KK
Uploaded byKris Kimmerle
40,334 views

Enterprise Security Architecture

The document discusses enterprise security architecture, including its purpose and importance. It provides an overview of common architecture frameworks like Zachman, TOGAF, and SABSA that can be used for enterprise security architecture. It also discusses key concepts like taxonomy, matrix, metamodel, and lifecycle that are part of developing an enterprise security architecture. The document emphasizes the value of integrating the SABSA security framework with broader enterprise architecture frameworks like TOGAF to develop effective and agile security architectures.

Embed presentation

Downloaded 3,395 times
ENTERPRISE SECURITY ARCHITECTURE WITH INFORMATION GOVERNANCE by Kris Kimmerle
ABOUT THE AUTHOR ENTERPRISE SECURITY ARCHITECTURE 2
Certifications Hi. I have My name is Kris Kimmerle. I am training for I have 9 years of comprehensive and international experience in the following domains. Business Continuity Planning Security Intelligence Technician Project Management Chain of Custody Duty Segregation Disaster Recovery Planning Physical Security Management Agile Project Management Change Management Defense-in-Depth Risk Management Security Operations Management SharePoint Administrator IdM Solutions Supply Chain Processes Vulnerability Management Business Operations Management Enterprise Application Development Repudiation Enterprise Risk Management Threat Profiling Information Security Instructor Enterprise Architecture Automation ISO 27000 Family of Standards Compliance Management Third Party Risk Management Enterprise Security Architecture Security Awareness Simplicity in Complex Security Auditor Asset Management Security Analyst Access Control Flexibility in Security Information Security Instructor Network Operations Cloud Computing MySQL Interoperability ENTERPRISE SECURITY ARCHITECTURE 3
Let’s get started. ENTERPRISE SECURITY ARCHITECTURE 4
PURPOSE ENTERPRISE SECURITY ARCHITECTURE 5
✔ ✔ ✔ ✔ ✔ Basic understanding of enterprise architecture framework Basic understanding of enterprise architecture framework Basic understanding of information governance Ability to measure the effectives of your efforts Ability to build an effective information security management program ENTERPRISE SECURITY ARCHITECTURE 6
TERMINOLOGY ENTERPRISE SECURITY ARCHITECTURE 7
🔮🔮 📅📅 Vision Strategic Planning Framework A statement of what the business unit or organization would like to develop into Defining direction and making decisions on allocating resources in pursuit of a strategic goal. Serves as a guide for creating or expanding a structure into something of value. ENTERPRISE SECURITY ARCHITECTURE 8
🎁🎁 Deliverables Any measureable, tangible, verifiable outcome, result, or item that must be produced to complete a project or part of a project 🔃🔃 Standardization Taxonomy The act of checking or adjusting (by comparison with a standard) the accuracy of a measuring instrument The science of classification according to a pre-determined system whose resulting catalogue is used to provide a conceptual framework ENTERPRISE SECURITY ARCHITECTURE 9
💣💣 💼💼 🚌🚌 Risk Risk Management Business Driver An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives. The systematic application of management policies, procedures, and practices to the tasks of communicating, establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing risk. A resource, process or condition that is vital for the continued success and growth of a business. ENTERPRISE SECURITY ARCHITECTURE 10
Metadata Metamodel Matrix “Data about data". Structural metadata is about the design and specification of data structures and is more properly called "data about the containers of data"; descriptive metadata, on the other hand, is about individual instances of application data, the data content. The analysis, construction and development of the frames, rules, constraints, models and theories applicable and useful for modeling a predefined class of problems. A matrix is a rectangular array of numbers, symbols, or expressions, arranged in rows and columns. ENTERPRISE SECURITY ARCHITECTURE 11
OVERVIEW ENTERPRISE SECURITY ARCHITECTURE 12
What is Enterprise Security Architecture? Enterprise Security Architecture is the process of translating business security vision and strategy into effective enterprise change by creating, communicating and improving the key security requirements, principles and models that describe the enterprise’s future security state and enable its evolution. Why is it important? Enterprise Security Architecture is not about developing for a prediction. it is about ensuring that we develop in a way that allows us to maintain and sustain our agility to change. We don’t know where we are going or how we are going to get there but we need to be ready. 💡💡 💪💪 ENTERPRISE SECURITY ARCHITECTURE 13
ARCHITECTURE FRAMEWORKS 📐📐 ENTERPRISE SECURITY ARCHITECTURE 14
ZACHMAN The Zachman Framework is an enterprise architecture framework which provides a formal and highly structured way of viewing and defining an enterprise. It consists of a two dimensional classification matrix based on the intersection of six communication questions (What, Where, When, Why, Who and How) with five levels of reification, successively transforming the most abstract ideas (on the Scope level) into more concrete ideas (at the Operations level). TOGAF The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture which provides a comprehensive approach for designing, planning, implementing, and governing an enterprise information architecture. TOGAF is a high level and holistic approach to design, which is typically modeled at four levels: Business, Application, Data, and Technology. It tries to give a well-tested overall starting model to information architects, which can then be built upon. It relies heavily on modularization, standardization, and already existing, proven technologies and products. SABSA SABSA (Sherwood Applied Business Security Architecture) is a framework and methodology for Enterprise Security Architecture and Service Management. It was developed independently from the Zachman Framework, but has a similar structure. SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives. ENTERPRISE SECURITY ARCHITECTURE 15
The Zachman and TOGAF are true Enterprise Architecture frameworks however SABSA is the main framework for Enterprise Security Architecture. More importantly The SABSA framework is most effective when integrated or linked with one of these more robust Enterprise Architecture frameworks. Today we will be talking about the integration to the Zachman and TOGAF frameworks. ZACHMAN 🔗🔗 SABSA This is the traditional framework integration for SABSA and oldest. This framework integration is not nearly as effective as it used to be. TOGAF 🔗🔗 SABSA This is the new framework integration for SABSA. This framework carries with it many tools that exponentially increase its effectiveness. ENTERPRISE SECURITY ARCHITECTURE 16
ZACHMAN 🔗🔗 Matrix SABSA 👎👎 There was a time when a company could leverage a single matrix for their information security risk management program but in today’s rapidly changing and agile dependent world, this is no longer possible. ENTERPRISE SECURITY ARCHITECTURE 17
TOGAF Matrix 🔗🔗 SABSA Lifecycle 👍👍 This level of insight, detail, and complexity allows our business to remain agile and competitive in todays world. Metamodel Taxonomy ENTERPRISE SECURITY ARCHITECTURE 18
Let’s start with the taxonomy. ENTERPRISE SECURITY ARCHITECTURE 19
Business Attributes Business Strategy Management Technical Strategy Operational Risk Management Legal / Regulatory User Brand Enhancing Automated Architecturally Open Available Access Controlled Admissible Accessible Business-Enabled Change Managed COTS/GOTS Detectable Accountable Compliant Accurate Competent Controlled Extendible Error-Free Assurance Enforceable Consistent Confident Cost-Effective Flexible / Adaptable Interoperable Integrity Insurable Current Credible Efficient Future-Proof Productive Auditable Liability Managed Duty Segregated Governable Maintainable Legacy-Sensitive Recoverable Authenticated Resolvable Educated & Aware Good Provider Measured Migration Capable Authorized Time-bound Informed Good Stewardship Supportable Multi-Sourced Capturing New Risks Motivated Good Custody Scalable Confidential Protected Investment Simple Crime-Free Reliable Reuse Standards Compliant Flexibly Secure Supported Reputable Traceable Identified Timely Upgradable Independently Secure Usable In our sole possession Non-Repudiable Owned Private Trustworthy ENTERPRISE SECURITY ARCHITECTURE 20
Business Attributes Business Strategy Management Technical Strategy Operational Risk Management Legal / Regulatory User Brand Enhancing Automated Architecturally Open Available Access Controlled Admissible Accessible Business-Enabled Change Managed COTS/GOTS Detectable Accountable Compliant Accurate Competent Controlled Extendible Error-Free Assurance Enforceable Consistent Confident Cost-Effective Flexible / Adaptable Interoperable Integrity Insurable Current Credible Efficient Future-Proof Productive Auditable Liability Managed Duty Segregated Governable Maintainable Legacy-Sensitive Recoverable Authenticated Resolvable Educated & Aware Good Provider Measured Migration Capable Authorized Time-bound Informed Good Stewardship Supportable Multi-Sourced Capturing New Risks Motivated Good Custody Scalable Confidential Protected Investment Simple Crime-Free Reliable Reuse Standards Compliant Flexibly Secure Supported Reputable Traceable Identified Timely Upgradable Independently Secure Usable In our sole possession Non-Repudiable Owned Private The highlighted areas are the items that we normally have the greatest interest and focus in when we consider information security Trustworthy ENTERPRISE SECURITY ARCHITECTURE 21
Matrix. ENTERPRISE SECURITY ARCHITECTURE 22
