DRAFT ………………. by Bill Ross 
Title: “The Invisible Person … the Security Architect”
A paper by INFOSECFORCE 
804-855-4988 
infosecforce@yahoo.com
The Invisible Person …. The Security Architect 10 August 2012 
An open letter and personal thoughts on Security Architecture to all the great security 
professionals who devote so much energy to our mission to predict, prevent, detect, and 
respond. Since this original letter was composed, I have received 436 global requests for 
same. 10/1/2013 
We are in a CYBER War, and corporations and governments are being clobbered by an invisible enemy that, at times, seems to own numerous private networks. Information Security Teams across the globe are fighting the good fight, and they win and lose in this battle. Every year thousands of articles and conferences across the globe address the tactics and procedures for meeting this challenge, and when one reads the literature and attends the meetings, one knows what the most fundamental and missing piece is in orchestrating and defining the arsenal of each institution that manages data: a cohesive, risk-based methodology that defines solutions to the sometimes chaotic response to threats. That piece is a systematic, strategically planned and tactically executed security architecture, thoughtfully and professionally managed by a dedicated and multi-talented Information Security Professional with business savvy, technical astuteness, threat awareness and a dose of the Ninja instinct.
Until industry and organizations “embrace it”, they will flounder in defining the roles, 
responsibilities and implementation of a cohesive and hardened environment that beats cyber 
crooks and miscreants. This is the environment we face and where this paper begins. 
There are numerous and conflicting concepts of the roles and responsibilities of a Security 
Architect within industry and government. This short and quick paper is designed to examine 
the definitions of Information Security Architecture (ISA) and what the role of a Security 
Architect is. These two questions seem harder to define as the separation between Security 
Architecture and Infrastructure Architecture begins to dissolve. Thank you for reading this as it 
is an issue I often struggle with. 
I have designed this paper to examine the various interpretations of what an Information 
Security Architect is, the essence of Information Security Architecture, and suggested best 
models and references for Security Architecture modeling. I also offer a suggested Security
Architecture framework for aligning business requirements to the security solution, optimizing 
technology to protect data, and creating a strategic, operational, and tactical defense in depth 
layering approach that will ensure that the classic Information Security Community (ISC) tenets 
of confidentiality, integrity, and availability are designed, implemented and monitored within the 
layered ISA solution. ISA is as much an art form as it is a Visio diagram of trust zones and firewall placement.
The ISC does not have a consistent and recognized approach to define what an Information 
Security Architecture is and as such, the ISC does not seem to have recognized standards for 
what an Information Security Architecture (ISA) should accomplish in advancing both the 
financial or business success of an organization let alone defeating cyber criminals. Given the 
lack of an ISA standard, the Security Architect sometimes struggles in his role to adequately 
protect an organization’s vital information assets as what he thinks he should do is not what the 
company thinks they hired him for. 
While great writers and thinkers have published a plethora of ISA frameworks and white papers 
discussing what an ISA is, there does not seem to be one unifying agreement of what an ISA 
should address and on how to define and implement an ISA. As such, when a government or 
private sector organization is trying to hire an Information Security Architect, they publish wide 
ranging and variable job descriptions that cover almost every aspect of Information Security 
roles and responsibilities. These Security Architect job descriptions could include requirements 
for anything from an actual Security Architect, to a highly sophisticated and brilliant security 
engineer, to the Chief Information Security Officer, or to simply being a Firewall or Security 
System Administrator who some organizations think can also create an ISA. In other words, will the real Information Security Architect please step out of the shadows and reveal himself or herself, so we all know who and what we are?
It is actually rare that when an organization advertises its Security Architect requirement that the 
advertisement really reflects what they need the “Security Architect” to do to create and 
implement the organization’s ISA. For example, as we shall see in the sample job descriptions 
below, the Security Architecture job description often does not align with the end-to-end 
strategic, operational, and tactical benefits that an Information Security Architect can contribute 
to the success of an organization.
Here is my suggested ISA Job Description 
An information security architect should have at least 10 years’ experience in information security, and at one point in his/her career should have had hands-on technical experience in anything from help desk support to being a UNIX or database administrator. This person should have extensive knowledge of security platforms and should have managed acquisition efforts, identity and access management, cyber warfare, and governance as it is translated from security standards and policies into an operational technical environment aligned with the core business processes, be they those of financial institutions like JP Morgan or e-commerce giants like Amazon or Best Buy. This person should have served on the front lines of cyber battles such as NIMDA, LUZ or APT. Optimally, the person is ITIL certified, has an EE degree, is a visionary, and understands that security supports business objectives. Ultimately, the Security Architect is a perfect blend of a highly skilled security engineer, a governance and policy expert, an enterprise architect, and a business-savvy professional with a Ninja spirit.
