Enterprise Security Architecture Framework
Business-outcome-focused and risk-driven approach

Dr Ana Kukec
Lead Enterprise Security Consultant

1   |   ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK   |   ENTERPRISE ARCHITECTS © 2013
Contents (slide numbers)

    Enterprise Security Architecture, Frameworks and Standards    3
    The Open Group’s view of an ESAF                               7
    EA’s view of an ESAF                                           9
    Case Study at the University of New South Wales               13
    Value Proposition                                             19
Enterprise Security Architecture Framework
Security Architecture, Frameworks and Standards
Security Architecture, Frameworks & Standards
Enterprise security architecture as seen by practitioners
Existing security architecture-related frameworks & standards

[Figure: the SABSA security architecture layers (Contextual, Conceptual, Logical, Physical, Component, with Security Service Management running across all layers) set alongside the TOGAF enterprise architecture domains (Business, Data, Application and Technology Architecture).]

Enterprise security architecture is a methodology for securing an enterprise by optimising operational risks.
Security Architecture, Frameworks & Standards
Many of the ESA programmes have been failing…

[Figure: the same security architecture layers and enterprise architecture domains as on the previous slide.]

What are we doing wrong?                 What should we be doing?
Too much emphasis on technology      ->  Security as an enabler of business strategy
Silo approach to security and risk   ->  Business risk is the key driver for security
Siloed security organisation         ->  Cohesive security organisation
Silo approach to EA and ESA          ->  Single team, common framework

Sources: [1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011; [2] SABSA Blue Book, Nov 2005
Security Architecture, Frameworks & Standards
What should we be doing?

[Figure: Enterprise Architecture and Enterprise Security Architecture positioned against three management disciplines:
  • Risk Management
  • Business Security Management: Information Security Management, Information Systems Security, Business Continuity, Physical Security, Environmental Security
  • Value Management: Value Governance, Portfolio Management, Investment Management]
Enterprise Security Architecture Framework
TOGAF & Enterprise Security Architecture
TOGAF and Enterprise Security Architecture
The Open Group identified goals for an Enterprise Security Architecture Framework

The Open Group Architecture Forum and Security Forum agree that the coverage of security and risk in TOGAF can be updated and improved.

The Open Group and the SABSA Institute agreed to use the TOGAF ADM as the basis for the ESA Framework. Specific goals include [1]:
  • Guidance on producing business and risk management-based security architectures.
  • Guidance on developing secure architectures to support business outcomes.
  • Guidance on producing architectures that enable the efficient management of security.

[1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011
EA’s view: Implications of the identified goals define the cornerstones for an effective Enterprise Security Architecture Framework

Spanning all three cornerstones: Business security motivation

Business and risk management based security architectures
  • Architecture asset identification
  • Architecture asset evaluation
  • Architecture asset risk assessment
  • Risk-driven opportunities and solutions

Secure architectures supporting the business outcomes
  • Business security requirements management
  • Architecture asset threat, vulnerability and risk analysis
  • Architecture asset classification
  • Controls determination

Efficient management of security
  • Security capability-based planning
  • Security architecture and management maturity monitoring

Spanning all three cornerstones: Business & risk-driven security strategies, tactics & operations; Risk-driven portfolio

The cornerstones have been identified based on our practical experience and on best-practice industry standards and frameworks.
EA’s view: The cornerstones can be delivered through integration of existing information security management and architecture frameworks and standards

Spanning all three cornerstones: SABSA Business Attributes Profiling, COBIT 5 Goals Cascade & Risk IT

Business and risk management based security architectures
  • TOGAF ADM & Content Meta-model
  • ISO/IEC 31000 standards
  • SABSA Risk Management Model
  • COBIT 5 Balanced Scorecard Risk Management Model
  • COBIT 5 Enablers: Processes, People, Services, Infrastructure and Applications