Assets (what) SERVICE Logical Information, Services Processes, Applications Physical Data, Mechanisms Infrastructure, Platforms Component Products, Tools Specific Standards, Technologies Physical Business Risk Business Processes Business Governance Business Geography Business Time Depends Business Asset Taxonomy, Goals, Objectives Opportunities Exploits Threats Inventory Of Operational Processes Organizational Structure & Extensions Buildings, Sites Jurisdictions, Territories Time Dependencies with Objectives Risk Management Objectives Strategies for Assurance Roles & Responsibilities Domain Framework Time Management Business Attributes Profile Enablement & Control Objectives Process Mapping Framework, Strategies Owners, Custodians, Service Providers Security Domain Concepts & Framework Through-Life Risk Management Framework Risk Management Policies Process Maps Entity & Trusts Domain Maps Calendar & Timetables Inventory of Information Assets Domain Policies Information Flows, Service Architecture Entity Schema, Trust Models, Privilege Profiles Domain Definitions and Associations Start Times, Lifetimes, Deadlines Risk Management Practices Process Mechanisms Human Interface Infrastructure Processing Schedule Data Dictionary & Data Inventory Risk Management Procedures & Guidelines Applications Systems, Security Mechanisms User Interface, Systems, Access Control System Host Platforms, Layouts, Network Topologies Timing & Sequencing of Processes Compute Logical Time (when) Data Assets The “Big Picture” Business Attributes, Risk Objectives Concept Location (where) Information Assets Conceptual People (who) Business Knowledge Business Wisdom Business Decision Making Context Process (how) Business Decisions Context Motivation (why) Risk Management Tools Process Tools Tools & Standards Locator Tools Step Timing & Sequences Nodes, Addresses, & other Locations Time Schedules, Clocks, Timers, Interrupts Service Risk Analysis, Reports, Registers, Tools, Protocols, Process Delivery Identities, Job Descriptions, Roles, Functions Service Delivery Component Products, Data, Repositories, Processors Operational Risk Process Delivery Personnel Management Environment Time & Performance Assurance of Operational Continuity Risk Assessments, Monitoring, Treatment Management & Support of Systems Account Provisioning, User Support Management of Building, Sites, Networks Management of Calendar and Timetable ENTERPRISE SECURITY ARCHITECTURE 23
Metamodel. ENTERPRISE SECURITY ARCHITECTURE 24
Architecture Principles, Vision, and Requirements Preliminary Architecture Vision Architecture Principles Business Strategy Technology Strategy Business Principles Vision Statement Stakeholders Architecture Requirements Requirements Constraints Assumptions Business Architecture Drivers Organization Services, Contracts Goals Motivation Objectives Organization Location Function Processes, Controls Gaps Information Systems Architecture Technology Architecture Data Application Data Entities Information System Services Logical Data Components Logical Application Components Physical Data Components Physical Application Components Measures Actor, Role Functions Platform Services Logical Technology Components Physical Technology Components Architecture Realization Opportunities, Solutions, and Migration Planning Capabilities Work Packages Architecture Contracts Implementation Governance Standards Guidelines Specifications ENTERPRISE SECURITY ARCHITECTURE 25
Lifecycle. ENTERPRISE SECURITY ARCHITECTURE 26
Business Driver Security Principles Preliminary Key Risk Areas Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Trust Framework H. Architecture Change Management Security Governance Security Domain B. Business Architecture Security Organization Security Policy Security Services Business Attributes Security Awareness Security Audit G. Implement Governance C. Information Systems Architecture Requirements Security Management Security Services Classification Control Objectives Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 27
Requirements Business Driver Security Principles Preliminary Key Risk Areas Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Requirements management plays a central role in architecture work. This is recognized in both TOGAF and SABSA. The TOGAF method validates and updates business requirements in every stage of an architecture development project. However, TOGAF does not provide a concrete technique for describing or documenting requirements. In contrast, SABSA presents its unique Business Attribute Profiling technique as a means to effectively describe requirements. This section describes the use of Business Attribute Profiling with respect to security requirements management, along with the added value this technique offers for requirements management in general. Together, the TOGAF concept of validating architecture and validating and updating requirements based upon information uncovered during the development of the architecture and SABSA’s Business Attribute Profiling improve requirements management, traceability, and architecture development. Architecture in general should provide continuous alignment of capabilities with business goals and support achieving these goals in an effective and efficient manner, even when the environment or business goals change. This alignment is in many cases the major rationale for using methodologies such as TOGAF and SABSA and therefore both frameworks define a requirements management process to ensure this continuous alignment. Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 28
Preliminary Business Driver Security Principles Preliminary Key Risk Areas Risk Appetite To build the security context, the following security artifacts need to be determined during this phase. These artifacts can be integrated into existing architecture documentation, but it is important that they be properly identified and that they convey the necessary information to make quality decisions: Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning E. Opportunity and Solutions Security Standards Business Drivers for Security – the subset of TOGAF business drivers impacting security, presented as an integral part of the overall architecture business drivers artifact or deliverable. Security Principles – the subset of Business Principles addressing security architecture. This is presented as an integral part of the overall Architecture Principles artifact or deliverable. Security principles like other architecture principles will provide valuable guidance to making business decisions to comply with the enterprise’s risk appetite. Key Risk Areas – the list of the key risk areas within the architecture scope. The key risk areas should be related to the business opportunities which the security architecture enables using the risk appetite artifact which informs the balance of risk versus opportunity. The key risk area should be included in the overall architecture risk management deliverable produced during the Preliminary Phase. Risk Appetite – describes the enterprise’s attitude towards risk and provides decisionmaking guidance to the organization to balance the amount of risk taken to achieve an expected outcome. The risk appetite could be expressed as, for example, a boundary on a risk/business impact and likelihood grid, profit, and loss measures or qualitative measures (zero tolerance for loss of life or regulatory compliance breaches). Risk appetite can also be represented by suitably worded security principles or produced as a stand-alone deliverable if a key stakeholder exists who needs to specifically approve it. It defines the level of risk (damage) that the organization is willing to accept and what their strategy is in defining this level. For risks above this acceptable level, it defines the strategy used for mitigation (transference, avoidance). Security Resource Plan – based on the content of the artifacts and the characteristics of the planned architecture project, it must be decided during the Preliminary Phase which security resources are required to deliver the security elements. Finding answers to the following questions through sufficient stakeholder analysis in the Preliminary Phase can help determine the security-related effort required: ENTERPRISE SECURITY ARCHITECTURE 29
A. Architecture Vision Business Driver Security Principles Preliminary Key Risk Areas Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Architecture Vision describes enough of the TOGAF ADM Phases B, C, and D to ensure that key stakeholders can agree to the end-state which represents a solution to a defined problem. In Phase A sufficient security-specific architecture design is carried out to… 1. Satisfy the security stakeholders that the end-state does not represent any unknown or unacceptable risk and aligns with corporate policies, standards, and principles and 2. Satisfy business stakeholders – in particular those who control the budget – that the security architecture is instrumental in enabling and supporting the overall architecture required to deliver the business opportunities and benefits identified. Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 30
B. Business Architecture Business Driver Security Principles Preliminary Key Risk Areas The security elements of Phase B: Business Architecture comprise business level trust, risk, and controls, independent from specific IT or other systems within the specific scope of the architecture engagement. Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning E. Opportunity and Solutions Security Standards • Business Risk Model – the business risk model determines the cost (both qualitative and quantitative) of asset loss/impact in failure cases. It is the result of a risk assessment, based on identified threats, likelihood of materializing, and impact of an incident. Business impact should be aligned with the definitions in the Business Attribute Profile which act as pseudo-assets. Security classification should be carried out at this stage based on the risks identified. The business risk model is a detailing of the risk strategy of an organization. All information in the enterprise should have an owner and be classified against a business-approved classification scheme. The classification of the information determines the maximum risk the business is willing to accept, and the owner of the information decides what mitigation is enough for his/her information. These two aspects determine the context for the business risk model. • Applicable Law and Regulation – determines the specific laws and regulations that apply within the scope of the enterprise architecture engagement. • Control Frameworks – determine the suitable set of control frameworks that would best satisfy the requirements and address the risks related to the engagement scope and context. • Security Domain Model – a security domain represents a set of assets in the engagement scope which could be described by a similar set of business attributes (i.e., a security domain has a set of very similar business attributes for all entities in that domain). The security domain model describes the interactions between the various domains, parties, and actors and must be aligned with the Business Architecture model. This includes defining all people, processes, and system actors known at this stage, including third parties and external actors. The security domain model helps in defining responsibility areas, where responsibility is exchanged with external parties and distinguishes between areas of different security levels and can inform the engagement scope. • Trust Framework – the trust framework describes trust relationships between various entities in the security domain model and on what basis this trust exists. Trust relationships can be unidirectional, bidirectional, or non-existent. The onus for assessing trust is the responsibility of those choosing to enter into the contracts and their legal counsel. It is important to note that technology (e.g., digital certificates, SAML, etc.) cannot create trust, but can only convey in the electronic world the trust that already exists in the real world through business relationships, legal agreements, and security policy consistencies. • Security Organization – the corporate organization of risk management and information security which assigns ownership of security risks and defines the security management responsibilities and processes. Security management processes include risk assessment, the definition of control objectives, the definition and proper implementation of security measures, reporting about security status (measures defined, in place, and working) and the handling of security incidents. • Security Policy – the security policy addresses the alignment of operational risk management in general with the various security aspects such as physical security, information security, and business continuity. Within the scope of the architecture engagement, decide which existing policy elements can be re-used or have to be developed new. • Security Services – a list of security-related business services, defined as part of the Business Services. ENTERPRISE SECURITY ARCHITECTURE 31