Background 
It has been my experience that generally an Information Security Architect role is confused with a superior “top gun” level-four information security engineer. Within the last 13 years, I have built Security Architecture strategies, hired Security Architects and mentored them to become fully trained and empowered Security Architect professionals. As examples of my experiences, I was chosen by the Air Force during Desert Storm to combine two war-fighting commands’ intelligence architectures. I led the team to baseline the global IT Architecture for a global Army logistics command, and I appointed the first Information Security Architect for the Federal Reserve Information Technology (FRIT) organization. Also, I was one of the principals in hiring the Security Architect for the Virginia Information Technology Agency-Northrop Grumman Partnership. Additionally, I was selected to become the Director of Security Architecture for AXA Technology, which is the IT support function for AXA, one of the world’s largest insurance firms. Even though I was hired as the Security Architect, my real job description should have been Director of Information Security, and developing the ISA was just one of my numerous responsibilities. Lastly, I was hired in my current job as the Security Architect for United Guaranty Corporation.
So, considering my prior experiences from a hands-on Security Architecture perspective, and the fact that in the past several months I have reviewed numerous Security Architect position job descriptions from a host of excellent organizations, it has been my experience that these fine organizations were really looking for the above-referenced “top gun” security engineer and not the person who can comprehensively build the business-based, requirements-driven, risk management solution for the overall security architecture requirement. I can understand their deep engineering requirements, even to the point of needing a fully qualified Security Electrical Engineer (EE), but being an EE is not the same thing as developing an ISA as defined above.
Please see the following job descriptions as a recent sample of corporate Security Architect position job board advertisements. The first one sounds like a great job, but as one reads the job description, it is very specific about the technologies the candidate must have knowledge of. My observation for this job description is that, while a candidate could have knowledge of these technologies, there is no indication of the much-needed requirement that the person integrate the technologies into a cohesive layered security program providing a comprehensive defense-in-depth strategy, so that the mentioned security tools work synergistically and cohesively in a defense-in-depth layered configuration. Nor is there any indication that the person should have business savvy and the ability to develop and link business requirements to the Security Architecture and the overall success of the organization. The job description does not discuss integrating the overall Security Architecture with the organization’s Enterprise Architecture planning. The job sounds more like a CISO position. Interestingly though, this is one of the better Security Architecture job descriptions I have seen on the job boards. Note what is in red, as this is where I think it starts to diverge from being a security architect. Now, in addition to being a Security Architect, the company wants the person to be the threat manager.
Security Architect job description from a recognized job board. 
“Specifically, this resource will lead and set architecture strategy for security in close partnership with the Global Information Security and Global Infrastructure organizations. Functional responsibilities include but are not limited to the following:
• Ability to build and maintain constructive working relationships with a diverse community (in and outside of technology); ability to effectively communicate (both written and verbal) with and influence both technical and non-technical audiences.
• Providing architectural and technical guidance to support information system and infrastructure design, improvements, and planning.
• Assessing current and planned information systems, identifying Security Architecture issues, and designing solutions for gaps.
• Review, assess, and mitigate penetration tests and vulnerability assessments on information systems and infrastructure.
• Participating in infrastructure projects to develop, plan, and implement specifications for network and distributed system security technologies in support of key information systems.
• Preparing and presenting information on infrastructure plans, progress, and resolution of security gaps to leadership.
The ideal candidate should have 5-8 years of experience with the following:
• Bachelor's Degree required. Master's in Information Security (or related field) is a plus.
• Identity and Access Management (e.g., LDAP, Sun Access Manager, MS Active Directory, Sun Identity Manager, Tivoli Access Manager, and Unix Account Centralization tools such as Power Broker and other PAM-based tools)
• Remote Access Authorization and Authentication (RADIUS, SecurID, IPSEC and SSL VPN)
• Operating System Security Configurations (Windows, Unix (HPUX and AIX), and Linux)
• Operating System and Application Vulnerability and Patch Analysis; Vulnerability Scanning and Penetration Testing Tools (Tripwire, Foundstone, etc.)
