Describes the problems of defining a security architect.
DRAFT ………………. by Bill Ross
Title: “The Invisible Person …. the Security Architect”
A paper by INFOSECFORCE
804-855-4988
The Invisible Person …. The Security Architect 10 August 2012
An open letter and personal thoughts on Security Architecture to all the great security
professionals who devote so much energy to our mission to predict, prevent, detect, and
respond. Since this original letter was composed, I have received 436 global requests for
same. 10/1/2013
We are in a CYBER War, and corporations and governments are being clobbered by an invisible
enemy that, at times, seems to own numerous private networks. Information Security Teams
across the globe are fighting the good fight, winning some battles and losing others. Every year
thousands of articles and conferences across the globe address the tactics and procedures for
meeting this challenge. When one reads the literature and attends the meetings, one knows
that the most fundamental, and most often missing, piece in orchestrating and defining the
arsenal of every institution that manages data is a cohesive, risk-based methodology that defines
solutions to the sometimes chaotic response to threats. That methodology is a systematically and
strategically planned, tactically executed security architecture, thoughtfully and professionally
managed by a dedicated, multi-talented Information Security Professional who is business
savvy, technically astute, threat aware, and has a dose of the Ninja instinct.
Until industry and organizations “embrace” security architecture, they will flounder in defining the
roles, responsibilities and implementation of a cohesive and hardened environment that beats cyber
crooks and miscreants. This is the environment we face and where this paper begins.
There are numerous and conflicting concepts of the roles and responsibilities of a Security
Architect within industry and government. This short and quick paper is designed to examine
the definitions of Information Security Architecture (ISA) and what the role of a Security
Architect is. These two questions become harder to answer as the separation between Security
Architecture and Infrastructure Architecture begins to dissolve. Thank you for reading this, as it
is an issue I often struggle with.
I have designed this paper to examine the various interpretations of what an Information
Security Architect is, the essence of Information Security Architecture, and suggested best
models and references for Security Architecture modeling. I also offer a suggested Security
Architecture framework for aligning business requirements to the security solution, optimizing
technology to protect data, and creating a strategic, operational, and tactical defense-in-depth
layering approach that ensures the classic Information Security Community (ISC) tenets
of confidentiality, integrity, and availability are designed, implemented and monitored within the
layered ISA solution. ISA is as much an art form as it is a VISIO diagram of trust zones and
firewall placement.
The ISC does not have a consistent and recognized approach to defining what an Information
Security Architecture is, and as such the ISC does not seem to have recognized standards for
what an Information Security Architecture (ISA) should accomplish in advancing the
financial or business success of an organization, let alone in defeating cyber criminals. Given the
lack of an ISA standard, the Security Architect sometimes struggles in his role to adequately
protect an organization’s vital information assets, because what he thinks he should do is not what the
company thinks it hired him for.
While great writers and thinkers have published a plethora of ISA frameworks and white papers
discussing what an ISA is, there does not seem to be one unifying agreement on what an ISA
should address or on how to define and implement an ISA. As such, when a government or
private sector organization tries to hire an Information Security Architect, it publishes wide-
ranging and variable job descriptions that cover almost every aspect of Information Security
roles and responsibilities. These Security Architect job descriptions can include requirements
for anything from an actual Security Architect, to a highly sophisticated and brilliant security
engineer, to the Chief Information Security Officer, or to simply a Firewall or Security
System Administrator who some organizations think can also create an ISA. In other words, will
the real Information Security Architect step out of the shadows and reveal himself or herself so we all
know who and what we are?
It is actually rare that an organization’s advertisement for a Security Architect really reflects
what it needs the “Security Architect” to do to create and implement the organization’s ISA.
For example, as we shall see in the sample job descriptions below, the Security Architect job
description often does not align with the end-to-end strategic, operational, and tactical benefits
that an Information Security Architect can contribute to the success of an organization.
Here is my suggested ISA Job Description
An Information Security Architect should have at least 10 years’ experience in information
security and at some point in his/her career should have had hands-on technical experience in
anything from help desk support to being a UNIX or database administrator. This person
should have extensive knowledge of security platforms and should have managed acquisition
efforts, identity and access management, cyber warfare, and governance as it is translated from
security standards and policies into an operational technical environment aligned with the core
business processes, whether those of a financial institution like JP Morgan or an e-commerce giant
like Amazon or Best Buy. This person should have served on the front lines of cyber battles such
as NIMDA, LUZ or APT. Optimally, the person is ITIL certified, has an EE degree, is a
visionary, and understands that security supports business objectives. Ultimately, the Security
Architect is a perfect blend of a highly skilled security engineer, a governance and policy expert,
an enterprise architect, and a business-savvy professional with a Ninja spirit.
