Risk-driven and Business-outcome-focused Enterprise Security Architecture Framework, by Ana Kukec

2. Enterprise Security Architecture Framework
Business-outcome-focused and risk-driven approach

Contents
Enterprise Security Architecture, Frameworks and Standards ... 3
The Open Group’s view of an ESAF ... 7
EA’s view of an ESAF ... 9
Case Study at the University of New South Wales ... 13
Value Proposition ... 19

2 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 2013
3. Enterprise Security Architecture Framework
Security Architecture, Frameworks and Standards
4. Security Architecture, Frameworks & Standards
Enterprise security architecture as seen by practitioners
Existing security architecture-related frameworks & standards

[Diagram: Enterprise Security Architecture, shown as the SABSA layers (Contextual, Conceptual, Logical, Physical, Component, with Security Service Management across them) mapped against the TOGAF architecture domains (Business Architecture, Enterprise Data Architecture, Application Architecture, Technology Architecture)]

Enterprise security architecture is a methodology for securing an enterprise by optimising operational risks.
5. Security Architecture, Frameworks & Standards

[Diagram: the same SABSA layers (Contextual, Conceptual, Logical, Physical, Component; Security Service Management) mapped against the TOGAF domains (Business, Enterprise Data, Application, Technology Architecture)]

Many of the ESA programmes have been failing…

What are we doing wrong?            | What should we be doing?
Too much emphasis on technology     | Security as an enabler of business strategy
Silo approach to security and risk  | Business risk is the key driver for security
Siloed security organisation        | Cohesive security organisation
Silo approach to EA and ESA         | Single team, common framework
Sources: [1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011; [2] SABSA Blue Book, Nov 2005
6. Security Architecture, Frameworks & Standards
What should we be doing?

[Diagram: Enterprise Architecture encompassing three areas]
Information Security Management: Risk Management, Business Security Management, Information Systems Security, Business Continuity, Physical Security, Environmental Security
Enterprise Security Architecture
Value Management: Value Governance, Portfolio Management, Investment Management
7. Enterprise Security Architecture Framework
TOGAF & Enterprise Security Architecture
8. TOGAF and Enterprise Security Architecture

The Open Group Architecture Forum and Security Forum agree that the coverage of security and risk can be updated and improved.

The Open Group and SABSA Institute agreed to use the TOGAF ADM as a basis for the ESA Framework.

The Open Group identified goals for an Enterprise Security Architecture Framework. Specific goals include [1]:
• Guidance on producing business and risk management-based security architectures.
• Guidance on developing secure architectures to support business outcomes.
• Guidance on producing architectures that enable the efficient management of security.
[1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011
9. EA’s view: Implications of the identified goals define the cornerstones for an effective Enterprise Security Architecture Framework

Business security motivation

Business and risk management based security architectures
• Architecture asset identification
• Architecture asset evaluation
• Architecture asset risk assessment
• Architecture asset classification
• Risk-driven opportunities and solutions

Secure architectures supporting the business outcomes
• Business security requirements management
• Architecture asset threat, vulnerability and risk analysis
• Controls determination

Efficient management of security
• Security capability-based planning
• Security architecture and management maturity monitoring

Business & risk-driven security strategies, tactics & operations
Risk-driven portfolio

The cornerstones have been identified based on our practical experience and the best practice industry standards and frameworks.
10. EA’s view: The cornerstones can be delivered through integration of existing information security management and architecture frameworks and standards

Across all three cornerstones: SABSA Business Attributes Profiling, COBIT 5 Goals Cascade & Risk IT

Business and risk management based security architectures
• TOGAF ADM & Content Meta-model
• ISO/IEC 31000 standards
• SABSA Risk Management Model
• COBIT 5 Balanced Scorecard Risk Management Model
• COBIT 5 Enablers: Processes, People, Services, Infrastructure and Applications

Secure architectures supporting the business outcomes
• TOGAF ADM & Content Meta-model
• COBIT 5 for Information Security
• Data security classification & information system controls standards (ISO, FIPS, NIST, Government frameworks)
• Jericho Forum Models/Whitepapers
• Application security standards
• Platform/Network security standards
• ISO/IEC 27000 standards
• ISO/IEC 31000 standards

Efficient management of security
• TOGAF ADM & Content Meta-model
• COBIT 5 for Information Security Enablers: Principles, Policies, Processes, People, Information, Services, Infrastructure and Applications
• O-ISM3: Information Security Management Maturity Standard
• ITIL v3 security service management

The challenge is in the integration of existing security architecture frameworks, information security management standards and information systems security standards.
11. EA’s view: An Enterprise Security Architecture Framework as a process of iterations through the ADM tailored for enterprise security, risk and compliance

