Upload
veronica-patricia-pinto
View
216
Download
0
Embed Size (px)
Citation preview
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
1/54
ENTERPRISE SECURITY ARCHITECTUREWITH INFORMATION GOVERNANCEby Kris Kimmerle
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
2/54
ABOUT THE AUTHO
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
3/54
Hi.
My name is Kris Kimmerle.
I have 9 years of comprehensive and international experience in the following dom
I have
Cer
Disaster Recovery Planning
Risk Management
Vulnerability Management
Threat Profiling
Compliance Management
Auditor
Information Security Instructor
Business Continuity Planning
Network Operations
Asset Management
Third Party Risk Management
Information Security Instructor
Business Operations Management
Security Operations Management
Physical Security Management
Project ManagementSecurity Intelligence Technician
Agile Project Management
SharePoint Administrator
Enterprise Application Development
Enterprise Architecture
Enterprise Security Architecture
Security Analyst
Cloud Computing
Chain of Custody
Change Management
IdM Solutions
Repudiation
Automation
Security Awareness
Access Control
MySQL
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
4/54
Let’s get started.
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
5/54
PURPOSE
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
6/54
Basic understanding of enterprise architecture frame✔
Basic understanding of enterprise architecture frame
✔Basic understanding of information governance✔
Ability to measure the effectives of your efforts
✔Ability to build an effective information security manageme✔
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
7/54
TERMINOLOGY
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
8/54
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
9/54
Standardization
The act of checking or adjusting (bycomparison with a standard) the
accuracy of a measuring instrument
Tax
The scienaccording t
system whoseused to pro
fr
Deliverables
Any measureable, tangible,verifiable outcome, result, or item
that must be produced to complete
a project or part of a project
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
10/54
Risk Management
The systematic application ofmanagement policies, procedures,
and practices to the tasks ofcommunicating, establishing thecontext, identifying, analyzing,
evaluating, treating, monitoring,and reviewing risk.
Busin
A resource, that is vita
success and
Risk
An uncertain event or set of eventswhich, should it occur, will have an
effect on the achievement ofobjectives. A risk consists of a
combination of the probability of a
perceived threat or opportunityoccurring and the magnitude of its
impact on objectives.
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
11/54
Metamodel
The analysis, construction anddevelopment of the frames, rules,constraints, models and theories
applicable and useful for modelinga predefined class of problems.
M
A matrix is anumbers, sym
arranged in
Metadata
“Data about data". Structuralmetadata is about the design andspecification of data structures andis more properly called "data aboutthe containers of data"; descriptive
metadata, on the other hand, isabout individual instances of
application data, the data content.
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
12/54
ENTERPRISE SEC
OVERVIEW
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
13/54
Why is it important?
Enterprise Security Architecture is not about developing for a prediction. itis about ensuring that we develop in a way that allows us to maintain andsustain our agility to change. We don’t know where we are going or howwe are going to get there but we need to be ready.
What is Enterprise Security Architecture?Enterprise Security Architecture is the process of translating business securityvision and strategy into effective enterprise change by creating, communicating
and improving the key security requirements, principles and models that describethe enterprise’s future security state and enable its evolution.
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
14/54
ARCHITECTURE FRAMEWO
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
15/54
ZACHMAN
The Zachman Framework is an enterprise architecture framework which provides a formal andviewing and defining an enterprise. It consists of a two dimensional classification matrix based
communication questions (What, Where, When, Why, Who and How) with five levels of retransforming the most abstract ideas (on the Scope level) into more concrete ideas (at th
TOGAF
The Open Group Architecture Framework (TOGAF) is a framework for enterprise architectcomprehensive approach for designing, planning, implementing, and governing an ent
architecture. TOGAF is a high level and holistic approach to design, which is typically modeledApplication, Data, and Technology. It tries to give a well-tested overall starting model to inforcan then be built upon. It relies heavily on modularization, standardization, and already existi
and products.
SABSA
SABSA (Sherwood Applied Business Security Architecture) is a framework and methodologyArchitecture and Service Management. It was developed independently from the Zachmansimilar structure. SABSA is a model and a methodology for developing risk-driven enterpri
architectures and for delivering security infrastructure solutions that support critical bu
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
16/54
ENTERPRISE SEC
ZACHMAN SABSA
This is the traditional frameworkintegration for SABSA and oldest. Thisframework integration is not nearly as
effective as it used to be.
