IBM Apptio
  • 1.  Definitions of Security and Compliance subtowers

    Posted Tue March 10, 2015 12:20 PM

    Hi all,

     

    We (a state government) are trying to move our taxonomy closer to the ATUM subtowers and definitions. In doing so, we have several questions related to the distinction between the Security and the Compliance subtowers under the Security & Compliance tower.  Specifically, to us, we wondered if the Compliance tower is designed to be more broadly applicable to the private sector.  As well, we wondered into which subtower we would place the following types of costs/activities:

    1) penetration testing

    2) response to data breach

    3) required security training (whether for compliance with internally or externally imposed standards or requirements)

    4) cybersecurity insurance

    5) fines levied for non-compliance in event of audit




    #CostingStandard(CT-Foundation)


  • 2.  Re: Definitions of Security and Compliance subtowers

    Posted Wed March 11, 2015 11:46 AM

    Escalated to @apptiosupport for subject matter expertise on recommended ATUM best practice application




  • 3.  Re: Definitions of Security and Compliance subtowers

    Posted Wed March 11, 2015 11:56 AM


  • 4.  Re: Definitions of Security and Compliance subtowers

    Posted Wed March 11, 2015 01:35 PM

    Some of these items seem like a good fit as additional sub-towers under Security & Compliance.  Pen testing, for example, is common to both private and public sector companies and is a requirement for any security compliance program.  Data breach is an incident response, so it seems like a good candidate to develop an additional sub-tower for Security & Compliance labeled Security Incident Response.  That, too, is a common activity to both private and public sector firms.

     

    Training, insurance, and fines are all part of the compliance sub-tower in my view.  But, they are good examples of security program elements required across any industry be it private or public.  In that case, they may also be good candidates for additional sub-towers. 

     

    It appears that the existing ATUM structure has places to put all of these items, but it also appears that the framework might be extended in this area to provide greater granularity.  All of the items you listed are very common and apply to both private and public sector firms. 

     

    Curious to get feedback from the TBM Council about building additional detail into the S&C Tower to account for these common elements of a security program.




  • 5.  Re: Definitions of Security and Compliance subtowers

    Posted Fri March 13, 2015 07:17 PM

    Looping @Neal Mulnick in this thread to add perspective.




  • 6.  Re: Definitions of Security and Compliance subtowers
    Best Answer

    Posted Mon March 16, 2015 01:43 AM

    Hi Mary,

     

    Great question. These Sub Towers are meant to apply to the Private and Public Sectors, but they will evolve over time as technology changes. Would love to hear any feedback you have. As Chris mentioned, if there are costs that do not fit into an existing Sub Tower (e.g., Industry specific costs), additional Sub Towers can be added to extend the ATUM Taxonomy.

     

    Definitions for the Security and Compliance Sub Towers:

    • Security: IT Security resources setting policy, establishing process & means, measuring compliance and responding to security breaches.
    • Compliance: IT Compliance resources setting policy, establishing controls and measuring compliance to relevant legal and compliance requirements.

     

    I would map the costs you mentioned into the following Sub Towers:

    1. Penetration testing --> Security
    2. Response to data breach --> Security
    3. Required security training (whether for compliance with internally or externally imposed standards or requirements) --> Security
    4. Cybersecurity insurance --> Security
    5. Fines levied for non-compliance in event of audit --> Compliance (although this is an interesting