• Web Proxies and URL/Content Filtering (e.g., products from WebWasher, and the ICAP protocols)
• Secure File Transfers (e.g., Sterling, Forum Systems, Ipswitch, sftp, ftps, https, and ftp with PGP)
• Wireless Security (e.g., 802.1x, Cisco and Aruba Wireless)
• Encryption and Key Management (whole disk, file-level, network, database, PGP, MS Certificate Services, and backup tapes)
• Incident Response and Forensic Analysis Support
• Application and Web Layer Security (e.g., Web 2.0, SOAP, SOA, Secure Messaging)
• Code Security Analysis (manual and leveraging automated scanning tools)
• Risk Assessments, methodologies, and compensating controls
• Endpoint Protection (e.g., Anti-Virus, Personal Firewall, and Application Executable Control from vendors such as Symantec and McAfee)
• Network and Host-based Intrusion Detection and Prevention (e.g. external monitoring integration as well as Cisco Mars)
• Firewalls, Routers, and Load-Balancers
• Data Loss Prevention (for databases/storage, the network, and endpoints e.g. Symantec Vontu)
• Email Filtering (e.g., Anti-virus, Anti-Spam, Content Filtering)
• Log Monitoring (e.g., Windows, Unix, Linux, Networking, and Applications leveraging tools such as Kiwi, Snare, Arcsight, and LogLogic)
• Audit and Regulatory Issues (e.g., SOX)
• Normal duties include, but are not limited to; Security Architecture analysis and design; network, desktop, server, and application security risk analysis; recommendations of procedural and technological compensating controls; project management; policy and procedure development; incident management, and forensic analysis.
• Solid organizational, interpersonal and communication skills and the ability to thrive in a fast-paced, deadline-oriented environment are a must. Job will AT LEAST include hands on experience in the technologies and products listed above.”
Security Architect description two 
I included this Security Architect definition as a contrast to the above job description. I extracted 
this Information Security Architect Description from the “Wise Geek” site. It is not nearly as 
technical as the above job description and it sounds much more like a security manager than a 
Security Architect. 
“A Security Architect is a computing professional who focuses on maintaining security in a 
computer system. Security Architects work in a variety of settings, securing corporate networks, 
government computer systems, and websites, and they are part of an overall information 
technology staff which is designed to keep a computer system relevant, current, and useful. To 
work as a Security Architect, it is usually necessary to have a bachelor's degree in computer 
science or computer engineering, along with specific training and certification in Security 
Architecture.
There are a number of aspects to a Security Architect's job. He or she must first review the 
system, gaining an understanding of how the system is used, who is using it, and where the 
weak points in the system may be located. The Security Architect thinks about how to improve 
an outdated system after reviewing it, or makes recommendations to toughen security on a 
relatively new system. These recommendations can include hardware and software upgrades 
as well as new protocols for the system's users. 
Security Architects set policies and enforce them, regularly checking for compliance. These 
policies can range from never leaving a workstation unattended while someone is logged into 
the computer system to always using an encryption protocol to collect sensitive information from 
customers over the Internet. The Security Architect wants basic security measures in place at all 
times and wants people to observe the protocols he or she establishes, and the system also has 
countermeasures in place which can become active when someone attempts to breach the 
system. 
A good Security Architect is able to think like an attacker. He or she can look at a system and 
not only see conventional weak points, but potential areas which someone thinking outside the 
box can exploit. He or she also knows that the work of developing a good Security Architecture 
is never finished, because security needs are constantly evolving and changing, and it is 
necessary to be highly adaptable, and to avoid getting attached to particular approaches. 
Every computer system and website has unique security needs which must be addressed. 
While some software suites provide basic security, for large or sensitive systems, it is necessary 
to hire a Security Architect to protect the system. As a member of the permanent staff of an 
organization, the Security Architect keeps the organization strong by keeping up with changes and trends in the security and computing fields.”
SOURCE: http://www.wisegeek.com/what-is-a-security-architect.htm#discussions 
What is an Architecture, what is a Security Architecture and what is a Security Architecture framework?
Classical Architecture Definition
Given that the ISC has integrated the concept of “architecture” into its lexicon, let’s examine one 
of many definitions for what “architecture” means. We will reference this in relationship to an 
ISA. 
“Architecture (Latin architectura, from the Greek ἀρχιτέκτων – arkhitekton, from ἀρχι- "chief" and τέκτων "builder, carpenter, mason") is both the process and product of planning, designing and construction. Architectural works, in the material form of buildings, are often perceived as cultural symbols and as works of art. Historical civilizations are often identified with their surviving architectural achievements.
"Architecture" can mean:
• A general term to describe buildings and other physical structures.
• The art and science of designing and erecting buildings and other physical structures.