Secure architectures supporting the business outcomes
  • TOGAF ADM & Content Meta-model
  • COBIT 5 for Information Security
  • Data security classification & information system controls standards (ISO, FIPS, NIST, Government frameworks)
  • Jericho Forum Models/Whitepapers
  • Application security standards
  • Platform/Network security standards

Efficient management of security
  • TOGAF ADM & Content Meta-model
  • COBIT 5 for Information Security Enablers: Principles, Policies, Processes, People, Information, Services, Infrastructure and Applications
  • O-ISM3 (Open Information Security Management Maturity Model)
  • ITIL v3 security service management
  • ISO/IEC 27000 standards
  • ISO/IEC 31000 standards

The challenge is in the integration of existing security architecture frameworks, information security management standards and information systems security standards.
EA’s view: An Enterprise Security Architecture Framework as a process of iterations through the ADM tailored for enterprise security, risk and compliance

Tailored ADM phases: Business Security Architecture | Information Systems Security Architecture | Technology Security Architecture | Security Opportunities & Solutions | Security Change Management; Manage Portfolio runs alongside every iteration.

ADOPT OPERATING MODEL (business & risk management based security architectures)
  Business motivation -> Service catalogue -> Business, information systems and technology reference models -> Architecture roadmap; Risk profiles

SECURE BDAT ARCHITECTURES (secure Business, Data, Application and Technology architectures supporting the business outcomes)
  Business security motivation -> Classify enterprise assets -> Assess BDAT risks -> Define controls -> Domain security architecture roadmap; Architecture risk roadmap

ARCHITECT/TRANSFORM SECURITY PRACTICE (efficient & effective management of security)
  Identify security assets -> Assess security capability risks -> Define security policies -> Security capability roadmap
EA’s view: ESA Content Meta-model (in addition to the TOGAF Content Meta-model)

SECURITY ARCHITECTURE PRINCIPLES, REQUIREMENTS AND ROADMAP
  Information Security Principle | External Compliance Requirement | Internal Compliance Requirement | Continuity Requirement | Security Capability Gap | Security Capability

BUSINESS SECURITY ARCHITECTURE
  Motivation:   Security Goal, Security Objective, Risk Appetite, Risk Tolerance
  Organization: Actor Security Attribute
  Function:     Security Service, Business Service Criticality, Business Service Sensitivity, Security Service Policy, Strategic Security Risk

DATA SECURITY ARCHITECTURE
  Security Classification (CIA), Information Risk

APPLICATION SECURITY ARCHITECTURE
  Security Control, Security Guideline, Continuity Procedure, Application Risk

TECHNOLOGY SECURITY ARCHITECTURE
  Security Standard, Technology Risk

Legend (entity types): Policy Framework | ES Motivation | ES Requirements | Risk Management
Enterprise Security Architecture Framework
TOGAF-based ESAF: Case Study at the University of New South Wales
Case Study: ESAF at University of New South Wales
THE SITUATION

Business, IT & Enterprise Architects described their vision for the security organisation.

The UNSW security organisation relies on security operations, and is seeking to establish:
  • An enterprise security architecture capability
  • An enterprise security architecture framework
to help revise the security strategic plan and the information security plan, and to transform the security practice.
Case Study: ESAF at University of New South Wales
Our Approach

TAILORED ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK

BUSINESS SECURITY MOTIVATION & BUSINESS CAPABILITY ANCHOR MODEL

CURRENT STATE ASSESSMENT
  • Security capability maturity assessment
  • Architecture risk assessment
  • Architecture asset security classification

ASPIRATIONAL TARGET STATE
  • Target security capability model with functional roles to fulfil, policies, standards, regulations
  • Application security guidelines and continuity procedures

BUSINESS RISK-DRIVEN SECURITY STRATEGIES
EA’s Enterprise Security Architecture Framework
Artefacts (Samples)

[Figure: sample artefacts: Business Security Motivation; Security Capability Model; Security Capability Roadmap; Business Capability Model with Security Classification; Architecture Risk Roadmap.]
Case Study: ESAF at University of New South Wales
Outcomes