C. Information Systems Architecture Business Driver Security Principles Preliminary Key Risk Areas The security elements of Phase C: Information Systems Architectures comprise information system-related security services and their security classification. Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy • Classification of Services – the assignment of a security classification to the list of services in the Information System Services catalog according to the enterprise classification scheme. In most cases this scheme is defined and described in the corporate information security policy and is based on the information processed or stored by the service. • Security Rules, Practices, and Procedures – are relevant artifacts for solutionlevel architectures. They are mentioned here because at the solution architecture level guidelines and designs for rules, practices, & procedures are expected to be produced in Phase C & D. Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 32
D. Technology Architecture Business Driver Security Principles Preliminary Key Risk Areas Risk Appetite The security elements of Phase D: Technology Architecture comprise security rules, practices and procedures, and security standards: Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization • Security Rules, Practices, and Procedures – artifacts mainly relevant for solutionlevel architectures, mentioned here because at solution architecture level guidelines and designs for rules, practices, and procedures are expected to be produced in Phase C and D. • Security Standards – guide or mandate the use of technical, assurance, or other relevant security standards. The artifact is expected to comprise publicly available standards such as Common Criteria, TLS, and SAML. Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 33
E. Opportunity and Solutions Business Driver Security Principles Preliminary Key Risk Areas Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management No specific security-related architecture artifacts are produced in this phase. However, in defining the roadmap and deciding which architecture elements must be implemented first, it is imperative that the security risks are evaluated and that risk owners are consulted when defining the place on the roadmap for high priority mitigations. This phase could also be used to verify the process and results, feeding back to the business goals and drivers. Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 34
F. Migration Planning Business Driver Security Principles Preliminary Key Risk Areas Risk Appetite No specific security architecture aspects apply to this phase; however, as part of the overall planning care must be taken to ensure that, for each stage on the roadmap, appropriate risks and associated controls are identified. Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 35
G. Implement Governance Business Driver Security Principles Preliminary Key Risk Areas Security architecture implementation governance provides assurance that the detailed design and implemented processes and systems adhere to the overall security architecture. This ensures that no unacceptable risk is created by deviations from Architecture Principles and implementation guidelines. Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services • Security Management – definition of the detailed security roles and responsibilities, implementation of security governance, definition of security key performance and risk indicators, etc. • Security Audit – reports which include security reviews of implemented processes, technical designs, and developed code against policies and requirements, and security testing comprising functional security testing and penetration testing. • Security Awareness – implement necessary training to ensure correct deployment, configuration, and operations of security-relevant subsystems and components; ensure awareness training of all users and non-privileged operators of the system and/or its components. Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 36
G. Implement Governance Business Driver Security Principles Preliminary Key Risk Areas Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Change is driven by new requirements or changes in the environment. Changes in security requirements can, for instance, be caused by changes in the threat environment, changed compliance requirements, or changes due to discovered vulnerabilities in the existing processes and solutions. Changes required due to security-related causes are often more disruptive than a simplification or incremental change. • Risk Management – the process in which the existing architecture is continuously evaluated regarding changes to business opportunity and security threat. If based on the results of this process, the current architecture is deemed unsuitable to mitigate changed or new risks or constrains the business too much in exploiting new opportunities, a decision on architecture change must be made. • Security Architecture Governance – the process in which decisions are made on changes to the existing architecture, either by minor changes in the current iteration or by means of a completely new iteration. Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 37
INFORMATION GOVERNANCE 👑👑 ENTERPRISE SECURITY ARCHITECTURE 38
🎯🎯 Why is Information Governance important? Architecture will define the way. Governance will keep you on the path. ENTERPRISE SECURITY ARCHITECTURE 39
📑📑 Simple. What does Information Governance mean? Organized. Consistent. Reliable. Educated. Measured. ENTERPRISE SECURITY ARCHITECTURE 40
Simple. Policy High-level statement of requirements. A security policy is the primary way in which management’s expectations for security are provided to the builders, installers, maintainers, and users of an organization’s information systems. ✔ Standards Specify how to configure devices, how to install and configure software, and how to use computer systems and other organizational assets, to be compliant with the intentions of the policy. Procedures Specify the step-by-step instructions to perform various tasks in accordance with policies and standards. Guidelines Advice about how to achieve the goals of the security policy, but the are suggestions, not rules. They are an important communication tool to let people know how to follow the policy’s guidance or They convey best practices ENTERPRISE SECURITY ARCHITECTURE 41
Standard Organized. 📂📂 Objectives Responsibilities Scope Measurement Procedures Procedures for Activity 1 Procedures for Activity 2 Procedures for Activity 3 Procedures for System 1 Procedures for System 2 Procedures for Process 1 Procedures for Process Guidelines Templates Flowcharts Best Practice Research Scenarios Visual Aids ENTERPRISE SECURITY ARCHITECTURE 42
Consistent. 🎾🎾 📄📄 📄📄 Data Type 📣📣 Data Storage Communication ENTERPRISE SECURITY ARCHITECTURE 43
Reliable. Consistent Performance Metrics 📶📶 Reduction in Risks Proactive Users 📊📊 📉📉 🙋🙋 ENTERPRISE SECURITY ARCHITECTURE 44
Educated. Clear and Concise Definitions 🎓🎓 Effective Communicating End User Awareness 🔤🔤 💬💬 👂👂 ENTERPRISE SECURITY ARCHITECTURE 45
Measured. 🍶🍶 Level 5 CAPABILITY MATURITY MODEL Level 4 Level 5 Optimizing It is a characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements. Level 4 Managed It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-IS process (e.g., for software development ). In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level. Level 3 Defined It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and used to establish consistency of process performance across the organization. Enterprise Wide Level 3 Business Objectives Mapped Structured Detailed Procedures Measured Tested Reactive Activities Documented Monitored Automated Ad Hoc Disorganized Repeatable Process Managed Process Optimized Process Level 2 Level 1 Level 2 Repeatable It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress. Level 1 Initial (Chaotic) It is characteristic of processes at this level that they are (typically) undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes. No Process ENTERPRISE SECURITY ARCHITECTURE 46
Let’s recap. ENTERPRISE SECURITY ARCHITECTURE 47
What is Enterprise Security Architecture? ENTERPRISE SECURITY ARCHITECTURE 48
The translation of the businesses vision and strategy into effective enterprise change by creating, communicating and improving the key requirements, principles and models that describe the enterprise’s future information security state and enable its evolution. ENTERPRISE SECURITY ARCHITECTURE 49
What is Information Governance? ENTERPRISE SECURITY ARCHITECTURE 50
The discipline and framework to ensure simplicity, organization, consistency, reliability, education, and measurements are well-articulated and achievable. ENTERPRISE SECURITY ARCHITECTURE 51
Enterprise Security Architecture + Information Governance = Successful & Robust Information Security Management Program ENTERPRISE SECURITY ARCHITECTURE 52
REFERENCES The American Institute of Architects 2004 Security Planning and Design 🔗🔗 National Institute of Standards and Technology 2013 NIST Special Publication 800-16 Rev. 1 🔗🔗 H. Tipton and M. Krause 2006 Information Security Management Handbook 🔗🔗 Cramsession.com 2007 Building a Defense in Depth Toolkit 🔗🔗 The Open Group 2013 TOGAF and SABSA Integration White Paper 🔗🔗 (ISC)2 2011 Official Guide to the ISSAP CBK, Second Edition 🔗🔗
Send me a message. 🔻🔻 @KrisKimmerle kris.kimmerle@outlook.com http://1drv.ms/1cgfZn0 http://www.linkedin.com/in/kriskimmerle

