Security Patterns: How to Make Security Architecture Easy to Consume
Enterprise Risk/Security Management Conference

Jeff L. Johnson, CISSP
Enterprise Security Architect, ING Insurance Americas
Minneapolis, MN, 06.10.2010
www.ing.com

Security Architecture Roadmap

Inputs to the roadmap:
• Business Goals
• Market Trends
• Information Security Management (ISM)
• Capabilities Matrix
• Security Patterns

Output: the Security Architecture Roadmap, the future state of the enterprise security program

ING Insurance Americas

• 8th largest company in the world¹; Dutch origins; 107,000 employees; 40 countries
• 10,000 employees; 29 million customers; 500+ applications; 3,000+ servers
• 2nd largest provider of pensions; 15,000 employees

¹ FORTUNE 2009 Global 500 List

Retirement - Insurance - Investments, www.ing.com/us

Define - Step 3
Customers Drive Business Goals

Easy to Use – Transparent – Compliant

Define - Step 3
Market Trends

Competitors – Legal – Regulations – Technology

Define - Step 3
Architecture Frameworks

TOGAF, Zachman, SABSA, etc.

Challenges
• Complex
• Sequential process
• Time to value
• Resources

ISM Structure

The Information Security Management (ISM) framework is a four-level hierarchy; each level is decomposed into several items of the next:

Risk Area
  Building Block
    Component
      Control

Define - Step 3
Risk Areas and Building Blocks

User Access
• User Access Management
• Segregation of Duties
• Information Access Restrictions
• Identity & Access Management

Platform Security
• OS Hardening
• Network Hardening
• Generic Application & DB Security
• Business Application Security
• Workstation & Mobile Devices Hardening

IT Resilience
• Hardware Infrastructure Resilience
• Business and Generic Application Resilience
• Data Centre Resilience

Change Management
• Change Management
• Separation of Environments
• System Planning & Acceptance

Sourcing
• Vendor Management
• Supplier Management

Security Monitoring
• Security Event Monitoring
• Security Incident Management
• Technical State Compliance
• Security & Penetration Testing

Foundation (underpins all risk areas)
• Asset Ownership
• Information Asset Classification
• IT Architecture
• Configuration Management
• Operational Procedures & Responsibilities
• Compliance with ING Policies
• Security Awareness

Define - Step 3
Risk Area, Building Blocks and Components

Risk area: Platform Security
Building blocks:
• OS Hardening
• Network Hardening
• Generic Application & DB Security
• Business Application Security
• Workstation & Mobile Devices Hardening

The Business Applications Security building block is broken down into components by asset impact level:
• Critical Impact Assets
• High Impact Assets
• Medium Impact Assets
• Low Impact Assets

Building Block, Components and Controls

Building block: Business Applications Security
Components: Critical Impact Assets, High Impact Assets, Medium Impact Assets, Low Impact Assets

Platform Security Controls overview (component: Critical Impact Assets)

No   Control criteria                       Dependency
1    Asset Ownership                        -
2    Information Asset Classification       1
3    Manufacturer Supported Asset           1+2
4    OSG Documented & Approved              1+2
5    OSG Implemented                        1+2
6    Application of Security Patches        1+2
7    Technical Vulnerability Management     1+2
8    Manufacturer Support Tooling           1+2
9    Security Assessment & Risk Analysis    1+2
10   Data Protection                        1+2

The Dependency column lists the controls that must already be in place: control 2 builds on control 1, and controls 3 to 10 each build on both asset ownership (1) and information asset classification (2).

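The ISM hierarchy (risk area, building block, component, control) and the dependency column of the controls table above are easy to encode and check mechanically. The following is an added example, not code from the deck or from ING: it models the one path the slides spell out (Platform Security > Business Applications Security > Critical Impact Assets) with the ten control criteria, and evaluates an asset's reported controls against the dependencies. Two rules are assumptions of this example rather than statements from the deck: a reported control only counts as effective when every prerequisite control is itself effective, and the full control list is treated as required for the component. The sample asset states are constructed.

```python
"""Dependency-aware evaluation of an ISM control set (added example)."""
from dataclasses import dataclass
from graphlib import TopologicalSorter  # standard library, Python 3.9+


@dataclass(frozen=True)
class Control:
    number: int
    name: str
    depends_on: tuple = ()  # control numbers that must be effective first


@dataclass(frozen=True)
class Component:
    risk_area: str
    building_block: str
    name: str
    controls: tuple


# Control criteria and dependency column of the "Platform Security Controls
# overview" table. "1+2" means the control relies on Asset Ownership (1) and
# Information Asset Classification (2) already being in place.
CRITICAL_IMPACT_ASSETS = Component(
    risk_area="Platform Security",
    building_block="Business Applications Security",
    name="Critical Impact Assets",
    controls=(
        Control(1, "Asset Ownership"),
        Control(2, "Information Asset Classification", (1,)),
        Control(3, "Manufacturer Supported Asset", (1, 2)),
        Control(4, "OSG Documented & Approved", (1, 2)),
        Control(5, "OSG Implemented", (1, 2)),
        Control(6, "Application of Security Patches", (1, 2)),
        Control(7, "Technical Vulnerability Management", (1, 2)),
        Control(8, "Manufacturer Support Tooling", (1, 2)),
        Control(9, "Security Assessment & Risk Analysis", (1, 2)),
        Control(10, "Data Protection", (1, 2)),
    ),
)


def implementation_order(component):
    """Control numbers in an order that never schedules a control before
    its prerequisites (a topological sort of the dependency column)."""
    graph = {c.number: set(c.depends_on) for c in component.controls}
    return list(TopologicalSorter(graph).static_order())


def evaluate(component, implemented):
    """Classify a component's controls for one asset.

    `implemented` is the set of control numbers the asset owner reports as
    done. Returns 'effective' (done, prerequisites met), 'blocked' (reported
    done but a prerequisite is not effective, mapped to the unmet prerequisite
    numbers) and 'missing' (not reported at all). Blocking is this example's
    assumption: the deck lists dependencies but not how to score them.
    """
    by_number = {c.number: c for c in component.controls}
    effective, blocked, missing = set(), {}, set()
    for number in implementation_order(component):  # prerequisites first
        control = by_number[number]
        if number not in implemented:
            missing.add(number)
            continue
        unmet = [d for d in control.depends_on if d not in effective]
        if unmet:
            blocked[number] = unmet
        else:
            effective.add(number)
    return {
        "effective": sorted(effective),
        "blocked": dict(sorted(blocked.items())),
        "missing": sorted(missing),
    }


def gap_report(component, implemented):
    """Human-readable current-state lines, one per control."""
    result = evaluate(component, implemented)
    names = {c.number: c.name for c in component.controls}
    lines = [f"{component.risk_area} > {component.building_block} > {component.name}"]
    for n in result["effective"]:
        lines.append(f"  OK       {n:>2} {names[n]}")
    for n, unmet in result["blocked"].items():
        lines.append(f"  BLOCKED  {n:>2} {names[n]} (needs {', '.join(map(str, unmet))})")
    for n in result["missing"]:
        lines.append(f"  MISSING  {n:>2} {names[n]}")
    return lines


if __name__ == "__main__":
    # Constructed sample: the owner reports patching and vulnerability
    # management as done but has never classified the asset, so both claims
    # are blocked on control 2.
    print("\n".join(gap_report(CRITICAL_IMPACT_ASSETS, {1, 6, 7})))
```

The point of the blocked category is that a capabilities matrix which simply counts reported controls overstates the current state: patching and vulnerability management against an asset nobody has classified cannot be prioritised correctly, which is exactly why the table places controls 1 and 2 first.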
Capabilities Matrix

Current State

Security Patterns

A Security Pattern is a well-understood solution to a recurring information security problem.

Time to Value ∗ Easy ∗ Build Once, Use Many

Cookbooks are a collection of related security patterns.

Security Pattern Framework

Open Security Architecture

• Security Patterns Catalog
• Based on Capabilities and ISM
• Prioritize security projects and operational needs

Data Protection Security Pattern Example

Controls
• Media Labeling
• Information Leakage
• Continuous Monitoring
• Use of Cryptography
• Etc.

Data Protection Security Pattern Example

• Guidance on data protection
• Repeatable and consumable steps for end users
• Maps to industry standards and enterprise capabilities

References

• Open Security Architecture
  http://www.opensecurityarchitecture.org
• Security Patterns
  http://www.securitypatterns.org/
• The Open Group, Guide to Security Patterns
  http://www.opengroup.org/security/gsp.htm
• A Survey on Security Patterns
  http://www.nii.ac.jp/pi/n5/5_35.pdf
• Data Security Pattern from OSA
  http://www.opensecurityarchitecture.org/cms/library/patternlandscape/259-pattern-data-security