TOGAF
This is the new framewfor SABSA. This framewit many tools that expon
its effectiven
The Zachman and TOGAF are true Enterprise Architecture frameworks however SABSA is the main frameworArchitecture. More importantly The SABSA framework is most effective when integrated or linked with one
Enterprise Architecture frameworks. Today we will be talking about the integration to the Zachman and T
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
17/54
ZACHMAN SABSA
Matrix
There was a time when a co
leverage a single matrix for thsecurity risk management p
today’s rapidly changing and world, this is no longer
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
18/54
TOGAF SABSA
Lifecycle
Metamodel
Taxonomy
Matrix
This level of insight, allows our business
competitive in
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
19/54
Let’s start with the taxonomy.
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
20/54
Business Attributes
Risk Management
Private
Access Controlled
Accountable
Assurance
Integrity
Auditable
Capturing New Risks
Confidential
Crime-Free
Flexibly Secure
Authenticated
Authorized
Identified
Independently Secure
In our sole possession
Non-Repudiable
Owned
Trustworthy
Legal / Regulato
Admissible
Compliant
Enforceable
Insurable
Liability Managed
Resolvable
Time-bound
Operational
Available
Detectable
Error-Free
Interoperable
Productive
Recoverable
Technical Strategy
Architecturally Open
COTS/GOTS
Extendible
Flexible / Adaptable
Future-Proof
Legacy-Sensitive
Migration Capable
Multi-Sourced
Scalable
Simple
Standards Compliant
Traceable
Upgradable
Management
Automated
Change Managed
Controlled
Cost-Effective
Efficient
Maintainable
Measured
Supportable
Business Strategy
Brand Enhancing
Business-Enabled
Competent
Confident
Credible
Governable
Good Provider
Good Stewardship
Good Custody
Investment
Reuse
Reputable
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
21/54
Business Attributes
Legal / RegulatoOperationalTechnical StrategyManagementBusiness Strategy Risk Management
Private
Access Controlled
Accountable
Assurance
Integrity
Auditable
Capturing New Risks
Confidential
Crime-Free
Flexibly Secure
Authenticated
Authorized
Identified
Independently Secure
In our sole possession
Non-Repudiable
Owned
Trustworthy
Admissible
Compliant
Enforceable
Insurable
Liability Managed
Resolvable
Time-bound
Available
Detectable
Error-Free
Interoperable
Productive
Recoverable
Architecturally Open
COTS/GOTS
Extendible
Flexible / Adaptable
Future-Proof
Legacy-Sensitive
Migration Capable
Multi-Sourced
Scalable
Simple
Standards Compliant
Traceable
Upgradable
Automated
Change Managed
Controlled
Cost-Effective
Efficient
Maintainable
Measured
Supportable
Brand Enhancing
Business-Enabled
Competent
Confident
Credible
Governable
Good Provider
Good Stewardship
Good Custody
Investment
Reuse
Reputable
The highlighted areas are the items that we normally have thegreatest interest and focus in when we consider information security
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
22/54
Matrix.
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
23/54
Component
Physical
Logical
Concept
Context
Products, ToolsSpecific Standards, Technologies
Data, MechanismsInfrastructure, Platforms
Information, ServicesProcesses, Applications
The “Big Picture”Business Attributes, Risk Objectives
Business WisdomBusiness Decision Making
S E R V I C E
Assets(what)
Business AssetTaxonomy, Goals,
Objectives
BusinessAttributes Profile
Inventory ofInformation
Assets
Data Dictionary &Data Inventory
Products, Data,Repositories,Processors
Motivation(why)
OpportunitiesExploitsThreats
Enablement &Control
Objectives
Domain Policies
Risk ManagementProcedures &
Guidelines
Risk Analysis,Reports, Registers,
Process(how)
Inventory OfOperationalProcesses
Process MappingFramework,Strategies
Information Flows,Service
Architecture
ApplicationsSystems, Security
Mechanisms
Tools, Protocols,Process Delivery
People(who)
OrganizatioStructure Extension
OwnersCustodian
Service Prov
Entity ScheTrust Mod
Privilege Pro
User InterfaSystems, AcControl Sys
Identities, JDescriptio
Roles, Funct
Business Decisions Business Risk Business Processes Business Governa
B us in es s Knowl edge R is k Ma na ge me nt Obj ec t iv es Strategies for Assurance Roles & Respo nsib
Information Assets Risk Management Policies Process Maps Entity & Trust
Data Assets Risk Management Practices Process Mechanisms Human Interfac
Compute Risk Management Tools Process Tools Tools & Standa
Context
Conceptual
Logical
Physical
Component
Assurance ofOperationalContinuity
Risk Assessments,Monitoring,Treatment
Management &Support of
Systems
AccountProvisioning,
Support
Service Delivery Operational Risk Process Delivery Personnel Manage
Service
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
24/54
Metamodel.