More Related Content

PDF
Security-by-Design in Enterprise Architecture
byThe Open Group SA
 
PDF
SABSA vs. TOGAF in a RMF NIST 800-30 context
byDavid Sweigert
 
PPTX
Enterprise Security Architecture
byPriyanka Aash
 
PPTX
Modelling Security Architecture
bynarenvivek
 
PPTX
Adaptive Enterprise Security Architecture
bySABSAcourses
 
PPTX
Security architecture frameworks
byJohn Arnold
 
PPTX
Enterprise Security Architecture Design
byPriyanka Aash
 
PDF
Practical Enterprise Security Architecture
byPriyanka Aash
 
Security-by-Design in Enterprise Architecture
byThe Open Group SA
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
byDavid Sweigert
 
Enterprise Security Architecture
byPriyanka Aash
 
Modelling Security Architecture
bynarenvivek
 
Adaptive Enterprise Security Architecture
bySABSAcourses
 
Security architecture frameworks
byJohn Arnold
 
Enterprise Security Architecture Design
byPriyanka Aash
 
Practical Enterprise Security Architecture
byPriyanka Aash
 

What's hot

PDF
Security review using SABSA
byMaganathin Veeraragaloo
 
PPTX
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
byAllen Baranov
 
PPTX
SABSA Implementation(Part I)_ver1-0
byMaganathin Veeraragaloo
 
PDF
SABSA white paper
bySABSAcourses
 
PDF
Security architecture
byDuncan Unwin
 
PDF
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
PPTX
SABSA overview
bySABSAcourses
 
PPTX
SABSA Implementation(Part II)_ver1-0
byMaganathin Veeraragaloo
 
PPTX
SABSA Implementation(Part VI)_ver1-0
byMaganathin Veeraragaloo
 
PPTX
SABSA Implementation(Part III)_ver1-0
byMaganathin Veeraragaloo
 
PDF
Enterprise Security Architecture
byPriyanka Aash
 
PDF
SABSA: Key features, advantages & benefits summary
bySABSAcourses
 
PDF
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
PPTX
Security Operation Center Fundamental
byAmir Hossein Zargaran
 
PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PDF
Enterprise Cybersecurity: From Strategy to Operating Model
byEryk Budi Pratama
 
PPT
Enterprise Architecture Frameworks
byStephen Lahanas
 
PPT
The Gartner IAM Program Maturity Model
bySarah Moore
 
PDF
Cyber Security For Organization Proposal Powerpoint Presentation Slides
bySlideTeam
 
Security review using SABSA
byMaganathin Veeraragaloo
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
byAllen Baranov
 
SABSA Implementation(Part I)_ver1-0
byMaganathin Veeraragaloo
 
SABSA white paper
bySABSAcourses
 
Security architecture
byDuncan Unwin
 
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
SABSA overview
bySABSAcourses
 
SABSA Implementation(Part II)_ver1-0
byMaganathin Veeraragaloo
 
SABSA Implementation(Part VI)_ver1-0
byMaganathin Veeraragaloo
 
SABSA Implementation(Part III)_ver1-0
byMaganathin Veeraragaloo
 
Enterprise Security Architecture
byPriyanka Aash
 
SABSA: Key features, advantages & benefits summary
bySABSAcourses
 
Cybersecurity roadmap : Global healthcare security architecture
byPriyanka Aash
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
byEdureka!
 
Security Operation Center Fundamental
byAmir Hossein Zargaran
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
Enterprise Cybersecurity: From Strategy to Operating Model
byEryk Budi Pratama
 
Enterprise Architecture Frameworks
byStephen Lahanas
 
The Gartner IAM Program Maturity Model
bySarah Moore
 
Cyber Security For Organization Proposal Powerpoint Presentation Slides
bySlideTeam
 

Viewers also liked

PDF
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
byCraig Martin
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PPTX
Security models for security architecture
byVladimir Jirasek
 
PDF
TOGAF 9 - Security Architecture Ver1 0
byMaganathin Veeraragaloo
 
PDF
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
byWAJAHAT IQBAL
 
PDF
Enterprise Security Architecture: From access to audit
byBob Rhubart
 
PDF
NIST Cybersecurity Framework - Mindmap
byWAJAHAT IQBAL
 
PPTX
Capability Model_Data Governance
bySteve Novak
 
PDF
Industrial Control System Cyber Security and the Employment of Industrial Fir...
bySchneider Electric
 
PDF
It governance & cobit 5
byLaddawan Rattanaruang
 
PPTX
Governance and Management of Enterprise IT with COBIT 5 Framework
byGoutama Bachtiar
 
PDF
What is IT Governance?
byMansoor Adenwala
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
byCraig Martin
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Security models for security architecture
byVladimir Jirasek
 
TOGAF 9 - Security Architecture Ver1 0
byMaganathin Veeraragaloo
 
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)
byWAJAHAT IQBAL
 
Enterprise Security Architecture: From access to audit
byBob Rhubart
 
NIST Cybersecurity Framework - Mindmap
byWAJAHAT IQBAL
 
Capability Model_Data Governance
bySteve Novak
 
Industrial Control System Cyber Security and the Employment of Industrial Fir...
bySchneider Electric
 
It governance & cobit 5
byLaddawan Rattanaruang
 
Governance and Management of Enterprise IT with COBIT 5 Framework
byGoutama Bachtiar
 
What is IT Governance?
byMansoor Adenwala
 

Similar to Enterprise Security Architecture

PPTX
Conceptual security architecture
byMubashirAslam5
 
PPTX
Does Anyone Remember Enterprise Security Architecture?
byrbrockway
 
PPT
Security architecture analyses brief 21 april 2015
byBill Ross
 
PPTX
Enterprise architecture
bySamah SAFI, MBA
 
PPTX
ESA for Business
byMaganathin Veeraragaloo
 
PPTX
Chapter 1 Security Framework
byKarthikeyan Dhayalan
 
PPTX
Enterprise Architecture and Information Security
byJohn Macasio
 
PDF
The foundations of EA
byyazilimmimarisi
 
PPTX
Introduction to Enterprise Architecture
byMohammed Omar
 
PDF
Information security-integration-part-1-of-2
bywardell henley
 
PPT
Ea Relationship To Security And The Enterprise V1
bypk4
 
PDF
Enterprise%20 security%20architecture%20 %20business%20driven%20security
bywardell henley
 
