enterprisesecurityarchitecture-140302122809-phpapp02

8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02

1/54

ENTERPRISE SECURITY ARCHITECTUREWITH INFORMATION GOVERNANCEby Kris Kimmerle


2/54

ABOUT THE AUTHO

ENTERPRISE SEC


3/54

Hi.

My name is Kris Kimmerle.

I have 9 years of comprehensive and international experience in the following dom

I have

Cer

Disaster Recovery Planning

Risk Management

Vulnerability Management

Threat Profiling

Compliance Management

Auditor

Information Security Instructor

Business Continuity Planning

Network Operations

Asset Management

Third Party Risk Management

Information Security Instructor

Business Operations Management

Security Operations Management

Physical Security Management

Project ManagementSecurity Intelligence Technician

Agile Project Management

SharePoint Administrator

Enterprise Application Development

Enterprise Architecture

Enterprise Security Architecture

Security Analyst

Cloud Computing

Chain of Custody

Change Management

IdM Solutions

Repudiation

Automation

Security Awareness

Access Control

MySQL

ENTERPRISE SEC


4/54

Let’s get started.

ENTERPRISE SEC


5/54

PURPOSE

ENTERPRISE SEC


6/54

Basic understanding of enterprise architecture frame✔

Basic understanding of enterprise architecture frame

✔Basic understanding of information governance✔

Ability to measure the effectives of your efforts

✔Ability to build an effective information security manageme✔

ENTERPRISE SEC


7/54

TERMINOLOGY

ENTERPRISE SEC


8/54


9/54

Standardization

The act of checking or adjusting (bycomparison with a standard) the

accuracy of a measuring instrument

Tax

The scienaccording t

system whoseused to pro

fr

Deliverables

Any measureable, tangible,verifiable outcome, result, or item

that must be produced to complete

a project or part of a project

ENTERPRISE SEC


10/54

Risk Management

The systematic application ofmanagement policies, procedures,

and practices to the tasks ofcommunicating, establishing thecontext, identifying, analyzing,

evaluating, treating, monitoring,and reviewing risk.

Busin

A resource, that is vita

success and

Risk

An uncertain event or set of eventswhich, should it occur, will have an

effect on the achievement ofobjectives. A risk consists of a

combination of the probability of a

perceived threat or opportunityoccurring and the magnitude of its

impact on objectives.

ENTERPRISE SEC


11/54

Metamodel

The analysis, construction anddevelopment of the frames, rules,constraints, models and theories

applicable and useful for modelinga predefined class of problems.

M

A matrix is anumbers, sym

arranged in

Metadata

“Data about data". Structuralmetadata is about the design andspecification of data structures andis more properly called "data aboutthe containers of data"; descriptive

metadata, on the other hand, isabout individual instances of

application data, the data content.

ENTERPRISE SEC


12/54

ENTERPRISE SEC

OVERVIEW


13/54

Why is it important?

Enterprise Security Architecture is not about developing for a prediction. itis about ensuring that we develop in a way that allows us to maintain andsustain our agility to change. We don’t know where we are going or howwe are going to get there but we need to be ready.

What is Enterprise Security Architecture?Enterprise Security Architecture is the process of translating business securityvision and strategy into effective enterprise change by creating, communicating

and improving the key security requirements, principles and models that describethe enterprise’s future security state and enable its evolution.

ENTERPRISE SEC


14/54

ARCHITECTURE FRAMEWO

ENTERPRISE SEC


15/54

ZACHMAN

The Zachman Framework is an enterprise architecture framework which provides a formal andviewing and defining an enterprise. It consists of a two dimensional classification matrix based

communication questions (What, Where, When, Why, Who and How) with five levels of retransforming the most abstract ideas (on the Scope level) into more concrete ideas (at th

TOGAF

The Open Group Architecture Framework (TOGAF) is a framework for enterprise architectcomprehensive approach for designing, planning, implementing, and governing an ent

architecture. TOGAF is a high level and holistic approach to design, which is typically modeledApplication, Data, and Technology. It tries to give a well-tested overall starting model to inforcan then be built upon. It relies heavily on modularization, standardization, and already existi

and products.

