DBSy in a Commercial Services Context ♦
Brian Monahan, Frederic Gittler, William Horne, Simon Shiu, Adrian Baldwin, Chris I. Dalton,
Patrick Goldsack, Richard Taylor, Chris Tofts, Mike Yearworth
Trusted Systems Laboratory
HP Laboratories Bristol
HPL-2005-141
August 4, 2005*
Keywords: DBSy, domain based security, information security, information assurance, commercial ICT services management, ITIL, ITSM, COBIT, BS 15000
DBSy (Domain Based Security) is a set of notations and techniques
developed by QinetiQ specifically for the UK MoD, a large distributed
organisation. DBSy provides a way of describing and assessing business-
driven information security requirements for network architectures. This
focuses upon how the business requires information to be
compartmentalised and how that might be achieved by strategic location
of network-level security controls. In this paper we consider how DBSy-
style modelling may be applied in a more commercial context of ICT
(Information Communications Technology) services, defined and
managed according to SLAs (Service Level Agreements). Although
DBSy was not specifically designed to handle this situation, we discuss
how ideas from DBSy can contribute to a broader security requirements
and risk analysis approach that encompasses the realm of ICT services and
their management. We give a model of a commercial example in the style
of DBSy and use that to illustrate our observations.
* Internal Accession Date Only
♦ 1st DBSy User Conference, QinetiQ Technology Center, Great Malvern, UK. 14 June 2005
Approved for External Publication
© Copyright 2005 Hewlett-Packard Development Company, L.P.