PPTX
Lecture -4-Enterprise-Security-Zachman-Framework.pptx
byAboodOod
 
PPTX
The Role of Architecture in the Enterprise
byPeter Nikitser
 
PPTX
CISSPills #3.03
byPierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
PDF
A Method To Define An Enterprise Architecture Using The Zachman Framework
byKim Daniels
 
PDF
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
byUBM_Design_Central
 
PPTX
Week 2-What is Enterprise Architecure (1).pptx
byRizalPrambudi3
 
PDF
تواصل_تطوير المحاضرة رقم 199 مهندس / محمود الديب عنوان المحاضرة Enterprise A...
byEgyptian Engineers Association
 
PDF
Week-2_LectureA1_701.pdf
byssuserc3fe80
 
Conceptual security architecture
byMubashirAslam5
 
Does Anyone Remember Enterprise Security Architecture?
byrbrockway
 
Security architecture analyses brief 21 april 2015
byBill Ross
 
Enterprise architecture
bySamah SAFI, MBA
 
ESA for Business
byMaganathin Veeraragaloo
 
Chapter 1 Security Framework
byKarthikeyan Dhayalan
 
Enterprise Architecture and Information Security
byJohn Macasio
 
The foundations of EA
byyazilimmimarisi
 
Introduction to Enterprise Architecture
byMohammed Omar
 
Information security-integration-part-1-of-2
bywardell henley
 
Ea Relationship To Security And The Enterprise V1
bypk4
 
Enterprise%20 security%20architecture%20 %20business%20driven%20security
bywardell henley
 
Lecture -4-Enterprise-Security-Zachman-Framework.pptx
byAboodOod
 
The Role of Architecture in the Enterprise
byPeter Nikitser
 
CISSPills #3.03
byPierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
A Method To Define An Enterprise Architecture Using The Zachman Framework
byKim Daniels
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
byUBM_Design_Central
 
Week 2-What is Enterprise Architecure (1).pptx
byRizalPrambudi3
 
تواصل_تطوير المحاضرة رقم 199 مهندس / محمود الديب عنوان المحاضرة Enterprise A...
byEgyptian Engineers Association
 
Week-2_LectureA1_701.pdf
byssuserc3fe80
 

Recently uploaded

PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PDF
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
PDF
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PDF
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
PDF
Cloud Infrastructure monitoring with Grafana Cloud
byImma Valls Bernaus
 
PDF
Think global, run local: when self-hosted LLMs actually win
byFrancesco Corti
 
PDF
PCCC25(設立25年記念PCクラスタシンポジウム):富士通株式会社 テーマ3「FUJITSU-MONAKA series: Arm-based pro...
byPC Cluster Consortium
 
PPTX
4_ii_Analysis of Indeterminate Structures (Slope-Deflection Method).pptx
byrohitpatel130020
 
PDF
PCCC25(設立25年記念PCクラスタシンポジウム):富士通株式会社 テーマ2「AI Computing Broker: Make your GPUs ...
byPC Cluster Consortium
 
PDF
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
PDF
Accessibility & Inclusion: What Comes Next. Presentation of the Digital Acces...
byAssociazione Digital Days
 
PPTX
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
PPTX
System Software_CIE_AS_LEVEL_CS_9618 .pptx
byJawaad BM
 
PDF
Cybersecurity Prevention and Detection: Unit 2
byVICTOR MAESTRE RAMIREZ
 
PPTX
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
PPTX
Leon Brands - Methodical GPU Profiling (Graphics Programming Conference 2025)
byleonbrands1998
 
PDF
How Much Does It Cost To Build Software
bycollinmishell2
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
Mulesoft Meetup Online Portuguese: MCP e IA
byPedro Baroni
 
ODSC AI West: Agent Optimization: Beyond Context engineering
byShashikant Jagtap
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
Cloud Infrastructure monitoring with Grafana Cloud
byImma Valls Bernaus
 
Think global, run local: when self-hosted LLMs actually win
byFrancesco Corti
 
PCCC25(設立25年記念PCクラスタシンポジウム):富士通株式会社 テーマ3「FUJITSU-MONAKA series: Arm-based pro...
byPC Cluster Consortium
 
4_ii_Analysis of Indeterminate Structures (Slope-Deflection Method).pptx
byrohitpatel130020
 
PCCC25(設立25年記念PCクラスタシンポジウム):富士通株式会社 テーマ2「AI Computing Broker: Make your GPUs ...
byPC Cluster Consortium
 
[DevFest Strasbourg 2025] - NodeJs Can do that !!
bymoassiongbon
 
Accessibility & Inclusion: What Comes Next. Presentation of the Digital Acces...
byAssociazione Digital Days
 
MuleSoft AI Series : Introduction to MCP
byMulesoftMunichMeetup
 
System Software_CIE_AS_LEVEL_CS_9618 .pptx
byJawaad BM
 
Cybersecurity Prevention and Detection: Unit 2
byVICTOR MAESTRE RAMIREZ
 
Leon Brands - Intro to GPU Occlusion (Graphics Programming Conference 2024)
byleonbrands1998
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
The partnership effect: Libraries and publishers on collaborating and thrivin...
byBookNet Canada
 
Leon Brands - Methodical GPU Profiling (Graphics Programming Conference 2025)
byleonbrands1998
 
