John A. Anderson
  • Modernization and transformation programs require consistent enterprise-wide architectural guidance for information security to support the development and deployment of multiple concurrent integrated solutions.
    • Clinger-Cohen and OMB A-130 mandate the use of Enterprise Architectures (EAs) to manage IT and IT investments.
    • Current Enterprise Architecture (EA) methods do not prescribe architecture content to support implementation of security or Information Assurance (IA) policies, operations, and infrastructures.
    • Enterprise and solution architects/engineers require structured guidance to integrate security into their agency’s enterprise architecture:
      • Management level: for better acquisition strategy and effective investment of budgets and resources
      • Technical level: to design secure, interoperable and standardized systems.
  • 05/25/10
  • Transcript

    • 1. Information Security Guidance for Enterprise Transformation
      John A. Anderson, Principal Enterprise Engineer, The MITRE Corporation, [email_address]
      SecurE-Biz Summit, 20 November 2003
      The content of this presentation is the opinion of the presenter and does not necessarily reflect positions of the MITRE Corporation.
    • 2. Where we’ll go today…
      • The problem and why?
        • Urgent need for transformation
        • Upgrading Information security is critical to the entire enterprise and requires rapid change
        • Government acquisition communities have limited understanding of the implications (often considered a job for specialists)
      • The solution…
        • Improved awareness and orientation
        • Leveraging our best practices
        • Enterprise problem => enterprise solution
      • Some directions
        • Key areas of concern
        • Resources to leverage
    • 3. Problem: Insufficient Information Security Guidance for Enterprise Transformation
      • Many government agencies (and businesses) are undertaking modernization and transformation programs based on a variety of drivers:
        • Government Performance Results Act (GPRA)
        • Clinger-Cohen Act
        • New technologies
        • New business drivers…
      • But change is our most difficult challenge!
      • And new security threats continue to arise:
        • Changes in modes of warfare
        • National Security and September 11 Attacks
        • Creative hacking
    • 4. And so, we depend on mandates and guidance… Enterprise Architectures!
      • Structured guidance is needed to plan and orchestrate transformations and to ensure that the results are integrated and meet the needs of the taxpayer
      • Guidance is required for all levels of the enterprise—executive, management and technical
        • Agency and/or corporate officers (e.g., CEO, CIO, CFO, CTO)
        • Enterprise architects and engineers
        • Project managers, architects, and engineers require guidance to integrate security into their agency’s enterprise architecture
      • And our government responds:
        • Clinger-Cohen and OMB mandates use of Enterprise Architectures (EAs)
        • Federal agencies and organizations, e.g.,
          • OMB/Federal Enterprise Architecture Program
          • CIO Council
          • National Institute of Standards and Technology (NIST)
    • 5. Federal Management Reform
      [Figure: “THE BIG PICTURE of Federal Management Reform”*; *permission requested for use of image from FDC]
      © 2003 The MITRE Corporation. All rights reserved.
    • 6. Enterprise Architecture—A tool for transformation
      [Diagram labels: Drivers; Guidance; Enterprise Architecture (Vision & Strategy; Baseline Architecture: Ops View, Systems View; Target Architecture: Ops View, Systems View; Sequencing Plan/Release Architecture); Integrated Portfolio (Project PM ×4, O&M Mgmt); $$; Deployed Solutions; Improved Operations; Business Operations; Transformation!]
    • 7. Managing the cost of IT became the focus:
      • Enterprise Architecture (EA) defined*
        • A strategic information asset base that defines the
          • Mission
          • Information necessary to perform the mission
          • Technologies necessary to perform the mission, and
          • Transitional processes for implementing new technologies in response to the changing mission needs.
        • An EA includes a baseline architecture, target architecture, and a sequencing plan.
        • The EA defines where the enterprise is today… and where it plans to be in the future.
      But accountability for performance and results (including security) was the goal!
      *Source: CIO Council—FEAF & Practical Guide to FEA
    • 8. Information Security is NOT completely an IT issue! And not an issue of Cost!
      • Information Security is primarily a FIDUCIARY responsibility:
        • Information is the primary asset of most modern enterprises
        • Government agencies are the stewards of taxpayer and corporate information—not the owners!