Background
It has been my experience that the Information Security Architect role is generally confused with
a superior “top gun” level-four information security engineer. Within the last 13 years, I have
built Security Architecture strategies, hired Security Architects and mentored them to become
fully trained and empowered Security Architect professionals. As examples of my experience,
I was chosen by the Air Force during Desert Storm to combine two war fighting commands’
intelligence architectures. I led the team that baselined the global IT architecture for a global Army
logistics command, and I appointed the first Information Security Architect for the Federal Reserve
Information Technology (FRIT) organization. Also, I was one of the principals in hiring the
Security Architect for the Virginia Information Technology Agency-Northrop Grumman
partnership. Additionally, I was selected to become the Director of Security Architecture for
AXA Technology, the IT support function for AXA, one of the world’s largest
insurance firms. Even though I was hired as the Security Architect, my real job description
should have been Director of Information Security, and developing the ISA was just one of
my numerous responsibilities. Lastly, I was hired in my current job as the Security Architect for
United Guaranty Corporation.
So, considering my prior hands-on Security Architecture experience, and the fact that in the past
several months I have reviewed numerous Security Architect position job descriptions from a
host of excellent organizations, it has been my experience that these fine organizations were
really looking for the above referenced “top gun” security engineer and not the person who can
comprehensively build the business-based, requirements-driven, risk-managed solution for the
overall security architecture requirement. I can understand their deep engineering requirements,
even to the point of needing a fully qualified Security Electrical Engineer (EE), but being an EE
is not the same thing as developing an ISA as defined above.
Please see the following job descriptions as a recent sample of corporate Security Architect
position job board advertisements. The first one sounds like a great job, but as one reads the job
description, it is very specific about the technologies that the candidate must have
knowledge of. My observation for this job description is that while a candidate could have
knowledge of all these technologies, there is no indication of the much needed requirement
that the person integrate the technologies into a cohesive, layered security program
providing a comprehensive defense-in-depth strategy, so that the listed security
tools work synergistically and cohesively in a defense-in-depth layered configuration. Nor is
there any indication that the person should have business savvy and the ability to develop and
link business requirements to the Security Architecture and the overall success of the
organization. The job description does not discuss integrating the overall Security Architecture
with the organization’s Enterprise Architecture planning. The job sounds more like a CISO
position. Interestingly though, this is one of the better Security Architecture job descriptions I
have seen on the job boards. Note what is in red, as this is where I think it starts to diverge from
being a security architect. Now, in addition to being a Security Architect, the company wants
the person to be the threat manager.
Security Architect job description from a recognized job board.
“ Specifically, this resource will lead and set architecture strategy for security in close
partnership with the Global Information Security and Global Infrastructure organizations.
Functional responsibilities include but are not limited to the following:
Ability to build and maintain constructive working relationships with a diverse community (in
and outside of technology); ability to effectively communicate (both written and verbal) with
and influence both technical and non-technical audiences.
Providing architectural and technical guidance to support information system and
infrastructure design, improvements, and planning.
Assessing current and planned information systems, identifying Security Architecture issues,
and designing solutions for gaps.
Review, assess, and mitigate penetration tests and vulnerability assessments on information
systems and infrastructure.
Participating in infrastructure projects to develop, plan, and implement specifications for
network and distributed system security technologies in support of key information systems.
Preparing and presenting information on infrastructure plans, progress, and resolution of
security gaps to leadership.
The ideal candidate should have 5-8 years of experience with the following:
Bachelor's Degree required. Master's in Information Security (or related field) is a plus.
