OSA Process Landscape
The OSA process landscape arranges typical IT (security) processes into areas or capabilities. We differentiate between a pattern landscape, which defines architectural patterns of interest, and a process landscape, whose purpose is to define the activities expected of an Information or Cyber Security function in an organisation.
The process areas are defined based on pre-eminent standards. IT Operations and Service Management, for instance, reflects typical ITIL processes. Governance is inspired by ISACA. Security Engineering Processes are influenced by the NIST Cybersecurity Framework. This framework has been applied by the authors in a number of highly regulated industries.
Please note that the process landscape includes activities that are the direct responsibility of the Cyber Security team (predominantly Engineering and Operations), as well as activities that will be the responsibility of other teams (Service Management or IT Operations). In these cases, the Cyber Security team may rely on the other teams and provide guidance on operational priorities such as patch management.
In larger regulated organisations with a developed 3 lines of defence model (1st line operates controls, 2nd line governs and oversees the operation of controls, 3rd line audits the controls framework), the governance activities will likely be performed by the second line.