Risk-driven and Business-outcome-focused Enterprise Security Architecture Framework by Ana Kukec

Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects, Australia
The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach, which addressed non-normative flaws in systems and applications, to a risk-driven, business-outcome-focused methodology that enables the business strategy.
Following this trend, we defined the fundamental characteristics of an effective security architecture:
1) Capabilities are the primary assets at risk; information systems and technology components are secondary assets at risk that support the primary assets.
2) Security requirements cover the business aspects of confidentiality, integrity and availability, not only the technology aspects.
3) IT risk management is business-opportunity-driven. It requires an understanding of risk appetite across the business, information systems and technology architectures, so that security risks arising from vulnerabilities and compliance issues at any layer of the enterprise architecture are managed in a business-outcome-focused way.
4) Security services are aligned to business drivers, goals and objectives, and are managed in a risk-driven way.
Yet there is no single security architecture development methodology that delivers these characteristics. We believe that existing information security standards and frameworks, in combination with TOGAF, are sufficient to meet them; the challenge is in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITIL v3 security service management and the ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method (ADM) and Content Meta-model as the key integrators. It is a pragmatic security architecture framework that establishes a common language between the IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of the long-term security needs of both business and IT, with a risk-driven enterprise as the final outcome.
We will present a case study of the implementation of the aforementioned business-outcome-focused and risk-driven Enterprise Security Architecture Framework at the University of New South Wales.
Key takeaways:
-- Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with TOGAF
-> Security strategic planning
-> Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations)
-> Business-opportunity-driven management of the security risk of threats, vulnerabilities and compliance issues across the business, information systems and technology architectures

Presentation Transcript

  • Slide 1: Enterprise Security Architecture Framework. Business-outcome-focused and risk-driven approach. Dr Ana Kukec, Lead Enterprise Security Consultant. 1 | ENTERPRISE SECURITY ARCHITECTURE FRAMEWORK | ENTERPRISE ARCHITECTS © 2013
  • Slide 2: Contents. Enterprise Security Architecture, Frameworks and Standards (3); The Open Group's view of an ESAF (7); EA's view of an ESAF (9); Case Study at the University of New South Wales (13); Value Proposition (19)
  • Slide 3: Section: Security Architecture, Frameworks and Standards
  • Slide 4: Security Architecture, Frameworks & Standards. Enterprise security architecture as seen by practitioners; existing security architecture-related frameworks & standards.
    [Diagram: SABSA layers (Contextual, Conceptual, Logical, Physical, Component, with Security Service Management across them) aligned with the TOGAF domains (Business Architecture, Enterprise Data Architecture, Application Architecture, Technology Architecture)]
    Enterprise security architecture is a methodology for securing an enterprise by optimising operational risks.
  • Slide 5: Security Architecture, Frameworks & Standards. Many of the ESA programmes have been failing...
    What are we doing wrong? / What should we be doing?
    - Too much emphasis on technology / Security as an enabler of business strategy
    - Silo approach to security and risk / Business risk is the key driver for security
    - Siloed security organisation / Cohesive security organisation
    - Silo approach to EA and ESA / Single team, common framework
    Sources: [1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011; [2] SABSA Blue Book, Nov 2005
  • Slide 6: Security Architecture, Frameworks & Standards. What should we be doing?
    [Diagram: Enterprise Architecture (including Security Architecture) alongside Enterprise Security Management (Information Security Management, Risk Management, Business Security Management, Information Systems Security Management, Business Continuity, Physical Security, Environmental Security) and Enterprise Value Management (Value Governance, Portfolio Management, Investment Management)]
  • Slide 7: Section: TOGAF & Enterprise Security Architecture
  • Slide 8: TOGAF and Enterprise Security Architecture. The Open Group identified goals for an Enterprise Security Architecture Framework. The Open Group Architecture Forum and Security Forum agree that the coverage of security and risk can be updated and improved. The Open Group and the SABSA Institute agreed to use the TOGAF ADM as a basis for the ESA Framework. Specific goals include [1]:
    - Guidance on producing business and risk management-based security architectures.
    - Guidance on developing secure architectures to support business outcomes.
    - Guidance on producing architectures that enable the efficient management of security.
    [1] TOGAF and SABSA Integration Whitepaper (W117), Oct 2011
  • Slide 9: EA's view: Implications of the identified goals define the cornerstones for an effective Enterprise Security Architecture Framework.
    Cornerstones: (a) business and risk management based security architectures; (b) secure architectures supporting the business outcomes; (c) efficient management of security.
    Activities across the cornerstones: business security motivation; business security requirements; architecture asset identification; architecture asset evaluation; architecture asset risk assessment; architecture asset threat, vulnerability and risk analysis; architecture asset classification; risk-driven opportunities and solutions; controls determination; security capability-based management planning; security architecture and management maturity monitoring.
    Results: business & risk-driven security strategies, tactics & operations; risk-driven portfolio.
    The cornerstones have been identified based on our practical experience and the best practice industry standards and frameworks.
  • Slide 10: EA's view: The cornerstones can be delivered through integration of existing information security management and architecture frameworks and standards.
    Business and risk management based security architectures: SABSA Business Attributes Profiling, COBIT 5 Goals Cascade & Risk IT; TOGAF ADM & Content Meta-model; ISO/IEC 31000 standards; SABSA Risk Management Model; COBIT 5 Balanced Scorecard Risk Management Model; COBIT 5 Enablers: Processes, People, Services, Infrastructure and Applications.
    Secure architectures supporting the business outcomes: TOGAF ADM & Content Meta-model; COBIT 5 for Information Security; data security classification & information system controls standards (ISO, FIPS, NIST, Government frameworks); Jericho Forum Models/Whitepapers; application security standards; platform/network security standards; ISO/IEC 27000 standards.
    Efficient management of security: TOGAF ADM & Content Meta-model; COBIT 5 for Information Security Enablers: Principles, Policies, Processes, People, Information, Services, Infrastructure and Applications; O-ISM3: Information Security Management Maturity Standard; ITIL v3 security service management; ISO/IEC 31000 standards.
    The challenge is in the integration of existing security architecture frameworks, information security management standards and information systems security standards.
  • Slide 11: EA's view: An Enterprise Security Architecture Framework as a process of iterations through the ADM tailored for enterprise security, risk and compliance.
    [Diagram: ADM phases tailored for security: Business Security Architecture, Information Systems Security Architecture, Technology Security Architecture, Security Opportunities & Solutions, Security Change Management, Adopt Operating Model. Artefacts: business security motivation, service catalogue, architecture roadmap, risk profiles, business/information systems/technology reference models, domain security architecture, business motivation, architecture security risk roadmap, security capability roadmap.]
    - Secure BDAT architectures (business & risk management based security architectures): classify enterprise assets; assess BDAT risks; define controls.
    - Manage portfolio (secure architectures supporting the business outcomes).
    - Architect/transform security practice (efficient & effective management of security): identify security assets; assess security capability risks; define security policies.
  • Slide 12: EA's view: ESA Content Meta-model (in addition to the TOGAF Content Meta-model).
    Security architecture principles, requirements and roadmap: Security Principle; Information Security Requirement; External Compliance Requirement; Internal Compliance Requirement; Continuity Requirement; Security Capability Gap; Security Capability.
    Business security architecture: Motivation (Security Goal, Security Objective, Risk Appetite, Risk Tolerance, Strategic Security Risk); Organization (Actor, Security Service Policy); Function (Security Attribute, Security Service, Business Service Criticality, Business Service Sensitivity).
    Data security architecture: Security Classification (CIA); Information Risk. Application security architecture: Security Control; Security Guideline; Continuity Procedure; Application Risk. Technology security architecture: Security Standard; Technology Risk. Cross-cutting: Policy Framework; ES Motivation; ES Requirements; Risk Management.
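The risk roll-up implied by the abstract's characteristics 1 and 3 and by the meta-model entities above (capabilities as primary assets, information systems and technology components as secondary assets carrying a CIA security classification, and a risk appetite per capability), as an added illustration in Python. This is not code from the presentation or from Enterprise Architects; the scoring scales, the likelihood-times-classification scoring rule, the university assets and the appetite values are assumptions made for the example.

```python
"""Toy risk roll-up for a capability-centred security architecture.

Added illustration, not code from the presentation. Scales, the scoring rule,
asset names and appetite values are assumed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Classification:
    """Security classification per CIA attribute, 1 (low) .. 4 (critical). Assumed scale."""
    confidentiality: int
    integrity: int
    availability: int


@dataclass
class Risk:
    """A threat, vulnerability or compliance issue against one CIA attribute of an asset."""
    description: str
    attribute: str          # "confidentiality" | "integrity" | "availability"
    likelihood: int         # 1..5, assumed scale


@dataclass
class SecondaryAsset:
    """Information system or technology component: a secondary asset at risk."""
    name: str
    layer: str              # "data" | "application" | "technology"
    classification: Classification
    risks: List[Risk] = field(default_factory=list)


@dataclass
class Capability:
    """Business capability: a primary asset at risk. risk_appetite is the score the business accepts."""
    name: str
    risk_appetite: int
    supported_by: List[SecondaryAsset] = field(default_factory=list)


def risk_score(asset: SecondaryAsset, risk: Risk) -> int:
    """Impact is read from the asset's classification of the attacked attribute (assumed rule)."""
    impact = getattr(asset.classification, risk.attribute)
    return risk.likelihood * impact


def capability_exposure(cap: Capability) -> Tuple[int, List[Tuple[str, str, int]]]:
    """Roll secondary-asset risks up to the capability they support.

    Returns the highest single risk score (a capability is only as safe as its weakest
    supporting asset) and every contributing (asset, risk, score) triple, highest first.
    """
    contributions = [
        (asset.name, risk.description, risk_score(asset, risk))
        for asset in cap.supported_by
        for risk in asset.risks
    ]
    contributions.sort(key=lambda c: c[2], reverse=True)
    worst = contributions[0][2] if contributions else 0
    return worst, contributions


def exceeds_appetite(caps: List[Capability]) -> Dict[str, List[Tuple[str, str, int]]]:
    """Capabilities whose exposure exceeds their appetite, with the risks that push them over.

    These are the risks for which controls get defined first; a risk sitting exactly at
    the appetite is within appetite and is not reported.
    """
    out: Dict[str, List[Tuple[str, str, int]]] = {}
    for cap in caps:
        worst, contributions = capability_exposure(cap)
        if worst > cap.risk_appetite:
            out[cap.name] = [c for c in contributions if c[2] > cap.risk_appetite]
    return out


def sample_capabilities() -> List[Capability]:
    """Constructed sample enterprise (a university, as in the case study); all values assumed."""
    student_records_db = SecondaryAsset(
        "student-records-db", "data", Classification(4, 4, 3),
        risks=[Risk("unpatched DBMS allows privilege escalation", "confidentiality", 3),
               Risk("no integrity checks on grade updates", "integrity", 2)])
    lms = SecondaryAsset(
        "learning-management-system", "application", Classification(2, 3, 4),
        risks=[Risk("single-instance hosting, no failover", "availability", 4)])
    campus_wifi = SecondaryAsset(
        "campus-wifi", "technology", Classification(1, 1, 3),
        risks=[Risk("ageing controllers, vendor support ended", "availability", 3)])
    return [
        Capability("Award degrees", risk_appetite=8, supported_by=[student_records_db]),
        Capability("Deliver teaching", risk_appetite=12, supported_by=[lms, campus_wifi]),
        Capability("Provide campus connectivity", risk_appetite=9, supported_by=[campus_wifi]),
    ]


if __name__ == "__main__":
    for cap_name, risks in exceeds_appetite(sample_capabilities()).items():
        print(cap_name)
        for asset, desc, score in risks:
            print(f"  {score:>2}  {asset}: {desc}")
```

Running the module lists each capability whose exposure exceeds its appetite together with the secondary-asset risks that push it over, which is the input to the "define controls" step of the Secure BDAT architectures stream. Note that the same campus-wifi risk is within appetite for "Provide campus connectivity" but still counts towards "Deliver teaching": the primary asset, not the component, decides what is acceptable.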
  • Slide 13: Section: TOGAF-based ESAF: Case Study at the University of New South Wales
  • Slide 14: Case Study: ESAF at the University of New South Wales. The situation: Business, IT & Enterprise Architects described their vision for the security organisation. The UNSW security organisation relies on security operations, and is seeking to establish:
    - an enterprise security architecture capability
    - an enterprise security architecture framework to help revise the security strategic plan and the information security plan, and to transform the security practice.
  • Slide 15: Case Study: ESAF at the University of New South Wales. Our approach: a tailored Enterprise Security Architecture Framework.
    - Business security motivation & business capability anchor model
    - Current state assessment: security capability maturity assessment; architecture risk assessment; architecture asset security classification
    - Aspirational target state: target security capability model with functional roles to fulfil, policies, standards, regulations; application security guidelines and continuity procedures
    - Business risk-driven security strategies
  • Slide 16: Case Study: ESAF at the University of New South Wales. EA's Enterprise Security Architecture Framework artefacts (samples): security capability roadmap; business security motivation; security capability model; business capability model with security classification; architecture risk roadmap.
  • Slide 17: Case Study: ESAF at the University of New South Wales. Outcomes.
    Challenges:
    - Inability to communicate the value of security architecture, compliance and risks to business, services & projects
    - Lack of consistency in providing security support across the SDLC
    - Operational imbalance
    - Organically grown information security and technology security architecture
    - Low maturity of the risk management capability
    - Ineffective IT audits
    Outcomes:
    - Common language and framework
    - Governance & management security capabilities integrated into the IT operating model
    - Security classifications, internal compliance, regulatory compliance
    - Better alignment to service management and projects
    - Revised security strategy & informed application security portfolio management
    - Revised risk management capability, disaster recovery and business continuity plans
    - IT audit planning framework
  • Slide 18: Section: TOGAF-based ESAF: Value proposition
  • Slide 19: TOGAF-based Enterprise Security Architecture Framework: Value Proposition.
    Common language & framework: business, security, risk and IT; EA and ESA; various security functions.
    Strategic alignment: better investment management in security; shift from gap-control operations to strategic initiatives.
    Holistic approach & strategic security solutions: holistic approach to security solutions; strategic security solutions enabling business & improving customer experience (strategic or segment: cloud, BYOD, mobile, outsourcing, ...); reusable & scalable security building blocks.
    Efficient management of security: cohesive security organisation; integration of standards and regulations; positioning within business & IT operating model; clarity around security functional roles and work products; alignment to service management office & projects.
    Governance, risk & compliance: effective IT audits; compliance with industry regulations; cost-effective operational risk management.