Information Security by Design
Nalneesh Gaur, CISSP
Diamond Management and Technology Consultants
Nalneesh.gaur@diamondconsultants.com,
April 10, 2008

By the end of this course, you should be able to…
 Understand the need to think early about Information
Security
 Learn how to align Information Security and business
 Capture Information Security capabilities
 Define security services and mechanisms
 Apply an integrated Information Security EA framework
to your practice
Page 1

Businesses are transforming to address information risks
Management Pressure Points Transformational Change
Numerous regulations
Establishment of Chief
and control standards
Information Security
Office (CISO)
Distributed operations organization and
and relationships governance structures Implementation of
risk-based
Development of
risk intelligence Information
Increased accountability
Security roadmap
Fragmented information Raise Awareness
Establishment of
security organization of the importance
Information
structure of information
Security
security and best
Increased globalization, architecture
practices
crime and cyber
terrorism
Implementation of
Heightened privacy
controls and
Purchase of Cyber-
awareness among
insurance reporting
consumers
automation
Today’s topic
Board-level visibility
Page 2

Information Security bridges the gap between Operational Risk and IT
Security
Operational Risk Areas
Overarching framework for addressing risk
Business
Operations & Employee & Physical Business Financial
Legal Regulatory Vendor External
Process Culture Asset Continuity Reporting
Information Security Areas
Focuses on risk to information in all of the operational risk areas
Systems
Incident/Business
Policy, Org & Asset Personnel Physical Security Development
Comm. & Ops Compliance Continuity
Governance Management Security /Access Control Life
Management
Cycle
Examples of issues addressed - Financial Integrity, Trust, Fraud, Access Management, Intellectual Property, Privacy
Technology
IT Security
Focuses on Information technology risks alone in all of the Information Security areas
IT Threats Audits & Assessments Security Operations Controls
e.g. Virus and Spyware, e.g. Penetration testing, e.g. Patch Applications, e.g. System Hardening,
Hackers Security Assessments Provision User/Access Firewalls, Anti-virus
Page 3

To address information risks, the Enterprise Architect must align
business, operational risk and technology
CISO/CRO
Business
wants to
wants to know
know
Enterprise Architect
Are our assets protected? What is our exposure?
How do we prevent the next attack? How do we comply with regulations?
How much does it cost? Which controls do I prioritize?
How do we improve security? How do I automate controls reporting?
How do I gain executive buy-in?
Technical Staff
wants to know
How do I prioritize between IT and Security?
How do I integrate Security into the Infrastructure?
How do I ensure consistency?
Page 4

But, roadblocks often thwart alignment
 Information Security does not engage the business
– Technology driven solutions “offered” to the business
– Solutions looking for problems to solve
– Organizational anomalies
 Business strategy is too vague
– Mission, vision, goals exist
– Then what?
 Complexity of the business
– Do we plan for the whole enterprise?
 Enterprise Architecture considered “too complex\" and
“too costly”
Page 5

Alignment can be achieved through collaboration on a business-driven
plan
 Business owns
Business Architecture – Leadership
(strategy & operations) – Business SMEs
 Infosec Facilitates
 Infosec owns
 Business approves
Solution Architecture
(platform independent)
 IT Security owns
 Governed by Business and
Technical Architecture
Solution Architecture
(infrastructure & processes)
Suggested Approach
Page 6

The result is a business-capability driven blueprint that integrates
business strategy, operational risks and Information Security solutions
Components of a Security Blueprint
Business Architecture
Strategic Business Architecture (SBA)
Security Specific Goals,
Objectives and Capabilities
Blueprint &
Operational Business Architecture (OBA)
Key Functions, Control
Objectives, Trust Model
Roadmap
Solutions Architecture
Security Privilege Security
Policies Associations Services
Technical Architecture
Security Reference Security Standards
Mechanisms Architecture and Guidelines
Page 7