Identity and Access Management (e.g., LDAP, Sun Access Manager, MS Active Directory,
Sun Identity Manager, Tivoli Access Manager, and Unix Account Centralization tools such as
Power Broker and other PAM-based tools)
Remote Access Authorization and Authentication (RADIUS, SecurID, IPSEC and SSL VPN)
Operating System Security Configurations (Windows, Unix (HPUX and AIX), and Linux)
Operating System and Application Vulnerability and Patch Analysis
Vulnerability Scanning and Penetration Testing Tools (Tripwire, Foundstone, etc)
Web Proxies and URL/Content Filtering (e.g., products from WebWasher, and the ICAP
protocols)
Secure File Transfers (e.g., Sterling, Forum Systems, Ipswitch, sftp, ftps, https, and ftp with
PGP)
Wireless Security (e.g., 802.1x, Cisco and Aruba Wireless)
Encryption and Key Management (whole disk, file-level, network, database, PGP, MS
Certificate Services, and backup tapes)
Incident Response and Forensic Analysis Support
Application and Web Layer Security (e.g., Web 2.0, SOAP, SOA, Secure Messaging)
Code Security Analysis (manual and leveraging automated scanning tools)
Risk Assessments, methodologies, and compensating controls
Endpoint Protection (e.g., Anti-Virus, Personal Firewall, and Application Executable Control
from vendors such as Symantec and McAfee)
Network and Host-based Intrusion Detection and Prevention (e.g. external monitoring
integration as well as Cisco Mars)
Firewalls, Routers, and Load-Balancers
Data Loss Prevention (for databases/storage, the network, and endpoints e.g. Symantec
Vontu)
Email Filtering (e.g., Anti-virus, Anti-Spam, Content Filtering)
Log Monitoring (e.g., Windows, Unix, Linux, Networking, and Applications leveraging tools
such as Kiwi, Snare, Arcsight, and LogLogic)
Audit and Regulatory Issues (e.g., SOX)
Normal duties include, but are not limited to; Security Architecture analysis and design;
network, desktop, server, and application security risk analysis; recommendations of
procedural and technological compensating controls; project management; policy and
procedure development; incident management, and forensic analysis.
Solid organizational, interpersonal and communication skills and the ability to thrive in a fast-
paced, deadline-oriented environment are a must. Job will AT LEAST include hands on
experience in the technologies and products listed above.”
Security Architect description two
I included this Security Architect definition as a contrast to the above job description. I extracted
this Information Security Architect Description from the “Wise Geek” site. It is not nearly as
technical as the above job description and it sounds much more like a security manager than a
Security Architect.
“ A Security Architect is a computing professional who focuses on maintaining security in a
computer system. Security Architects work in a variety of settings, securing corporate networks,
government computer systems, and websites, and they are part of an overall information
technology staff which is designed to keep a computer system relevant, current, and useful. To
work as a Security Architect, it is usually necessary to have a bachelor's degree in computer
science or computer engineering, along with specific training and certification in Security
Architecture.
There are a number of aspects to a Security Architect's job. He or she must first review the
system, gaining an understanding of how the system is used, who is using it, and where the
weak points in the system may be located. The Security Architect thinks about how to improve
an outdated system after reviewing it, or makes recommendations to toughen security on a
relatively new system. These recommendations can include hardware and software upgrades
as well as new protocols for the system's users.
Security Architects set policies and enforce them, regularly checking for compliance. These
policies can range from never leaving a workstation unattended while someone is logged into
the computer system to always using an encryption protocol to collect sensitive information from
customers over the Internet. The Security Architect wants basic security measures in place at all
times and wants people to observe the protocols he or she establishes, and the system also has
countermeasures in place which can become active when someone attempts to breach the
system.
A good Security Architect is able to think like an attacker. He or she can look at a system and
not only see conventional weak points, but potential areas which someone thinking outside the
box can exploit. He or she also knows that the work of developing a good Security Architecture
is never finished, because security needs are constantly evolving and changing, and it is
necessary to be highly adaptable, and to avoid getting attached to particular approaches.
Every computer system and website has unique security needs which must be addressed.
While some software suites provide basic security, for large or sensitive systems, it is necessary
to hire a Security Architect to protect the system. As a member of the permanent staff of an
organization, the Security Architect keeps the organization strong by keeping up with changes
and trends in the security and computing fields. “
SOURCE: http://www.wisegeek.com/what-is-a-security-architect.htm#discussions
What is an Architecture, what is a Security Architecture and what is a Security
Architecture framework ….
Classical Architecture Definition
Given that the ISC has integrated the concept of “architecture” into its lexicon, let’s examine one
of many definitions for what “architecture” means. We will reference this in relationship to an
ISA.
“ Architecture (Latin architectura, from the Greek ἀρχιτέκτων – arkhitekton, from ἀρχι- "chief"
and τέκτων "builder, carpenter, mason") is both the process and product
of planning, designing and construction. Architectural works, in the material form of buildings,
are often perceived as cultural symbols and as works of art. Historical civilizations are often
identified with their surviving architectural achievements.
