selected security controls in the information system on an ongoing basis, including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials.
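The six steps above are easier to reason about when the state they produce is made explicit. The following Python model is an added example, not part of the original page or of any NIST publication: it categorizes a system, derives a control baseline from the category, and then tracks implementation, assessment, authorization and post-change reassessment. The "high-water mark" rule in Step 1 (overall category equals the highest of the confidentiality, integrity and availability impacts) is taken from FIPS 199; the control identifiers, the catalogue that maps them to baselines, and the sample system are constructed for illustration and are not real SP 800-53 control ids.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Iterable, List, Optional


class Impact(IntEnum):
    """Potential impact levels used for categorization (FIPS 199 terms)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


def categorize(confidentiality: Impact, integrity: Impact, availability: Impact) -> Impact:
    """Step 1: the system category is the highest impact across the three
    security objectives (the FIPS 199 high-water mark rule)."""
    return max(confidentiality, integrity, availability)


# Constructed catalogue (not real control ids): each control maps to the lowest
# system category whose baseline includes it.
CONTROL_CATALOG: Dict[str, Impact] = {
    "ACCESS-CONTROL": Impact.LOW,
    "AUDIT-LOGGING": Impact.LOW,
    "MULTI-FACTOR-AUTH": Impact.MODERATE,
    "ENCRYPTION-AT-REST": Impact.MODERATE,
    "CONTINUOUS-MONITORING": Impact.HIGH,
}


def select_baseline(category: Impact, catalog: Dict[str, Impact] = CONTROL_CATALOG,
                    tailoring_additions: Iterable[str] = ()) -> List[str]:
    """Step 2: take every control whose minimum category is at or below the
    system category, then supplement with organization-specific additions."""
    selected = {cid for cid, minimum in catalog.items() if minimum <= category}
    selected.update(tailoring_additions)
    return sorted(selected)


@dataclass
class ControlRecord:
    implemented: bool = False
    assessed_effective: Optional[bool] = None  # None until an assessment has run


@dataclass
class SystemAuthorization:
    name: str
    category: Impact
    controls: Dict[str, ControlRecord]
    authorized: bool = False
    change_log: List[str] = field(default_factory=list)

    @classmethod
    def start(cls, name: str, category: Impact, control_ids: Iterable[str]) -> "SystemAuthorization":
        return cls(name, category, {cid: ControlRecord() for cid in control_ids})

    def implement(self, control_id: str) -> None:
        """Step 3: record that the control is deployed in the system."""
        self.controls[control_id].implemented = True

    def assess(self, control_id: str, effective: bool) -> None:
        """Step 4: record the assessment outcome; an unimplemented control cannot pass."""
        record = self.controls[control_id]
        record.assessed_effective = effective and record.implemented

    def open_findings(self) -> List[str]:
        """Controls that are not implemented, not yet assessed, or assessed ineffective."""
        return sorted(cid for cid, r in self.controls.items()
                      if not r.implemented or r.assessed_effective is not True)

    def authorize(self, risk_accepted_by_official: bool) -> bool:
        """Step 5: authorization needs no open findings plus an explicit risk acceptance."""
        self.authorized = risk_accepted_by_official and not self.open_findings()
        return self.authorized

    def record_change(self, description: str, affected_controls: Iterable[str]) -> List[str]:
        """Step 6: a change invalidates earlier assessments of the affected controls,
        which reopens findings and withdraws the authorization until reassessed."""
        reopened = []
        for cid in affected_controls:
            if cid in self.controls:
                self.controls[cid].assessed_effective = None
                reopened.append(cid)
        self.change_log.append(f"{description}: reassess {', '.join(reopened) or 'nothing'}")
        self.authorized = self.authorized and not self.open_findings()
        return reopened


def run_example() -> SystemAuthorization:
    """Walks the six steps over a constructed sample system."""
    category = categorize(Impact.LOW, Impact.MODERATE, Impact.LOW)             # Step 1
    baseline = select_baseline(category, tailoring_additions=["BACKUP-TESTING"])  # Step 2
    system = SystemAuthorization.start("citizen-portal (constructed)", category, baseline)
    for cid in baseline:                                                        # Steps 3 and 4
        system.implement(cid)
        system.assess(cid, effective=True)
    system.authorize(risk_accepted_by_official=True)                            # Step 5
    system.record_change("new external API added", ["ACCESS-CONTROL"])          # Step 6
    return system


if __name__ == "__main__":
    s = run_example()
    print(s.category.name, s.authorized, s.open_findings(), s.change_log)
```

Running the module shows the sample system categorized as MODERATE, authorized once every baseline control is implemented and assessed, and then dropped back to unauthorized with ACCESS-CONTROL as an open finding after the recorded change, which is the point of Step 6: a change to the system or its environment reopens the assessment rather than leaving the earlier authorization standing.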

Cyber Security Framework

The Framework, created through collaboration between industry and government, consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

Information Technology Assurance Framework

ITAF’s design recognizes that IS audit and assurance professionals are faced with different requirements and different types of audit and assurance assignments, ranging from leading an IS-focused audit to contributing to a financial or operational audit. ITAF is applicable to any formal audit or assurance engagement.
ITAF applies to individuals who act in the capacity of IS audit and assurance professionals and are engaged in providing assurance over some components of IT systems, applications and infrastructure. However, these standards, guidelines and IS audit and assurance procedures are designed in a manner that may also be useful, and provide benefits to, a wider audience, including users of IS audit and assurance reports.

Business Model for Information Security

The Business Model for Information Security provides an in-depth explanation of a holistic business model that examines security issues from a systems perspective. Explore various media, including journal articles, webcasts and podcasts, to delve into the Business Model for Information Security and to learn more about how to succeed in the IS field in today’s market.