CHALLENGES
  • Inability to communicate the value of security architecture, compliance and risks to business, services & projects
  • Lack of consistency in providing security support across the SDLC
  • Operational imbalance
  • Organically grown information security and technology security architecture
  • Low maturity of the risk management capability
  • Ineffective IT audits

OUTCOMES
  • Common language and framework
  • Governance & management security capabilities integrated into the IT operating model
  • Security classifications, internal compliance, regulatory compliance
  • Better alignment to service management and projects
  • Revised security strategy & informed application security portfolio management
  • Revised risk management capability, disaster recovery and business continuity plans
  • IT audit planning framework
Enterprise Security Architecture Framework
TOGAF-based ESAF: Value proposition
TOGAF-based Enterprise Security Architecture Framework
Value Proposition

COMMON LANGUAGE & FRAMEWORK
  • Business, security, risk and IT
  • EA and ESA
  • Various security functions

STRATEGIC ALIGNMENT
  • Better investment management in security
  • Shift from gap-control operations to strategic initiatives

HOLISTIC APPROACH & STRATEGIC SECURITY SOLUTIONS
  • Holistic approach to security solutions
  • Strategic security solutions enabling business & improving customer experience (strategic or segment: cloud, BYOD, mobile, outsourcing, …)
  • Reusable & scalable security building blocks

EFFICIENT MANAGEMENT OF SECURITY
  • Cohesive security organisation
  • Integration of standards and regulations
  • Positioning within business & IT operating model
  • Clarity around security functional roles and work products
  • Alignment to service management office & projects

GOVERNANCE, RISK & COMPLIANCE
  • Effective IT audits
  • Compliance with industry regulations
  • Cost-effective operational risk management
20   |   ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK   |   ENTERPRISE ARCHITECTS © 201 3

Risk-driven and Business-outcome-focused Enterprise Security Architecture Framework by Ana Kukec