SABSA

SABSA (Sherwood Applied Business Security Architecture) is a framework and methodologyArchitecture and Service Management. It was developed independently from the Zachmansimilar structure. SABSA is a model and a methodology for developing risk-driven enterpri

architectures and for delivering security infrastructure solutions that support critical bu

ENTERPRISE SEC


16/54

ENTERPRISE SEC

ZACHMAN SABSA

This is the traditional frameworkintegration for SABSA and oldest. Thisframework integration is not nearly as

effective as it used to be.

TOGAF

This is the new framewfor SABSA. This framewit many tools that expon

its effectiven

The Zachman and TOGAF are true Enterprise Architecture frameworks however SABSA is the main frameworArchitecture. More importantly The SABSA framework is most effective when integrated or linked with one

Enterprise Architecture frameworks. Today we will be talking about the integration to the Zachman and T


17/54

ZACHMAN SABSA

Matrix

There was a time when a co

leverage a single matrix for thsecurity risk management p

today’s rapidly changing and world, this is no longer

ENTERPRISE SEC


18/54

TOGAF SABSA

Lifecycle

Metamodel

Taxonomy

Matrix

This level of insight, allows our business

competitive in

ENTERPRISE SEC


19/54

Let’s start with the taxonomy.

ENTERPRISE SEC


20/54

Business Attributes

Risk Management

Private

Access Controlled

Accountable

Assurance

Integrity

Auditable

Capturing New Risks

Confidential

Crime-Free

Flexibly Secure

Authenticated

Authorized

Identified

Independently Secure

In our sole possession

Non-Repudiable

Owned

Trustworthy

Legal / Regulato

Admissible

Compliant

Enforceable

Insurable

Liability Managed

Resolvable

Time-bound

Operational

Available

Detectable

Error-Free

Interoperable

Productive

Recoverable

Technical Strategy

Architecturally Open

COTS/GOTS

Extendible

Flexible / Adaptable

Future-Proof

Legacy-Sensitive

Migration Capable

Multi-Sourced

Scalable

Simple

Standards Compliant

Traceable

Upgradable

Management

Automated

Change Managed

Controlled

Cost-Effective

Efficient

Maintainable

Measured

Supportable

Business Strategy

Brand Enhancing

Business-Enabled

Competent

Confident

Credible

Governable

Good Provider

Good Stewardship

Good Custody

Investment

Reuse

Reputable

ENTERPRISE SEC


21/54

Business Attributes

Legal / RegulatoOperationalTechnical StrategyManagementBusiness Strategy Risk Management

Private

Access Controlled

Accountable

Assurance

Integrity

Auditable

Capturing New Risks

Confidential

Crime-Free

Flexibly Secure

Authenticated

Authorized

Identified

Independently Secure

In our sole possession

Non-Repudiable

Owned

Trustworthy

Admissible

Compliant

Enforceable

Insurable

Liability Managed

Resolvable

Time-bound

Available

Detectable

Error-Free

Interoperable

Productive

Recoverable

Architecturally Open

COTS/GOTS

Extendible

Flexible / Adaptable

Future-Proof

Legacy-Sensitive

Migration Capable

Multi-Sourced

Scalable

Simple

Standards Compliant

Traceable

Upgradable

Automated

Change Managed

Controlled

Cost-Effective

Efficient

Maintainable

Measured

Supportable

Brand Enhancing

Business-Enabled

Competent

Confident

Credible

Governable

Good Provider

Good Stewardship

Good Custody

Investment

Reuse

Reputable

The highlighted areas are the items that we normally have thegreatest interest and focus in when we consider information security

ENTERPRISE SEC


22/54

Matrix.

ENTERPRISE SEC


23/54

Component

Physical

Logical

Concept

Context

Products, ToolsSpecific Standards, Technologies

Data, MechanismsInfrastructure, Platforms

Information, ServicesProcesses, Applications

The “Big Picture”Business Attributes, Risk Objectives

Business WisdomBusiness Decision Making

S E R V I C E

Assets(what)

Business AssetTaxonomy, Goals,

Objectives

BusinessAttributes Profile

Inventory ofInformation

Assets

Data Dictionary &Data Inventory

Products, Data,Repositories,Processors

Motivation(why)

OpportunitiesExploitsThreats

Enablement &Control

Objectives

Domain Policies

Risk ManagementProcedures &

Guidelines

Risk Analysis,Reports, Registers,

Process(how)

Inventory OfOperationalProcesses

Process MappingFramework,Strategies

Information Flows,Service

Architecture

ApplicationsSystems, Security

Mechanisms

Tools, Protocols,Process Delivery

People(who)

