Updated: 2.9.2002; 22:17:42 GMT

Security Weblog



Sunday, August 18, 2002

"Who owns what" and other amusing questions

Over the weekend I found some time to have a look at presentations from the OMG conference I had found out about last week. In a presentation from a guy named Matt Hettinger I found an excellent compilation of questions that go straight to the heart of many security issues in multi-organisation IT deployments.

  • What is the nature of the relationship between enterprises doing business?
  • Degree of coupling and coherency?
  • What is the degree of trust?
  • What are the boundaries between enterprises?
  • Who owns what?  What are the expectations placed on each enterprise doing business with each other?
  • What kind of liability risks are there?
  • At what points, in the process of doing business, is there a liability risk to each enterprise?
  • Are there shared risks?
  • Who’s accountable?
  • What processes can be put in place to ensure quality of service expectations are met?

Some of the questions are rather obvious, but can be hard to answer as the size of the organisations involved grows and their governance gets poorer. I have quite a few horror stories about "who owns what" from the time when I was doing some work for government. One agency initially financed infrastructure that later on became shared and relied upon for day-to-day operations by half a dozen others. Lacking people to run the infrastructure, not claiming accountability, but using the initial investment as leverage in political infighting with others meant that otherwise intelligent insiders had real difficulty answering the simple question of "who owns what". In the end we had about three different "ownerships" covering organisational, operational and political angles.

  10:04:55 PM

 



Copyright 2002 © Jiri Ludvik.