  • 1.
    Enterprise Security Architecture Framework BUSINESS-OUTCOME-FOCUSED AND RISK-DRIVEN APPROACH DrAna Kukec Lead Enterprise Security Consultant 1 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 201 3
  • 2.
    Enterprise Security Architecture Framework Business-outcome-focused and risk-driven approach Enterprise Security Architecture, Frameworks and Standards 3 The Open Group’s view of an ESAF 7 EA’s view of an ESAF 9 Case Study at the University of New South Wales 13 Value Proposition 19 2 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 201 3
  • 3.
    Enterprise Security Architecture Framework Security Architecture, Frameworks and Standards 3 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 201 3
  • 4.
    Security Architecture, Frameworks& Standards Enterprise security architecture as seen by practitioners Existing security architecture-related frameworks & standards Security Architecture Contextual Business Architecture Conceptual Enterprise Data Architecture Logical SECURITY SERVICE MANAGEMENT Application Architecture Physical Component Technology Architecture Enterprise security architecture is a methodology for securing an enterprise by optimising operational risks. 4 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 201 3
  • 5.
    Security Architecture Contextual Business Architecture Conceptual Enterprise Data Architecture Logical SECURITY SERVICE MANAGEMENT Application Architecture Physical Component Technology Architecture Many of the ESA programmes have been failing… Security What are we doing wrong? What should we be doing? Architecture, Too much emphasis on technology Silo approach to security and risk Security as an enabler of business strategy Business risk is the key driver for security Frameworks Siloed security organisation Cohesive security organisation & Standards Silo approach to EA and ESA Single team, common framework 5 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | E N T E R PSources: [1]C H I T E C T SSABSA 0 1 3 R I S E A R TOGAF and © 2 Integration Whitepaper (W117), Oct 2011 [2] SABSA Blue Book, Nov 2005
  • 6.
    Enterprise Architecture Information Security Management Risk Business Security Information Systems Security Management Management Business Continuity Physical Security Environmental Security Enterprise Value Security Management Value Governance Architecture Portfolio Management Investment Management Security Architecture, Frameworks & Standards What should we be doing? 6 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 201 3
  • 7.
    Enterprise Security Architecture Framework TOGAF & Enterprise Security Architecture 7 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 201 3
  • 8.
    TOGAF and Enterprise Security Architecture The Open Group identified goals for Enterprise Security Architecture Framework Guidance on producing business and risk management-based security architectures. The Open Group Architecture Forum and Security Forum agree that the coverage of security and Guidance on developing secure architectures to support business risk can be updated and improved. outcomes. The Open Group and SABSA Institute agreed to use the TOGAF ADM as a Guidance on producing architectures basis for the ESA Framework. that enable the efficient management of security. Specific goals include [1]: 8 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | E N T E R P R I S E A R C H I T E C T S © 2 0 1 3 TOGAF and SABSA Integration Whitepaper (W117), Oct 2011 [1]
  • 9.
    EA’s view: Implicationsof the identified goals define the cornerstones for an effective Enterprise Security Architecture Framework Business and risk Secure architectures Efficient management of management based security supporting the business security architectures outcomes Business security motivation • Architecture asset identification • Business security requirements • Security capability-based • Architecture asset evaluation management planning • Architecture asset risk • Architecture asset threat, • Security architecture and assessment vulnerability and risk analysis management maturity • Architecture asset classification monitoring • Risk-driven opportunities and solutions • Controls determination Business & risk-driven security strategies, tactics & operations Risk-driven portfolio TOGAF and The cornerstones have been identified based on our practical experience and the best practice Enterprise Security industry standards and frameworks. Architecture 9 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 201 3
  • 10.
    EA’s view: Thecornerstones can be delivered through integration of existing information security management and architecture frameworks and standards Business and risk Secure architectures Efficient management of management based security supporting the business security architectures outcomes SABSA Business Attributes Profiling, COBIT 5 Goals Cascade & Risk IT • TOGAF ADM & Content Meta-model • TOGAF ADM & Content Meta-model • TOGAF ADM & Content Meta-model • ISO/IEC 31000 standards • COBIT 5 for Information Security • COBIT 5 for Information Security • SABSA Risk Management Model • Data security classification & Enablers: Principles, Policies, • COBIT 5 Balanced Scorecard Risk information system controls Processes, People, Information, Management Model standards (ISO, FIPS, NIST, Services, Infrastructure and Government frameworks) Applications • COBIT 5 Enablers: Processes, People, Services, Infrastructure and • Jericho Forum Models/Whitepapers • O-ISM3: Information Security Applications • Application security standards Management Maturity Standard • Platform/Network security standards • ITIL v3 security service management • ISO/IEC 27000 standards • ISO/IEC 31000 standards TOGAF and The challenge is in the integration of existing security architecture frameworks, information Enterprise Security security management standards and information Architecture systems security standards. 10 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 201 3
EA’s view: An Enterprise Security Architecture Framework as a process of iterations through the ADM tailored for enterprise security, risk and compliance

[Diagram: ADM-style iteration cycle; labels recovered from the figure]
Phases: BUSINESS SECURITY ARCHITECTURE; INF. SYS. SECURITY ARCHITECTURE; TECH. SECURITY ARCHITECTURE; SECURITY OPPORTUNITIES & SOLUTIONS; SECURITY CHANGE MANAGEMENT; ADOPT OPERATING MODEL
Artefacts: Business motivation; Inf. systems reference model; Technology reference model; Business service catalogue; Architecture roadmap; Risk profiles
SECURE BDAT ARCHITECTURES (Secure architectures supporting the business outcomes): Domain security architecture; Classify enterprise assets; Assess BDAT risks; Define controls
MANAGE PORTFOLIO (Business & risk management based security architectures): Business security motivation; Architecture risk roadmap
ARCHITECT/TRANSFORM SECURITY PRACTICE (Efficient & effective management of security): Identify security assets; Assess security capability risks; Define security policies; Security capability roadmap
EA’s view: ESA Content Meta-model (in addition to the TOGAF Content Meta-model)

