M. M. Veeraragaloo
March 2016
Agenda
• Strategy and Planning
• Risk and Opportunity
• Business Context and Requirements
• Architectural Strategies
  • Internet of Things / Everything
  • Cloud
  • Bi-Modal
  • Digitisation / Disruptors
  • Bring Your Own Identity (BYOID)
  • Choose Your Own Device (CYOD)
Strategy and Planning
Does Enterprise Architecture Drive the Strategy?
Source: Enterprise Architecture as a Strategy
Source: TOGAF Capability Framework
Source: FEAF
Source: Gartner
Architecture Supports Strategy
Every morning in Africa, a Gazelle wakes up. It knows it must run faster than the fastest lion… or it will be killed.
Business View – Survival Strategy
When the sun comes up in Africa, it doesn’t matter what shape you are: if you want to survive, what matters is that you’d better be running!
Every morning in Africa, a Lion wakes up. It knows it must run faster than the slowest Gazelle… or it will die of starvation.
Is it better to be a Lion or a Gazelle?
Strategy and Planning
Security in Context?
• The Business Prevention Department
• Security is Complex to Define
• Security Does Not Exist in Isolation
• ‘SECURE’ has no intrinsic meaning
• Too much emphasis on Technology
• Silo Approach to Security
Strategy and Planning
Enterprise Security Architecture?
• Layered Framework
• Integrated System Approach
• Security meets the Needs of Business
Strategy and Planning
Feature | Advantages | Chairman / Board View
Business-Driven | Value-Assured | Protects shareholder value
Risk Focused | Prioritised and Proportional | Optimizes shareholder risk & aligns with risk appetite
Comprehensive | Scalable Scope | Addresses all shareholder concerns
Modular | Agility | Enables flexibility to meet dynamic market & economic conditions
Open Source | Free use, Standard | Guarantees perpetuity of return on investment
Auditable | Demonstrates Compliance | Demonstrates compliance to regulators & external auditors
Transparent | Two Way Traceability | Supports market transparency & disclosure
Enterprise Security Architecture Framework?
Strategy and Planning
Feature | Advantages | CEO View
Business-Driven | Value-Assured | Protects corporate reputation
Risk Focused | Prioritised and Proportional | Meets corporate governance requirements
Comprehensive | Scalable Scope | Meets enterprise-wide requirements
Modular | Agility | Enables fast time to market with business solutions
Open Source | Free use, Standard | Provides assurance through industry standard
Auditable | Demonstrates Compliance | Ensures a smooth & successful external & regulatory audit process
Transparent | Two Way Traceability | Provides a clear view of expenditure and value returned
Enterprise Security Architecture Framework?
Strategy and Planning
Feature | Advantages | CFO View
Business-Driven | Value-Assured | Ensures efficient return on investment
Risk Focused | Prioritised and Proportional | Improves predictability & consistency
Comprehensive | Scalable Scope | Supports scalable, granular budgeting
Modular | Agility | Facilitates effective management of capital & operational costs
Open Source | Free use, Standard | Eliminates expensive & on-going license fees
Auditable | Demonstrates Compliance | Minimizes cost of management time dealing with audit processes
Transparent | Two Way Traceability | Enables full auditability for effectiveness of expenditure
Enterprise Security Architecture Framework?
Strategy and Planning
Feature | Advantages | COO View
Business-Driven | Value-Assured | Focuses on performance management
Risk Focused | Prioritised and Proportional | Enables process improvement
Comprehensive | Scalable Scope | Provides end-to-end process coverage
Modular | Agility | Integrates legacy and future environments
Open Source | Free use, Standard | Simplifies recruitment and training
Auditable | Demonstrates Compliance | Minimises adverse effect of audit findings on performance targets
Transparent | Two Way Traceability | Measures efficiency & effectiveness of processes & resources
Enterprise Security Architecture Framework?
Strategy and Planning
Feature | Advantages | CRO View
Business-Driven | Value-Assured | Enables flexible fit with industry regulations
Risk Focused | Prioritised and Proportional | Supports enterprise risk & opportunity management
Comprehensive | Scalable Scope | Enables a fully-integrated risk management strategy
Modular | Agility | Enables incrementally increasing maturity
Open Source | Free use, Standard | Provides global acceptability for auditors & regulators
Auditable | Demonstrates Compliance | Ensures that compliance risk is effectively managed
Transparent | Two Way Traceability | Demonstrates current state, desired state of compliance levels
Enterprise Security Architecture Framework?
Strategy and Planning
Feature | Advantages | CIO View
Business-Driven | Value-Assured | Enables a digital information-age business
Risk Focused | Prioritised and Proportional | Identifies information exploitation opportunities
Comprehensive | Scalable Scope | Sustains through-life information architecture
Modular | Agility | Enables technology-neutral information management strategies
Open Source | Free use, Standard | Provides a future-proof framework for information management
Auditable | Demonstrates Compliance | Facilitates smooth & successful audits of systems & processes
Transparent | Two Way Traceability | Encourages fully integrated people-process-technology solutions
Enterprise Security Architecture Framework?