OrganizatioStructure Extension

OwnersCustodian

Service Prov

Entity ScheTrust Mod

Privilege Pro

User InterfaSystems, AcControl Sys

Identities, JDescriptio

Roles, Funct

Business Decisions Business Risk Business Processes Business Governa

B us in es s Knowl edge R is k Ma na ge me nt Obj ec t iv es Strategies for Assurance Roles & Respo nsib

Information Assets Risk Management Policies Process Maps Entity & Trust

Data Assets Risk Management Practices Process Mechanisms Human Interfac

Compute Risk Management Tools Process Tools Tools & Standa

Context

Conceptual

Logical

Physical

Component

Assurance ofOperationalContinuity

Risk Assessments,Monitoring,Treatment

Management &Support of

Systems

AccountProvisioning,

Support

Service Delivery Operational Risk Process Delivery Personnel Manage

Service

ENTERPRISE SEC


24/54

Metamodel.

ENTERPRISE SEC

A hit t P i i l Vi i d R i t


25/54

Architecture Principles, Vision, and Requirements

Preliminary

Architecture Principles

Architecture Realization

Business Architecture Information Systems Architecture

Data

Physical Data Components

Logical Data Components

Data Entities

Application

Physical Application Components

Logical Application Components

Information System Services

Architecture Vision

Business Strategy Technology Strategy Business Principles Vision Statem

Architecture Requirements

Requirements Constraints Assumptions

Motivation

Drivers Goals Objectives Measures

Organization

Organization Location Actor, Role

Function

Services, Contracts Processes, Controls Functions

Opportunities, Solutions, and Migration Planning

Capabilities Work Packages Architecture Contracts

Implementation Governan

Standards Guidelines

ENTERPRISE SEC


26/54

Lifecycle.

ENTERPRISE SEC


27/54

A.Architecture

Vision

RequirementsC.

InformationSystems

Architecture

G.ImplementGovernance

E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning

D.TechnologyArchitecture

Security Stakeholders

Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework

Security Organization

Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

ENTERPRISE SEC


28/54

A.Architecture

Vision

Requirements

C.Information

SystemsArchitecture


E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning



Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework


Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

Requirements management plays a centraboth TOGAF and SABSA. The TOGAF metin every stage of an architecture developmconcrete technique for describing or docupresents its unique Business Attribute Profrequirements. This section describes the usecurity requirements management, along

requirements management in general. Togarchitecture and validating and updating rduring the development of the architecturimprove requirements management, trace

Architecture in general should provide congoals and support achieving these goals inenvironment or business goals change. Thfor using methodologies such as TOGAF aa requirements management process to e

Req

ENTERPRISE SEC


29/54

A.Architecture

Vision

Requirements

C.Information

SystemsArchitecture


E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning



Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework


Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

To build the security context, the followingthis phase. These artifacts can be integrateis important that they be properly identifieto make quality decisions:

Business Drivers for Security – the subset opresented as an integral part of the overal

deliverable.

Security Principles – the subset of Businesspresented as an integral part of the overalSecurity principles like other architecture pbusiness decisions to comply with the ente

Key Risk Areas – the list of the key risk areshould be related to the business opportuthe risk appetite artifact which informs thearea should be included in the overall archduring the Preliminary Phase.

Risk Appetite – describes the enterprise’s amaking guidance to the organization to bexpected outcome. The risk appetite couldrisk/business impact and likelihood grid, p(zero tolerance for loss of life or regulatoryrepresented by suitably worded security pif a key stakeholder exists who needs to sp(damage) that the organization is willing tolevel. For risks above this acceptable level,(transference, avoidance).

Security Resource Plan – based on the conplanned architecture project, it must be deresources are required to deliver the securquestions through sufficient stakeholder adetermine the security-related effort requi

Pre

ENTERPRISE SEC


30/54

A.Architecture

Vision

Requirements

C.Information

SystemsArchitecture


E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning



Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework


Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

Architecture Vision describes enoughensure that key stakeholders can agresolution to a defined problem. In Phadesign is carried out to… 1. Satisfy thedoes not represent any unknown or upolicies, standards, and principles andparticular those who control the budginstrumental in enabling and supportdeliver the business opportunities and

Arc

ENTERPRISE SEC


31/54

A.Architecture

Vision

Requirements

C.Information

SystemsArchitecture


E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning



Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework


Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

The security elements of Phase B: Business Architeindependent from specific IT or other systems wit

• Business Risk Model – the business risk model deasset loss/impact in failure cases. It is the result of materializing, and impact of an incident. Business Attribute Profile which act as pseudo-assets. Securon the risks identified. The business risk model is ainformation in the enterprise should have an owne

classification scheme. The classification of the infowilling to accept, and the owner of the informationThese two aspects determine the context for the b

• Applicable Law and Regulation – determines thethe enterprise architecture engagement.