[Diagram: meta-model entities recovered from the figure]
SECURITY ARCHITECTURE PRINCIPLES, REQUIREMENTS AND ROADMAP: Information Security Principle; External Compliance Requirement; Internal Compliance Requirement; Continuity Requirement; Security Capability Gap; Security Capability
BUSINESS SECURITY ARCHITECTURE (Motivation, Organization, Function): Security Goal; Security Objective; Risk Appetite; Risk Tolerance; Strategic Security Risk; Actor; Policy; Security Attribute; Security Service; Business Service Criticality; Business Service Sensitivity
DATA SECURITY ARCHITECTURE: Security Classification (CIA); Information Risk
APPLICATION SECURITY ARCHITECTURE: Security Control; Security Guideline; Continuity Procedure; Application Risk
TECHNOLOGY SECURITY ARCHITECTURE: Security Standard; Technology Risk
Legend groupings: Policy Framework; ES Motivation; ES Requirements; Risk Management
Enterprise Security Architecture Framework
TOGAF-based ESAF: Case Study at the University of New South Wales
Case Study: ESAF at University of New South Wales
THE SITUATION
Business, IT & Enterprise Architects described their vision for the security organisation.
UNSW security organisation relies on the security operations, and is seeking to establish
• An enterprise security architecture capability
• An enterprise security architecture framework
to help revise the security strategic plan, information security plan and transform the security practice.
Case Study: ESAF at University of New South Wales
Our Approach
TAILORED ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK
• Business security motivation & business capability anchor model
• Current state assessment: security capability maturity assessment; architecture risk assessment; architecture asset security classification
• Aspirational target state: target security capability model w/ functional roles to fulfil, policies, standards, regulations; application security guidelines and continuity procedures
• Business risk-driven security strategies
EA’s Enterprise Security Architecture Framework Artefacts (Samples)
• Security capability roadmap
• Business security motivation
• Security capability model
• Business capability model w/ security classification
• Architecture risk roadmap
Case Study: ESAF at University of New South Wales
Outcomes

CHALLENGES
• Inability to communicate value of security architecture, compliance and risks to business, services & projects
• Lack of consistency in providing security support across the SDLC
• Operational imbalance
• Organically grown information security and technology security architecture
• Low maturity of the risk management capability
• Ineffective IT audits

OUTCOMES
• Common language and framework
• Governance & mgt security capabilities integrated into the IT operating model
• Security classifications, internal compliance, regulatory compliance
• Better alignment to service management and projects
• Revised security strategy & informed application security portfolio management
• Revised risk management capability, disaster recovery and business continuity plans
• IT audit planning framework
Enterprise Security Architecture Framework
TOGAF-based ESAF: Value proposition
TOGAF-based Enterprise Security Architecture Framework
Value Proposition

COMMON LANGUAGE & FRAMEWORK
• Business, security, risk and IT
• EA and ESA
• Various security functions

STRATEGIC ALIGNMENT
• Better investment management in security
• Shift from gap-control operations to strategic initiatives

EFFICIENT MANAGEMENT OF SECURITY
• Cohesive security organisation
• Integration of standards and regulations
• Positioning within business & IT operating model
• Clarity around security functional roles and work products
• Alignment to service management office & projects

HOLISTIC APPROACH & STRATEGIC SECURITY SOLUTIONS
• Holistic approach to security solutions
• Strategic security solutions enabling business & improving customer experience (strategic or segment – cloud, BYOD, mobile, outsourcing, …)
• Reusable & scalable security building blocks

GOVERNANCE, RISK & COMPLIANCE
• Effective IT audits
• Compliance with industry regulations
• Cost-effective operational risk management