In This Corner, the Business Reference Model

Posted September 5th, 2007 by

He’s a bit bloated but still remains the undeniable champion of business lines that the US Government operates. It’s the “business driver” of the Federal Enterprise Architecture. He’s the Business Reference Model and he’s not just for the federal-types to justify their existence. Let me explain….

The Business Reference Model is basically a hierarchy of all the functions that the US Government performs. The “short list” is the following:

  • Services for Citizens
  • Mode of Delivery
  • Support of Delivery
  • Management of Government Resources

And then underneath these broad headings are the fun things that we’re really interested in:

  • User Fee Collection
  • Contingency Planning
  • IT Security
  • Accounts Receivable

The BRM is fairly exhaustive, so if you take any given government agency, what they do will fit somewhere on the chart. Every IT system I’ve seen fits somewhere, usually in about 10 different places.

Now that we know how the government is supposed to work, I know what you’re thinking: how does this pass the “Dilligaf test”?

Well, to you and me, security dweebs at the core, a list of business functions means different types of information that each business activity needs. The BRM is in actuality a guide to the various data types that you’ll find throughout the government. When I say “Central Records and Statistics” what I really mean to say is “Data that supports Central Records and Statistics”.

But why do we care? We’re not the government, right? Well, we can take the same approach for a commercial enterprise.

Armed with this little bit of knowledge, I have my own business reference model and data types for what I do on a daily basis:

  • Customer Mission Data
  • Security Incident Data
  • Internal Purchasing Data
  • IT Infrastructure Management Data
  • Contracts Collateral Data
  • Billing Data
  • HR Data

This started out as the “holy three”: customer data, contracts/collateral data, and NOC/SOC data. Then I expanded from there. You could just as easily start with something like this: purchasing, selling/marketing, and billing. Or maybe something like this: making money, spending money, and order fulfillment.

And then I have a matrix that says where this data is; here are some of the obvious locations:

  • Corporate Email System
  • Knowledge Management System
  • Shared Directories
  • Laptops
  • Web Site
  • Trouble Ticket System

Well, once you define what things you accomplish as a business, you can start to list where it’s at, or at least the majority of it. Occasionally you’ll get a shocker. =)
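The data-type-to-location matrix described above, as an added example that is not part of the original post. The data types and locations are the ones listed in the post; which location holds which data type is constructed for illustration, as is the "Payroll Export" entry that stands in for the occasional shocker. The functions answer the questions the matrix exists for: where a given data type lives, which data types have no recorded home, which data turned up somewhere without being in the model at all, and which locations concentrate the most data.

```python
"""Data-type inventory matrix built on a small business reference model.

Constructed example: data types and locations come from the post, the
assignments below are made up to show gaps and surprises in an inventory.
"""

# Data types from the author's own business reference model.
DATA_TYPES = [
    "Customer Mission Data",
    "Security Incident Data",
    "Internal Purchasing Data",
    "IT Infrastructure Management Data",
    "Contracts Collateral Data",
    "Billing Data",
    "HR Data",
]

# Constructed matrix: location -> set of data types recorded there.
# "Billing Data" is deliberately left out of every location (an inventory gap),
# and "Payroll Export" on laptops is a data type nobody put in the model.
MATRIX = {
    "Corporate Email System": {"Customer Mission Data", "Contracts Collateral Data", "HR Data"},
    "Knowledge Management System": {"IT Infrastructure Management Data", "Customer Mission Data"},
    "Shared Directories": {"Contracts Collateral Data", "Internal Purchasing Data", "HR Data"},
    "Laptops": {"Customer Mission Data", "Contracts Collateral Data",
                "Security Incident Data", "Payroll Export"},
    "Web Site": set(),
    "Trouble Ticket System": {"Security Incident Data", "IT Infrastructure Management Data"},
}


def locations_for(data_type, matrix=MATRIX):
    """Every location that the matrix says holds this data type, sorted by name."""
    return sorted(loc for loc, types in matrix.items() if data_type in types)


def unlocated_types(data_types=DATA_TYPES, matrix=MATRIX):
    """Data types the business claims to have but nobody has recorded a home for.

    These are the rows of the matrix that are still empty: the inventory is
    incomplete, not the business."""
    located = set().union(*matrix.values())
    return [t for t in data_types if t not in located]


def unknown_types(data_types=DATA_TYPES, matrix=MATRIX):
    """Data found in some location that is not in the reference model at all.

    This is the 'shocker' case: data showed up on a laptop or a share and the
    model has no business function to hang it on."""
    known = set(data_types)
    found = set().union(*matrix.values())
    return sorted(found - known)


def concentration(matrix=MATRIX):
    """Locations ranked by how many data types they hold, most first.

    Useful for deciding where to spend protection effort: a location holding
    four data types matters more than a web site holding none."""
    return sorted(((len(types), loc) for loc, types in matrix.items()), reverse=True)


if __name__ == "__main__":
    for data_type in DATA_TYPES:
        print(f"{data_type}: {locations_for(data_type)}")
    print("No recorded location:", unlocated_types())
    print("Not in the model:", unknown_types())
    print("Concentration:", concentration())
```

Run it and the two interesting lines are "No recorded location: ['Billing Data']" and "Not in the model: ['Payroll Export']": the first is a hole in the inventory to go fill, the second is the data-discovery surprise the post warns about.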

Coming up next: What you can do with BRM and Data Types and the fait accompli.

Posted in FISMA, The Guerilla CISO, What Works | 4 Comments »

4 Responses

  1.  The Guerilla CISO » Blog Archive » And in This Corner, Special Publication 800-60 Says:


  2.  Tying Security To The Business: Guerilla CISO Style | securosis.com Says:

    […] out his posts here and […]

  3.  The Guerilla CISO » Blog Archive » Blow-By-Blow Commentary Says:


  4.  New SP 800-60 is Out, Categorize Yerselves Mo Better | The Guerilla CISO Says:

    […] for those of you who don’t know what 800-60 is, go check out my 3-part special on the Business Reference Model (BRM), a primer on how SP 800-60 aligning FIPS-199 with the BRM, and a post on putting it all together […]