ENTERPRISE SEC
A hit t P i i l Vi i d R i t
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
25/54
Architecture Principles, Vision, and Requirements
Preliminary
Architecture Principles
Architecture Realization
Business Architecture Information Systems Architecture
Data
Physical Data Components
Logical Data Components
Data Entities
Application
Physical Application Components
Logical Application Components
Information System Services
Architecture Vision
Business Strategy Technology Strategy Business Principles Vision Statem
Architecture Requirements
Requirements Constraints Assumptions
Motivation
Drivers Goals Objectives Measures
Organization
Organization Location Actor, Role
Function
Services, Contracts Processes, Controls Functions
Opportunities, Solutions, and Migration Planning
Capabilities Work Packages Architecture Contracts
Implementation Governan
Standards Guidelines
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
26/54
Lifecycle.
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
27/54
A.Architecture
Vision
RequirementsC.
InformationSystems
Architecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
28/54
A.Architecture
Vision
Requirements
C.Information
SystemsArchitecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
Requirements management plays a centraboth TOGAF and SABSA. The TOGAF metin every stage of an architecture developmconcrete technique for describing or docupresents its unique Business Attribute Profrequirements. This section describes the usecurity requirements management, along
requirements management in general. Togarchitecture and validating and updating rduring the development of the architecturimprove requirements management, trace
Architecture in general should provide congoals and support achieving these goals inenvironment or business goals change. Thfor using methodologies such as TOGAF aa requirements management process to e
Req
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
29/54
A.Architecture
Vision
Requirements
C.Information
SystemsArchitecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
To build the security context, the followingthis phase. These artifacts can be integrateis important that they be properly identifieto make quality decisions:
Business Drivers for Security – the subset opresented as an integral part of the overal
deliverable.
Security Principles – the subset of Businesspresented as an integral part of the overalSecurity principles like other architecture pbusiness decisions to comply with the ente
Key Risk Areas – the list of the key risk areshould be related to the business opportuthe risk appetite artifact which informs thearea should be included in the overall archduring the Preliminary Phase.
Risk Appetite – describes the enterprise’s amaking guidance to the organization to bexpected outcome. The risk appetite couldrisk/business impact and likelihood grid, p(zero tolerance for loss of life or regulatoryrepresented by suitably worded security pif a key stakeholder exists who needs to sp(damage) that the organization is willing tolevel. For risks above this acceptable level,(transference, avoidance).
Security Resource Plan – based on the conplanned architecture project, it must be deresources are required to deliver the securquestions through sufficient stakeholder adetermine the security-related effort requi
Pre
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
30/54
A.Architecture
Vision
Requirements
C.Information
SystemsArchitecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
Architecture Vision describes enoughensure that key stakeholders can agresolution to a defined problem. In Phadesign is carried out to… 1. Satisfy thedoes not represent any unknown or upolicies, standards, and principles andparticular those who control the budginstrumental in enabling and supportdeliver the business opportunities and
Arc
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
31/54
A.Architecture
Vision
Requirements
C.Information
SystemsArchitecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
The security elements of Phase B: Business Architeindependent from specific IT or other systems wit
• Business Risk Model – the business risk model deasset loss/impact in failure cases. It is the result of materializing, and impact of an incident. Business Attribute Profile which act as pseudo-assets. Securon the risks identified. The business risk model is ainformation in the enterprise should have an owne
classification scheme. The classification of the infowilling to accept, and the owner of the informationThese two aspects determine the context for the b
• Applicable Law and Regulation – determines thethe enterprise architecture engagement.
