The document provides an overview of enterprise security architecture and frameworks for cyber security. It discusses the SABSA and TOGAF frameworks for enterprise architecture and how they can be integrated. It proposes a framework for enterprise security architecture that incorporates requirements, standards for enforcement and practices, and industrialized security services. The framework aims to standardize security measures to assure customers and direct ICT production.
The presentations should help security professionals create security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrightTALK
HD version: http://1drv.ms/1eR5OQf
This is my publication on how the integration of the TOGAF Enterprise Architecture framework, the SABSA Enterprise Security Architecture framework, and Information Governance discipline add up to a robust and successful Information Security Management Program.
Enterprise Architecture
Enterprise Architectural Methodologies
A Brief History of Enterprise Architecture
Zachman Framework
Business Attributes
Features & Advantages
SABSA Lifecycle
SABSA Development Process
SMP Maturity Levels
Enterprise Security Architecture for Cyber Security (The Open Group SA)
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
A Practical Example of Using the SABSA Extended Security-in-Depth Strategy (Allen Baranov)
A practical example of using the SABSA extended Security-in-depth layer strategy. A little bit of insight into why and how I extended the original and how to use it to create Information Security Standards that have sound architecture behind them.
The intent of the paper is to propose a simple yet comprehensive technique to model enterprise security architecture and design aligned to SABSA that enables –
Standardisation of SABSA Enterprise Security Architecture framework by formalizing common language used in the form of ESA modelling notation
Reusability of model artefacts (not documents) to enable enterprise and department level collaboration and knowledge management
Generic or organisation specific Library of assets for various ESA artefacts such as – Business attribute profile(s), security services, mechanisms and components and associated views
Tool-assisted development using a separate toolbox for ESA that augments Enterprise Architecture (TOGAF) modelling using ArchiMate.
Enterprise Security Architecture was initially intended to address two problems:
1- System complexity
2- Inadequate business alignment
Resulting in more cost, less value.
What is a secure enterprise architecture roadmap? (Ulf Mattsson)
Webcast title : What is a Secure Enterprise Architecture Roadmap?
Description : This session will cover the following topics:
* What is a Secure Enterprise Architecture roadmap (SEA)?
* Are there different Roadmaps for different industries?
* How does compliance fit in with a SEA?
* Do blockchain, GDPR, Cloud, and IoT conflict with compliance regulations, complicating your SEA?
* How will quantum computing impact SEA roadmap?
Presenters : Juanita Koilpillai, Bob Flores, Mark Rasch, Ulf Mattsson, David Morris
Duration : 68 min
Date & Time : Sep 20 2018 8:00 am
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webinar/what-is-a-secure-enterprise-architecture-roadmap
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
The strategic importance of Information Security for organisations is gaining momentum. The current surge in cyber threats is compelling organisations to invest in information security to protect their assets. Rushing to protect assets often leads to excessive technology adoption without a valid strategic foundation. Enterprise Security Architecture is geared to address these issues, but is frequently misaligned with Enterprise Architecture. In this presentation we explore avenues for the adoption and enforcement of Security-By-Design in the Enterprise Architecture value-chain so as to position Risk, Security and IT as true business enablers.
We will explore why the current industry approach to security is failing us. We will then discuss how building security as an architecture can raise the security level for any organization. An architectural approach is required to take security to the next level and defend against modern threats. We will discuss how you can use Cisco solutions to build a true security architecture.
Information Security Architecture: Building Security Into Your Organization (Seccuris Inc.)
Controls and solutions can mitigate risk, but can also deeply undermine business productivity and the benefits that new technologies may bring. Harnessing the SABSA Information Security framework will allow your organization to build robust enterprise security architecture, directly supporting and enabling your organization's core objectives.
This presentation will highlight the key concerns you should be aware of within your organization and current security program, as well as provide specific recommendations to successfully move your security and compliance goals ahead. Learn more about the techniques and tools readily available in the industry and how you can use these tools to create immediate wins and security improvements in your organization.
Cybersecurity roadmap: Global healthcare security architecture (Priyanka Aash)
Using NIST cybersecurity framework, one of the largest healthcare IT firms in the US developed the global security architecture and roadmap addressing security gaps by architecture domain and common security capability. This session will discuss the architecture framework, capability matrix, the architecture development methodology and key deliverables.
(Source : RSA Conference USA 2017)
The Future of Security Architecture Certification (danb02)
Would you drive over a Bay Bridge built from an amateur building architect's blueprints? What if the architect passed a multiple choice test first - is that good enough?
Society's answer to these questions is obviously NO. But unlike building architects, security architects are not always required to have Certificates or Degrees and standards for such are lacking.
As information gains value, and we move from "information security" to also securing the Internet of Things, security architecture becomes increasingly consequence-laden and the question of required training and accreditation more pressing.
The slides are from a webinar in which LinkedIn Security Architecture group participants collaboratively explored the Future of Security Architecture Certification.
The Heatmap - Why is Security Visualization so Hard? (Raffael Marty)
This presentation explores why it is so hard to come up with a security monitoring (or shall we call it security intelligence) approach that helps find sophisticated attackers in all the data collected. It explores the question of how to visualize a billion events. To do so, the presentation dives deeply into heatmaps (matrices) as an example of a simple type of visualization. While these heatmaps are very simple, they are incredibly versatile and help us think about the problem of security visualization. They help illustrate how data mining and user experience design help get a handle on the security visualization challenges, enabling us to gain deep insight for a number of security use-cases.
To view recording of this webinar please use the below URL:
http://wso2.com/library/webinars/2016/06/enterprise-security-requirements/
Meeting enterprise security requirements has become challenging due to the development of orthogonal aspects. Systems are diverse because a single vendor can't cater to all these needs. Some enterprises also introduce public SaaS in addition to their internal on-premise systems. APIs are used to make data in these systems readily available in order to integrate with other systems and automate processes. Identity and access management (IAM) systems are expected to provide centralized authentication and authorization despite the increase in complexity of data, systems and identities.
This webinar will discuss how to
Enable SSO for heterogeneous systems
Handle different types of enterprise identities
Protect your data and APIs
Implement centralized authorization and authentication management
Changing the Security Landscape: An overview of the powerful SABSA Business Attributes Profiling technique and its applications and benefits, including two-way traceability, risk & opportunity management, strategic planning and executive reporting.
This presentation summarises earlier work (June 2007) on a restructure of IT-oriented frameworks and methods - Zachman and TOGAF 8 - for better alignment with whole-of-enterprise architecture.
[Review copyright (c) Tetradian 2007; original Zachman Framework copyright Zachman Associates; original TOGAF copyright The Open Group]
Michael W Meissner - Cyber Security Experience and Capabilities - 02/17/2015
Michael W. Meissner is a Solutions Architect, Infrastructure Architect and Cyber Security Engineer at Ethernautics, Inc.
Michael Meissner has over thirty years of relevant Information Systems and Information Technology experience. Mr. Meissner is a Cyber Security Engineer with over 20 years of Information Security practice. Mr. Meissner authored Information Security Patents.
This mind map of information security illustrates the complexity of the topic. Furthermore, this breakdown of the topic based on ontological and sociological principles discloses its importance for the welfare of future democratic (information) societies.
Enterprise Security Architecture: From access to audit (Bob Rhubart)
Paul Andres' presentation from OTN Architect Day in Pasadena, July 9, 2009.
Find an OTN Architect Day event near you: http://www.oracle.com/technology/architect/archday.html
Interact with Architect Day presenters and participants on Oracle Mix: https://mix.oracle.com/groups/15511
Docker Container As A Service
X11 Linux apps on mac in a container.
In container Java development with STS or Eclipse in a container.
Docker UCP and swarm load balancing with Interlock.
This briefing was given at I/ITSEC 2015 (30 Nov - 03 Dec 2015, Orlando, USA) and provides an introduction and overview of NATO's Modelling and Simulation Group 136 (MSG-136). MSG-136 investigates service-based approaches in context of M&S, commonly known as "M&S as a Service" (MSaaS).
Silicon Valley Grade IT and Cloud Maturity Assessment for Startup Ecosystem i... (Engin Deveci, Ph.D.)
This work is an effort of technologists from Ericsson and Microsoft who came together with the following goal:
Providing the ITU Teknokent ecosystem with institutionalized and structured ways of improving startups by:
Advising startups assessing the role of IT in their business strategy
Highlighting key Silicon Valley expectations on IT assets of startups
Assessing the maturity of ITU GATE Software Startup IT assets
Using public cloud services from Microsoft (Azure), Amazon (AWS), Google (GCP) for web-scale service development and operations
Collecting and analyzing data for valuable decision making in a service orien... (SpagoWorld)
The presentation supported the first part of a workshop on the Spago4Q platform, delivered at the SEcure Service-oriented Architectures Research (SESAR) Lab within the Computer Science Department of the "Università degli Studi di Milano" on December 18th, 2013.
Cloud Computing Deployments Should Begin With Service Definition - SOA architecture and How Cloud enhances ease of doing business in a scalable and reliable way.
Security in the Context of Business Processes: Thoughts from a System Vendor'... (Achim D. Brucker)
Enterprise systems in general, and process-aware systems in particular, store and process the most critical assets of a company. To protect these assets, such systems need to implement a multitude of security properties. Moreover, such systems often need to comply with various compliance regulations.
In this keynote, we present process-level security requirements as well as discuss the gap between the ideal world of process-aware information systems and the real world. We conclude our presentation by discussing several research challenges in the area of verifiable secure process aware information systems.
Introduction to Enterprise Architecture and TOGAF 9.1 (iasaglobal)
Santos Pardos will give us an overview of TOGAF. Over two hours, Santos will introduce us to The Open Group Architecture Framework (TOGAF), the Enterprise Architecture framework many of us have heard about. He will describe its proposed approach to the design, planning, implementation and governance of an enterprise information architecture. He will also review, at a high level, four levels or dimensions: Business Architecture, Application Architecture, Technology Architecture and Data Architecture.
Mark Sage (AREA): Fulfilling the Potential of AR for Enterprise (AugmentedWorldExpo)
A talk from the Work Track at AWE USA 2018 - the World's #1 XR Conference & Expo in Santa Clara, California May 30- June 1, 2018.
Mark Sage (AREA): Fulfilling the Potential of AR for Enterprise
Want to understand the status of the Enterprise AR market? Find out about the latest research, initiatives and benefits the only global alliance focused on developing the enterprise AR ecosystem is working on. This is a must see session for anyone interested in enterprise AR!
http://AugmentedWorldExpo.com
SABSA vs. TOGAF in a RMF NIST 800-30 context
2. Outline
• Cyber Security Overview
• TOGAF and Sherwood Applied Business Security Architecture (SABSA)
o Overview of SABSA
o Integration of TOGAF and SABSA
• Enterprise Security Architecture Framework
The Open Group EA Practitioners Conference - Johannesburg 2013 2
3. Cyber Security
1. What is Cyber Security?
2. How is Cyber Security related to information security?
3. How do I protect my company from malicious attacks?
The Four Types of Security Incidents
1. Natural Disaster
2. Malicious Attack (External Source)
3. Internal Attack
4. Malfunction and Unintentional Human Error
Information security: the "preservation of confidentiality, integrity and availability of information" (ISO/IEC 27001:2005).
"Cyber Security is to be free from danger or damage caused by disruption or fall-out of ICT or abuse of ICT. The danger or the damage due to abuse, disruption or fall-out can be comprised of a limitation of the availability and reliability of the ICT, breach of the confidentiality of information stored in ICT or damage to the integrity of that information." (The National Cyber Security Strategy 2011, Dutch Ministry of Security and Justice)
4. Cyber Security in Perspective
There is no official position about the differences between Cyber Security and Information Security.
Figure: Cyber Security positioned against four overlapping disciplines: Risk Management (ISO/IEC 27001:2005), Information Security (ISO/IEC 27000:2009), Information Technology, and Business Continuity (BS 25999-2:2007).
Source: 9 Steps to Cyber Security – The Manager's Information Security Strategy Manual (Dejan Kosutic)
5. Cyber Security in South Africa
Source: SA-2012-cyber-threat (Wolf Pack) [2012/2013 The South African Cyber Threat Barometer]
10. SABSA Life Cycle
In the SABSA Lifecycle, the development of the contextual and conceptual layers is grouped into an activity called Strategy & Planning. This is followed by an activity called Design, which embraces the design of the logical, physical, component, and service management architectures. The third activity is Implement, followed by Manage & Measure. The significance of the Manage & Measure activity is that once the system is operational, it is essential to measure actual performance against targets, to manage any deviations observed, and to feed back operational experience into the iterative architectural development process.
11. SABSA Taxonomy of ICT Business Attributes
12. SABSA Taxonomy of General Business Attributes
13. SABSA Operational Risk Model
15. A Central Role for Requirements Management
Linking the business requirements (needs) to the security services: TOGAF does this in the Requirements Management phase and SABSA does it via the Business Attributes Profile. These artefacts need to be linked to ensure traceability from business needs to security services.
16. Requirements Management in TOGAF using SABSA Business Attribute Profiling
• Business Attribute Profiling: This describes the level of protection required for each business capability.
• Requirements Catalog: This stores the architecture requirements, of which security requirements form an integral part. The Business Attribute Profile can form the basis for all quality requirements (including security requirements) and therefore has significant potential to fully transform the current TOGAF requirements management approach.
• Business and Information System Service Catalogs: TOGAF defines a business service catalog (in Phase B: Business Architecture) and an information system service catalog (Phase C: Information Systems Architecture). The creation of the information system services in addition to the core concept of business services is intended to allow more sophisticated modelling of the service portfolio.
• The Security Service Catalog: As defined by the SABSA Logical Layer, this will form an integral part of the TOGAF Information System Service Catalogs.
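The linkage that slides 15 and 16 ask for (Business Attribute Profile to Requirements Catalog to Security Service Catalog) is only useful if it can be checked in both directions: every business attribute must end up realised by some service, and every service must be justified by some attribute. The following Python is an added example, not code from the presentation, from The Open Group or from SABSA. The profile entries, requirement texts, service names, ids and targets are constructed for illustration; only the attribute names follow the style of the SABSA business attribute taxonomy.

```python
"""Two-way traceability check: SABSA Business Attribute Profile -> TOGAF
Requirements Catalog -> Security Service Catalog.

Added example, not code from the presentation.  All ids, texts and targets
below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class BusinessAttribute:
    aid: str          # profile entry id (constructed)
    name: str         # business attribute in SABSA style, e.g. "Confidential"
    capability: str   # business capability the attribute profiles
    target: str       # measurable target, checked in Manage & Measure


@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    derived_from: FrozenSet[str]   # attribute ids (contextual -> conceptual)


@dataclass(frozen=True)
class SecurityService:
    sid: str
    name: str
    satisfies: FrozenSet[str]      # requirement ids (conceptual -> logical)


# Constructed sample catalogs.  REQ-5 and SVC-5 are deliberately untraceable.
PROFILE = [
    BusinessAttribute("BA-1", "Confidential", "Customer onboarding",
                      "zero unauthorised disclosures of KYC data per year"),
    BusinessAttribute("BA-2", "Authenticated", "Customer onboarding",
                      "100% of sessions bound to a verified identity"),
    BusinessAttribute("BA-3", "Available", "Online payments",
                      "99.9% monthly availability"),
    BusinessAttribute("BA-4", "Auditable", "Online payments",
                      "every payment event logged and retained 7 years"),
    BusinessAttribute("BA-5", "Private", "Customer onboarding",
                      "personal data processed only for stated purposes"),
]
REQUIREMENTS = [
    Requirement("REQ-1", "KYC documents encrypted at rest and in transit", frozenset({"BA-1"})),
    Requirement("REQ-2", "MFA before any access to onboarding data", frozenset({"BA-2"})),
    Requirement("REQ-3", "Payment platform fails over across two zones", frozenset({"BA-3"})),
    Requirement("REQ-4", "Payment events written to a tamper-evident log", frozenset({"BA-4"})),
    Requirement("REQ-5", "Third-party analytics script on onboarding pages", frozenset()),
]
SERVICES = [
    SecurityService("SVC-1", "Data-at-rest encryption", frozenset({"REQ-1"})),
    SecurityService("SVC-2", "TLS termination", frozenset({"REQ-1"})),
    SecurityService("SVC-3", "Identity and access management (MFA)", frozenset({"REQ-2"})),
    SecurityService("SVC-4", "Security logging and SIEM", frozenset({"REQ-4"})),
    SecurityService("SVC-5", "Web application firewall", frozenset()),
]


def traceability_gaps(profile, requirements, services) -> Dict[str, List[str]]:
    """Breaks in the chain, forward (need without delivery) and backward
    (delivery without need), plus references to ids that do not exist."""
    attr_ids = {a.aid for a in profile}
    req_ids = {r.rid for r in requirements}
    attrs_with_req = set().union(*(r.derived_from for r in requirements))
    reqs_with_svc = set().union(*(s.satisfies for s in services))
    return {
        "attributes_without_requirement": sorted(attr_ids - attrs_with_req),
        "requirements_without_service": sorted(req_ids - reqs_with_svc),
        "requirements_without_attribute": sorted(
            r.rid for r in requirements if not (r.derived_from & attr_ids)),
        "services_without_requirement": sorted(
            s.sid for s in services if not (s.satisfies & req_ids)),
        "dangling_references": sorted(
            (attrs_with_req - attr_ids) | (reqs_with_svc - req_ids)),
    }


def is_fully_traceable(gaps: Dict[str, List[str]]) -> bool:
    return not any(gaps.values())


def business_justification(sid, profile, requirements, services) -> List[BusinessAttribute]:
    """Backward trace: the business attributes (with their targets) that a
    given service exists to deliver.  An empty list means unjustified cost."""
    by_sid = {s.sid: s for s in services}
    by_rid = {r.rid: r for r in requirements}
    by_aid = {a.aid: a for a in profile}
    aids = set()
    for rid in by_sid[sid].satisfies:
        if rid in by_rid:
            aids |= by_rid[rid].derived_from
    return [by_aid[a] for a in sorted(aids) if a in by_aid]


def coverage_matrix(profile, requirements, services) -> Dict[str, List[str]]:
    """Forward trace for reporting: attribute id -> services realising it."""
    result: Dict[str, List[str]] = {a.aid: [] for a in profile}
    for svc in services:
        for req in requirements:
            if req.rid in svc.satisfies:
                for aid in req.derived_from:
                    if aid in result and svc.sid not in result[aid]:
                        result[aid].append(svc.sid)
    return {aid: sorted(v) for aid, v in result.items()}


if __name__ == "__main__":
    gaps = traceability_gaps(PROFILE, REQUIREMENTS, SERVICES)
    for kind, ids in gaps.items():
        print(f"{kind}: {ids or 'none'}")
    for svc in SERVICES:
        why = business_justification(svc.sid, PROFILE, REQUIREMENTS, SERVICES)
        print(svc.sid, "->", [f"{a.name} / {a.capability}" for a in why] or "no business justification")
```

Run stand-alone, the report shows BA-5 (Private) with no requirement behind it, REQ-3 with no service delivering it, and REQ-5 and SVC-5 with no business attribute behind them: the "more cost, less value" pattern the earlier slides describe, made visible before anything is built. The targets carried on each attribute are what the Manage & Measure phase later measures against.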
17. The Business Attribute Profile Mapped onto the TOGAF Content Meta Model
18. SABSA Life Cycle and TOGAF ADM
19. Mapping TOGAF and SABSA Abstraction Layers
20. Mapping of TOGAF to SABSA Strategy and Planning Phase
As the SABSA phases extend beyond the core phases of the TOGAF ADM, the scoping provided by the SABSA Domain Model extends beyond these core phases of TOGAF, both in terms of solution design and system and process management during the operational lifecycle.
21. Overview of Security Related Artifacts in the TOGAF ADM
22. Preliminary Phase – Security Artifacts
23. Phase A - Architecture Vision – Security Artifacts
24. Phase B – Business Architecture – Security Artifacts
25. Phase C – Information Systems Architecture – Security Artifacts
26. Phase D – Technology Architecture – Security Artifacts
27. Phase G – Implementation Governance – Security Artifacts
28. Phase H – Architecture Change Management – Security Artifacts
30. ICT service providers must consider the whole market. Four dimensions to put in one line
Figure: a service provider has to line up four dimensions:
Service Models: Cloud (XaaS), Hosting, Managed Service, Monitoring
Frameworks: ISO 27002, NIST, ISF
Requirements: national/international law; industries (SOX, PCI DSS, …); customers
Service Types: Desktop, Communication, Collaboration, Computing
31. ICT service providers must consider the whole market. Four dimensions to put in one line
Enterprise Security Architecture » shaping the security of ICT service provisioning «: deliver assurance to customers and provide directions for production.
1) Produce standardized security measures for industrialized ICT production
2) Modular and structured approach that serves all possible models and offerings
3) Hierarchy of security standards delivering information on each level of detail
4) Mapping model to demonstrate fulfillment of all types of security requirements
32. From Requirements to ICT Services. Standardisation is Key
Figure: requirements flow through four stages: requirements identification, requirements consolidation, conception and integration, and operations and maintenance. The inputs are Corporate Governance, Risk & Compliance requirements and customer requirements (Automotive, Finance, Public, …), which partially overlap. Consolidation sorts every requirement into one of four classes: standard, options, full custom, or no-go. Standardised requirements are delivered by industrialized services (established platforms and processes); the remainder by customer-specific services.
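The consolidation step on this slide, sorting corporate and customer requirements into standard, options, full custom and no-go and then composing the offering from industrialized and customer-specific services, as an added Python example (not code from the presentation). The catalogue of standardised measures, the requirements, the use of ISO 27002:2013 control references as the common key, and the four classification rules are all assumptions made for illustration; in particular "no-go" is modelled here as a customer requirement that excludes a control the corporate baseline mandates, which is one reasonable reading of the slide, not a rule it states.

```python
"""Requirements consolidation for industrialised ICT services.

Added example, not code from the presentation.  Catalogue, requirements and
classification rules are constructed assumptions; ISO 27002:2013 control
references are used only as a shared vocabulary between requirements and
measures.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Measure:
    mid: str
    description: str
    controls: FrozenSet[str]   # control references the measure implements
    tier: str                  # "standard": in every offering; "option": orderable add-on


@dataclass(frozen=True)
class Requirement:
    rid: str
    source: str                # "corporate" (GRC) or the customer/industry it came from
    controls: FrozenSet[str]   # control references the requirement needs
    excludes: FrozenSet[str] = frozenset()   # controls the customer refuses to have applied


# Constructed provider catalogue of standardised security measures.
CATALOGUE = [
    Measure("M-LOG", "central event logging, 1-year retention", frozenset({"A.12.4.1"}), "standard"),
    Measure("M-PATCH", "monthly OS patching", frozenset({"A.12.6.1"}), "standard"),
    Measure("M-MFA", "MFA and privileged-access workflow for admins",
            frozenset({"A.9.4.2", "A.9.2.3"}), "standard"),
    Measure("M-BACKUP", "daily backup", frozenset({"A.12.3.1"}), "standard"),
    Measure("M-CRYPT", "volume encryption with customer-held keys", frozenset({"A.10.1.1"}), "option"),
    Measure("M-DR", "second-site disaster recovery", frozenset({"A.17.1.2"}), "option"),
]

# Constructed corporate and customer requirements (partially overlapping).
REQUIREMENTS = [
    Requirement("CORP-1", "corporate", frozenset({"A.12.4.1", "A.12.6.1", "A.9.4.2"})),
    Requirement("FIN-1", "Finance", frozenset({"A.10.1.1", "A.12.4.1"})),
    Requirement("AUTO-1", "Automotive", frozenset({"A.17.1.2"})),
    Requirement("PUB-1", "Public", frozenset({"A.14.2.8"})),            # independent security testing
    Requirement("PUB-2", "Public", frozenset(), excludes=frozenset({"A.12.4.1"})),  # refuses central logging
]


def covered_controls(catalogue: Iterable[Measure], tiers=("standard", "option")) -> Set[str]:
    return set().union(*(m.controls for m in catalogue if m.tier in tiers))


def corporate_baseline(requirements: Iterable[Requirement]) -> Set[str]:
    """Controls mandated by corporate GRC regardless of customer."""
    return set().union(*(r.controls for r in requirements if r.source == "corporate"))


def classify(req: Requirement, catalogue, baseline: Set[str]) -> str:
    """Assumed rules: a conflict with the corporate baseline is a no-go; a
    control the catalogue cannot deliver is full custom; otherwise standard
    if only standard-tier measures are needed, else option."""
    if req.excludes & baseline:
        return "no-go"
    if req.controls - covered_controls(catalogue):
        return "full custom"
    if req.controls <= covered_controls(catalogue, ("standard",)):
        return "standard"
    return "option"


def consolidate(requirements, catalogue) -> Dict[str, str]:
    baseline = corporate_baseline(requirements)
    return {r.rid: classify(r, catalogue, baseline) for r in requirements}


def overlap_with_corporate(req: Requirement, requirements) -> Set[str]:
    """Controls a customer asks for that corporate GRC already mandates: the
    'partially overlap' region, delivered at no extra cost."""
    return set(req.controls & corporate_baseline(requirements))


def compose_offering(customer_reqs, catalogue, baseline) -> Dict[str, List[str]]:
    """Industrialised platform plus the options and custom work one customer needs."""
    verdicts = {r.rid: classify(r, catalogue, baseline) for r in customer_reqs}
    needed = set().union(*(r.controls for r in customer_reqs if verdicts[r.rid] != "no-go"))
    return {
        "industrialised": sorted(m.mid for m in catalogue if m.tier == "standard"),
        "options": sorted(m.mid for m in catalogue if m.tier == "option" and m.controls & needed),
        "custom": sorted(needed - covered_controls(catalogue)),
        "no_go": sorted(rid for rid, v in verdicts.items() if v == "no-go"),
    }


if __name__ == "__main__":
    for rid, verdict in consolidate(REQUIREMENTS, CATALOGUE).items():
        print(f"{rid}: {verdict}")
    base = corporate_baseline(REQUIREMENTS)
    public = [r for r in REQUIREMENTS if r.source == "Public"]
    print("Public sector offering:", compose_offering(public, CATALOGUE, base))
```

The point of keying both sides on the same control references is the "mapping model" from the previous slide: the same table answers the customer's question (which of my requirements are met by standard measures, which cost extra, which cannot be met) and the production side's question (which measures ship on every platform, which are add-ons, and which requests must be declined because they would break the corporate baseline).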
33. Framework for Enterprise Security Architecture
Inputs: Requirements (corporate and customer), with an impact analysis for non-framework requirements.
Framework for ESA:
Enablement (ISMS): security management process and reference model (mainly ISO 27001)
Enforcement (Practices): controls / techniques (mainly ISO 27002); specific standards
Enterprise Security Architecture:
Industrialized ESA Services: processes including roles for new business, changes and operational services; technology platform; evidence (monitoring, analytics and reporting)
Custom services: specific service and realization for a customer
34. Framework for ESA. The Enablement Framework with ISMS activities.
Activities of the Enablement Framework
Plan:
P1 Define scope and ISMS policy
P2 Define risk assessment approach
P3 Identify risks, derive control objectives & controls
P4 Approve residual risks
P5 Draw up statement of applicability (SoA)
Do:
D1 Implement risk handling plan & controls
D2 Define process for monitoring the effectiveness of controls
D3 Develop security awareness
D4 Lead ISMS and steer funds
D5 Implement methods to identify / handle security incidents
Check:
C1 Monitoring & review of security incidents
C2 Review risk assessment approach
C3 Evaluate effectiveness of the controls implemented
C4 Perform and document ISMS audits
C5 Carry out management evaluations
Act:
A1 Implement appropriate corrective and preventative controls
A2 Communicate activities & improvements
A3 Ensure improvements achieve targets
A4 Implement identified improvements in ISMS
35. Considering: Plan – Build – Run. Sales, Service, Production, (Integration).
ESA reflects three types of business: Customer Projects – Operations – Platform Preparation
New Business & Major Changes (Project Business): Bid, Transition, Transformation; Set-up for operations; Major Changes
Operations (Daily Business): Service Delivery Management; Provide industrialized and customer-specific ICT Services; Evidence
ESA Platform: Define Offering and SDEs; Initial set-up of ESA (creation and extension); Maintenance of ESA (improvements)
Enterprise Security Architecture for ICT Services
36. Considering: Plan – Build – Run. Sales, Service, Production, (Integration).
1 What? Work areas
2 Who? Roles etc.
3 How? Standards
New Business & Change (Project Business): Bid, Transition, Transformation; Set-up for operations; Major Changes
Operations (Daily Business): Service Delivery Management; Provide ICT Services; Evidence
ESA Technology Platform: Define Offering and Service Delivery Elements; Initial set-up of ESA; Maintenance
37. Cooperation: Implementation of Roles. Customer Projects, Portfolio, and Operations.
Roles: Security Manager; Customer; ICT SRC Manager; Security Architects and Experts (engineering); Customer Security Manager; Operations Manager; Operations Personnel; Offering Manager
Phases: Project (bid, transition, transformation) → step-by-step transfer of business → Operations (CMO+FMO)
Flows: requirements; governance
38. Considering: Plan – Build – Run. Sales, Service, Production, (Integration).
1 What? Work areas
2 Who? Roles etc.
3 How? Standards
New Business & Change (Project Business): Bid, Transition, Transformation; Set-up for operations; Major Changes
Operations (Daily Business): Service Delivery Management; Provide ICT Services; Evidence
ESA Technology Platform: Define Offering and Service Delivery Elements; Initial set-up of ESA; Maintenance
39. Corporate and Product Security incorporated in one Hierarchy
Corporate Security Rule Base: Corporate Security Policy; ICT Security Standards; ICT Security Principles; ICT Security Baselines
Refinement Pyramid of Standards: Requirements for ICT Service Provisioning (“product security”)
Examples: ISO 27001 certificate (Certification and Audit); detailed customer inquiry (Security Measures); software settings, configuration (Security Implementation)
40. Demonstrating that Customer Requirements are met
Customer Requirements: R1, R2, R3, R4, R5
Set of Controls (contractual): C1, C2, C3, C4, C5, C6, C7
Requirements are met (Suitability)
Controls of ESA and its ICT Security Standards
Service type: Desktop, Communication, Collaboration, Computing
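The mapping model of slide 31 (point 4) and slide 40, requirements to contractual controls per service type, as an added example in Python; it is not code from the presentation. The control catalogue, the requirement texts, the standards named and the service-type coverage are all constructed for illustration; the identifiers R1–R5 and C1–C7 follow the slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    cid: str
    standard: str               # ICT Security Standard the control comes from
    service_types: frozenset    # service types the ESA actually delivers it for

ALL = frozenset({"Desktop", "Communication", "Collaboration", "Computing"})

# Constructed control catalogue C1..C7; standards named after taxonomy areas
# of slide 41, service-type coverage invented for the example.
CONTROLS = {c.cid: c for c in (
    Control("C1", "Logging, Monitoring & Security Reporting", ALL),
    Control("C2", "Security Patch Management", frozenset({"Desktop", "Computing"})),
    Control("C3", "User Identity Management", frozenset({"Desktop", "Collaboration", "Computing"})),
    Control("C4", "Database and Storage Security", frozenset({"Computing"})),
    Control("C5", "Incident Handling and Forensics", ALL),
    Control("C6", "Hardening, Provisioning & Maintenance", frozenset({"Desktop", "Computing"})),
    Control("C7", "Business Continuity Management", frozenset({"Computing"})),
)}

# Constructed customer requirements R1..R5: text plus the controls fulfilling it.
# A requirement mapped to no control is a non-framework requirement (slide 33).
REQUIREMENTS = {
    "R1": ("Security events logged and reported monthly", {"C1"}),
    "R2": ("Critical patches applied within 30 days", {"C2", "C6"}),
    "R3": ("Named user accounts with central identity management", {"C3"}),
    "R4": ("Data at rest encrypted and backed up", {"C4", "C7"}),
    "R5": ("Customer-specific tamper-evident hardware token", set()),
}

def assess(service_type, requirements=REQUIREMENTS, controls=CONTROLS):
    """Return (suitable, contractual_controls, gaps) for one service type.
    gaps: requirement id -> "non-framework" (no control at all, needs impact
    analysis or a custom service) or "not delivered" (controls exist but none
    is realised for this service type)."""
    contractual, gaps = set(), {}
    for rid, (_text, cids) in requirements.items():
        if not cids:
            gaps[rid] = "non-framework"
            continue
        delivered = {c for c in cids if service_type in controls[c].service_types}
        if delivered:
            contractual |= delivered
        else:
            gaps[rid] = "not delivered"
    return not gaps, sorted(contractual), gaps

def evidence_plan(contractual, controls=CONTROLS):
    """Standards whose evidence (monitoring, reporting) backs the contractual set."""
    return sorted({controls[c].standard for c in contractual})
```

Suitability holds only when every requirement has at least one delivered control; the gap labels tell the offering manager whether the answer is a custom service or an impact analysis.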
41. Security Taxonomy.
Areas: Evidence and Customer Relation; Service Management; Wide Area Network Security; Customer and users; Data Center
Elements: User LAN Periphery; Remote User Access; User Identity Management; Mobile Workplace Security; Office Workplace Security; Corporate Provider Access; Gateway and Central Services; Provider Identity Management; Data Center Security; Data Center Networks; Computer Systems Security; Application and AM Security; VM and S/W Image Mngt.; Database and Storage Security; Operations Support Security; Networks; Asset and Configuration Management; Business Continuity Management; Security Patch Management; Hardening, Provisioning & Maintenance; Change and Problem Management; Customer Communication and Security; System Development Life-Cycle; Systems Acquisition and Contracting; Risk Management; Logging, Monitoring & Security Reporting; Incident Handling and Forensics; Vulnerability Assessment, Mitigation Plan; Release Mngt. and Acceptance Testing; Certification and 3rd Party Assurance; Administration Network Security
42. EAS – Meta Model
Stakeholder Views: queries, analysis, portfolios, etc.
“Model World”: Architecture Repository
“Real World”: enterprise applications, teams & information
Inputs: Industry Glossaries; Industry Reference Models; Application Models; Application Glossaries
“Meta-Model”: common language
“Standardized” content, e.g. business processes, applications etc.
“Integrated and consistent Views”: stakeholder-specific views & reports
43. ICT Security Services and Solutions
Enterprise Security Management: Architecture and Processes; Applications, Risk and Compliance; Security and Vulnerability Management
– Business Integration: embedding security in processes, defining goals and responsibilities, ensuring good governance and compliance.
Identity and Access Management: Users and Identities; Smart Cards; Trust Centers
– Business Enablement: enabling the managed use of ICT resources and IT applications with digital identities, roles and rights.
ICT Infrastructure Security: Workplace, Host and Storage Security; Network Security; Physical Security
– Business Protection: defending from hostile action: protecting networks, IT applications, data and building security.
44. If you have one last breath, use it to say...