Strategy and Planning
Feature | Advantages | CISO View
Business-Driven | Value-Assured | Facilitates alignment of security strategy with business goals
Risk Focused | Prioritised and Proportional | Facilitates prioritization of security and risk-control solutions
Comprehensive | Scalable Scope | Ensures all business security & control concerns are addressed
Modular | Agility | Enables a project-focused approach to security development
Open Source | Free use, Standard | Provides a sustainable framework for security integration
Auditable | Demonstrates Compliance | Supports security, risk & opportunity review processes
Transparent | Two Way Traceability | Provides traceability of business-aligned security implementations
Enterprise Security Architecture Framework?
Strategy and Planning
Feature | Advantages | CTO / Architect View
Business-Driven | Value-Assured | Leverages the full power of information technology
Risk Focused | Prioritised and Proportional | Manages information system risk
Comprehensive | Scalable Scope | Applies at any project size or level of complexity
Modular | Agility | Provides a holistic and integrated architectural approach
Open Source | Free use, Standard | Avoids vendor-dependence and lock-in
Auditable | Demonstrates Compliance | Improves relationship and interactions with auditors & reviewers
Transparent | Two Way Traceability | Verifies justification and completeness of technical solutions
Enterprise Security Architecture Framework?
Strategy and Planning
Sherwood Applied Business Security Architecture (SABSA)
SABSA META MODEL
SABSA Matrix
SABSA and TOGAF
Risk and Opportunity
• Regulatory Drivers for Operational Risk Management
  • BASEL II, SOX, Corporate Governance, PCI, HIPAA
  • ISO 31000 – Improved planning through provision of information for decision-making
• Risk Management
  • Strategic, operational and business imperative
• Risk Analysis Measures Risk Elements
  • Valuing assets, Identifying threats, Quantifying business impacts, Identifying vulnerabilities
• Issues with Threat-driven Approach
  • Technical threats are not well understood by stakeholders
• Impact-based Approach
  • Provides a good view of business criticality
• Operational Risk – SABSA Approach
  • Business enablement is achieved through excellence in operational processes, people and technical systems
Risk and Opportunity
SABSA Risk & Opportunity Model
Business Context and Requirements
• Business-Driven means never losing sight of the organisation’s goals, objectives, success factors and targets.
• Ensuring that the security strategy demonstrably supports, enhances and protects this.
• Contextual Architecture Layer
  • Full Set of Requirements, including conflicts in Business Strategy, Risks & Priorities
• Conceptual Architecture Layer
  • Resolve these conflicts by delivering an appropriate, measurable security strategy
Business Driven Architecture
Business Context and Requirements
• Each Organisation’s Business Needs are Unique
• Meaningful traceability is enabled by credible abstraction from business context (assets, goals & objectives) to a business security context
Business Driven Architecture
Business Context and Requirements
• An Attribute is a conceptual abstraction of a real business requirement (the goals, objectives, drivers, targets, and assets confirmed as part of the business contextual architecture)
• The Attributes Profiling technique enables any unique set of business requirements to be engineered as a standardised and re-usable set of specifications
• The Attributes are modeled into a normalised language that articulates requirements and measures performance in a way that is instinctive to all stakeholders
Defining Business Attributes
Business Context and Requirements
• Attributes can be tangible or intangible
• Each attribute requires a meaningful name and detailed definition customised specifically for a particular organisation
• Each attribute requires a measurement approach and metric to be defined during the SABSA Strategy & Planning phase to set performance targets for security
• Attributes must be validated (and preferably created) by senior management & the business stakeholders by report, interview or facilitated workshop
• The performance targets are then used as the basis for reporting and/or SLAs in the SABSA Manage & Measure phase
• Powerful requirements engineering technique
• Populates the vital ‘missing link’ between business requirements and technology / process design
Attributes Profiling Rules & Features
Business Context and Requirements
Sample Taxonomy of Attributes
Architectural Strategies
• Define the Business Drivers for the Industry
Driver # | Business Drivers
BD1 | Protecting the reputation of the Organization, ensuring that it is perceived as competent in its sector
BD2 | Providing support to the claims made by the Organization about its competence to carry out its intended functions
BD3 | Protecting the trust that exists in business relationships and propagating that trust across remote electronic business communications links and distributed information systems
BD4 | Maintaining the confidence of other key parties in their relationships with the Organization
BD5 | Maintaining the operational capability of the Organization’s systems
BD6 | Maintaining the continuity of service delivery, including the ability to meet the requirements of service level agreements where these exist
BD7 | Maintaining the accuracy of information
BD8 | Maintaining the ability to govern
BD9 | Preventing losses through financial fraud
BD33 | Ensuring that security services can be extended to all user locations, to all interface types and across all network types that will be used to support delivery
BD34 | Maximize the economic advantage of the Enterprise Security Architecture
BD35 | Security services to be supported through electronic communications, without the need for physical transfer of documents or storage media.