How Much Does It Cost To Build Software
bycollinmishell2
 

Enterprise Security Architecture

  • 1.
    ENTERPRISE SECURITY ARCHITECTURE WITHINFORMATION GOVERNANCE by Kris Kimmerle
  • 2.
    ABOUT THE AUTHOR ENTERPRISESECURITY ARCHITECTURE 2
  • 3.
    Certifications Hi. I have My nameis Kris Kimmerle. I am training for I have 9 years of comprehensive and international experience in the following domains. Business Continuity Planning Security Intelligence Technician Project Management Chain of Custody Duty Segregation Disaster Recovery Planning Physical Security Management Agile Project Management Change Management Defense-in-Depth Risk Management Security Operations Management SharePoint Administrator IdM Solutions Supply Chain Processes Vulnerability Management Business Operations Management Enterprise Application Development Repudiation Enterprise Risk Management Threat Profiling Information Security Instructor Enterprise Architecture Automation ISO 27000 Family of Standards Compliance Management Third Party Risk Management Enterprise Security Architecture Security Awareness Simplicity in Complex Security Auditor Asset Management Security Analyst Access Control Flexibility in Security Information Security Instructor Network Operations Cloud Computing MySQL Interoperability ENTERPRISE SECURITY ARCHITECTURE 3
  • 4.
    Let’s get started. ENTERPRISESECURITY ARCHITECTURE 4
  • 5.
  • 6.
    ✔ ✔ ✔ ✔ ✔ Basic understanding ofenterprise architecture framework Basic understanding of enterprise architecture framework Basic understanding of information governance Ability to measure the effectives of your efforts Ability to build an effective information security management program ENTERPRISE SECURITY ARCHITECTURE 6
  • 7.
  • 8.
    🔮🔮 📅📅 Vision Strategic Planning Framework A statementof what the business unit or organization would like to develop into Defining direction and making decisions on allocating resources in pursuit of a strategic goal. Serves as a guide for creating or expanding a structure into something of value. ENTERPRISE SECURITY ARCHITECTURE 8
  • 9.
    🎁🎁 Deliverables Any measureable, tangible, verifiableoutcome, result, or item that must be produced to complete a project or part of a project 🔃🔃 Standardization Taxonomy The act of checking or adjusting (by comparison with a standard) the accuracy of a measuring instrument The science of classification according to a pre-determined system whose resulting catalogue is used to provide a conceptual framework ENTERPRISE SECURITY ARCHITECTURE 9
  • 10.
    💣💣 💼💼 🚌🚌 Risk Risk Management Business Driver Anuncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives. The systematic application of management policies, procedures, and practices to the tasks of communicating, establishing the context, identifying, analyzing, evaluating, treating, monitoring, and reviewing risk. A resource, process or condition that is vital for the continued success and growth of a business. ENTERPRISE SECURITY ARCHITECTURE 10
  • 11.
    Metadata Metamodel Matrix “Data about data".Structural metadata is about the design and specification of data structures and is more properly called "data about the containers of data"; descriptive metadata, on the other hand, is about individual instances of application data, the data content. The analysis, construction and development of the frames, rules, constraints, models and theories applicable and useful for modeling a predefined class of problems. A matrix is a rectangular array of numbers, symbols, or expressions, arranged in rows and columns. ENTERPRISE SECURITY ARCHITECTURE 11
  • 12.
  • 13.
    What is EnterpriseSecurity Architecture? Enterprise Security Architecture is the process of translating business security vision and strategy into effective enterprise change by creating, communicating and improving the key security requirements, principles and models that describe the enterprise’s future security state and enable its evolution. Why is it important? Enterprise Security Architecture is not about developing for a prediction. it is about ensuring that we develop in a way that allows us to maintain and sustain our agility to change. We don’t know where we are going or how we are going to get there but we need to be ready. 💡💡 💪💪 ENTERPRISE SECURITY ARCHITECTURE 13
  • 14.
  • 15.
    ZACHMAN The Zachman Frameworkis an enterprise architecture framework which provides a formal and highly structured way of viewing and defining an enterprise. It consists of a two dimensional classification matrix based on the intersection of six communication questions (What, Where, When, Why, Who and How) with five levels of reification, successively transforming the most abstract ideas (on the Scope level) into more concrete ideas (at the Operations level). TOGAF The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture which provides a comprehensive approach for designing, planning, implementing, and governing an enterprise information architecture. TOGAF is a high level and holistic approach to design, which is typically modeled at four levels: Business, Application, Data, and Technology. It tries to give a well-tested overall starting model to information architects, which can then be built upon. It relies heavily on modularization, standardization, and already existing, proven technologies and products. SABSA SABSA (Sherwood Applied Business Security Architecture) is a framework and methodology for Enterprise Security Architecture and Service Management. It was developed independently from the Zachman Framework, but has a similar structure. SABSA is a model and a methodology for developing risk-driven enterprise information security architectures and for delivering security infrastructure solutions that support critical business initiatives. ENTERPRISE SECURITY ARCHITECTURE 15
  • 16.
    The Zachman andTOGAF are true Enterprise Architecture frameworks however SABSA is the main framework for Enterprise Security Architecture. More importantly The SABSA framework is most effective when integrated or linked with one of these more robust Enterprise Architecture frameworks. Today we will be talking about the integration to the Zachman and TOGAF frameworks. ZACHMAN 🔗🔗 SABSA This is the traditional framework integration for SABSA and oldest. This framework integration is not nearly as effective as it used to be. TOGAF 🔗🔗 SABSA This is the new framework integration for SABSA. This framework carries with it many tools that exponentially increase its effectiveness. ENTERPRISE SECURITY ARCHITECTURE 16
  • 17.
    ZACHMAN 🔗🔗 Matrix SABSA 👎👎 There wasa time when a company could leverage a single matrix for their information security risk management program but in today’s rapidly changing and agile dependent world, this is no longer possible. ENTERPRISE SECURITY ARCHITECTURE 17
  • 18.
    TOGAF Matrix 🔗🔗 SABSA Lifecycle 👍👍 This level ofinsight, detail, and complexity allows our business to remain agile and competitive in todays world. Metamodel Taxonomy ENTERPRISE SECURITY ARCHITECTURE 18
  • 19.
    Let’s start withthe taxonomy. ENTERPRISE SECURITY ARCHITECTURE 19
  • 20.
    Business Attributes Business Strategy Management TechnicalStrategy Operational Risk Management Legal / Regulatory User Brand Enhancing Automated Architecturally Open Available Access Controlled Admissible Accessible Business-Enabled Change Managed COTS/GOTS Detectable Accountable Compliant Accurate Competent Controlled Extendible Error-Free Assurance Enforceable Consistent Confident Cost-Effective Flexible / Adaptable Interoperable Integrity Insurable Current Credible Efficient Future-Proof Productive Auditable Liability Managed Duty Segregated Governable Maintainable Legacy-Sensitive Recoverable Authenticated Resolvable Educated & Aware Good Provider Measured Migration Capable Authorized Time-bound Informed Good Stewardship Supportable Multi-Sourced Capturing New Risks Motivated Good Custody Scalable Confidential Protected Investment Simple Crime-Free Reliable Reuse Standards Compliant Flexibly Secure Supported Reputable Traceable Identified Timely Upgradable Independently Secure Usable In our sole possession Non-Repudiable Owned Private Trustworthy ENTERPRISE SECURITY ARCHITECTURE 20
  • 21.
    Business Attributes Business Strategy Management TechnicalStrategy Operational Risk Management Legal / Regulatory User Brand Enhancing Automated Architecturally Open Available Access Controlled Admissible Accessible Business-Enabled Change Managed COTS/GOTS Detectable Accountable Compliant Accurate Competent Controlled Extendible Error-Free Assurance Enforceable Consistent Confident Cost-Effective Flexible / Adaptable Interoperable Integrity Insurable Current Credible Efficient Future-Proof Productive Auditable Liability Managed Duty Segregated Governable Maintainable Legacy-Sensitive Recoverable Authenticated Resolvable Educated & Aware Good Provider Measured Migration Capable Authorized Time-bound Informed Good Stewardship Supportable Multi-Sourced Capturing New Risks Motivated Good Custody Scalable Confidential Protected Investment Simple Crime-Free Reliable Reuse Standards Compliant Flexibly Secure Supported Reputable Traceable Identified Timely Upgradable Independently Secure Usable In our sole possession Non-Repudiable Owned Private The highlighted areas are the items that we normally have the greatest interest and focus in when we consider information security Trustworthy ENTERPRISE SECURITY ARCHITECTURE 21
  • 22.
  • 23.
    Assets (what) SERVICE Logical Information, Services Processes, Applications Physical Data,Mechanisms Infrastructure, Platforms Component Products, Tools Specific Standards, Technologies Physical Business Risk Business Processes Business Governance Business Geography Business Time Depends Business Asset Taxonomy, Goals, Objectives Opportunities Exploits Threats Inventory Of Operational Processes Organizational Structure & Extensions Buildings, Sites Jurisdictions, Territories Time Dependencies with Objectives Risk Management Objectives Strategies for Assurance Roles & Responsibilities Domain Framework Time Management Business Attributes Profile Enablement & Control Objectives Process Mapping Framework, Strategies Owners, Custodians, Service Providers Security Domain Concepts & Framework Through-Life Risk Management Framework Risk Management Policies Process Maps Entity & Trusts Domain Maps Calendar & Timetables Inventory of Information Assets Domain Policies Information Flows, Service Architecture Entity Schema, Trust Models, Privilege Profiles Domain Definitions and Associations Start Times, Lifetimes, Deadlines Risk Management Practices Process Mechanisms Human Interface Infrastructure Processing Schedule Data Dictionary & Data Inventory Risk Management Procedures & Guidelines Applications Systems, Security Mechanisms User Interface, Systems, Access Control System Host Platforms, Layouts, Network Topologies Timing & Sequencing of Processes Compute Logical Time (when) Data Assets The “Big Picture” Business Attributes, Risk Objectives Concept Location (where) Information Assets Conceptual People (who) Business Knowledge Business Wisdom Business Decision Making Context Process (how) Business Decisions Context Motivation (why) Risk Management Tools Process Tools Tools & Standards Locator Tools Step Timing & Sequences Nodes, Addresses, & other Locations Time Schedules, Clocks, Timers, Interrupts Service Risk Analysis, Reports, Registers, Tools, Protocols, Process Delivery Identities, Job Descriptions, Roles, Functions Service Delivery Component Products, Data, Repositories, Processors Operational Risk Process Delivery Personnel Management Environment Time & Performance Assurance of Operational Continuity Risk Assessments, Monitoring, Treatment Management & Support of Systems Account Provisioning, User Support Management of Building, Sites, Networks Management of Calendar and Timetable ENTERPRISE SECURITY ARCHITECTURE 23