"Architecture" can mean:
A general term to describe buildings and other physical structures.
The art and science of designing and erecting buildings and other physical structures.
The style and method of design and construction of buildings and other physical structures.
The practice of the architect, where architecture means the offering or rendering of
professional services in connection with the design and construction of buildings, or built
environments.
The design activity of the architect, from the macro-level (urban design, landscape
architecture) to the micro-level (construction details and furniture).
The term "architecture" has been adopted to describe the activity of designing any kind of
system, and is commonly used in describing information technology.
In relation to buildings, architecture has to do with the planning, designing and constructing
form, space and ambience that reflect functional, technical, social, environmental, and aesthetic
considerations. It requires the creative manipulation and coordination of material, technology,
light and shadow. Architecture also encompasses the pragmatic aspects of realizing buildings
and structures, including scheduling, cost estimating and construction administration. As
documentation produced by architects, typically drawings, plans and technical specifications,
architecture defines the structure and/or behavior of a building or any other kind of system that
is to be or has been constructed. “
SOURCE: http://en.wikipedia.org/wiki/Architecture
I think the lesson to take from the above classical architecture definitions is that architecture
(security architecture) is a comprehensive macro-to-micro art form and science, a “building”
process that includes detailed planning, designing and then construction. Using example one
above, it is not just having a stack of building materials, numerous parts and
pieces, but the art and science of designing a comprehensive solution that enables all the
pieces to smoothly integrate into a cohesive whole of information security protection.
Information Security Architect descriptions
I have listed two similar and complementary definitions of what an ISA is. These were created
by experts with far greater insight than mine. Interestingly, while the definitions are similar and
describe the essence of end-to-end Security Architecture development, it is rare that job
descriptions for organizational Information Security Architects align with them. The
first concept is excellent but rarely used in corporate hiring requirements. May I suggest we
embrace these ideas in the ISC.
Description 1 (very good by the way)
Enterprise Information Security Architecture
“ Enterprise information Security Architecture (EISA) is the practice of applying a
comprehensive and rigorous method for describing a current and/or future structure and
behavior for an organization's security processes, information security systems, personnel and
organizational sub-units, so that they align with the organization's core goals and strategic
direction. Although often associated strictly with information security technology, it relates more
broadly to the security practice of business optimization in that it addresses business Security
Architecture, performance management and security process architecture as well.
Enterprise information Security Architecture is becoming a common practice within the financial
institutions around the globe. The primary purpose of creating an enterprise information Security
Architecture is to ensure that business strategy and IT security are aligned. As such, enterprise
information Security Architecture allows traceability from the business strategy down to the
underlying technology. “ (my underlines).
Methodology
The practice of Enterprise Information Security Architecture involves developing an architecture
security framework to describe a series of "current", "intermediate" and "target" reference
architectures and applying them to align programs of change. These frameworks detail the
organizations, roles, entities and relationships that exist or should exist to perform a set of
business processes. This framework will provide a rigorous taxonomy and ontology that clearly
identifies what processes a business performs and detailed information about how those
processes are executed and secured. The end product is a set of artifacts that describe in
varying degrees of detail exactly what and how a business operates and what security controls
are required. These artifacts are often graphical.
Given these descriptions, whose levels of detail will vary according to affordability and other
practical considerations, decision makers are provided the means to make informed decisions
about where to invest resources, where to realign organizational goals and processes, and what
policies and procedures will support core missions or business functions.
A strong enterprise information Security Architecture process helps to answer basic questions
like:
What is the information security risk posture of the organization?
Is the current architecture supporting and adding value to the security of the organization?
How might a Security Architecture be modified so that it adds more value to the
organization?
Based on what we know about what the organization wants to accomplish in the future, will
the current Security Architecture support or hinder that?
Implementing Enterprise Information Security Architecture generally starts with documenting the
organization's strategy and other necessary details such as where and how it operates. The
process then cascades down to documenting discrete core competencies, business processes,
and how the organization interacts with itself and with external parties such as customers,
suppliers, and government entities.