• Control Frameworks– determine the suitable setrequirements and address the risks related to the e

• Security Domain Model – a security domain reprbe described by a similar set of business attributeattributes for all entities in that domain). The securvarious domains, parties, and actors and must be adefining all people, processes, and system actors kactors. The security domain model helps in defininwith external parties and distinguishes between arengagement scope.

• Trust Framework – the trust framework describedomain model and on what basis this trust exists.

non-existent. The onus for assessing trust is the reand their legal counsel. It is important to note thatcreate trust, but can only convey in the electronic wbusiness relationships, legal agreements, and secu

• Security Organization– the corporate organizatassigns ownership of security risks and defines theSecurity management processes include risk assesand proper implementation of security measures, and working) and the handling of security incident

• Security Policy – the security policy addresses thethe various security aspects such as physical securscope of the architecture engagement, decide whdeveloped new.

• Security Services – a list of security-related busin

ENTERPRISE SEC

BArc


32/54

A.Architecture

Vision

Requirements

C.Information

SystemsArchitecture


E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning



Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework


Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

The security elements of Phase C: Infoinformation system-related security s

• Classification of Services – the assigservices in the Information System Seclassification scheme. In most cases thcorporate information security policy or stored by the service.

• Security Rules, Practices, and Procedlevel architectures. They are mentionelevel guidelines and designs for rules,produced in Phase C & D.

InfS

Arc

ENTERPRISE SEC


33/54

A.Architecture

Vision

Requirements

C.Information

SystemsArchitecture


E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning



Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework


Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

The security elements of Phase D: Tecrules, practices and procedures, and

• Security Rules, Practices, and Procedlevel architectures, mentioned here beguidelines and designs for rules, pracproduced in Phase C and D.

• Security Standards – guide or mandrelevant security standards. The artifastandards such as Common Criteria, T

TeArc

ENTERPRISE SEC


34/54

A.Architecture

Vision

Requirements

C.Information

SystemsArchitecture


E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning



Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework


Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

No specific security-related architectuHowever, in defining the roadmap anmust be implemented first, it is imperaand that risk owners are consulted whhigh priority mitigations. This phase cresults, feeding back to the business g

Op

S

ENTERPRISE SEC


35/54

A.Architecture

Vision

Requirements

C.Information

SystemsArchitecture


E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning



Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework


Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

No specific security architecture aspethe overall planning care must be takroadmap, appropriate risks and assoc

MP

ENTERPRISE SEC


36/54

A.Architecture

Vision

Requirements

C.Information

SystemsArchitecture


E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning



Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework


Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

Security architecture implementation detailed design and implemented prosecurity architecture. This ensures thadeviations from Architecture Principle

• Security Management – definition oresponsibilities, implementation of secperformance and risk indicators, etc.

• Security Audit – reports which incluprocesses, technical designs, and devrequirements, and security testing compenetration testing.

• Security Awareness – implement nedeployment, configuration, and operacomponents; ensure awareness trainiof the system and/or its components.

ImGo

ENTERPRISE SEC


37/54

A.Architecture

Vision

Requirements

C.Information

SystemsArchitecture


E.Opportunity

andSolutions

Preliminary

B.Business

Architecture

H.Architecture

ChangeManagement

F.MigrationPlanning



Business Driver

Security Principles

Key Risk Areas

Risk Appetite

Assessment Plan

Business Risk Model

Law and Regulation

Control Frameworks

Security Domain

Trust Framework


Security Policy

Security Services

Security Services

Classification

Procedures

Security Standards

Guidelines

Security Management

Security Audit

Security Awareness

Security Governance

Risk Management

Control Objectives

Business Attributes

Change is driven by new requirementin security requirements can, for instaenvironment, changed compliance revulnerabilities in the existing processesecurity-related causes are often morincremental change.

