Secure by Design using Enterprise Security Architecture by applying TOGAF and SABSA

1. Securing Ever Growing and Complex
Business Systems, For Tomorrow
18th August 2016
Maganathin Marcus Veeraragaloo

2. Security Domains
Digital Security
Cyber Security
Information Security
IT Security
Physical Security
IoT Security
OT Security
Smart Grid
Security
Network Perimeter
Disappearing

3. Impact on Security Disciplines
Infrastructure
Security
Network
Security
IAM Security
Application
Security
Data and
Information
Security
SOC Security
Cloud
Security
Endpoint
Security
Mobile
Security
Threat
Intelligence
Threat and
Vulnerability
Management
Public Key
Infrastructure
Cyber
Security
Digital Security
Digital Security
DigitalSecurity
DigitalSecurity

4. Impact of South African Legislation
1. Electronic Communications
and Transactions Act 2002
2. Regulation of Interception of
Communications and
Provision of
Communication-Related
Information Act 2002
3. Protection of Personal
Information Act 4 2013
4. National Cybersecurity
Policy Framework 2012
5. Cybercrimes and
Cybersecurity Bill
6. Protection of Critical
Infrastructure Bill
7. General Intelligence Laws
Amendment Bill
8. Interception and Monitoring
Bill
9. Copyrights Act 98 of 1978
10. Intelligence Services
Oversight Act 40 of 1994
11. Promotion of Access to
Information Act 2 of 2000
12. Protection of Information
Act 84 of 1982

5. Varying Standards and Guides
1. ISO/IEC 27001:2013 - Information security management
2. ISO/IEC 27002:2013 - Information technology -- Security techniques -- Code of
practice for information security controls
3. NISTIR 7628 Guidelines for Smart Grid Cyber Security
4. IEEE 1588 Annex K describes a security mechanism for clock synchronization
5. ISO 27019:2013 - Information Security for the Energy Utility Industry
6. ISO/IEC 27018:2014 - Code of practice for protection of personally identifiable
information (PII) in public clouds acting as PII processors
7. 240-55410927 – Cyber Security Standard for Operational Technology
8. NERC CIP V 5
9. The Critical Security Controls for Effective Cyber Defence (SANS)
10. NIST Cyber Security Framework
11. NERC CIP / IEC 62443

6. Cyber Security CIACR
Confidentiality
Cyber Resilience
AvailabilityIntegrity
Cyber Resilience
Cyber Resilience is to maintain the entity´s ability
to deliver the intended outcome continuously at
all times. This means even when regular delivery
mechanisms have failed, such as during a crisis
and after a security breach. The concept also
includes the ability to restore regular delivery
mechanisms after such events as well as the
ability to continuously change or modify these
delivery mechanisms if needed in the face of new
risks.
Availability
Information systems and the
content they contain should be
available for appropriate use.
The failure of an important
system, or even a data center,
should not cause long-term
outage. Redundancy in storage,
processing, and network paths
can be used in conjunction with
business continuity and disaster
recovery (DR) procedures to
maintain appropriate availability
levels.
Confidentiality
Prevent intentional or unintentional
unauthorized or inappropriate disclosure of
information.
Integrity
Security technologies and
processes should prevent
unauthorized or inappropriate
modification of information and
processes, and ensure that
information or IT systems—such
as structured databases,
operating system software, or
websites that have many critical
and inter-related objects—
maintain internal consistency
and correctness. Where
possible, information should be
kept externally consistent with
the real-world situations it
represents.

7. Enterprise Security Architecture – Secure by Design

8. SABSA Meta Model

9. Alignment, Integration & Compliance Strategy
Strategy & Planning Phase Alignment Risk Management Method Alignment
Performance & Reporting Methods Control Objectives Libraries & Standards

10. Controls Frameworks & Libraries

11. SABSA Risk & Opportunity Model

12. SABSA Controls & Enablers Derivation