[Diagram: ADM iterations tailored for security]
Phases: BUSINESS SECURITY ARCHITECTURE, INF. SYS. SECURITY ARCHITECTURE, TECH. SECURITY ARCHITECTURE, SECURITY OPPORTUNITIES & SOLUTIONS, SECURITY CHANGE MANAGEMENT, ADOPT OPERATING MODEL
Inputs and artefacts: Business reference model, Inf. systems reference model, Technology reference model, Business security motivation, Service catalogue, Architecture roadmap, Risk profiles

Domain security architecture (Business & risk management based security architectures): Classify enterprise assets; Assess BDAT (Business, Data, Application, Technology) risks; Define controls; roadmap
SECURE BDAT ARCHITECTURES / MANAGE PORTFOLIO (Secure architectures supporting the business outcomes): Business security motivation; Architecture risk roadmap
ARCHITECT/TRANSFORM SECURITY PRACTICE (Efficient & effective management of security): Identify security assets; Assess security capability risks; Define security policies; Security capability roadmap
12. EA’s view: ESA Content Meta-model (in addition to the TOGAF Content Meta-model)

SECURITY ARCHITECTURE PRINCIPLES, REQUIREMENTS AND ROADMAP
Information Security Principle, External Compliance Requirement, Internal Compliance Requirement, Continuity Requirement, Security Capability Gap, Security Capability

BUSINESS SECURITY ARCHITECTURE
Motivation: Security Goal, Security Objective, Risk Appetite, Risk Tolerance
Organization: Actor, Policy, Strategic Security Risk
Function: Security Attribute, Security Service, Business Service Criticality, Business Service Sensitivity

DATA SECURITY ARCHITECTURE
Security Classification (CIA), Information Risk

APPLICATION SECURITY ARCHITECTURE
Security Control, Security Guideline, Continuity Procedure, Application Risk

TECHNOLOGY SECURITY ARCHITECTURE
Security Standard, Technology Risk

Entity categories: Policy Framework, ES Motivation, ES Requirements, Risk Management
13. Enterprise Security Architecture Framework
TOGAF-based ESAF: Case Study at the University of New South Wales
14. Case Study: ESAF at University of New South Wales
The Situation

Business, IT & Enterprise Architects described their vision for the security organisation.

The UNSW security organisation relies on the security operations, and is seeking to establish
• An enterprise security architecture capability
• An enterprise security architecture framework
to help revise the security strategic plan and the information security plan, and to transform the security practice.
15. Case Study: ESAF at University of New South Wales
Our Approach

TAILORED ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK
BUSINESS SECURITY MOTIVATION & BUSINESS CAPABILITY ANCHOR MODEL
CURRENT STATE ASSESSMENT
• Security capability maturity assessment
• Architecture risk assessment
• Architecture asset security classification
ASPIRATIONAL TARGET STATE
• Target security capability model w/ functional roles to fulfil, policies, standards, regulations
• Application security guidelines and continuity procedures
BUSINESS RISK-DRIVEN SECURITY STRATEGIES
16. EA’s Enterprise Security Architecture Framework Artefacts (Samples)
• SECURITY CAPABILITY ROADMAP
• BUSINESS SECURITY MOTIVATION
• SECURITY CAPABILITY MODEL
• BUSINESS CAPABILITY MODEL W/ SECURITY CLASSIFICATION
• ARCHITECTURE RISK ROADMAP
17. Case Study: ESAF at University of New South Wales
Outcomes

CHALLENGES
• Inability to communicate value of security architecture, compliance and risks to business, services & projects
• Lack of consistency in providing security support across the SDLC
• Operational imbalance
• Organically grown information security and technology security architecture
• Low maturity of the risk management capability
• Ineffective IT audits

OUTCOMES
• Common language and framework
• Governance & mgt security capabilities integrated into the IT operating model
• Security classifications, internal compliance, regulatory compliance
• Better alignment to service management and projects
• Revised security strategy & informed application security portfolio management
• Revised risk management capability, disaster recovery and business continuity plans
• IT audit planning framework
18. Enterprise Security Architecture Framework
TOGAF-based ESAF: Value proposition
19. TOGAF-based Enterprise Security Architecture Framework
Value Proposition

COMMON LANGUAGE & FRAMEWORK
• Business, security, risk and IT
• EA and ESA
• Various security functions

STRATEGIC ALIGNMENT
• Better investment management in security
• Shift from gap-control operations to strategic initiatives

HOLISTIC APPROACH & STRATEGIC SECURITY SOLUTIONS
• Holistic approach to security solutions
• Strategic security solutions enabling business & improving customer experience (strategic or segment – cloud, BYOD, mobile, outsourcing, …)
• Reusable & scalable security building blocks

EFFICIENT MANAGEMENT OF SECURITY
• Cohesive security organisation
• Integration of standards and regulations
• Positioning within business & IT operating model
• Clarity around security functional roles and work products
• Alignment to service management office & projects

GOVERNANCE, RISK & COMPLIANCE
• Effective IT audits
• Compliance with industry regulations
• Cost-effective operational risk management