Start by understanding the environment and security drivers
 Understand the environment enablers and constraints
 Understand the Security drivers – regulations, policies,
business strategy, recent incidents, mergers and
acquisitions
 Determine the organizations appetite for Security
– Sr. Mgmt commitment to security
– Available resources: people, money
– Management expectations
 Involve business to develop guiding principles
– A collection of position statements used to assist decision making
– Positions unlikely to change over the next two to three years
– Filters for decision-making . . . guidelines, not hard and fast rules
Page 8

Engage the business by documenting and driving additional
detail into the business strategy
Strategic Business Architecture (SBA)
 A comprehensive statement covering
the major functions and operations
MISSION
that the program addresses
ENVIRONMENT, SECURITY DRIVERS &
 An inspirational, forward-thinking
view of what the program wants to
VISION
GUIDING PRINCIPLES
achieve
 The top priorities that would achieve
the vision
GOAL GOAL GOAL GOAL
 A set of realistic outcomes tracked by
performance indicators that
PERFORMANCE
OBJECTIVE
collectively support goal attainment
INDICATORS
 A description of how the business
CAPABILITIES
plans to achieve the objectives
 A description of what should be
REQUIREMENTS
implemented
Page 9

Engage the business by documenting and developing the
details of the business operations
Operational Business Architecture (OBA)
 Entities
 Trust Hierarchy
Trust
 Trust Domains
Model
Organization  Level 0/1 Functions
 Capabilities
Key
Business
Functions Mapping
Context  Gap Analysis
 Stakeholders  Information Risks
Control  Likelihood and
 Locations
Impact
Objectives
 Control Standards
Page 10

Starting with the business context view, identify the
organizational aspects and then the respective functions
Level 0/1 Functions Capability Mapping Gap Analysis
What it is
Top-down description of level 0 and level 1 LOB functions. Each level has 5-
10 steps. Use it to assess any gap with detailed processes. These functional
maps serve as inputs in understanding/defining trust relationships and
control objectives.
Trust
Model
Sample Deliverable How to do it
Organization
 Use IDEF-0 to develop
Key
Business
Functions
Context
functional maps and
relationships. IDEF-0 allows
simple visualization of Input,
Control
Objectives
Output, Controls and
Mechanisms.
 Define best-in-class, end-to-
end IDEF-0 maps and
definitions for relevant level 0
and level 1 business functions
Level 0/1 Functions
Page 11

For each function map the SBA capabilities
Level 0/1 Functions Capability Mapping Gap Analysis
What it is
Detailed mapping of SBA business capabilities to their supporting level 1
functions. Mapping assists in identifying capability gaps
Trust
Model
Sample Deliverable How to do it
Organization
 Use a spreadsheet to organize
Key
Business
Functions
Context
capabilities and then match
functions to capabilities.
Control
 Examine the level 1 functions
Objectives
and identify the characteristics
that enable the business
capabilities (already captured
from the SBA)
Capabilities Mapping
Page 12

Identify gaps in capabilities by comparing the current and
future capabilities
Level 0/1 Functions Capability Mapping Gap Analysis
What it is
Observations, risks, implications and planned resolutions for capability gaps
in functions
Trust
Model
Sample Deliverable How to do it
 Compare the high-level
Organization
Key
Business
functions with the current state
Functions
Context
detailed functions
 Identify new capabilities and
Control
Objectives
the functions required to
support them
Gap Analysis
Page 13

Employ the knowledge of key functions to document and
define the Trust Model – start by identifying the entities
Entities Trust Hierarchy Trust Domains
What it is
An entity is a subject that takes an action in a business environment. Entities
can be external (e.g. vendors, partners, customers) or internal (e.g. business
units, employees).
Trust
Model
Sample Deliverable How to do it
Organization
Use the key functions and
Key
Business
Functions
Context
identify the subjects involved in
those functions
Control
Objectives
Entities
Page 14