BD36 | System security solutions should as far as possible comply with internal and external standards and best practices
BD37 | The Security Architecture should be independent of any specific vendor or product, and should be capable of supporting multiple products from multiple vendors
BD38 | The Security Architecture must remain compatible with new technical solutions as these evolve and become available, and with new business requirements as these emerge, with a minimum of redesign
BD39 | The Security Architecture must be able to be adapted to counter new threats and vulnerabilities as they are discovered
BD40 | Ensure that the required internal and external cultural shift is achieved to support the Security Architecture
BD41 | Ensuring accurate information is available when needed
BD42 | Minimise the risk of loss of key customer relationships
BD43 | Minimize the risk of excessive loading on insurance premiums due to negligence on the Organization’s behalf or lack of due diligence
Architectural Strategies
• Define the Business Attributes for the Industry
Business Attributes
  • User Attributes
  • Management Attributes
  • Risk Management Attributes
  • Legal/Regulatory Attributes
  • Technical Strategy Attributes
  • Operational Attributes
  • Business Strategy Attributes
Business Attribute | Business Attribute Definition | Suggested Measurement Approach | Metric Type
User Attributes
Accessible | Information to which the user is entitled to gain access should be easily found and accessed by that user. | Search tree depth necessary to find the information | Soft
Accurate | The information provided to users should be accurate within a range that has been preagreed upon as being applicable to the service being delivered. | Acceptance testing on key data to demonstrate compliance with design rules | Hard
Anonymous | For certain specialized types of service, the anonymity of the user should be protected. | Rigorous proof of system functionality; Red team review | Hard; Soft
• Business Attribute integrated with Measurements for the Industry
Architectural Strategies
• Integrate the Business Drivers and Business Attributes for the Industry
• Business Attribute integrated with Measurements for the Industry
Business Attribute | Business Driver | Business Attribute Definition | Measurement Approach | Metric | Performance Target
User Attributes
Accessible | 5 | Information to which the user is entitled to gain access should be easily found and accessed by that user. | Search tree depth necessary to find the information | Soft |
Accurate | 7 | The information provided to users should be accurate within a range that has been preagreed upon as being applicable to the service being delivered. | Acceptance testing on key data to demonstrate compliance with design rules | Hard |
Anonymous | 4 | For certain specialized types of service, the anonymity of the user should be protected. | Rigorous proof of system functionality; Red team review | Hard; Soft |
Architectural Strategies
Architectural Strategies
Internet of Things / Everything
Architectural Strategies
Cloud Computing
• Data Sovereignty
• Data Protection
• Provider Trust Management
• Business Continuity Management
• Risk Management
Architectural Strategies
Architectural Strategies
Source: An Enterprise Architecture Practitioner’s Notes: Volume 3 Solution Level Architecture
Bimodal
Architectural Strategies
Digitisation / Disruptors
Digital Disruptors
Source: Gartner 2015
Architectural Strategies
Digitisation / Disruptors
Digital Disruptors
Architectural Strategies
Bring Your Own Identity (BYOID)
• Security Risk? or Business Advantage?
• What is the Business Value?
• Is it part of the Corporate Strategy?
• Loss of Control vs Cost
Architectural Strategies
• Employees appreciate using the device with which they are most comfortable.
• Requires employees to choose from a list of preapproved devices.
• Business Models
• Cloud Services
• Bimodal Services
• Digital Disruptors
• IoT
• Green IT
• BYOD
• CYOD
• BYOID
• Big Data
The Journey is the Reward ~ Chinese Proverb

ESA for Business


Editor's Notes

  • #5 All Enterprise Architectures refer to the Strategy and how it will be driving this Strategy within the organisation
  • #7 The Legacy of Security within the Organisation
  • #9 Requires an ESA that can cater for different views from a CXO perspective
  • #37 The IoT comprises an ecosystem that includes things, communication, applications and data analysis. As IoT use grows, ensuring IoT device authentication is crucial. A lack of authentication standards for most IoT devices has led to highly customized authentication methods in the industry.
  • #38 Data Sovereignty – Are you allowed to store your data outside of the country – what laws allow / deny this? Data Protection – Data Privacy, Data Location, Data Management and Protection, Tenancy
  • #41 Digital business is the creation of new business designs that not only connect people and businesses, but also connect people and businesses with things to drive revenue and efficiency. Digital business helps to eliminate barriers that now exist among industry segments, while creating new value chains and business opportunities that traditional businesses cannot offer.
  • #42 Maintaining effective security starts with knowing what effect you need to achieve. This means you need to start by focusing on risk. Through risk assessment and risk management practices we can identify the critical outcomes for the enterprise and transform those outcomes into security tactics.
  • #43 Identity and Access Management – accessing anything from anywhere