• Control Frameworks– determine the suitable setrequirements and address the risks related to the e
• Security Domain Model – a security domain reprbe described by a similar set of business attributeattributes for all entities in that domain). The securvarious domains, parties, and actors and must be adefining all people, processes, and system actors kactors. The security domain model helps in defininwith external parties and distinguishes between arengagement scope.
• Trust Framework – the trust framework describedomain model and on what basis this trust exists.
non-existent. The onus for assessing trust is the reand their legal counsel. It is important to note thatcreate trust, but can only convey in the electronic wbusiness relationships, legal agreements, and secu
• Security Organization– the corporate organizatassigns ownership of security risks and defines theSecurity management processes include risk assesand proper implementation of security measures, and working) and the handling of security incident
• Security Policy – the security policy addresses thethe various security aspects such as physical securscope of the architecture engagement, decide whdeveloped new.
• Security Services – a list of security-related busin
ENTERPRISE SEC
BArc
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
32/54
A.Architecture
Vision
Requirements
C.Information
SystemsArchitecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
The security elements of Phase C: Infoinformation system-related security s
• Classification of Services – the assigservices in the Information System Seclassification scheme. In most cases thcorporate information security policy or stored by the service.
• Security Rules, Practices, and Procedlevel architectures. They are mentionelevel guidelines and designs for rules,produced in Phase C & D.
InfS
Arc
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
33/54
A.Architecture
Vision
Requirements
C.Information
SystemsArchitecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
The security elements of Phase D: Tecrules, practices and procedures, and
• Security Rules, Practices, and Procedlevel architectures, mentioned here beguidelines and designs for rules, pracproduced in Phase C and D.
• Security Standards – guide or mandrelevant security standards. The artifastandards such as Common Criteria, T
TeArc
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
34/54
A.Architecture
Vision
Requirements
C.Information
SystemsArchitecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
No specific security-related architectuHowever, in defining the roadmap anmust be implemented first, it is imperaand that risk owners are consulted whhigh priority mitigations. This phase cresults, feeding back to the business g
Op
S
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
35/54
A.Architecture
Vision
Requirements
C.Information
SystemsArchitecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
No specific security architecture aspethe overall planning care must be takroadmap, appropriate risks and assoc
MP
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
36/54
A.Architecture
Vision
Requirements
C.Information
SystemsArchitecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
Security architecture implementation detailed design and implemented prosecurity architecture. This ensures thadeviations from Architecture Principle
• Security Management – definition oresponsibilities, implementation of secperformance and risk indicators, etc.
• Security Audit – reports which incluprocesses, technical designs, and devrequirements, and security testing compenetration testing.
• Security Awareness – implement nedeployment, configuration, and operacomponents; ensure awareness trainiof the system and/or its components.
ImGo
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
37/54
A.Architecture
Vision
Requirements
C.Information
SystemsArchitecture
G.ImplementGovernance
E.Opportunity
andSolutions
Preliminary
B.Business
Architecture
H.Architecture
ChangeManagement
F.MigrationPlanning
D.TechnologyArchitecture
Security Stakeholders
Business Driver
Security Principles
Key Risk Areas
Risk Appetite
Assessment Plan
Business Risk Model
Law and Regulation
Control Frameworks
Security Domain
Trust Framework
Security Organization
Security Policy
Security Services
Security Services
Classification
Procedures
Security Standards
Guidelines
Security Management
Security Audit
Security Awareness
Security Governance
Risk Management
Control Objectives
Business Attributes
Change is driven by new requirementin security requirements can, for instaenvironment, changed compliance revulnerabilities in the existing processesecurity-related causes are often morincremental change.
