Enterprise Security Architecture Framework
Business-outcome-focused and risk-driven approach

Dr Ana Kukec
Lead Enterprise Security Consultant

1 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 2013
Contents
• Enterprise Security Architecture, Frameworks and Standards
• The Open Group’s view of an ESAF
• EA’s view of an ESAF
• Case Study at the University of New South Wales
• Value Proposition
Enterprise Security Architecture Framework: Security Architecture, Frameworks and Standards
Security Architecture, Frameworks & Standards
Enterprise security architecture as seen by practitioners
Existing security architecture-related frameworks & standards

[Figure: the layered security architecture (Contextual, Conceptual, Logical, Physical and Component layers, with Security Service Management cutting across all of them, as in SABSA) set against the TOGAF enterprise architecture domains (Business, Data, Application and Technology Architecture).]

Enterprise security architecture is a methodology for securing an enterprise by optimising operational risks.
Security Architecture, Frameworks & Standards
Many of the ESA programmes have been failing…

What are we doing wrong?                 What should we be doing?
Too much emphasis on technology          Security as an enabler of business strategy
Silo approach to security and risk       Business risk is the key driver for security
Siloed security organisation             Cohesive security organisation
Silo approach to EA and ESA              Single team, common framework

Sources: [1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011; [2] SABSA Blue Book, Nov 2005
Security Architecture, Frameworks & Standards
What should we be doing?

[Figure: diagram relating Enterprise Architecture and Enterprise Security Architecture to Risk Management, Business Security Management (Information Security Management, Information Systems Security, Business Continuity, Physical Security, Environmental Security) and Value Management (Value Governance, Portfolio Management, Investment Management).]
Enterprise Security Architecture Framework: TOGAF & Enterprise Security Architecture
TOGAF and Enterprise Security Architecture
The Open Group identified goals for an Enterprise Security Architecture Framework

The Open Group Architecture Forum and Security Forum agree that the coverage of security and risk can be updated and improved.

The Open Group and the SABSA Institute agreed to use the TOGAF ADM as the basis for the ESA Framework.

Specific goals include [1]:
• Guidance on producing business and risk management-based security architectures.
• Guidance on developing secure architectures to support business outcomes.
• Guidance on producing architectures that enable the efficient management of security.

[1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011
EA’s view: Implications of the identified goals define the cornerstones for an effective Enterprise Security Architecture Framework

Business and risk management based security architectures
• Architecture asset identification
• Architecture asset evaluation
• Architecture asset risk assessment
• Risk-driven opportunities and solutions

Secure architectures supporting the business outcomes
• Business security motivation
• Business security requirements management
• Architecture asset threat, vulnerability and risk analysis
• Architecture asset classification
• Controls determination

Efficient management of security
• Security capability-based planning
• Security architecture and management maturity monitoring

Underpinning all three: business & risk-driven security strategies, tactics & operations, and a risk-driven portfolio.

The cornerstones have been identified based on our practical experience and the best-practice industry standards and frameworks.
EA’s view: The cornerstones can be delivered through integration of existing information security management and architecture frameworks and standards

Across all three cornerstones: SABSA Business Attributes Profiling, COBIT 5 Goals Cascade & Risk IT

Business and risk management based security architectures
• TOGAF ADM & Content Meta-model
• ISO/IEC 31000 standards
• SABSA Risk Management Model
• COBIT 5 Balanced Scorecard Risk Management Model
• COBIT 5 Enablers: Processes, People, Services, Infrastructure and Applications

Secure architectures supporting the business outcomes
• TOGAF ADM & Content Meta-model
• COBIT 5 for Information Security
• Data security classification & information system controls standards (ISO, FIPS, NIST, Government frameworks)
• Jericho Forum Models/Whitepapers
• Application security standards
• Platform/Network security standards

Efficient management of security
• TOGAF ADM & Content Meta-model
• COBIT 5 for Information Security Enablers: Principles, Policies, Processes, People, Information, Services, Infrastructure and Applications
• O-ISM3: Information Security Management Maturity Standard
• ITIL v3 security service management
• ISO/IEC 27000 standards
• ISO/IEC 31000 standards

The challenge is in the integration of existing security architecture frameworks, information security management standards and information systems security standards.
EA’s view: An Enterprise Security Architecture Framework as a process of iterations through the ADM tailored for enterprise security, risk and compliance

[Figure: iteration cycle through the security-tailored ADM. Phases: Business Security Architecture; Information Systems Security Architecture; Technology Security Architecture; Security Opportunities & Solutions; Security Change Management. Inputs: adopt operating model; business motivation; service catalogue; business, information systems and technology reference models; architecture roadmap; risk profiles.]

Secure BDAT architectures (secure architectures supporting the business outcomes)
• Classify enterprise assets
• Assess BDAT risks
• Define controls
Output: domain security architecture roadmap

Manage portfolio (business & risk management based security architectures)
• Business security motivation
Output: architecture risk roadmap

Architect/transform security practice (efficient & effective management of security)
• Identify security assets
• Assess security capability risks
• Define security policies
Output: security capability roadmap
EA’s view: ESA Content Meta-model (in addition to the TOGAF Content Meta-model)

Security architecture principles, requirements and roadmap
• Information Security Principle
• External Compliance Requirement
• Internal Compliance Requirement
• Continuity Requirement
• Security Capability Gap
• Security Capability

Business Security Architecture
• Motivation: Security Goal, Security Objective, Risk Appetite, Risk Tolerance
• Organization: Actor Security Attribute
• Function: Security Service, Business Service Criticality, Business Service Sensitivity, Security Service Policy, Strategic Security Risk

Data Security Architecture
• Security Classification (CIA)
• Information Risk

Application Security Architecture
• Security Control
• Security Guideline
• Continuity Procedure
• Application Risk

Technology Security Architecture
• Security Standard
• Technology Risk

Cross-cutting groupings shown on the diagram: Policy Framework, ES Motivation, ES Requirements, Risk Management
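As an added illustration (not part of the deck, and not SABSA's or TOGAF's method), the Python below encodes a handful of the meta-model entities above as data classes and runs the "classify enterprise assets, assess BDAT risks, define controls" sequence from the previous slide against a constructed university inventory. Everything numeric is an assumption of the example: the 1 to 4 rating scale, risk = likelihood × impact with impact taken as the asset's highest CIA classification, the likelihood reduction attributed to each control, and the tolerance value standing in for Risk Appetite/Risk Tolerance. The assets, threats and controls are made up.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Level(IntEnum):
    """Four-point rating scale. The scale itself is an assumption of this example."""
    LOW = 1
    MODERATE = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Classification:
    """Data Security Architecture: Security Classification (CIA)."""
    confidentiality: Level
    integrity: Level
    availability: Level

    @property
    def impact(self) -> int:
        # Assumption: an asset's impact rating is its highest CIA requirement.
        return int(max(self.confidentiality, self.integrity, self.availability))


@dataclass(frozen=True)
class Asset:
    """An architecture asset from one of the BDAT layers ('Classify enterprise assets')."""
    name: str
    layer: str  # "Business", "Data", "Application" or "Technology"
    classification: Classification


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: Level


@dataclass(frozen=True)
class Control:
    """Application Security Architecture: Security Control.
    The likelihood-reduction attribute is assumed here for scoring only."""
    name: str
    likelihood_reduction: int


@dataclass(frozen=True)
class RiskAppetite:
    """Business Security Architecture motivation: Risk Appetite / Risk Tolerance,
    reduced here to a single numeric ceiling on residual risk."""
    tolerance: int


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    inherent: int
    residual: int
    within_tolerance: bool


def inherent_risk(asset: Asset, threat: Threat) -> int:
    # Assumption: risk score = likelihood x impact, giving a 1..16 range.
    return int(threat.likelihood) * asset.classification.impact


def residual_risk(asset: Asset, threat: Threat, controls: Iterable[Control]) -> int:
    reduction = sum(c.likelihood_reduction for c in controls)
    # Controls lower likelihood, never below the floor of the scale.
    likelihood = max(int(Level.LOW), int(threat.likelihood) - reduction)
    return likelihood * asset.classification.impact


def assess(exposures: Iterable[tuple[Asset, Threat, tuple[Control, ...]]],
           appetite: RiskAppetite) -> list[Risk]:
    """'Assess BDAT risks': score each (asset, threat, applied controls) exposure
    and compare the residual against the risk tolerance."""
    risks: list[Risk] = []
    for asset, threat, controls in exposures:
        inherent = inherent_risk(asset, threat)
        residual = residual_risk(asset, threat, controls)
        risks.append(Risk(asset, threat, inherent, residual, residual <= appetite.tolerance))
    return risks


def risk_roadmap(risks: Iterable[Risk]) -> list[Risk]:
    """'Architecture risk roadmap': the risks still above tolerance, worst first.
    Each entry is a Security Capability Gap for the 'Define controls' step to close."""
    gaps = [r for r in risks if not r.within_tolerance]
    return sorted(gaps, key=lambda r: (-r.residual, -r.inherent, r.asset.name))


def demo() -> list[Risk]:
    """Constructed sample inventory for a fictitious university (all values made up)."""
    records = Asset("Student records database", "Data",
                    Classification(Level.CRITICAL, Level.HIGH, Level.MODERATE))
    wifi = Asset("Campus Wi-Fi", "Technology",
                 Classification(Level.MODERATE, Level.MODERATE, Level.HIGH))
    portal = Asset("Enrolment portal", "Application",
                   Classification(Level.HIGH, Level.HIGH, Level.HIGH))
    mfa = Control("Multi-factor authentication", likelihood_reduction=2)
    dot1x = Control("802.1X network access control", likelihood_reduction=1)
    exposures = [
        (records, Threat("Credential theft", Level.HIGH), (mfa,)),
        (records, Threat("SQL injection via portal", Level.MODERATE), ()),
        (wifi, Threat("Rogue access point", Level.HIGH), (dot1x,)),
        (portal, Threat("Denial of service", Level.MODERATE), ()),
    ]
    appetite = RiskAppetite(tolerance=4)  # assumed: residual above 4 needs a roadmap entry
    return risk_roadmap(assess(exposures, appetite))


if __name__ == "__main__":
    for r in demo():
        print(f"{r.asset.layer:<11} {r.asset.name:<26} {r.threat.name:<26} "
              f"inherent={r.inherent:>2} residual={r.residual:>2}")
```

Running `demo()` leaves credential theft against the records database inside tolerance (MFA brings its residual down to 4) and puts the unmitigated SQL injection exposure at the top of the roadmap, ahead of the rogue access point and denial of service entries. The point of the structure, rather than the numbers, is that classification, threat, control and appetite are separate entities tied together by the assessment, which is what lets the roadmap be regenerated when the business changes its tolerance or a control is added.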
Enterprise Security Architecture Framework: TOGAF-based ESAF, Case Study at the University of New South Wales
Case Study: ESAF at University of New South Wales
The situation

Business, IT and Enterprise Architects described their vision for the security organisation.

The UNSW security organisation relies on security operations, and is seeking to establish:
• an enterprise security architecture capability
• an enterprise security architecture framework
to help revise the security strategic plan and information security plan and to transform the security practice.
Case Study: ESAF at University of New South Wales
Our approach

Tailored Enterprise Security Architecture Framework
• Business security motivation & business capability anchor model
• Current state assessment: security capability maturity assessment; architecture risk assessment; architecture asset security classification
• Aspirational target state: target security capability model with functional roles to fulfil, policies, standards and regulations; application security guidelines and continuity procedures
• Business risk-driven security strategies
EA’s Enterprise Security Architecture Framework
Artefacts (samples)

[Figure: sample artefacts: security capability roadmap; business security motivation; security capability model; business capability model with security classification; architecture risk roadmap.]
Case Study: ESAF at University of New South Wales
Outcomes

Challenges
• Inability to communicate the value of security architecture, compliance and risks to business, services & projects
• Lack of consistency in providing security support across the SDLC
• Operational imbalance
• Organically grown information security and technology security architecture
• Low maturity of the risk management capability
• Ineffective IT audits

Outcomes
• Common language and framework
• Governance & management security capabilities integrated into the IT operating model
• Security classifications, internal compliance, regulatory compliance
• Better alignment to service management and projects
• Revised security strategy & informed application security portfolio management
• Revised risk management capability, disaster recovery and business continuity plans
• IT audit planning framework
Enterprise Security Architecture Framework: TOGAF-based ESAF, Value proposition
TOGAF-based Enterprise Security Architecture Framework
Value proposition

Common language & framework
• Business, security, risk and IT
• EA and ESA
• Various security functions

Strategic alignment
• Better investment management in security
• Shift from gap-control operations to strategic initiatives

Holistic approach & strategic security solutions
• Holistic approach to security solutions
• Strategic security solutions enabling business & improving customer experience (strategic or segment: cloud, BYOD, mobile, outsourcing, …)
• Reusable & scalable security building blocks

Efficient management of security
• Cohesive security organisation
• Integration of standards and regulations
• Positioning within business & IT operating model
• Clarity around security functional roles and work products
• Alignment to service management office & projects

Governance, risk & compliance
• Effective IT audits
• Compliance with industry regulations
• Cost-effective operational risk management

Conceptual integration of enterprise architecture management and security ris...christophefeltus
 
Reducing IT Security Breaches Through Skills Development
Reducing IT Security Breaches Through Skills DevelopmentReducing IT Security Breaches Through Skills Development
Reducing IT Security Breaches Through Skills DevelopmentCompTIA
 
Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Apoorva Ajmani
 
Outlook emerging security_technology_trends
Outlook emerging security_technology_trendsOutlook emerging security_technology_trends
Outlook emerging security_technology_trendswardell henley
 

Similaire à Risk-driven and Business-outcome-focused Enterprise Security Architecture Framework by Ana Kukec (20)

Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT Security
 
Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By Design
 
iCode Security Architecture Framework
iCode Security Architecture FrameworkiCode Security Architecture Framework
iCode Security Architecture Framework
 
Soa Governance And Security V1.1
Soa Governance And Security V1.1Soa Governance And Security V1.1
Soa Governance And Security V1.1
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 
Day 3 p2 - security
Day 3   p2 - securityDay 3   p2 - security
Day 3 p2 - security
 
Day 3 p2 - security
Day 3   p2 - securityDay 3   p2 - security
Day 3 p2 - security
 
Security Patterns How To Make Security Arch Easy To Consume
Security Patterns   How To Make Security Arch Easy To ConsumeSecurity Patterns   How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To Consume
 
Kostnadseffektiv implementation av IT-säkerhetsstrategi – Accenture - IBM Sma...
Kostnadseffektiv implementation av IT-säkerhetsstrategi – Accenture - IBM Sma...Kostnadseffektiv implementation av IT-säkerhetsstrategi – Accenture - IBM Sma...
Kostnadseffektiv implementation av IT-säkerhetsstrategi – Accenture - IBM Sma...
 
Is3 Capabilities Brief
Is3 Capabilities BriefIs3 Capabilities Brief
Is3 Capabilities Brief
 
Dataplex Company Overview
Dataplex Company OverviewDataplex Company Overview
Dataplex Company Overview
 
Conceptual integration of enterprise architecture management and security ris...
Conceptual integration of enterprise architecture management and security ris...Conceptual integration of enterprise architecture management and security ris...
Conceptual integration of enterprise architecture management and security ris...
 
Conceptual integration of enterprise architecture management and security ris...
Conceptual integration of enterprise architecture management and security ris...Conceptual integration of enterprise architecture management and security ris...
Conceptual integration of enterprise architecture management and security ris...
 
Reducing IT Security Breaches Through Skills Development
Reducing IT Security Breaches Through Skills DevelopmentReducing IT Security Breaches Through Skills Development
Reducing IT Security Breaches Through Skills Development
 
IS Unified "Digital Enterprise Management System" (ERP for IT, ITIL, CMMI,PMI...
IS Unified "Digital Enterprise Management System" (ERP for IT, ITIL, CMMI,PMI...IS Unified "Digital Enterprise Management System" (ERP for IT, ITIL, CMMI,PMI...
IS Unified "Digital Enterprise Management System" (ERP for IT, ITIL, CMMI,PMI...
 
Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206
 
VSD Infotech
VSD InfotechVSD Infotech
VSD Infotech
 
Axxera Ppt
Axxera PptAxxera Ppt
Axxera Ppt
 
Jeffrey Nick
Jeffrey NickJeffrey Nick
Jeffrey Nick
 
Outlook emerging security_technology_trends
Outlook emerging security_technology_trendsOutlook emerging security_technology_trends
Outlook emerging security_technology_trends
 

Plus de Craig Martin

The need for Business design to underpin strategic and operational agility
The need for Business design to underpin strategic and operational agility The need for Business design to underpin strategic and operational agility
The need for Business design to underpin strategic and operational agility Craig Martin
 
DesignChain Business-by-Design Workshop Pack for IIBA
DesignChain Business-by-Design Workshop Pack for IIBADesignChain Business-by-Design Workshop Pack for IIBA
DesignChain Business-by-Design Workshop Pack for IIBACraig Martin
 
Creating Agile Organizations by Combining Design, Architecture and Agile Thin...
Creating Agile Organizations by Combining Design, Architecture and Agile Thin...Creating Agile Organizations by Combining Design, Architecture and Agile Thin...
Creating Agile Organizations by Combining Design, Architecture and Agile Thin...Craig Martin
 
Design of Business in an Age of Disruption
Design of Business in an Age of DisruptionDesign of Business in an Age of Disruption
Design of Business in an Age of DisruptionCraig Martin
 
Looking for Disruptive Business Models in Higher Education
Looking for Disruptive Business Models in Higher EducationLooking for Disruptive Business Models in Higher Education
Looking for Disruptive Business Models in Higher EducationCraig Martin
 
Re-Positioning the value of the architecture practice
Re-Positioning the value of the architecture practiceRe-Positioning the value of the architecture practice
Re-Positioning the value of the architecture practiceCraig Martin
 
Driving your BA Career: From Business Analyst to Business Architect
Driving your BA Career: From Business Analyst to Business ArchitectDriving your BA Career: From Business Analyst to Business Architect
Driving your BA Career: From Business Analyst to Business ArchitectCraig Martin
 
Business by Design
Business by DesignBusiness by Design
Business by DesignCraig Martin
 
Using Business Architecture to enable customer experience and digital strategy
Using Business Architecture to enable customer experience and digital strategyUsing Business Architecture to enable customer experience and digital strategy
Using Business Architecture to enable customer experience and digital strategyCraig Martin
 
Leading Business Disruption Strategy with EA - Hugh Evans
Leading Business Disruption Strategy with EA - Hugh EvansLeading Business Disruption Strategy with EA - Hugh Evans
Leading Business Disruption Strategy with EA - Hugh EvansCraig Martin
 
An Introduction into the design of business using business architecture
An Introduction into the design of business using business architectureAn Introduction into the design of business using business architecture
An Introduction into the design of business using business architectureCraig Martin
 
Architecture for the masses - An Open Group Webinar
Architecture for the masses - An Open Group WebinarArchitecture for the masses - An Open Group Webinar
Architecture for the masses - An Open Group WebinarCraig Martin
 
A Business Interoperability Framework for Government by Christine Stephenson
A Business Interoperability Framework for Government by Christine StephensonA Business Interoperability Framework for Government by Christine Stephenson
A Business Interoperability Framework for Government by Christine StephensonCraig Martin
 
Building a more cohesive organisation using business architecture
Building a more cohesive organisation using business architectureBuilding a more cohesive organisation using business architecture
Building a more cohesive organisation using business architectureCraig Martin
 
Bridging business analysis and business architecture - The Open Group webinar
Bridging business analysis and business architecture - The Open Group webinarBridging business analysis and business architecture - The Open Group webinar
Bridging business analysis and business architecture - The Open Group webinarCraig Martin
 

Plus de Craig Martin (15)

The need for Business design to underpin strategic and operational agility
The need for Business design to underpin strategic and operational agility The need for Business design to underpin strategic and operational agility
The need for Business design to underpin strategic and operational agility
 
DesignChain Business-by-Design Workshop Pack for IIBA
DesignChain Business-by-Design Workshop Pack for IIBADesignChain Business-by-Design Workshop Pack for IIBA
DesignChain Business-by-Design Workshop Pack for IIBA
 
Creating Agile Organizations by Combining Design, Architecture and Agile Thin...
Creating Agile Organizations by Combining Design, Architecture and Agile Thin...Creating Agile Organizations by Combining Design, Architecture and Agile Thin...
Creating Agile Organizations by Combining Design, Architecture and Agile Thin...
 
Design of Business in an Age of Disruption
Design of Business in an Age of DisruptionDesign of Business in an Age of Disruption
Design of Business in an Age of Disruption
 
Looking for Disruptive Business Models in Higher Education
Looking for Disruptive Business Models in Higher EducationLooking for Disruptive Business Models in Higher Education
Looking for Disruptive Business Models in Higher Education
 
Re-Positioning the value of the architecture practice
Re-Positioning the value of the architecture practiceRe-Positioning the value of the architecture practice
Re-Positioning the value of the architecture practice
 
Driving your BA Career: From Business Analyst to Business Architect
Driving your BA Career: From Business Analyst to Business ArchitectDriving your BA Career: From Business Analyst to Business Architect
Driving your BA Career: From Business Analyst to Business Architect
 
Business by Design
Business by DesignBusiness by Design
Business by Design
 
Using Business Architecture to enable customer experience and digital strategy
Using Business Architecture to enable customer experience and digital strategyUsing Business Architecture to enable customer experience and digital strategy
Using Business Architecture to enable customer experience and digital strategy
 
Leading Business Disruption Strategy with EA - Hugh Evans
Leading Business Disruption Strategy with EA - Hugh EvansLeading Business Disruption Strategy with EA - Hugh Evans
Leading Business Disruption Strategy with EA - Hugh Evans
 
An Introduction into the design of business using business architecture
An Introduction into the design of business using business architectureAn Introduction into the design of business using business architecture
An Introduction into the design of business using business architecture
 
Architecture for the masses - An Open Group Webinar
Architecture for the masses - An Open Group WebinarArchitecture for the masses - An Open Group Webinar
Architecture for the masses - An Open Group Webinar
 
A Business Interoperability Framework for Government by Christine Stephenson
A Business Interoperability Framework for Government by Christine StephensonA Business Interoperability Framework for Government by Christine Stephenson
A Business Interoperability Framework for Government by Christine Stephenson
 
Building a more cohesive organisation using business architecture
Building a more cohesive organisation using business architectureBuilding a more cohesive organisation using business architecture
Building a more cohesive organisation using business architecture
 
Bridging business analysis and business architecture - The Open Group webinar
Bridging business analysis and business architecture - The Open Group webinarBridging business analysis and business architecture - The Open Group webinar
Bridging business analysis and business architecture - The Open Group webinar
 

Dernier

How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...SOFTTECHHUB
 
WSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfWSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfJamesConcepcion7
 
Psychic Reading | Spiritual Guidance – Astro Ganesh Ji
Psychic Reading | Spiritual Guidance – Astro Ganesh JiPsychic Reading | Spiritual Guidance – Astro Ganesh Ji
Psychic Reading | Spiritual Guidance – Astro Ganesh Jiastral oracle
 
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...Hector Del Castillo, CPM, CPMM
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdfChris Skinner
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsIndiaMART InterMESH Limited
 
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...Aggregage
 
Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...
Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...
Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...PRnews2
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamArik Fletcher
 
Entrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider contextEntrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider contextP&CO
 
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdfSherl Simon
 
MEP Plans in Construction of Building and Industrial Projects 2024
MEP Plans in Construction of Building and Industrial Projects 2024MEP Plans in Construction of Building and Industrial Projects 2024
MEP Plans in Construction of Building and Industrial Projects 2024Chandresh Chudasama
 
Simplify Your Funding: Quick and Easy Business Loans
Simplify Your Funding: Quick and Easy Business LoansSimplify Your Funding: Quick and Easy Business Loans
Simplify Your Funding: Quick and Easy Business LoansNugget Global
 
Darshan Hiranandani (Son of Niranjan Hiranandani).pdf
Darshan Hiranandani (Son of Niranjan Hiranandani).pdfDarshan Hiranandani (Son of Niranjan Hiranandani).pdf
Darshan Hiranandani (Son of Niranjan Hiranandani).pdfShashank Mehta
 
Types of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfTypes of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfASGITConsulting
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers referencessuser2c065e
 
Interoperability and ecosystems: Assembling the industrial metaverse
Interoperability and ecosystems:  Assembling the industrial metaverseInteroperability and ecosystems:  Assembling the industrial metaverse
Interoperability and ecosystems: Assembling the industrial metaverseSiemens
 

Dernier (20)

How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
How To Simplify Your Scheduling with AI Calendarfly The Hassle-Free Online Bo...
 
WSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfWSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdf
 
Psychic Reading | Spiritual Guidance – Astro Ganesh Ji
Psychic Reading | Spiritual Guidance – Astro Ganesh JiPsychic Reading | Spiritual Guidance – Astro Ganesh Ji
Psychic Reading | Spiritual Guidance – Astro Ganesh Ji
 
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf
 
WAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdfWAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdf
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
Strategic Project Finance Essentials: A Project Manager’s Guide to Financial ...
 
Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...
Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...
Introducing the AI ShillText Generator A New Era for Cryptocurrency Marketing...
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management Team
 
Entrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider contextEntrepreneurial ecosystem- Wider context
Entrepreneurial ecosystem- Wider context
 
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf
5-Step Framework to Convert Any Business into a Wealth Generation Machine.pdf
 
MEP Plans in Construction of Building and Industrial Projects 2024
MEP Plans in Construction of Building and Industrial Projects 2024MEP Plans in Construction of Building and Industrial Projects 2024
MEP Plans in Construction of Building and Industrial Projects 2024
 
Simplify Your Funding: Quick and Easy Business Loans
Simplify Your Funding: Quick and Easy Business LoansSimplify Your Funding: Quick and Easy Business Loans
Simplify Your Funding: Quick and Easy Business Loans
 
Darshan Hiranandani (Son of Niranjan Hiranandani).pdf
Darshan Hiranandani (Son of Niranjan Hiranandani).pdfDarshan Hiranandani (Son of Niranjan Hiranandani).pdf
Darshan Hiranandani (Son of Niranjan Hiranandani).pdf
 
Authentically Social - presented by Corey Perlman
Authentically Social - presented by Corey PerlmanAuthentically Social - presented by Corey Perlman
Authentically Social - presented by Corey Perlman
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
Types of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdfTypes of Cyberattacks - ASG I.T. Consulting.pdf
Types of Cyberattacks - ASG I.T. Consulting.pdf
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers reference
 
Interoperability and ecosystems: Assembling the industrial metaverse
Interoperability and ecosystems:  Assembling the industrial metaverseInteroperability and ecosystems:  Assembling the industrial metaverse
Interoperability and ecosystems: Assembling the industrial metaverse
 

Risk-driven and Business-outcome-focused Enterprise Security Architecture Framework by Ana Kukec

• 1. Enterprise Security Architecture Framework: business-outcome-focused and risk-driven approach. Dr Ana Kukec, Lead Enterprise Security Consultant. Enterprise Architects © 2013.

• 2. Contents
  - Enterprise Security Architecture, Frameworks and Standards (slide 3)
  - The Open Group’s view of an ESAF (slide 7)
  - EA’s view of an ESAF (slide 9)
  - Case Study at the University of New South Wales (slide 13)
  - Value Proposition (slide 19)

• 3. Section: Security Architecture, Frameworks and Standards.

• 4. Security Architecture, Frameworks & Standards: enterprise security architecture as seen by practitioners; existing security architecture-related frameworks & standards.
  [Figure, labels only: the SABSA layers (Contextual, Conceptual, Logical, Physical, Component, Security Service Management) set against the TOGAF domains (Business, Data, Application, Technology Architecture).]
  Enterprise security architecture is a methodology for securing an enterprise by optimising operational risks.

• 5. Many of the ESA programmes have been failing...
  What are we doing wrong?              What should we be doing?
  Too much emphasis on technology       Security as an enabler of business strategy
  Silo approach to security and risk    Business risk is the key driver for security
  Siloed security organisation          Cohesive security organisation
  Silo approach to EA and ESA           Single team, common framework
  Sources: [1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011; [2] SABSA Blue Book, Nov 2005.

• 6. What should we be doing?
  [Figure, labels only: Enterprise Architecture; Security Architecture; Enterprise Security Management covering Information Security Management, Business Security Risk Management, Information Systems Security Management, Business Continuity, Physical Security and Environmental Security; Enterprise Value Management covering Value Governance, Portfolio Management and Investment Management.]

• 7. Section: TOGAF & Enterprise Security Architecture.

• 8. TOGAF and Enterprise Security Architecture. The Open Group identified goals for an Enterprise Security Architecture Framework. The Open Group Architecture Forum and Security Forum agree that the coverage of security and risk can be updated and improved. The Open Group and the SABSA Institute agreed to use the TOGAF ADM as the basis for the ESA Framework. Specific goals include [1]:
  - Guidance on producing business and risk management-based security architectures.
  - Guidance on developing secure architectures to support business outcomes.
  - Guidance on producing architectures that enable the efficient management of security.
  [1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011.

• 9. EA’s view: implications of the identified goals define the cornerstones for an effective Enterprise Security Architecture Framework.
  Business and risk management based security architectures:
  - Business security motivation
  - Architecture asset identification
  - Architecture asset evaluation
  - Architecture asset risk assessment
  - Architecture asset classification
  Secure architectures supporting the business outcomes:
  - Business security requirements management
  - Architecture asset threat, vulnerability and risk analysis
  - Risk-driven opportunities and solutions
  - Controls determination
  Efficient management of security:
  - Security capability-based planning
  - Security architecture and management maturity monitoring
  Underpinning bands of the figure: business & risk-driven security strategies, tactics & operations; risk-driven portfolio.
  The cornerstones have been identified based on our practical experience and best-practice industry standards and frameworks.

• 10. EA’s view: the cornerstones can be delivered through integration of existing information security management and architecture frameworks and standards.
  Banner across the top of the figure: SABSA Business Attributes Profiling, COBIT 5 Goals Cascade & Risk IT.
  Business and risk management based security architectures:
  - TOGAF ADM & Content Meta-model
  - ISO/IEC 31000 standards
  - SABSA Risk Management Model
  - COBIT 5 Balanced Scorecard Risk Management Model
  - COBIT 5 Enablers: Processes, People, Services, Infrastructure and Applications
  Secure architectures supporting the business outcomes:
  - TOGAF ADM & Content Meta-model
  - COBIT 5 for Information Security
  - Data security classification & information system controls standards (ISO, FIPS, NIST, Government frameworks)
  - Jericho Forum Models/Whitepapers
  - Application security standards
  - Platform/Network security standards
  Efficient management of security:
  - TOGAF ADM & Content Meta-model
  - COBIT 5 for Information Security Enablers: Principles, Policies, Processes, People, Information, Services, Infrastructure and Applications
  - O-ISM3: Information Security Management Maturity Standard
  - ITIL v3 security service management
  - ISO/IEC 27000 standards
  - ISO/IEC 31000 standards
  The challenge is in the integration of existing security architecture frameworks, information security management standards and information systems security standards.

• 11. EA’s view: an Enterprise Security Architecture Framework as a process of iterations through the ADM tailored for enterprise security, risk and compliance.
  [Figure, labels only.] Phases: Business Security Architecture; Inf. Sys. Security Architecture; Tech. Security Architecture; Security Opportunities & Solutions; Security Change Management; Adopt Operating Model. Inputs and reference models: business motivation, service catalogue, architecture roadmap, risk profiles, and the business, information systems and technology reference models. Three streams:
  - Domain security architecture (business & risk management based security architectures): classify enterprise assets, assess BDAT (business, data, application, technology) risks, define controls. Output: domain security architecture roadmap.
  - Secure BDAT architectures / manage portfolio (secure architectures supporting the business outcomes): business security motivation. Output: architecture risk roadmap.
  - Architect/transform security practice (efficient & effective management of security): identify security assets, assess security capability risks, define security policies. Output: security capability roadmap.

• 12. EA’s view: ESA Content Meta-model (in addition to the TOGAF Content Meta-model).
  Security architecture principles, requirements and roadmap: Security Principle; Information Security Requirement; External Compliance Requirement; Internal Compliance Requirement; Continuity Requirement; Security Capability Gap; Security Capability.
  Business security architecture: Motivation (Security Goal, Security Objective, Risk Appetite, Risk Tolerance, Strategic Security Risk); Organization (Actor, Security Attribute); Function (Security Service, Security Service Policy, Business Service Criticality, Business Service Sensitivity).
  Data security architecture: Security Classification (CIA); Information Risk.
  Application security architecture: Security Control; Security Guideline; Application Risk.
  Technology security architecture: Security Standard; Technology Risk; Continuity Procedure.
  Legend (entity groupings): Policy Framework; ES Motivation; ES Requirements; Risk Management.
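The three cornerstones of slide 9, the domain-architecture iteration of slide 11 (classify enterprise assets, assess BDAT risks, define controls) and the meta-model entities of slide 12 can be exercised as one small data model: assets carry a CIA classification, threats are scored against them, controls trace back through requirements to security goals, and requirements with no control surface as capability gaps. The Python below is an added illustration written for this page, not code from the deck, from Enterprise Architects or from the UNSW engagement. The 1 to 3 rating scale, the high-water-mark classification rule, the likelihood x impact risk formula and the sample assets, threats, requirements and controls are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Rating scale for CIA classification, likelihood and impact (assumption for
# this example; the deck names the CIA classification but fixes no scale).
LEVEL = {"low": 1, "medium": 2, "high": 3}
CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    """Architecture asset with its CIA security classification (data security architecture)."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def classification(self) -> int:
        # High-water mark: handle the asset at its most demanding rating (assumption).
        return max(LEVEL[getattr(self, prop)] for prop in CIA)


@dataclass(frozen=True)
class Threat:
    name: str
    affects: str      # the CIA property the threat acts on
    likelihood: int   # 1..3


@dataclass(frozen=True)
class Requirement:
    """Information security requirement traced to a security goal via a business attribute."""
    id: str
    goal: str
    attribute: str
    protects: str     # CIA property


@dataclass(frozen=True)
class Control:
    """Security control: satisfies requirements and lowers the likelihood of named threats."""
    id: str
    satisfies: tuple
    mitigates: tuple
    likelihood_reduction: int


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Risk = likelihood x impact; impact is the asset's rating for the property threatened."""
    return threat.likelihood * LEVEL[getattr(asset, threat.affects)]


def residual_risk(asset: Asset, threat: Threat, controls) -> int:
    """Same formula after the controls that mitigate this threat reduce its likelihood."""
    reduction = sum(c.likelihood_reduction for c in controls if threat.name in c.mitigates)
    return max(1, threat.likelihood - reduction) * LEVEL[getattr(asset, threat.affects)]


def risk_register(assets, threats, controls):
    """Assess BDAT risks: (asset, threat, inherent, residual) rows, worst residual first."""
    rows = [(a.name, t.name, inherent_risk(a, t), residual_risk(a, t, controls))
            for a in assets for t in threats]
    return sorted(rows, key=lambda r: (-r[3], -r[2], r[0]))


def capability_gaps(requirements, controls):
    """Security capability gap: requirements that no defined control satisfies."""
    covered = {rid for c in controls for rid in c.satisfies}
    return [r.id for r in requirements if r.id not in covered]


def trace(control_id, requirements, controls):
    """Traceability: control -> requirement(s) -> security goal(s) it ultimately serves."""
    by_id = {r.id: r for r in requirements}
    control = next(c for c in controls if c.id == control_id)
    return sorted({by_id[rid].goal for rid in control.satisfies})


# Constructed sample data (not taken from the UNSW case study).
ASSETS = [
    Asset("student records", "high", "high", "medium"),
    Asset("public course catalogue", "low", "medium", "medium"),
]
THREATS = [
    Threat("credential theft", "confidentiality", 3),
    Threat("unauthorised record change", "integrity", 2),
    Threat("web tier outage", "availability", 2),
]
REQUIREMENTS = [
    Requirement("R1", "protect student privacy", "confidential", "confidentiality"),
    Requirement("R2", "protect student privacy", "integrity-assured", "integrity"),
    Requirement("R3", "keep teaching services running", "available", "availability"),
]
CONTROLS = [
    Control("C1", ("R1",), ("credential theft",), 2),             # e.g. multi-factor authentication
    Control("C2", ("R2",), ("unauthorised record change",), 1),   # e.g. change approval workflow
]

if __name__ == "__main__":
    for asset in ASSETS:
        print(f"{asset.name}: classification {asset.classification()}")
    for row in risk_register(ASSETS, THREATS, CONTROLS):
        print("risk", row)
    print("requirements with no control:", capability_gaps(REQUIREMENTS, CONTROLS))
    print("C1 traces to goals:", trace("C1", REQUIREMENTS, CONTROLS))
```

Running it shows the linkage the framework is after: the one requirement with no control (R3, availability) is exactly the property behind the top rows of the residual-risk register, so the security capability gap and the architecture risk roadmap point at the same investment, and every control can be justified upward through a requirement to a business security goal rather than as a technology choice on its own.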
  • 13. Enterprise Security Architecture Framework TOGAF-based ESAF: Case Study at the University of New South Wales 13 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 201 3
  • 14. THE SITUATION Business, IT & Enterprise Architects described their vision for the security organisation. Case Study: UNSW security organisation relies on the security operations, and is seeking to establish ESAF at • An enterprise security architecture capability University of • An enterprise security architecture framework New South Wales to help revise the security strategic plan, information security plan and transform the security practice. 14 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 201 3
  • 15. Case Study: ESAF at University of New South Wales. Our Approach: TAILORED ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK
    BUSINESS SECURITY MOTIVATION & BUSINESS CAPABILITY ANCHOR MODEL
    CURRENT STATE ASSESSMENT
      • Security capability maturity assessment
      • Architecture risk assessment
      • Architecture asset security classification
    ASPIRATIONAL TARGET STATE
      • Target security capability model w/ functional roles to fulfil, policies, standards, regulations
      • Application security guidelines and continuity procedures
    BUSINESS RISK-DRIVEN SECURITY STRATEGIES
  • 16. EA’s Enterprise Security Architecture Framework Artefacts (Samples)
      • SECURITY CAPABILITY ROADMAP
      • BUSINESS SECURITY MOTIVATION
      • SECURITY CAPABILITY MODEL
      • BUSINESS CAPABILITY MODEL W/ SECURITY CLASSIFICATION
      • ARCHITECTURE RISK ROADMAP
  • 17. Case Study: ESAF at University of New South Wales. Outcomes
    CHALLENGES
      • Inability to communicate value of security architecture, compliance and risks to business, services & projects
      • Lack of consistency in providing security support across the SDLC
      • Operational imbalance
      • Organically grown information security and technology security architecture
      • Low maturity of the risk management capability
      • Ineffective IT audits
    OUTCOMES
      • Common language and framework
      • Governance & mgt security capabilities integrated into the IT operating model
      • Security classifications, internal compliance, regulatory compliance
      • Better alignment to service management and projects
      • Revised security strategy & informed application security portfolio management
      • Revised risk management capability, disaster recovery and business continuity plans
      • IT audit planning framework
  • 18. Enterprise Security Architecture Framework: TOGAF-based ESAF: Value proposition
  • 19. TOGAF-based Enterprise Security Architecture Framework: Value Proposition
    COMMON LANGUAGE & FRAMEWORK
      • Business, security, risk and IT
      • EA and ESA
      • Various security functions
    STRATEGIC ALIGNMENT
      • Better investment management in security
      • Shift from gap-control operations to strategic initiatives
    HOLISTIC APPROACH & STRATEGIC SECURITY SOLUTIONS
      • Holistic approach to security solutions
      • Strategic security solutions enabling business & improving customer experience (strategic or segment: cloud, BYOD, mobile, outsourcing, …)
      • Reusable & scalable security building blocks
    EFFICIENT MANAGEMENT OF SECURITY
      • Cohesive security organisation
      • Integration of standards and regulations
      • Positioning within business & IT operating model
      • Clarity around security functional roles and work products
      • Alignment to service management office & projects
    GOVERNANCE, RISK & COMPLIANCE
      • Effective IT audits
      • Compliance with industry regulations
      • Cost-effective operational risk management