        • Government agencies are responsible for the management (and mismanagement) of the assets they control
      • Information security architecture decisions transcend IT financial investment decision support
        • National security risk
        • Sustained operations
        • Financial liability
        • Stakeholder trust
          • Taxpayers
          • Stockholders
          • Customers
          • Partners
      Fiduciary, adj.: relating to or of the nature of a legal trust (i.e., the holding of something in trust for another); n.: a person who holds assets in trust for a beneficiary. (Source: WordNet ® 1.6, © 1997 Princeton University)
      From Latin fiduciarius, from fiducia, “trust”; related to faith and fidelity. (Source: WordNet ® 1.6, © 1997 Princeton University)
      Security is an operational requirement!
    • 9. A broader definition of EA
      • A comprehensive blueprint of an organization’s business and the infrastructure that supports it. It includes models that describe:
        • the mission of the organization
        • business processes and supporting organizational structure
        • information that supports the business
        • applications that support the business processes
        • infrastructure that supports the applications
        • strategy for managing change
      “Make no little plans, for they have no place to stir man’s blood… Make big plans, aim high in hope and work!” —Daniel H. Burnham, American Architect
    • 10. The “evasive” Security Architecture
      • “All or Nothing!” philosophies abound:
        • “Security should be built in from the beginning and permeate throughout the enterprise architecture!”
          • Not an add-on
        • “Security is such a high priority that it must be addressed as its own architecture!”
          • But how do you integrate it with the rest of the architecture?
        • But little practical guidance.
      • Security is a driver and requirement
        • Information Security goes beyond systems and firewalls
        • Traditional “Security Certification” focused on systems and components—but the enterprise is greater than the sum of its IT systems!
        • IT only implements part of the solution!
    • 11. Current EA Guidance may not be sufficient…
      • But emphasis remains on IT! EAs are only required for the IT portfolio!
      • Additional work on Security Profiles is underway…
      Federal Enterprise Architecture (FEA) Component-Based Architectures—Business-Driven Approach (Citizen-Centered Focus)
      Performance Reference Model (PRM)
      • Government-wide Performance Measures & Outcomes
      • Line of Business-specific Performance Measures & Outcomes
      Business Reference Model (BRM)
      • Lines of Business
      • Agencies, Customers, Partners
      Service Component Reference Model (SRM)
      • Service Layers, Service Types
      • Components, Access and Delivery Channels
      Technical Reference Model (TRM)
      • Service Component Interfaces, Interoperability
      • Technologies, Recommendations
      Data Reference Model (DRM)
      • Business-focused Data Standardization
      • Cross-agency Information Exchanges
    • 12. Enterprise Guidance: Meet the needs of the user at the appropriate level
      [Figure: Zachman Framework, perspectives Planner, Owner, Designer, Builder, Subcontractor; © John Zachman]
    • 13. An Enterprise View of Information Security Management—ISO 17799*
      • Policy
      • Organizational Security
      • Asset Classification & Control
      • Personnel Security
      • Physical & Environmental Security
      • Communications and Operations Management
      • Access Control
      • Systems Development and Maintenance
      • Business Continuity Management
      • Compliance
      *Organized based on ISO 17799: “Information Technology—Code of practice for information security management”
      Information Security must address the entire enterprise. It incorporates and integrates organizational, personnel, and physical security!
    • 14. Enterprise Guidance: Meet the needs of the user at the appropriate level
      [Figure: Zachman Framework, perspectives Planner, Owner, Designer, Builder, Subcontractor; © John Zachman]
    • 15. Planner & Owner: The greatest challenge is typically “Executive Buy-in”
      • Leveraging:
        • Best Practices
        • Existing Architecture Activities
        • Existing Ownership
      CIO Council—Practical Guide to Federal Enterprise Architecture:
      • Obtain Executive Buy-In and Support
      • Establish Management Structure and Control
      • Define an Architecture Process and Approach
      • Develop Baseline Enterprise Architecture
      • Develop Target Enterprise Architecture
      • Develop the Sequencing Plan
      • Use the Enterprise Architecture
      • Maintain the Enterprise Architecture
    • 16. Reinforcing the “Weakest Link”: Responsibility and Authority
      • Clinger-Cohen mandated the institutionalization of the Chief Information Officer (CIO)
        • Responsible for information technology assets (including the information itself)
        • Often the least empowered chief officer position
          • Unclear relationship to CEO and CFO
          • Limited authority on decisions made by business directors
      But where should the Chief Security Officer (CSO) be?
