Enterprise Security Architecture was initially targeted to address two problems:
1- System complexity
2- Inadequate business alignment
Resulting in more cost and less value
The intent of the paper is to propose a simple yet comprehensive technique to model enterprise security architecture and design aligned to SABSA that enables –
Standardisation of SABSA Enterprise Security Architecture framework by formalizing common language used in the form of ESA modelling notation
Reusability of model artefacts (not documents) to enable enterprise and department level collaboration and knowledge management
Generic or organisation specific Library of assets for various ESA artefacts such as – Business attribute profile(s), security services, mechanisms and components and associated views
Tool-assisted development using a separate toolbox for ESA that augments Enterprise Architecture (TOGAF) modelling using ArchiMate.
Enterprise Security Architecture for Cyber Security (The Open Group SA)
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
A Practical Example to Using SABSA Extended Security-in-Depth Strategy (Allen Baranov)
A practical example of using the SABSA extended Security-in-depth layer strategy. A little bit of insight into why and how I extended the original and how to use it to create Information Security Standards that have sound architecture behind them.
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a... (PECB)
To protect your organization from cyber attacks, you need to implement a robust information security management system (ISMS) and business continuity management system (BCMS) based on international standards, such as ISO/IEC 27001 and ISO 22301.
Amongst others, the webinar covers:
• Why we need a cyber response plan to protect business operations
• Introduction to ISO/IEC 27001 and ISO 22301
• What do we need for a cyber security response plan?
• How do we develop a cyber security response plan?
Presenters:
Nick Frost
Nick Frost is Co-founder and Lead Consultant at CRMG.
Nick’s career in cyber security spans nearly 20 years. Most recently, Nick has held leadership roles at PwC as Group Head of Information Risk and at the Information Security Forum (ISF) as Principal Consultant.
In particular, as Group Head of Information Risk for PwC, Nick designed and implemented best-practice solutions that made good business sense, prioritised key risks to the organisation and helped minimise disruption to ongoing operations. Whilst at the ISF, Nick led their information risk projects and delivered many of the consultancy engagements that help organisations implement leading thinking in information risk management.
Nick’s combined experience as a cyber risk researcher and practitioner designing and implementing risk-based solutions places him as a leading cyber risk expert. Prior to cyber security, and after graduating from UCNW and Oxford Brookes, Nick was a geophysicist in the oil and gas industry.
Simon Lacey
Simon is a resourceful, creative Information & Cyber Security professional with a proven track record of instigating change, disrupting the status quo, influencing stakeholders and developing ‘big picture’ vision across business populations. He has experience across multiple industries, excels in building stakeholder engagement and consensus, and supports organisations in making sustainable change.
Simon also has considerable experience of risk management, education and awareness, strategy development and consulting to senior management and is a confident and engaging public speaker.
Simon previously worked within the NHS, the Bank of England and BUPA before setting out as an independent consultant and forming Oliver Lacey Limited, supporting clients in multiple business sectors.
When not working, Simon loves to run (he is currently training for the Berlin Marathon), is a Director of Aylesbury United Football Club, records vlogs and is an experienced stand-up comic.
Date: April 26, 2023
Find out more about ISO training and certification services
Training: https://bit.ly/3AyoyYF
https://bit.ly/3LbBVTx
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
YouTube video: https://youtu.be/i4qx5mjEqio
The presentations should help security professionals create security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrightTALK.
Introduction to Risk Management via the NIST Cyber Security Framework (PECB)
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Specializing in Homeland Security, Andrea leverages her experience managing projects that supported various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel at tactical, operational and strategic levels. Overall, Andrea applies analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
HD version: http://1drv.ms/1eR5OQf
This is my publication on how the integration of the TOGAF Enterprise Architecture framework, the SABSA Enterprise Security Architecture framework, and Information Governance discipline add up to a robust and successful Information Security Management Program.
Enterprise Architecture
Enterprise Architectural Methodologies
A Brief History of Enterprise Architecture
Zachman Framework
Business Attributes
Features & Advantages
SABSA Lifecycle
SABSA Development Process
SMP Maturity Levels
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how organizations use cybersecurity frameworks to identify, protect against and recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Information Security between Best Practices and ISO Standards (PECB)
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr. Gohar has more than 10 years of experience in ISM/ITSM training and consultation. He is one of the expert reviewers of the CISA RM 26th edition (2016) and an ISM Senior Trainer/Consultant at EGYBYTE.
Link to the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
TOGAF is a high-level and holistic approach to design, which is typically modeled at four levels: business, application, data, and technology. It tries to give information architects a well-tested overall starting model, which can then be built upon. It relies heavily on modularization, standardization, and already existing, proven technologies and products.
For more information please follow the link below:
http://www.xoomtrainings.com/course/togaf
For a TOGAF 9.1 Online Training demo please see the link below:
https://www.youtube.com/watch?v=TF-h6yUc9eo
For general queries email us at sales@xoomtrainings.com or call +1-610-686-8077
Supporting material for my Webinar to the ACS - June 2017 (Daljit Banger)
The attached slide deck was used to support a webinar for the Australian Computer Society (Queensland) on June 1st 2017.
It combines some previously used slides with modified content and some additional slides to support the webinar theme.
Full Webinar Video can be seen at https://youtu.be/_41-izCm5rw
Framework for developed simple architecture enterprise fdsae (csandit)
This article presents a framework for developing enterprise architecture based on the articulation of emerging paradigms for the development of enterprise information architecture [1]. The first comes from agile methods and is inspired by the Scrum model, which aims to simplify the complex task of developing quality software; the second comprises the process models oriented to the development of enterprise architectures, such as Zachman and TOGAF, within a Model-Driven paradigm together with software reference-architecture principles from the MDG paradigm. These approaches are integrated, eventually leading to the formulation and presentation of a framework for developing simple enterprise architecture (FDSAE). The goal is to present a simple, portable and understandable set of terms enabling the modeling and design of business information architecture in any organizational environment. In addition, there are important aspects related to the Unified Modeling Language (UML 2.5) and Business Process Modeling Notation (BPMN) that become tools to obtain the products in the FDSAE framework. This framework is an improved version of the MADAIKE framework [2] developed by the same authors.
Explore the comprehensive CISSP Certification Course syllabus with InfosecTra... (InfosecTrain Education)
Explore the comprehensive CISSP Certification Course syllabus with InfosecTrain's CISSP Online Training. Covering eight domains essential for Information Security Professionals, our program delves into topics like Security and Risk Management, Asset Security, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, Software Development Security, and Security Architecture and Engineering. With our expert-led training, you'll acquire the knowledge and skills needed to ace the CISSP exam and excel in the field of cybersecurity.
Visualizing BI technical cyber risks. Enterprise Risk and Security (BiZZdesign)
A method for business impact analysis of technical risks is explained, which combines the disciplines of technical risk analysis and Enterprise Architecture. Our method is supported by software tooling to (semi-)automatically import the results of a penetration test into an Enterprise Architecture model, and to analyze and visualize the business impact of these technical risks. This both enhances the value of penetration testing and increases the return on investment of the Enterprise Architecture effort.
The contents of this presentation were originally created as part of comprehensive datacentre relocation planning activities.
The presentation depicts the key focus areas for creating a technical and solution based workshop agenda to extract relevant information as quickly as possible.
Architecture Series 5-4 Solution Architecture Draft (Frankie Hsiang)
Use Solution Architecture as a tool to produce solid solutions that fully meet business needs, stay within budget, deploy on schedule, are easy to maintain, and use fewer resources.
Similar to Enterprise Security Architecture Design (20)
Digital Personal Data Protection (DPDP) Practical Approach For CISOs (Priyanka Aash)
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, lists them, and maps them to other relevant projects such as STRIDE and MITRE. Security professionals can better understand which attack vectors are commonly utilized in attacks, see examples from previous events, and learn where they should focus their controls and security efforts.
Discusses security incidents and business use cases, understanding Web 3 pros and Web 3 cons, prevention mechanisms, and how to make sure that it doesn’t happen to you.
Emerging New Threats And Top CISO Priorities in 2022, Bangalore (Priyanka Aash)
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow Logs (Priyanka Aash)
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past, and how, in a world of no perimeters, Cloud Security Groups, the "Cloud Firewalls", fit in. We will practically explore Cloud Security Group limitations across different cloud setups, from a single vNet to multi-cloud.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain how to transform organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, systems need to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of ethical hacking. An ethical hacker's job is to scan for vulnerabilities and to find potential threats on a computer or network. An ethical hacker finds the weaknesses or loopholes in a computer, web application or network and reports them to the organization. It requires a thorough knowledge of networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, attacks etc. In this session, you will learn all about ethical hacking. You will understand what ethical hacking is, learn about cyber-attacks and tools, and see some hands-on demos. This session will also guide you through the various ethical hacking certifications available today.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I was wondering, as an “infrastructure container Kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud-native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and what could be beneficial for or limiting your AI use cases in an enterprise environment. An interactive demo will give you some insights into the approaches I already got working for real.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerabilities and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and making things work, along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and application security integrated in the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips and strategies for successful relationship building that leads to closing the deal.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
2. Enterprise Architecture
• A field born about 30 years ago
• Initially targeted to address two problems
– System complexity
– Inadequate business alignment
– Resulting in
• More Cost, Less Value
4. A Brief History of Enterprise Architecture
• 1987: Zachman’s first article
• 1994: TAFIM released
• 1996: Clinger-Cohen bill passed
• 1998: TAFIM retired
• 1999: FEAF 1.2 released
• 2002: FEA replaces FEAF
• 2003: TOGAF EE 8.0 released
• 2003: FEA mostly complete
• 2011: TOGAF 9.1
5. Zachman Framework (1)
• The Zachman "Framework" is actually a taxonomy for organizing architectural artifacts (in other words, design documents, specifications, and models) that takes into account both who the artifact targets (e.g. business owner and builder) and what particular issue (e.g. data and functionality) is being addressed
• Two dimensions
– Players in the game
– Architectural Artifacts
• Players in the game: Actors
• Architectural Artifacts: the What, How, Where, When, Who and Why
• The second dimension is independent of the first
– Both the Builder and the Owner need to know the ‘What’
– But they need to know a different ‘What’
• From a Business Owner’s perspective, ‘Data’ means business entities
– Example: Customer, Product, Demographic Groups, Inventory
• From the developer’s (i.e. Builder’s) perspective, ‘Data’ means rows and columns organized into tables, with mathematical joins to implement relationships
6. Zachman Framework (2)
• The Zachman Framework is typically depicted as a 6 x 6 matrix
– Columns: Communication Interrogatives
– Rows: Reification Transformations
– The Framework Classification is represented by 36 cells
– Each cell represents a player’s perspective (e.g. business owner) and a descriptive focus (e.g. data)
• Moving horizontally changes the description of the system while keeping the same player’s perspective
• Moving vertically pins down a single focus but changes the player
8. How the Zachman Taxonomy can help in building a system architecture
• First: use the Zachman Taxonomy to ensure that every architecture artifact lives in one and only one cell
• Second: achieve architectural completeness by completing every cell
• Third: cells in a column should be related to each other
9. Five Ways the Zachman Taxonomy can help in building enterprise architecture
• Five ways the Zachman Taxonomy can help:
– Ensure that every stakeholder’s perspective has been considered for every descriptive focal point
– Improve the Enterprise Architecture artifacts themselves by sharpening each of their focus points to one particular concern for one particular audience
– Ensure that all of the CxO’s business requirements can be traced down to some technical implementation
– Convince the business functions of the organization that the technical team isn’t planning on building a bunch of useless functionality
– Convince the technology team that the business folks are including IT teams in their planning
10. What the Zachman Taxonomy does not provide
• Does not provide a step-by-step process to create a new architecture
• Does not provide much help in validating an architecture
• Does not provide help in deciding a future architecture
11. Cyber Security Frameworks
• A Cyber Security Framework is a risk-based compilation of guidelines designed to help organizations assess current capabilities and draft a prioritized roadmap toward improved cybersecurity practices
Source: NIST
12. Well Known Cyber Security Frameworks
• ISO/IEC 27001 & 27002 (formerly ISO 17799)
• NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations
• Sherwood Applied Business Security Architecture (SABSA)
• NIST SP 800-39: Risk Management Framework
• Security in Major IT Management Frameworks
13. What is SABSA
• Methodology for:
– Developing business-driven, risk and opportunity focused enterprise security & information assurance architectures
– Delivering security infrastructure & service management solutions that traceably support critical business initiatives
• Comprised of a number of integrated frameworks, models, methods and processes, including:
– Business Requirements Engineering Framework (also known as Attributes Profiling)
– Risk & Opportunity Management Framework
– Policy Architecture Framework
– Security Services-Oriented Architecture Framework
– Governance Framework
– Security Domain Framework
– Through-life Security Service & Performance Management
15. How is SABSA Used
• Information Assurance
• Governance, Compliance & Audit
• Policy Architecture
• Security service management
• IT Service management
• Security performance management, measures & metrics
• Service performance management, measures & metrics
• Over-arching decision-making framework for end-to-end solutions
• Enterprise Security Architecture
• Enterprise Architecture
• Individual solutions-based Architectures
• Seamless security integration & alignment with other frameworks (including TOGAF, ITIL, ISO27000 series, Zachman, DoDAF, CobIT, NIST, etc.)
• Filling the security architecture and security service management gaps in other frameworks
• Business requirements engineering
• Solutions traceability
• Risk & Opportunity Management
16. Sherwood Applied Business Security Architecture (SABSA) Model
The SABSA Model comprises six layers. It is based on the well-known Zachman framework for developing a model for enterprise architecture, although it has been adapted somewhat to a security view of the world.
17. SABSA Model
• Comprises six layers
• Based on the Zachman framework/taxonomy
• The Security Service Management Architecture has been placed vertically across the other five layers
– Security management issues arise in every horizontal layer
• Each horizontal layer is made of a series of vertical communication interrogatives
– What (Assets)
– Why (Motivation)
– How (Process and Technology)
– Who (People)
– Where (Location)
– When (Time)
23. Approach of Discussing SABSA
• Business Context and Requirements
• Policy Architecture
• Architecture Strategies
• Planning and Performance Management
• Scope of current discussion
– Business context and requirements
– Architecture strategies
– Planning and performance management
• These would be discussed in terms of framework and implementation
26. Scope: Strategy & Planning Phase - Assets
Business Driver Development
BAP with KPI’s and KRI’s
27. Business Driven Architecture
• Being business-driven means never losing sight of the organisation’s goals, objectives, success factors and targets, and ensuring that the security strategy demonstrably supports, enhances and protects them
• The contextual architecture captures and presents the full set of relevant requirements for the scope of the assignment
– Including conflicts in business strategy, risks & priorities
– At this stage we are confirming that they are complete and that we understand them
– The conceptual layer will later resolve these conflicts by delivering an appropriate, measurable security strategy
28. Credible Abstraction is Key
• Meaningful traceability is enabled by credible abstraction from business context (assets, goals & objectives) to a business security context
• Traceability therefore starts by delivering two slightly different sets of requirements:
29. Business Attributes
• An Attribute is a conceptual abstraction of a real business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture)
• The Attributes Profiling technique enables any unique set of business requirements to be engineered as a standardized and re-usable set of specifications
• The Attributes are modeled into a normalized language that articulates requirements and measures performance in a way that is instinctive to all stakeholders
30. Attributes Profiling Rules & Features
• Attributes can be tangible or intangible
• Each attribute requires a meaningful name and a detailed definition customized specifically for a particular organization
• Each attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for security
• Attributes must be validated (and preferably created) by senior management & the business stakeholders by report, interview or facilitated workshop
• The performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phase
• Powerful requirements engineering technique
• Populates the vital ‘missing link’ between business requirements and technology / process design
33. Sample of Business Drivers
Driver # – Business Driver
BD1 – Protecting the reputation of the Organization, ensuring that it is perceived as competent in its sector
BD2 – Providing support to the claims made by the Organization about its competence to carry out its intended functions
BD3 – Protecting the trust that exists in business relationships and propagating that trust across remote electronic business communications links and distributed information systems
BD4 – Maintaining the confidence of other key parties in their relationships with the Organization
BD5 – Maintaining the operational capability of the Organization’s systems
BD6 – Maintaining the continuity of service delivery, including the ability to meet the requirements of service level agreements where these exist
BD7 – Maintaining the accuracy of information
BD8 – Maintaining the ability to govern
36. Business Attributes
Business Attribute categories: User Attributes, Management Attributes, Risk Management Attributes, Legal/Regulatory Attributes, Technical Strategy Attributes, Operational Attributes, Business Strategy Attributes
Business Attribute – Business Attribute Definition – Suggested Measurement Approach – Metric Type
User Attributes
Accessible – Information to which the user is entitled to gain access should be easily found and accessed by that user. – Search tree depth necessary to find the information – Soft
Accurate – The information provided to users should be accurate within a range that has been pre-agreed upon as being applicable to the service being delivered. – Acceptance testing on key data to demonstrate compliance with design rules – Hard
Anonymous – For certain specialized types of service, the anonymity of the user should be protected. – Rigorous proof of system functionality (Hard); Red team review (Soft)
Consistent – The way in which log-in, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access. – Conformance with design style guides; Red team review – Soft
Current – Information provided to users should be current and kept up to date, within a range that has been pre-agreed upon as being applicable for the service being delivered. – Refresh rates at the data source and replication of refreshed data to the destination. – Hard
37. Attribute Profile
Business Attribute categories: User Attributes, Management Attributes, Risk Management Attributes, Legal/Regulatory Attributes, Technical Strategy Attributes, Operational Attributes, Business Strategy Attributes
Business Attribute – Business Driver – Business Attribute Definition – Measurement Approach – Metric – Performance Target
User Attributes
Accessible – 5 – Information to which the user is entitled to gain access should be easily found and accessed by that user. – Search tree depth necessary to find the information – Soft
Accurate – 7 – The information provided to users should be accurate within a range that has been pre-agreed upon as being applicable to the service being delivered. – Acceptance testing on key data to demonstrate compliance with design rules – Hard
Anonymous – 4 – For certain specialized types of service, the anonymity of the user should be protected. – Rigorous proof of system functionality (Hard); Red team review (Soft)
Consistent – 23, 41 – The way in which log-in, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access. – Conformance with design style guides; Red team review – Soft
Current – 7 – Information provided to users should be current and kept up to date, within a range that has been pre-agreed upon as being applicable for the service being delivered. – Refresh rates at the data source and replication of refreshed data to the destination. – Hard
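As an added example that is not part of the presentation, the following Python models an attribute profile like the one above and checks it against the profiling rules of slide 30 (detailed definition, measurement approach with a Hard/Soft metric type, performance target, stakeholder validation), then reports the business drivers that no attribute traces back to. The driver links, targets and sign-offs in the sample profile are constructed for illustration, not the deck’s own mapping.

```python
"""Added example (not from the presentation): a small SABSA Attribute Profile
model with the checks implied by the Attributes Profiling rules (slide 30) and
the driver-to-attribute traceability goal (slides 9 and 28)."""
from dataclasses import dataclass

# Business drivers BD1..BD8, abbreviated from the slide 33 sample.
DRIVERS = {
    "BD1": "Protecting the reputation of the Organization",
    "BD2": "Supporting the claims made by the Organization about its competence",
    "BD3": "Protecting the trust that exists in business relationships",
    "BD4": "Maintaining the confidence of other key parties",
    "BD5": "Maintaining the operational capability of the Organization's systems",
    "BD6": "Maintaining the continuity of service delivery",
    "BD7": "Maintaining the accuracy of information",
    "BD8": "Maintaining the ability to govern",
}

METRIC_TYPES = {"Hard", "Soft"}  # slide 70: Hard = quantitative, Soft = qualitative


@dataclass
class Attribute:
    name: str
    definition: str
    drivers: tuple            # business drivers this attribute abstracts (slide 29)
    measurements: tuple       # (measurement approach, metric type) pairs
    target: str = ""          # performance target, set in Strategy & Planning
    validated_by: tuple = ()  # stakeholders who signed the attribute off


def check_attribute(attr):
    """Return the rule violations for one attribute (empty list = compliant)."""
    problems = []
    if not attr.definition.strip():
        problems.append("missing detailed definition")
    if not attr.measurements:
        problems.append("no measurement approach defined")
    for approach, mtype in attr.measurements:
        if mtype not in METRIC_TYPES:
            problems.append(f"unknown metric type {mtype!r} for {approach!r}")
    if not attr.target:
        problems.append("no performance target set")
    if not attr.validated_by:
        problems.append("not validated by business stakeholders")
    if not attr.drivers:
        problems.append("traces to no business driver")
    return problems


def validate_profile(profile):
    """Map attribute name -> violations, for attributes that break a rule."""
    return {a.name: p for a in profile if (p := check_attribute(a))}


def traceability_gaps(profile):
    """Drivers that no attribute abstracts: requirements that cannot yet be
    traced from business context down to a security specification."""
    covered = {d for a in profile for d in a.drivers}
    return sorted(d for d in DRIVERS if d not in covered)


# Constructed sample profile using the User Attributes of slides 36/37; the
# driver links, targets and sign-offs are illustrative, not the deck's own.
SAMPLE_PROFILE = [
    Attribute("Accessible", "Entitled information is easily found and accessed.",
              ("BD5",), (("Search tree depth to find the information", "Soft"),),
              target="<= 3 levels", validated_by=("CIO",)),
    Attribute("Accurate", "Information is accurate within a pre-agreed range.",
              ("BD7",), (("Acceptance testing on key data", "Hard"),),
              target="100% of key data passes", validated_by=("COO",)),
    Attribute("Anonymous", "User anonymity is protected for specialized services.",
              ("BD3", "BD4"), (("Rigorous proof of system functionality", "Hard"),
                               ("Red team review", "Soft"))),
    Attribute("Current", "Information is kept up to date within a pre-agreed range.",
              ("BD7",), (), target="refresh <= 15 min", validated_by=("COO",)),
]
```

Running `validate_profile(SAMPLE_PROFILE)` flags Anonymous (no target, no sign-off) and Current (no measurement approach), and `traceability_gaps(SAMPLE_PROFILE)` lists BD1, BD2, BD6 and BD8 as drivers still lacking an attribute.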
40. Alignment, Integration & Compliance Strategy
• Understand what needs to be aligned, to what purpose, and where it is positioned within the SABSA framework
• Business model or business process framework
• Legislation, regulation or governance frameworks
• Risk management methods, assurance framework or audit approach
• IT Architecture framework or method
• Controls framework, library or standard
• Performance management & reporting framework
47. Application of Multi-tiered Controls In Risk
• The multi-tiered controls strategy is modeled against the risk assessment to determine a proportional and appropriate response
• Contributes to selection of the right control in the right place at the right time
• Enables further removal of subjectivity in selection of Risk Treatments
• Facilitates construction of databases and risk management tools that respond to definitive risk scenarios with definitive control decisions
• Increases speed and ease of use of Risk Assessment
54. Implementation Phase & Approach
• Implementation is an important part of the lifecycle but the SABSA Matrix does not define a specific implementation layer
– No need to re-invent Prince2 or PMI etc.
• Notoriously difficult to gain business support and budget for pure infrastructure projects
• Rare that a major strategic enterprise-wide security architecture is implemented as a single project
• More likely (and more sensible) is that the architecture provides a blue-print and a road-map that guides a whole series of separate implementation projects, each of which is driven by a specific business initiative and funded by a budget associated with that initiative
55. Manage & Measure Phase – Lifecycle Overlay
• SABSA Architecture traceably abstracts from pure Business Context to:
– Pure technical deployment in the Component layer
– Pure management in the Service Management layer
• The Service Management layer defines all aspects of security management and constructs the means to manage and incorporate change by being presented vertically across the other layers:
– Strategy (Context & Concept Layers)
– Tactics (Logical, Physical, & Component Layers)
– Operations (Security Service Management Matrix)
61. Process Improvement Framework – SABSA Maturity Profile (SMP)
• Coordinates SABSA process information from all parts of the business
– Demonstrates due diligence to senior management, auditors and regulators
• Based on Capability Maturity Modeling (CMM) concepts
– Qualitative measurement technique for maturity of processes
– Six domains mapped onto the SABSA Matrix
– Consistent, objective 5-point maturity scale
• Identifies, measures and reports compliance practices
– Against the SABSA framework, model and processes
– Provides a gap analysis to drive a SABSA improvement programme
• Can be implemented through a web-enabled tool for
– Ease of use, wide involvement, quick responses
• Regular use tracks progress and measures changes
– Benchmarking against target maturity
62. SABSA Maturity Profile Process Areas
SMP Process Areas and SMP Process Activities
• Each of the six SMP domains is decomposed into six SMP Process Areas
• These SMP Process Areas map onto the six cells of the row of the SABSA Matrix corresponding to the particular SMP domain
• The SMP Process Activities are then derived by overlaying the SABSA Service Management Matrix onto the SMP Process Areas
66. Architecture Measurement Categories
• Completeness
– Do we have all of the components?
– Do they form an integrated system?
• Assurance
– Does the system run smoothly?
– Are we assured that it is properly assembled?
– Is the system fit-for-purpose?
• Compliance
– Do we maintain the system?
– Do we follow the architecture roadmap?
– Do we comply with the rules?
• Performance
– Is the system properly tuned?
– Do the components work together?
– Do we operate the system correctly?
• Justification & significance
– Does the system have business value?
67. Measurement Approaches
• High level statements of the approach to obtaining a measurement
• Appropriate to the business need
• In the language of the intended audience
• Culturally specific
68. Measurement Guidelines
• Measurement should be a repeatable process (for comparison & prediction)
• Measurement should have a clear communications role
– Tracking performance
– Assigning resources
• Measurement should yield quantifiable metrics (percentage, average, numbers, values, etc.)
69. Metrics Guidelines
• Data used to calculate metrics should be readily obtainable
• Metrics may (should) be calculated independently of parties with vested interest
• The type of metric used may change in line with the maturity of the security process, e.g. when you are highly compliant, consider changing from a conformance measure to a significance measure
• Performance metric / trend should be tested prior to going ‘live’
• Expectations management is key
70. Types of Metric
• Soft Metrics
– Usually qualitative
– Subjective
– Open to interpretation and opinion (usually of the authority setting the target or of an official compliance agent such as a regulator or auditor)
• Hard Metrics
– Usually quantitative
– Objective
– Fixed, not open to opinion or interpretation
71. Types of Metric
• Descriptive
– Describes the current state of the object / attribute being measured
• Comparative
– Describes the current state of the object / attribute being measured in comparison with a similar object / attribute relating to a different place and/or time
• Predictive
– Describes the current state of the object / attribute being measured in relation to its trend in order to project and predict a future state
Enterprise architecture essentially started in 1987 with the publication in the IBM Systems Journal of an article titled "A Framework for Information Systems Architecture" by J.A. Zachman, in which he laid out both the challenge and the vision of enterprise architectures that would guide the field for the next 20 years
The U.S. DoD Technical Architecture Framework for Information Management (TAFIM) was introduced in 1994 and influenced the creation of the Clinger-Cohen Act of 1996, which was aimed at improving the effectiveness of Government IT investments
Federal Enterprise Architecture Framework version 1.1 was released in 1999
FEAF was renamed to FEA in 2002
TAFIM was retired in 1998 and the work done was turned over to The Open Group, where it morphed into what is today known as TOGAF (The Open Group Architecture Framework)