Having documented the organization's strategy and structure, the architecture process then
flows down into the discrete information technology components such as:
Organization charts, activities, and process flows of how the IT Organization operates
Organization cycles, periods and timing
Suppliers of technology hardware, software, and services
Applications and software inventories and diagrams
Interfaces between applications - that is: events, messages and data flows
Intranet, Extranet, Internet, eCommerce, EDI links with parties within and outside of the
organization
Data classifications, databases and supporting data models
Hardware, platforms, hosting: servers, network components and security devices and where
they are kept
Local and wide area networks, Internet connectivity diagrams
Wherever possible, all of the above should be related explicitly to the organization's
strategy, goals, and operations. The Enterprise Information Security Architecture will document
the current state of the technical security components listed above, as well as an ideal-world
desired future state (Reference Architecture) and finally a "Target" future state which is the
result of engineering tradeoffs and compromises vs. the ideal. Essentially the result is a nested
and interrelated set of models, usually managed and maintained with specialized
software available on the market. “
SOURCE: http://en.wikipedia.org/wiki/Enterprise_information_security_architecture
ISA Description two
“ Security Architecture and Design: architecture and design of security services that
enable business risk exposure targets to be met. The policies, standards and risk
management decisions drive the Security Architecture and the design of the security
processes and ‘defense in depth’ stack.
Security Architecture: unifying framework and reusable services that implement policy,
standards and risk management decisions. The Security Architecture is a strategic
framework that allows the development and operations staff to align efforts, in addition
the Security Architecture can drive platform improvements which are not possible to make
at a project level. A given software development project may not be able to make a
business case to purchase an XML Security Gateway for improved web services security,
but at the architecture level, architects can potentially identify several projects that could
leverage such a reusable service. In this instance the Security Architecture delivers
improved XML/ Web services security, a simplified programming model for developers,
and saves development costs, because the wheel is not reinvented multiple times.
Risk management, security policy and standards, and Security Architecture govern the
security processes and defense in depth architecture through design guidance, runtime
support, and assurance services. Security metrics are used for decision support for risk
management, security policy and standards, and Security Architecture. The security
architecture should have a reference implementation for developers and other IT staff to
review what functions the security mechanisms performs, and how they do it. “
SOURCE: Gunnar Peterson’s excellent article, “ Security Architecture Blueprint “, 2006
http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf
Implementing the above examples
Interestingly, GARTNER, almost six years ago, in its 2006 White Paper “Incorporating Security
Into the Enterprise Architecture (EA) Process”, proposed a basic process that could fulfill the
objectives of the above two ISA descriptions. Interestingly, GARTNER’s outline does not seem
to have gained the traction it should have in the ISC. While GARTNER’s outline is a
basically good outline for incorporating security into the EA process, I would probably expand
it to include items like technical engineering skills, risk-based ISA decisions, secure
development life cycle management, return on investment, metrics, operational tracking,
software updating, security road maps (N-1 plan) and roles and responsibilities.
Gartner Outline for “Incorporating Security Into the Enterprise Architecture (EA) Process”
1.0 The Rationale for Incorporating Security With the EA Process Model
2.0 Security and the EA Process Model in Relation to EA Frameworks
3.0 Environmental Trends
4.0 Business Strategy
5.0 Organize Architecture Effort
6.0 Security in the Future-State Architecture
o 6.1 Develop Requirements
o 6.2 Develop Principles
o 6.3 Develop Models
7.0 Current-State Architecture — Documenting
8.0 Closing the Gap
9.0 Governing and Managing
o 9.1 Governing EA Artifact Creation
o 9.2 Governing EA Compliance and Project/Procurement Management
o 9.3 Managing
SOURCE: http://www.gartner.com/DisplayDocument?ref=g_search&id=488575
Here is the problem with Industry Interpretations of a Security Architect
As we have seen above, there are various interpretations of what a Security Architect is, and
companies struggle with defining what they want from the ISA. We have also seen
excellent comprehensive descriptions of what a security architect is. Ultimately, based on
Security Architect job descriptions as seen on job boards, or on knowing Security Architects who
are already on the job, it seems that the ISC and/or government and private sector
organizations advertise about five different interpretations of what a
Security Architect is and what they need from the Security Architect to meet their data and
enterprise security goals. I believe the Security Architect types described in items 3 and 4
below will provide the best ISA support to their parent organization and will fulfill the goals
of a Security Architect as described above in “description one” of a security architect.
1. Extremely technical in one or two security technologies such as firewalls or intrusion
detection devices. This person gets hired, it seems, on the assumption that a high degree of
expertise in two areas must mean expertise in all areas. The problem here is that
the organization did not really understand what its Security Architect requirements were or what
the expected definitions of success were for the Security Architect position. This Security
Architect type will provide limited overall input to an organization’s strategic ISA plan.