• Risk Management – the process in wcontinuously evaluated regarding chathreat. If based on the results of this punsuitable to mitigate changed or newin exploiting new opportunities, a dec

• Security Architecture Governance –changes to the existing architecture, eiteration or by means of a completely

ImGo

ENTERPRISE SEC


38/54

INFORMATION GOVERNA

ENTERPRISE SEC


39/54

Why is Information Governance imp

Architecture will define the way. Governance will keep you o

ENTERPRISE SEC


40/54

What does Information Governance

ENTERPRISE SEC

Organized. Consistent. Reliable. Educated.Simple.

lHigh-level statement of requirements A secur


41/54

Policy

Standards

Procedures

Guidelines

High level statement of requirements. A securwhich management’s expectations for securityinstallers, maintainers, and users of an organ

Specify how to configure devices, how to install to use computer systems and other organizatio

the intentions of the

Specify the step-by-step instructions to performpolicies and standa

Advice about how to achieve the goals of thsuggestions, not rules. They are an important c

know how to follow the policy’s guidance o

Simple.

✔

ENTERPRISE SEC

dStandard


42/54

Organized.

Standard

Procedures

Guidelines

Objectives Responsibilities Scope

Proceduresfor Activity 3

Proceduresfor System 1

Proceduresfor System 2

Procedfor Pro



Templates Flowcharts Best Practice Research Scenarios

ENTERPRISE SEC

Data

C i


43/54

Type

Communication

ENTERPRISE SEC

Consistent.

C i P f M iR li bl


44/54

Consistent Performance Metrics

Proactive Users

Reduction in Risks

ENTERPRISE SEC

Reliable.

Cl d C i D fi itiEd t d


45/54

Clear and Concise Definitions

End User Awareness

Effective Communicating

ENTERPRISE SEC

Educated.

CAPABILITY MATURITY MODELM d


46/54

ENTERPRISE SEC

NoProcess

Ad HocDisorganized

ReactiveActivities

RepeatableProcess

Documente

DetailedProcedures

Level

Level 2

Level 1

It is characteristic of processes at this level that they are (typically)undocumented and in a state of dynamic change, tending to be

driven in an ad hoc, uncontrolled and reactive manner by users orevents. This provides a chaotic or unstable environment for the

processes.

Level 1Initial

(Chaotic)

Level 2Repeatable

It is characteristic of processes at th is level that some processes arerepeatable, possibly with consistent results. Pr ocess discipline is

unlikely to be rigorous, but where it exists it may help to ensure thatexisting processes are maintained during times of stress.

It is characteristic of processes at this level that there are sets ofdefined and documented standard processes established and subjectto some degree of improvement over time. These standard processesare in place (i.e., they are the AS-IS processes) and used to establish

consistency of process performance across the organization.

Level 3Defined

Level 4Managed

It is characteristic of processes at this level that, using process metrics,management can effectively control the AS-IS process (e.g., for

software development ). In particular, management can identify waysto adjust and adapt the process to particular projects withoutmeasurable losses of quality or deviations from specifications. Process

Capability is established from this level.

Level 5Optimizing

It is a characteristic of processes at this level that the focus is oncontinually improving process performance through both incremental

and innovative technological changes/improvements.

Measured.


47/54

Let’s recap.

ENTERPRISE SEC


48/54

What is Enterprise Security Architecture?

ENTERPRISE SEC


49/54

The translation of the businesses vision and strategy into effective enterprise ccreating, communicating and improving the key requirements, principles and m

describe the enterprise’s future information security state and enable its evo

ENTERPRISE SEC


50/54

What is Information Governance?

ENTERPRISE SEC


51/54

The discipline and framework to ensure simplicity, organization, consistency, reducation, and measurements are well-articulated and achievable.

ENTERPRISE SEC


52/54

Enterprise Security Architecture + Information Governance

= Successful & Robust Information Security Management Program

ENTERPRISE SEC


53/54

REFERENCES

National Institute of Standards and Technology

The American Institute of Architects

H. Tipton and M. Krause

Cramsession.com

The Open Group

(ISC)2

2013

2004

2006

2007

2013

2011

NIST Special Publication 800-16

Security Planning and Desig

Information Security Management H

Building a Defense in Depth To

TOGAF and SABSA Integration Whi

Official Guide to the ISSAP CBK, Seco


54/54

Send me a message

@KrisKimmerle

http://1drv.ms/1cgfZn0 http://www.linkedin.c

kris.kimmerle@

Documents

enterprisesecurityarchitecture-140302122809-phpapp02