  • 24.
  • 25.
    Architecture Principles, Vision,and Requirements Preliminary Architecture Vision Architecture Principles Business Strategy Technology Strategy Business Principles Vision Statement Stakeholders Architecture Requirements Requirements Constraints Assumptions Business Architecture Drivers Organization Services, Contracts Goals Motivation Objectives Organization Location Function Processes, Controls Gaps Information Systems Architecture Technology Architecture Data Application Data Entities Information System Services Logical Data Components Logical Application Components Physical Data Components Physical Application Components Measures Actor, Role Functions Platform Services Logical Technology Components Physical Technology Components Architecture Realization Opportunities, Solutions, and Migration Planning Capabilities Work Packages Architecture Contracts Implementation Governance Standards Guidelines Specifications ENTERPRISE SECURITY ARCHITECTURE 25
  • 26.
  • 27.
    Business Driver Security Principles Preliminary KeyRisk Areas Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Trust Framework H. Architecture Change Management Security Governance Security Domain B. Business Architecture Security Organization Security Policy Security Services Business Attributes Security Awareness Security Audit G. Implement Governance C. Information Systems Architecture Requirements Security Management Security Services Classification Control Objectives Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 27
  • 28.
    Requirements Business Driver Security Principles Preliminary KeyRisk Areas Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Requirements management plays a central role in architecture work. This is recognized in both TOGAF and SABSA. The TOGAF method validates and updates business requirements in every stage of an architecture development project. However, TOGAF does not provide a concrete technique for describing or documenting requirements. In contrast, SABSA presents its unique Business Attribute Profiling technique as a means to effectively describe requirements. This section describes the use of Business Attribute Profiling with respect to security requirements management, along with the added value this technique offers for requirements management in general. Together, the TOGAF concept of validating architecture and validating and updating requirements based upon information uncovered during the development of the architecture and SABSA’s Business Attribute Profiling improve requirements management, traceability, and architecture development. Architecture in general should provide continuous alignment of capabilities with business goals and support achieving these goals in an effective and efficient manner, even when the environment or business goals change. This alignment is in many cases the major rationale for using methodologies such as TOGAF and SABSA and therefore both frameworks define a requirements management process to ensure this continuous alignment. Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 28
  • 29.
    Preliminary Business Driver Security Principles Preliminary KeyRisk Areas Risk Appetite To build the security context, the following security artifacts need to be determined during this phase. These artifacts can be integrated into existing architecture documentation, but it is important that they be properly identified and that they convey the necessary information to make quality decisions: Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning E. Opportunity and Solutions Security Standards Business Drivers for Security – the subset of TOGAF business drivers impacting security, presented as an integral part of the overall architecture business drivers artifact or deliverable. Security Principles – the subset of Business Principles addressing security architecture. This is presented as an integral part of the overall Architecture Principles artifact or deliverable. Security principles like other architecture principles will provide valuable guidance to making business decisions to comply with the enterprise’s risk appetite. Key Risk Areas – the list of the key risk areas within the architecture scope. The key risk areas should be related to the business opportunities which the security architecture enables using the risk appetite artifact which informs the balance of risk versus opportunity. The key risk area should be included in the overall architecture risk management deliverable produced during the Preliminary Phase. Risk Appetite – describes the enterprise’s attitude towards risk and provides decisionmaking guidance to the organization to balance the amount of risk taken to achieve an expected outcome. The risk appetite could be expressed as, for example, a boundary on a risk/business impact and likelihood grid, profit, and loss measures or qualitative measures (zero tolerance for loss of life or regulatory compliance breaches). Risk appetite can also be represented by suitably worded security principles or produced as a stand-alone deliverable if a key stakeholder exists who needs to specifically approve it. It defines the level of risk (damage) that the organization is willing to accept and what their strategy is in defining this level. For risks above this acceptable level, it defines the strategy used for mitigation (transference, avoidance). Security Resource Plan – based on the content of the artifacts and the characteristics of the planned architecture project, it must be decided during the Preliminary Phase which security resources are required to deliver the security elements. Finding answers to the following questions through sufficient stakeholder analysis in the Preliminary Phase can help determine the security-related effort required: ENTERPRISE SECURITY ARCHITECTURE 29
  • 30.
    A. Architecture Vision Business Driver Security Principles Preliminary KeyRisk Areas Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Architecture Vision describes enough of the TOGAF ADM Phases B, C, and D to ensure that key stakeholders can agree to the end-state which represents a solution to a defined problem. In Phase A sufficient security-specific architecture design is carried out to… 1. Satisfy the security stakeholders that the end-state does not represent any unknown or unacceptable risk and aligns with corporate policies, standards, and principles and 2. Satisfy business stakeholders – in particular those who control the budget – that the security architecture is instrumental in enabling and supporting the overall architecture required to deliver the business opportunities and benefits identified. Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 30
  • 31.
    B. Business Architecture Business Driver Security Principles Preliminary KeyRisk Areas The security elements of Phase B: Business Architecture comprise business level trust, risk, and controls, independent from specific IT or other systems within the specific scope of the architecture engagement. Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning E. Opportunity and Solutions Security Standards • Business Risk Model – the business risk model determines the cost (both qualitative and quantitative) of asset loss/impact in failure cases. It is the result of a risk assessment, based on identified threats, likelihood of materializing, and impact of an incident. Business impact should be aligned with the definitions in the Business Attribute Profile which act as pseudo-assets. Security classification should be carried out at this stage based on the risks identified. The business risk model is a detailing of the risk strategy of an organization. All information in the enterprise should have an owner and be classified against a business-approved classification scheme. The classification of the information determines the maximum risk the business is willing to accept, and the owner of the information decides what mitigation is enough for his/her information. These two aspects determine the context for the business risk model. • Applicable Law and Regulation – determines the specific laws and regulations that apply within the scope of the enterprise architecture engagement. • Control Frameworks – determine the suitable set of control frameworks that would best satisfy the requirements and address the risks related to the engagement scope and context. • Security Domain Model – a security domain represents a set of assets in the engagement scope which could be described by a similar set of business attributes (i.e., a security domain has a set of very similar business attributes for all entities in that domain). The security domain model describes the interactions between the various domains, parties, and actors and must be aligned with the Business Architecture model. This includes defining all people, processes, and system actors known at this stage, including third parties and external actors. The security domain model helps in defining responsibility areas, where responsibility is exchanged with external parties and distinguishes between areas of different security levels and can inform the engagement scope. • Trust Framework – the trust framework describes trust relationships between various entities in the security domain model and on what basis this trust exists. Trust relationships can be unidirectional, bidirectional, or non-existent. The onus for assessing trust is the responsibility of those choosing to enter into the contracts and their legal counsel. It is important to note that technology (e.g., digital certificates, SAML, etc.) cannot create trust, but can only convey in the electronic world the trust that already exists in the real world through business relationships, legal agreements, and security policy consistencies. • Security Organization – the corporate organization of risk management and information security which assigns ownership of security risks and defines the security management responsibilities and processes. Security management processes include risk assessment, the definition of control objectives, the definition and proper implementation of security measures, reporting about security status (measures defined, in place, and working) and the handling of security incidents. • Security Policy – the security policy addresses the alignment of operational risk management in general with the various security aspects such as physical security, information security, and business continuity. Within the scope of the architecture engagement, decide which existing policy elements can be re-used or have to be developed new. • Security Services – a list of security-related business services, defined as part of the Business Services. ENTERPRISE SECURITY ARCHITECTURE 31