2. Extremely technical on all aspects of security but cannot connect the architecture to business
requirements and the overall strategy. The person is more a highly talented senior security
engineer than an architect. The person can make things fit and work within the context of
what the technology is supposed to do, but might not have considered the overall
synergistic effects of the technology and its defense-in-depth aspects. A
good example of this is that the person could install a HIDS or even a firewall but did
not design a strategy for how these systems could operationally and tactically integrate as part
of the intrusion detection framework.
3. Extremely technical engineer and strategist who also has a holistic view of the business
objectives and the requirements definition process. This is the perfect Security Architect.
4. Highly technical and can combine all aspects of risk management and business
requirements into a cohesive strategy and technical plan. This person can easily work with the
person in number 2 to develop the ISA and deploy and manage an end-to-end Security
Architecture. This is probably the most likely person a company can find when it wants
someone in charge of the organization’s ISA.
5. Some companies actually call the security director or security manager the architect because
they, in essence, are architecting the entire management, governance, and technical solution
for the enterprise. This is what I did at AXA but I ultimately was not a dedicated security
architect focused on all things seen in the two above architect descriptions.
Building an Information Security Architecture Framework
If the Security Architect wants to properly manage their program in accordance with the above
ISA descriptions defined in Wikipedia or by Gunnar Peterson, the Security Architect needs to
define an end-to-end framework that sets the context and game plan the Security
Architect should use to protect the organization’s vital information assets.
Given how many sources there are in circulation on how to create an ISA focused on layered
security and a defense-in-depth strategy, the fundamental guidance I can provide is to keep your
framework very simple but with a sophisticated implementation of it based on risk, threats,
vulnerabilities, regulatory issues and business requirements. I like to use three fundamental
sources to build an ISA framework and the models needed to develop an outstanding ISA. The
secret sauce in using these three fundamental models together is to create an integrated ISA
Framework combining the three systems and tailor it to your organization’s mission or business
product line. Simply put, use your framework to plan, build, test, deploy and operate your
security services within your supporting infrastructure to provide the best layered security
program possible to protect your vital information assets. Here is my ISA trifecta.
1. While the Sherwood Applied Business Security Architecture (SABSA) is not highly technical,
SABSA provides excellent models for defining requirements against ISA plans. Please write to me
and I will send you my highly detailed SABSA spreadsheet, which defines risk management
planning and the appropriate ISA road map.
http://www.sabsa.org/
2. Open Security Architecture (OSA) is an eloquent technical meta-model process that brilliantly
complements the requirements as defined in SABSA. Develop and use the meta-models as your
current state and planning libraries.
http://www.opensecurityarchitecture.org/cms/index.php
3. The Open Group Architecture Framework (TOGAF) is an excellent document that is a
master’s thesis on how to build technical architectures. I strongly recommend reading its
introduction and the entire chapter 21 that is dedicated to ISA.
http://pubs.opengroup.org/architecture/togaf9-doc/arch/
Conclusion
We are at war. A Security Architect can define strategies to defeat the aggressors. The ISC
needs to standardize its doctrine and strategy to define the ISC view of what an ISA is;
once that is defined, it will be easier to define what a Security Architect is and should do
to protect vital business data assets. Not only will this protect your data and business, you will
implement optimized solutions for investment utilization. Organizations need to hire the right
people for ISA jobs and stop confusing the Senior Security Engineer with the roles and
responsibilities of an Information Security Architect. While they are complementary in nature, the
roles are different. Smart Security Architects should always include brilliant security and
infrastructure engineers in developing their business’ holistic and comprehensive ISA.
I am confident that if an organization uses the simple framework I described above, its
Security Architect will create an outstanding ISA and ISA road map.
Other Great References
See below
http://www.everyspec.com/DoD/DOD-General/download.php?spec=DISA_TAFIM_VOL4.007538.pdf
http://www.sans.org/reading_room/whitepapers/policyissues/approach-enterprise-security-architecture_504
http://en.wikipedia.org/wiki/DODAF
https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/architecture/10-BSI.html
https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/architecture/10-BSI.pdf
http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf
http://www.webopedia.com/TERM/S/security_architecture.html
http://en.wikipedia.org/wiki/Computer_security
http://www.wisegeek.com/what-is-a-security-architect.htm#discussions
http://en.wikipedia.org/wiki/Enterprise_information_security_architecture