      [Org chart labels: CEO; CSO; CTO; COO and/or Business Directors; CIO; CFO]
    • 17. Reinforcing the “Weakest Link”: Responsibility and Authority
      • Should there be a requirement for a Chief Security Officer?
        • Responsible for enterprise-wide information security
        • Requires enterprise-wide authority
          • Authority over operations (“Shut it down.”)
          • Input into the approval of technologies (“Acceptable or not”)
          • Broader than information
      But where should the Chief Security Officer (CSO) be?
      [Org chart labels: CEO; CSO; CTO; COO and/or Business Directors; CIO; CFO]
    • 18. Enterprise Security: What does it mean to be certified?
      • Security certification and accreditation
        • Traditionally focuses on individual systems or components
      • Do enterprise-wide Security Architectures require certification?
        • Based on what criteria?
        • Who should do the certification?
        • What does it buy you?
    • 19. Enterprise Guidance: Meet the needs of the user at the appropriate level
      [Figure: Zachman Framework, perspectives Planner, Owner, Designer, Builder, Subcontractor; © John Zachman]
    • 20. Guidance and Criteria: Modeling Life-Cycle Processes
      • Source: NIST 800-64: Security Considerations in the IS Development Cycle
      • Agency-specific SDLCs… How does the government do it?
    • 21. Guidance and Criteria: e.g., COBIT Framework
      • Control Objectives for Information and related Technology
      • Consists of 34 high-level Control Objectives
        • One for each of the IT processes, grouped into four broad domains
          • Planning and Organization
          • Acquisition and Implementation
          • Delivery and Support
          • Monitoring
      Source: Conceptual COBIT Framework
    • 22. Enterprise Guidance: Meet the needs of the user at the appropriate level Zachman Framework Owner Planner Designer Builder Subcontractor © John Zachman
    • 23. Leveraging Best Practices
      • Information Technology Infrastructure Library (ITIL)
        • Best practices forming a framework for managing complex IT environments and service management
        • A set of guidelines on how to deliver IT services more efficiently by improving management processes across IT departments that support networks, applications, databases and systems
        • Includes a dedicated volume: “Best Practice for Security Management”
    • 24. Leverage Architecture Patterns Source: Guru Vasudeva Architecture Center of Excellence – Federal IBM Global Services
    • 25. Modeling Security Architecture Detail
      • DoD Architecture Framework 1.0 (DRAFT)
        • Excellent source for a variety of standard models
        • Supports modeling of multiple dimensions
        • Enterprise perspective introduced!
        • BUT—models are generic (LCD)
      Builders require specific representation of security mechanisms (e.g., approval processes, access controls, authentication, security metadata, etc.)
    • 26. Enterprise Guidance: Meet the needs of the user at all levels
      The Greatest Challenge: Communication
      Architecture = Communication!
    • 27. Summary & Conclusions
      • Maintain the focus of transformation on operations, not just IT
        • Information security will remain a driver for determining requirements
      • Apply enterprise architecture modeling techniques to address enterprise-wide concerns
        • Governance, processes, controls
        • Varied stakeholders and corresponding concerns
        • Separate but integrated perspectives (data, function, network, etc.)
      • Leverage best practices—they are out there!
        • And more each day
      • Network!
      • Share!
      • Integrate!
      • Leverage!
    • 28. Resources
      • Practical Guide to Federal Enterprise Architecture
      • OMG / FEA Reference Models
      • Zachman Framework
      • ISO 17799: IT—Code of practice for information security management
      • NIST Computer Resource Security Center (CRSR)
      • Control Objectives for Information and related Technology (COBIT)
      • IT Infrastructure Library (ITIL)
      • IBM Patterns for e-Business
      • DoD AF v. 1.0 (DRAFT)