• Risk Management – the process in wcontinuously evaluated regarding chathreat. If based on the results of this punsuitable to mitigate changed or newin exploiting new opportunities, a dec
• Security Architecture Governance –changes to the existing architecture, eiteration or by means of a completely
ImGo
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
38/54
INFORMATION GOVERNA
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
39/54
Why is Information Governance imp
Architecture will define the way. Governance will keep you o
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
40/54
What does Information Governance
ENTERPRISE SEC
Organized. Consistent. Reliable. Educated.Simple.
lHigh-level statement of requirements A secur
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
41/54
Policy
Standards
Procedures
Guidelines
High level statement of requirements. A securwhich management’s expectations for securityinstallers, maintainers, and users of an organ
Specify how to configure devices, how to install to use computer systems and other organizatio
the intentions of the
Specify the step-by-step instructions to performpolicies and standa
Advice about how to achieve the goals of thsuggestions, not rules. They are an important c
know how to follow the policy’s guidance o
Simple.
✔
ENTERPRISE SEC
dStandard
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
42/54
Organized.
Standard
Procedures
Guidelines
Objectives Responsibilities Scope
Proceduresfor Activity 3
Proceduresfor System 1
Proceduresfor System 2
Procedfor Pro
Proceduresfor Activity 2
Proceduresfor Activity 1
Templates Flowcharts Best Practice Research Scenarios
ENTERPRISE SEC
Data
C i
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
43/54
Type
Communication
ENTERPRISE SEC
Consistent.
C i P f M iR li bl
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
44/54
Consistent Performance Metrics
Proactive Users
Reduction in Risks
ENTERPRISE SEC
Reliable.
Cl d C i D fi itiEd t d
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
45/54
Clear and Concise Definitions
End User Awareness
Effective Communicating
ENTERPRISE SEC
Educated.
CAPABILITY MATURITY MODELM d
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
46/54
ENTERPRISE SEC
NoProcess
Ad HocDisorganized
ReactiveActivities
RepeatableProcess
Documente
DetailedProcedures
Level
Level 2
Level 1
It is characteristic of processes at this level that they are (typically)undocumented and in a state of dynamic change, tending to be
driven in an ad hoc, uncontrolled and reactive manner by users orevents. This provides a chaotic or unstable environment for the
processes.
Level 1Initial
(Chaotic)
Level 2Repeatable
It is characteristic of processes at th is level that some processes arerepeatable, possibly with consistent results. Pr ocess discipline is
unlikely to be rigorous, but where it exists it may help to ensure thatexisting processes are maintained during times of stress.
It is characteristic of processes at this level that there are sets ofdefined and documented standard processes established and subjectto some degree of improvement over time. These standard processesare in place (i.e., they are the AS-IS processes) and used to establish
consistency of process performance across the organization.
Level 3Defined
Level 4Managed
It is characteristic of processes at this level that, using process metrics,management can effectively control the AS-IS process (e.g., for
software development ). In particular, management can identify waysto adjust and adapt the process to particular projects withoutmeasurable losses of quality or deviations from specifications. Process
Capability is established from this level.
Level 5Optimizing
It is a characteristic of processes at this level that the focus is oncontinually improving process performance through both incremental
and innovative technological changes/improvements.
Measured.
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
47/54
Let’s recap.
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
48/54
What is Enterprise Security Architecture?
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
49/54
The translation of the businesses vision and strategy into effective enterprise ccreating, communicating and improving the key requirements, principles and m
describe the enterprise’s future information security state and enable its evo
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
50/54
What is Information Governance?
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
51/54
The discipline and framework to ensure simplicity, organization, consistency, reducation, and measurements are well-articulated and achievable.
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
52/54
Enterprise Security Architecture + Information Governance
= Successful & Robust Information Security Management Program
ENTERPRISE SEC
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
53/54
REFERENCES
National Institute of Standards and Technology
The American Institute of Architects
H. Tipton and M. Krause
Cramsession.com
The Open Group
(ISC)2
2013
2004
2006
2007
2013
2011
NIST Special Publication 800-16
Security Planning and Desig
Information Security Management H
Building a Defense in Depth To
TOGAF and SABSA Integration Whi
Official Guide to the ISSAP CBK, Seco
8/17/2019 enterprisesecurityarchitecture-140302122809-phpapp02
54/54
Send me a message
@KrisKimmerle
http://1drv.ms/1cgfZn0 http://www.linkedin.c
kris.kimmerle@