Once the entities are known, identify the relationships and
the specifics such as information exchanged between them
Entities Trust Hierarchy Trust Domains
What it is
Trust Hierarchies are relationships and may be represented as One-Way vs.
Two-Way, Transitive, External vs. Internal. Business involvement in
identifying the relationship is critical. The trust hierarchy allows for
discrimination between relationships
Trust
Model
Sample Deliverable How to do it
Organization
 Identify the relationships
Key
Business
Functions
Context
between the entities.
 Document the type of
Control
information being exchanged
Objectives
across each relationship.
Trust Hierarchy
Page 15

Develop trust domains by identifying common security
themes
Entities Trust Hierarchy Trust Domains
What it is
Trust Domains consist of entities and relationships that share a common
security theme. Trust Domains are not a rigid construct, they are designed to
make it easy to enforce security policies and may allow grouping of policies
by domains.
Trust
Model
Sample Deliverable How to do it
Organization
 Identify the unique security
Key
Business
Functions
Context
characteristics of each entity
and other entities that it
interacts with to exchange
Control
Objectives
information.
 Group entities that share
common security themes and
depict the relationships
between them to form the Trust
domains.
Trust Domains
Page 16

Develop Control Objectives by identifying the enterprise
assets, threats and vulnerabilities
Likelihood and
Information Risks Control Standards
Impact
What it is
Document Information risks (assets, threats and vulnerabilities) to prioritize
protection measures. Use interviews to gather risk information across the
business and from the interviewee’s vantage point.
Trust
Model
Sample Deliverable How to do it
Organization
 Develop a model to score
Key
Business
Functions
Context
assets based on plausible
impact
Control
 Use interviews and key
Objectives
functions to identify assets,
threats and vulnerabilities
 Prioritize information assets to
focus on the most valuable
assets.
 Identify the vulnerabilities,
threats
Information Risks
Page 17

Assess the impact and likelihood of the threat on assets to
determine the greatest risks to the enterprise assets
Likelihood and
Information Risks Control Standards
Impact
What it is
All risks are not created equal, assess the likelihood and impact of each risk.
Prioritize the risks and then map capabilities to identify the capabilities that
address the greatest risks first.
Trust
Model
Sample Deliverable How to do it
Organization
 Identify the impacts and
Key
Business
Functions
Context
likelihood of the threat to
exploit the vulnerability.
Control
 Rank the assets, threats and
Objectives
vulnerabilities.
 Focus on the greatest risks by
plotting the assets, threats and
vulnerabilities against
likelihood and impact
Likelihood and Impact
Page 18

Prioritize information risks and for each risk identify control
standards
Likelihood and
Information Risks Control Standards
Impact
What it is
Identify Control standards to address the greatest risks. Control Standards
specify a desired end state and are platform agnostic. Control standards may
be selected from ISO 270001, COBIT etc.
Trust
Model
Sample Deliverable How to do it
Organization
 Identify the control standard
Key
Business
Functions
Context
you wish to use
 For each of the prioritized
Control
risks, identify applicable
Objectives
control standards
 Consolidate risks that yield the
exact same control objectives
 Identify the frequently
occurring standards to identify
the priority control standards
Control Standards
Page 19

The Strategic and Operational Business Architectures
provide the necessary input for the Solution Architecture
The Security Policies
The Security
are based on the OBA.
Solution Architecture Mechanisms are
Defines roles and profiles
Policies are hierarchical
mapped to Security
within the organization.
in nature and cross
Services. They
reference other policies
Security represent different ways
Policies of implementing the
Technical Architecture
services.
Once Security
Business Privilege Security Mechanisms are defined
Architecture Model Mechanisms then a set of reference
architecture can be built
for each mechanism. The
Security Reference reference architecture
Services Architectures defines the organizations
• The Security Services best practices for
is a logical construct, implementing a given
Security
used as a stepping Security Mechanism.
These are the platform Standards and
stone to achieve
specific technology
Guidelines
capabilities.
standards and
guidelines. Standards
are linked to specific
Security Policies.
Page 20

