Linker IT Software
a business driven approach to secure e-mail (Read 5046 times)
a business driven approach to secure e-mail
06.02.08 at 14:22:51
A business driven approach to secure e-mail
Secure e-mail is about confidentiality, integrity and sender identity. There are many different solutions for secure e-mail, e.g. encrypted attachments, PKI, PGP, encrypted network channels, etc. To assure that the solution fits the business needs, a business driven approach should be taken. The SABSA framework offers a business driven approach for security architecture. This article describes how SABSA can be used to achieve the design of a secure e-mail solution that supports the business process.
  • too difficult to use for end users  
  • encryption protocol not allowed by e-mail gateway filter (anti-virus)  
  • does not have a business case: purely an IT party  
  • expensive solution in relation to merits  
  • not justified by security policy  

  • enables/supports a business process  
  • fit-for-purpose to requirements of business process  
  • level of security is appropriate for type of information that is exchanged.  
  • fits in existing IT-infrastructure of sending and receiving parties or can fit with few changes  
  • cost-effective / return on investment  
  • becomes part of security policy and business procedures  
Business process
Describe and understand the business process.
  • Business goals  
  • Success factors  
  • Which information is or should be exchanged by e-mail?  
  • What would be the benefit of secure e-mail?  
  • How much would that be worth?  

Case description
The diagram is coloured according to a case where officers of a HRM department exchange employee salary information in Excel files by e-mail once a day.  
  • The information per e-mail is a copy of information in the HRM system, so e-mail back-up is not needed.  
  • The business driver for secure e-mail is to keep the personal private information confidential. The current problem is that unencrypted Excel files (sent by e-mail) are copied to local hard drives, internal file servers and USB sticks and get out of control over a longer period of time.  
  • Integrity and non-repudiation are not of special importance (not mentioned by the business).  
  • It is a wish to be compliant with the law on protection of personal private information, although this has never been an issue.  
  • The e-mail is exchanged within the same organization by a small group of people, so the technical strategy attributes are not important.  
Re: a business driven approach to secure e-mail
Reply #1 - 06.02.08 at 14:27:31
Business attributes
Classify the information
What information is important and should be confidential, integrity-assured or sender-identified? Examples:
Human Resources Management  
- salary, payroll, personal private information  
- Account information, transactions, personal private information  
- Proposals, price list, contracts, credit card information  
IT management  
- System passwords, source code, security incident  
Common business attributes for secure e-mail
The type of information and the information exchange channel determine the business attributes. The business attributes specify the security requirements for the e-mail service. For simplicity, group together all information for all e-mail communication channels, unless there is reason to make an exception for specific information or a specific channel due to a big difference in security requirements.  
Common business attributes for secure e-mail are shown below. This list can be adapted to fit in a specific situation.  
For each attribute a metric and minimum required value should be defined. Only the business attributes are listed that apply to the secure e-mail service. The map can be coloured with the required levels. This depends entirely on the business processes. Instead of metrics we just use green (important), yellow (nice to have) and white (not needed). Metrics might be added in the future when we refine this approach.
The diagram is coloured according to the HRM-case.
Next steps
This is where the business requirements end. In the following section common secure e-mail solutions are described including a business attributes map per solution. These can be compared directly to the required business attributes to determine which one matches best.
Re: a business driven approach to secure e-mail
Reply #2 - 25.02.08 at 00:15:04