TBM Framework & Taxonomy

  • 1.  Question: Categorizing Network Security by Resource Tower

    Posted 11-03-2023 11:30

    Should the costs (labor/non-labor) to provide network security be classified as Resource Tower=Network or Resource Tower=Security & Compliance? 

    In ATUM 4.0...

    • The definitions of Network are silent on security being in or out of scope
    • The definition of Security & Compliance/Security includes:
      • "Responding to security breaches and providing real-time operational security such as vulnerability scanning, managing firewalls, intrusion prevention systems, and SIEM"
      • but also "The implementation actions defined by security policies are not included...and are part of the respective towers where the actions take place (e.g. Compute, Storage, Network)"

    Does anyone have examples of activities that would be included in Security & Compliance as "real-time operational security" vs. what would be in Network as an "implementation action"?

    Is there any work in the definition of ATUM 5.0 that will make these explicit?



    ------------------------------
    Amy Foltz
    Product Owner, TBM
    Chevron
    San Ramon TX
    +1.925.842.1000
    ------------------------------


  • 2.  RE: Question: Categorizing Network Security by Resource Tower

    Posted 11-06-2023 19:37

    My interpretation is that any activity or expense related to Network enablement/maintenance, inclusive of securing the network environment, is included in the Network tower. As examples: mitigating security breaches by applying patches is included in the Network tower. Network management and engineering, including planning for cybersecurity, are also included in the Network tower cost. Provisioning and governance to ensure security standards and policies are incorporated into the Network design and development processes, as well as the day-to-day operations, should be included in the Network tower cost. The same applies to cybersecurity architecture, network boundary definition, access controls, interconnections, active monitoring, automation, reliable detection, and proper procedures and resources to respond to incidents, including the tactics, techniques, and procedures to stop, mitigate, and respond effectively to network incidents.

    The Security tower includes costs associated with defining and maintaining current security policies, and providing technical standards and best practices for developing a strong network security posture resulting in a defensible, resilient network.

    See https://dodcio.defense.gov/Portals/0/Documents/Library/CSResourceReferenceGuide.pdf



    ------------------------------
    Juan Jose Jarillo
    Customer Success Advisor
    Apptio
    Davis CA
    (650) 430-5358
    ------------------------------



  • 3.  RE: Question: Categorizing Network Security by Resource Tower

    Posted 11-07-2023 15:45

    Thank you @Juan Jose Jarillo! These examples really help!



    ------------------------------
    Amy Foltz
    Product Owner, TBM
    Chevron
    San Ramon TX
    +1.925.842.1000
    ------------------------------



  • 4.  RE: Question: Categorizing Network Security by Resource Tower

    Posted 11-08-2023 12:45

    Ditto to Juan. I agree with his comments and approach. One key perspective is to align to budgeting and ownership. Network owns the security hardware (firewalls, intrusion detection, etc.) and is responsible for the configuration and maintenance of these components. So all these things, even though related to security, contribute to the cost and budget of the network, hence the Network tower.

    Similarly, the security budget, as Juan mentions, is inclusive of policy and best practices as well as log analysis and aligns to the security and compliance tower.

    Under a different slice of the data... Some organizations are now wanting to understand the TCO of security, and that doesn't impact the costs to towers. However, it would mean that you would want to understand, evaluate, and allocate some portion of network cost, compute cost, etc. to a security TCO (not the Security tower).

    Hope that helps.

    Bill



    ------------------------------
    Bill Kasenchar
    TBM SME
    REI Systems - Partner
    PA
    william.kasenchar@reisystems.com
    ------------------------------



  • 5.  RE: Question: Categorizing Network Security by Resource Tower

    Posted 11-06-2023 19:37

    Hi @Amy Foltz. ATUM is an Apptio specific model whereas Cost Pools, Resource Towers, and Solutions are taxonomies maintained by the TBM Council.

    For specific revisions to ATUM, I recommend asking your Apptio CSM or posting on the Apptio Community.

    On the TBM side, some research was recently completed regarding TBM and NIST which resulted in a minor revision being considered for v4. I recommend following up with @Ed Hayman, @Mina Han, and @Antonio Mitchell regarding their presentation on the topic and status of the v4 revision. I believe the v4 revision will provide the necessary clarification you're seeking.

    A recording of the Standards Committee's Open Forum regarding TBM and NIST is available below:
    https://community.tbmcouncil.org/viewdocument/q4-2023-standards-open-forum-on-t



    ------------------------------
    Matt Temple
    Transformation Excellence Manager
    Accenture US - Partner
    Long Beach CA
    (714) 349-6102
    ------------------------------



  • 6.  RE: Question: Categorizing Network Security by Resource Tower

    Posted 11-07-2023 15:45

    @Matt Temple, Thank you for the reminder about taxonomies vs. ATUM, as well as for the link to the recording!



    ------------------------------
    Amy Foltz
    Product Owner, TBM
    Chevron
    San Ramon TX
    +1.925.842.1000
    ------------------------------