Engage policy, business and application owners to develop
the solution architectures
 Establish the policy catalog based on
the SBA, OBA and the control
objectives:
– Local vs. global versions of policies
– Driven by local regulations as well as
unique business needs
– Trust domain specific policies
Solution
 EA participates in policy development
Architecture
but does not own it.
Security  Include clauses that can be enforced
Policies
immediately or in the near term
Business Privilege
Architecture Model
 Privilege management forms the basis
PRIVILEGE
Security for any sophisticated Identity & Access
ASSOCIATIONS
Services
Management solution.
Asset Asset
 Inventory existing roles and map
Privilege Privilege
individuals to those roles.
 Engage business and application
Profile Profile
owners to develop an abstract construct
such as “profiles”; Use profiles to map
Roles Roles Roles
organization roles.
Individual Individual
 The profiles can be used to grant access
to assets
Page 21

Identify Security services and then develop its building
blocks – security mechanisms
Illustrative
Technical Security Service Security Mechanism
Architecture
• Encryption
Data Security •
Security Digital Signatures
mechanisms
• Access Control
in Transit
• Integrity Verification
Business Reference
Architecture Architectures
Encryption
•
Security
Data Transformation
•
Standards and
Data Security • Data Masking
Guidelines
at Rest Access Control
•
Integrity Verification
•
• Security Policies must be used to
Host-Based Intrusion Protection
•
develop Security services
Anti-Virus
•
Platform
• The Security services vocabulary
Platform Security Updates
•
should suggest a solution to a problem
Security
• Security services should be vetted Patch Management
•
with business and application owners
to ensure they are usable Anti-Spam
•
• Security mechanisms must be Anti-Spyware
•
Messaging
enhanced on a periodic basis to adapt
Anti-Malware
•
to evolving risks Security Anti-Virus
•
• Security mechanisms may be reused
Digital Signatures
•
across services and form the building
blocks for services
Page 22

Complete the technical architecture by defining the remaining
components
Technical
Architecture
Security
mechanisms
Business Reference
Architecture Architectures
Security
Standards and
Guidelines
• Reference Architectures are built for each • Standards are specific to a technology platform,
security mechanism and define the specifics of a service, device or application.
vendor solution, applicability, pros and cons
• Temporary exception to the Standards must be
• Reference Architectures must be periodically
governed through the architecture governance
updated to adapt to the evolving solutions
process.
landscape.
Security
Mechanisms Reference
Architecture 1
Data Masking
Reference
Architecture n
Page 23

Use the Business and Solution Architectures to derive a roadmap of
business capabilities
Operational Business Architecture Strategic Business Architecture Solution Architecture
1H06 2H06 1H07 2H07
Capability 01
Theme 1
Capability 12
Capability 04
Capability 07 Roadmap of when
Theme 2
each capability is
Capability 09
delivered
Capability 02
Capability 03
Theme 3
Capability 05
Capability 08
Business Capabilities
Requiring Infosec ad IT Support
Page 24

Avoid some common pitfalls when building an Information Security
Blueprint
 Do not start with requirements, start with capabilities
– Requirements are good for implementation but bog down the planning
process
– Capabilities provide a manageable level of detail for prioritization and
release planning
 Recognize Information Security as a key component of Operational Risk,
work towards getting the OBA right
– Start with key functions not processes for developing the OBA
– Understand what you want to protect before deciding how you want to
protect
 Differentiate between IT security and Information Security, do not focus
on technology alone
– Hold off on tools until reference architecture
Page 25

Key Takeaways
 Understand the significance of Information Security as a
business enabler by identifying the drivers and appetite for
Information Security early in the planning process
 Information Security must engage the business by developing
the
– guiding principles
– Strategic Business Architecture (SBA)
– Operational Business Architecture (OBA)
 Getting the Security Services right is the first step before
developing the technical architecture artifacts
 Develop Security Mechanisms and corresponding Reference
Architectures for the highest priority Security services
Page 26

Thank You
Questions?
Page 27