Hi,

I have a startup business focused upon Information Security looking to develop commercial software (without any real budget). I am trying to specify a product architecture but I am having real problems with one specific area and I am hoping that someone can point me in the right direction.

The Requirement:
The application needs to produce a hierarchical structure which represents an organizational structure and also represents systems and other assets.

For each item within this structure, we will need to capture and record characteristics of the item, and we will need to record relationships between the items and also between items and activities or events (i.e. risk assessment or auditing activities), where the objects can be used to represent the scope of the activity (i.e. which part of the organization, which systems etc.).

Rather than creating this functionality as part of our application we are looking for some form of framework or tool-kit that can become part of our Integrated Development Environment to fulfill this purpose.

The usage:
A user would define the structure as part of initial setup. The user would then perform scheduled activities (Assessments / Audits) which would require the user to input responses to specific questions (regarding the status of security), and then to map where and how the responses relate to the organizational structure and to the systems and assets.

Abstract approach:
Potentially the structure and assets would be created utilising some form of object, chosen from an object repository; examples are provided below:
• Objects given geographical context (region, country, city, town, building etc.)
• Objects given business unit context (department, functions, users etc.)
• Objects given networking context (switch, router, SAN, gateway, firewall etc.)
• Objects with System context (web server, database server, file server, application server, ftp server, messaging server etc.)
And so on.

Ideally the attributes for an object could be specified by completing a form or by selecting objects which represent the same information.
e.g. for field location – type ‘DataCentre A’ or select object DataCentre A

Similarly, the scope of activities (Risk Assessment or Audit) can be defined by manually specifying details or by selecting objects such as geography (which locations to include), departments (to be included), systems (to be included) etc.

We had assumed that the relationship requirements could be addressed through the use of groups and group memberships or by applying rules.
i.e. create a group to represent scope; the group contains objects specifying locations, departments, systems etc. However, because each object is also a member of other groups, this automatically specifies further information (such as network infrastructure and applications) which is relevant to that scope.
Or
A rule that acts as a filter, selecting objects that match specified criteria to form a group or view.
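As an added example (not part of the original post), the sketch below models the object / attribute / relationship tables in SQLite and shows both scope mechanisms described above: a scope group that is expanded through the objects' other memberships with a recursive query, and a rule-based group that filters on an attribute value. The organisation, object names and relationship types are constructed sample data.

```python
import sqlite3

# Constructed sample model (hypothetical organisation, not from the original post).
OBJECTS = [  # (id, kind, name)
    (1, "location", "DataCentre A"), (2, "location", "Office London"),
    (3, "network", "FW-1"), (4, "system", "web-01"), (5, "system", "db-01"),
    (6, "application", "CRM"), (7, "department", "Sales"), (8, "system", "file-01"),
]
ATTRIBUTES = [(5, "classification", "confidential"), (8, "classification", "internal")]
LINKS = [  # (src, dst, rel): src belongs to dst, so a scope expands from dst towards src
    (3, 1, "located_in"), (4, 1, "located_in"), (5, 1, "located_in"),
    (8, 2, "located_in"), (6, 4, "hosted_on"), (6, 5, "depends_on"), (7, 6, "uses"),
]

def build_db():
    """Create the object / attribute / relationship schema in memory and load the sample."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE object(id INTEGER PRIMARY KEY, kind TEXT NOT NULL, name TEXT UNIQUE NOT NULL);
        CREATE TABLE attribute(object_id INTEGER REFERENCES object(id), key TEXT, value TEXT);
        CREATE TABLE link(src INTEGER REFERENCES object(id), dst INTEGER REFERENCES object(id),
                          rel TEXT NOT NULL, PRIMARY KEY(src, dst, rel));
    """)
    conn.executemany("INSERT INTO object VALUES (?,?,?)", OBJECTS)
    conn.executemany("INSERT INTO attribute VALUES (?,?,?)", ATTRIBUTES)
    conn.executemany("INSERT INTO link VALUES (?,?,?)", LINKS)
    return conn

def resolve_scope(conn, seeds):
    """Expand a scope group: start from the selected objects and follow links in
    reverse (dst -> src), so everything located in, hosted on or using a selected
    object is pulled into the assessment scope. UNION (not UNION ALL) keeps the
    recursion finite when an object is reachable by more than one path."""
    marks = ",".join("?" * len(seeds))
    rows = conn.execute(f"""
        WITH RECURSIVE scope(id) AS (
            SELECT id FROM object WHERE name IN ({marks})
            UNION
            SELECT link.src FROM link JOIN scope ON link.dst = scope.id
        )
        SELECT object.name FROM scope JOIN object USING(id) ORDER BY object.name
    """, list(seeds)).fetchall()
    return [r[0] for r in rows]

def rule_filter(conn, kind, key, value):
    """Rule-based group: every object of a kind carrying the given attribute value."""
    rows = conn.execute("""
        SELECT o.name FROM object o JOIN attribute a ON a.object_id = o.id
        WHERE o.kind = ? AND a.key = ? AND a.value = ? ORDER BY o.name
    """, (kind, key, value)).fetchall()
    return [r[0] for r in rows]
```

Because relationships live in their own table, moving an object (e.g. changing the `located_in` row of `web-01`) is a single row update and every scope query reflects it on the next run, which is the "all references automatically update" behaviour the post asks for.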

Ideally the structure would be fully editable by the user, allowing functions such as add, delete, drag and drop, link etc., and so allowing flexibility in changing the structure if and when required. We would also anticipate that when any modification occurs (i.e. changing a link from one object to another), all references would automatically update.

Views and Presentation:
Ideally the solution would also provide flexibility in the presentation of the objects or the object information, being able to display different views based upon objects, object information or relationship information, and also providing different styles of layout to display the information.

Integration:
Ideally the solution would operate and integrate within a web environment for both development and operation based around PHP and Java. Alternatively the solution would operate and integrate with a client / server environment based around .Net, C++ and C#.

Ideally the solution would be able to utilise common database environments (MySQL) in order to store all information on the objects, object attributes and object relationships. Alternatively, any embedded database would be accessible by the application utilizing it, and the database schema, table structures and keys would be available to aid the integration.

Ideally the solution would provide the necessary libraries and run-time elements for compilation and for the installer, such that the application is self-contained and is not dependent upon any external component or third party component which is external to the system on which it is installed.

Commercial:
The commercial usage of such a solution would need to allow licensed integration into our product and must assign unlimited rights of usage for the lifetime of our product and future releases. The license terms and license costs must be sufficiently unrestricted to allow commercial viability of our product.

Any suggestions on what could be used or how this might be achieved would be sincerely appreciated.