  • 32.
    C. Information Systems Architecture Business Driver Security Principles Preliminary KeyRisk Areas The security elements of Phase C: Information Systems Architectures comprise information system-related security services and their security classification. Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy • Classification of Services – the assignment of a security classification to the list of services in the Information System Services catalog according to the enterprise classification scheme. In most cases this scheme is defined and described in the corporate information security policy and is based on the information processed or stored by the service. • Security Rules, Practices, and Procedures – are relevant artifacts for solutionlevel architectures. They are mentioned here because at the solution architecture level guidelines and designs for rules, practices, & procedures are expected to be produced in Phase C & D. Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 32
  • 33.
    D. Technology Architecture Business Driver Security Principles Preliminary KeyRisk Areas Risk Appetite The security elements of Phase D: Technology Architecture comprise security rules, practices and procedures, and security standards: Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization • Security Rules, Practices, and Procedures – artifacts mainly relevant for solutionlevel architectures, mentioned here because at solution architecture level guidelines and designs for rules, practices, and procedures are expected to be produced in Phase C and D. • Security Standards – guide or mandate the use of technical, assurance, or other relevant security standards. The artifact is expected to comprise publicly available standards such as Common Criteria, TLS, and SAML. Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 33
  • 34.
    E. Opportunity and Solutions Business Driver Security Principles Preliminary KeyRisk Areas Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management No specific security-related architecture artifacts are produced in this phase. However, in defining the roadmap and deciding which architecture elements must be implemented first, it is imperative that the security risks are evaluated and that risk owners are consulted when defining the place on the roadmap for high priority mitigations. This phase could also be used to verify the process and results, feeding back to the business goals and drivers. Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 34
  • 35.
    F. Migration Planning Business Driver Security Principles Preliminary KeyRisk Areas Risk Appetite No specific security architecture aspects apply to this phase; however, as part of the overall planning care must be taken to ensure that, for each stage on the roadmap, appropriate risks and associated controls are identified. Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 35
  • 36.
    G. Implement Governance Business Driver Security Principles Preliminary KeyRisk Areas Security architecture implementation governance provides assurance that the detailed design and implemented processes and systems adhere to the overall security architecture. This ensures that no unacceptable risk is created by deviations from Architecture Principles and implementation guidelines. Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Security Services • Security Management – definition of the detailed security roles and responsibilities, implementation of security governance, definition of security key performance and risk indicators, etc. • Security Audit – reports which include security reviews of implemented processes, technical designs, and developed code against policies and requirements, and security testing comprising functional security testing and penetration testing. • Security Awareness – implement necessary training to ensure correct deployment, configuration, and operations of security-relevant subsystems and components; ensure awareness training of all users and non-privileged operators of the system and/or its components. Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 36
  • 37.
    G. Implement Governance Business Driver Security Principles Preliminary KeyRisk Areas Risk Appetite Assessment Plan Security Stakeholders Business Risk Model Law and Regulation Control Frameworks A. Architecture Vision Risk Management Security Governance H. Architecture Change Management Security Domain Trust Framework B. Business Architecture Security Organization Security Policy Security Services Security Awareness Security Audit Security Management Business Attributes G. Implement Governance C. Information Systems Architecture Requirements Control Objectives Change is driven by new requirements or changes in the environment. Changes in security requirements can, for instance, be caused by changes in the threat environment, changed compliance requirements, or changes due to discovered vulnerabilities in the existing processes and solutions. Changes required due to security-related causes are often more disruptive than a simplification or incremental change. • Risk Management – the process in which the existing architecture is continuously evaluated regarding changes to business opportunity and security threat. If based on the results of this process, the current architecture is deemed unsuitable to mitigate changed or new risks or constrains the business too much in exploiting new opportunities, a decision on architecture change must be made. • Security Architecture Governance – the process in which decisions are made on changes to the existing architecture, either by minor changes in the current iteration or by means of a completely new iteration. Security Services Classification Procedures Guidelines D. Technology Architecture F. Migration Planning Security Standards E. Opportunity and Solutions ENTERPRISE SECURITY ARCHITECTURE 37
  • 38.
  • 39.
    🎯🎯 Why is InformationGovernance important? Architecture will define the way. Governance will keep you on the path. ENTERPRISE SECURITY ARCHITECTURE 39
  • 40.
    📑📑 Simple. What does InformationGovernance mean? Organized. Consistent. Reliable. Educated. Measured. ENTERPRISE SECURITY ARCHITECTURE 40
  • 41.
    Simple. Policy High-level statement ofrequirements. A security policy is the primary way in which management’s expectations for security are provided to the builders, installers, maintainers, and users of an organization’s information systems. ✔ Standards Specify how to configure devices, how to install and configure software, and how to use computer systems and other organizational assets, to be compliant with the intentions of the policy. Procedures Specify the step-by-step instructions to perform various tasks in accordance with policies and standards. Guidelines Advice about how to achieve the goals of the security policy, but the are suggestions, not rules. They are an important communication tool to let people know how to follow the policy’s guidance or They convey best practices ENTERPRISE SECURITY ARCHITECTURE 41
  • 42.
    Standard Organized. 📂📂 Objectives Responsibilities Scope Measurement Procedures Procedures for Activity 1 Procedures forActivity 2 Procedures for Activity 3 Procedures for System 1 Procedures for System 2 Procedures for Process 1 Procedures for Process Guidelines Templates Flowcharts Best Practice Research Scenarios Visual Aids ENTERPRISE SECURITY ARCHITECTURE 42
  • 43.
  • 44.
    Reliable. Consistent Performance Metrics 📶📶 Reductionin Risks Proactive Users 📊📊 📉📉 🙋🙋 ENTERPRISE SECURITY ARCHITECTURE 44
  • 45.
    Educated. Clear and ConciseDefinitions 🎓🎓 Effective Communicating End User Awareness 🔤🔤 💬💬 👂👂 ENTERPRISE SECURITY ARCHITECTURE 45
  • 46.
    Measured. 🍶🍶 Level 5 CAPABILITY MATURITYMODEL Level 4 Level 5 Optimizing It is a characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements. Level 4 Managed It is characteristic of processes at this level that, using process metrics, management can effectively control the AS-IS process (e.g., for software development ). In particular, management can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications. Process Capability is established from this level. Level 3 Defined It is characteristic of processes at this level that there are sets of defined and documented standard processes established and subject to some degree of improvement over time. These standard processes are in place (i.e., they are the AS-IS processes) and used to establish consistency of process performance across the organization. Enterprise Wide Level 3 Business Objectives Mapped Structured Detailed Procedures Measured Tested Reactive Activities Documented Monitored Automated Ad Hoc Disorganized Repeatable Process Managed Process Optimized Process Level 2 Level 1 Level 2 Repeatable It is characteristic of processes at this level that some processes are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress. Level 1 Initial (Chaotic) It is characteristic of processes at this level that they are (typically) undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events. This provides a chaotic or unstable environment for the processes. No Process ENTERPRISE SECURITY ARCHITECTURE 46
  • 47.
  • 48.
    What is EnterpriseSecurity Architecture? ENTERPRISE SECURITY ARCHITECTURE 48
  • 49.
    The translation ofthe businesses vision and strategy into effective enterprise change by creating, communicating and improving the key requirements, principles and models that describe the enterprise’s future information security state and enable its evolution. ENTERPRISE SECURITY ARCHITECTURE 49
  • 50.
    What is InformationGovernance? ENTERPRISE SECURITY ARCHITECTURE 50
  • 51.
    The discipline andframework to ensure simplicity, organization, consistency, reliability, education, and measurements are well-articulated and achievable. ENTERPRISE SECURITY ARCHITECTURE 51
  • 52.
    Enterprise Security Architecture+ Information Governance = Successful & Robust Information Security Management Program ENTERPRISE SECURITY ARCHITECTURE 52
  • 53.
    REFERENCES The American Instituteof Architects 2004 Security Planning and Design 🔗🔗 National Institute of Standards and Technology 2013 NIST Special Publication 800-16 Rev. 1 🔗🔗 H. Tipton and M. Krause 2006 Information Security Management Handbook 🔗🔗 Cramsession.com 2007 Building a Defense in Depth Toolkit 🔗🔗 The Open Group 2013 TOGAF and SABSA Integration White Paper 🔗🔗 (ISC)2 2011 Official Guide to the ISSAP CBK, Second Edition 🔗🔗
  • 54.
    Send me amessage. 🔻🔻 @KrisKimmerle kris.kimmerle@outlook.com http://1drv.ms/1cgfZn0 http://www.linkedin.com/in/kriskimmerle