• The style and method of design and construction of buildings and other physical structures.
• The practice of the architect, where architecture means the offering or rendering of professional services in connection with the design and construction of buildings, or built environments.[1]
• The design activity of the architect, from the macro-level (urban design, landscape architecture) to the micro-level (construction details and furniture).
• The term "architecture" has been adopted to describe the activity of designing any kind of system, and is commonly used in describing information technology.
In relation to buildings, architecture has to do with the planning, designing and constructing form, space and ambience that reflect functional, technical, social, environmental, and aesthetic considerations. It requires the creative manipulation and coordination of material, technology, light and shadow. Architecture also encompasses the pragmatic aspects of realizing buildings and structures, including scheduling, cost estimating and construction administration. As documentation produced by architects, typically drawings, plans and technical specifications, architecture defines the structure and/or behavior of a building or any other kind of system that is to be or has been constructed.”
SOURCE: http://en.wikipedia.org/wiki/Architecture 
I think the lesson to take from the above classical architecture definition is that architecture (security architecture) is a comprehensive macro-to-micro art form and science, a “building” process that includes detailed planning, designing and then construction. Using example one above, it is not just having a stack of building materials, numerous parts and pieces; it is the art and science of designing a comprehensive solution that enables all the pieces to smoothly integrate into a cohesive whole of information security protection.
Information Security Architect descriptions 
I have listed two similar and complementary definitions of what an ISA is. These were created by experts with far greater insight than I have. Interestingly, while the definitions are similar and describe the essence of end-to-end Security Architecture development, it is rare that job descriptions for organizational Information Security Architects align with them. The first concept is excellent but rarely used in corporate hiring requirements. May I suggest we embrace these ideas in the ISC.
Description 1 (very good by the way) 
Enterprise Information Security Architecture 
“Enterprise information Security Architecture (EISA) is the practice of applying a 
comprehensive and rigorous method for describing a current and/or future structure and 
behavior for an organization's security processes, information security systems, personnel and 
organizational sub-units, so that they align with the organization's core goals and strategic 
direction. Although often associated strictly with information security technology, it relates more 
broadly to the security practice of business optimization in that it addresses business Security 
Architecture, performance management and security process architecture as well. 
Enterprise information Security Architecture is becoming a common practice within the financial 
institutions around the globe. The primary purpose of creating an enterprise information Security 
Architecture is to ensure that business strategy and IT security are aligned. As such, enterprise 
information Security Architecture allows traceability from the business strategy down to the 
underlying technology.” (my underlines).
Methodology 
The practice of Enterprise Information Security Architecture involves developing an architecture 
security framework to describe a series of "current", "intermediate" and "target" reference 
architectures and applying them to align programs of change. These frameworks detail the 
organizations, roles, entities and relationships that exist or should exist to perform a set of
business processes. This framework will provide a rigorous taxonomy and ontology that clearly 
identifies what processes a business performs and detailed information about how those 
processes are executed and secured. The end product is a set of artifacts that describe in 
varying degrees of detail exactly what and how a business operates and what security controls 
are required. These artifacts are often graphical. 
Given these descriptions, whose levels of detail will vary according to affordability and other 
practical considerations, decision makers are provided the means to make informed decisions 
about where to invest resources, where to realign organizational goals and processes, and what 
policies and procedures will support core missions or business functions. 
A strong enterprise information Security Architecture process helps to answer basic questions 
like: 
• What is the information security risk posture of the organization?
• Is the current architecture supporting and adding value to the security of the organization?
• How might a Security Architecture be modified so that it adds more value to the organization?
• Based on what we know about what the organization wants to accomplish in the future, will the current Security Architecture support or hinder that?
Implementing Enterprise Information Security Architecture generally starts with documenting the 
organization's strategy and other necessary details such as where and how it operates. The 
process then cascades down to documenting discrete core competencies, business processes, 
and how the organization interacts with itself and with external parties such as customers, 
suppliers, and government entities. 
Having documented the organization's strategy and structure, the architecture process then 
flows down into the discrete information technology components such as: 
• Organization charts, activities, and process flows of how the IT Organization operates
• Organization cycles, periods and timing
• Suppliers of technology hardware, software, and services
• Applications and software inventories and diagrams
• Interfaces between applications - that is: events, messages and data flows
• Intranet, Extranet, Internet, eCommerce, EDI links with parties within and outside of the organization
• Data classifications, databases and supporting data models
• Hardware, platforms, hosting: servers, network components and security devices and where they are kept
• Local and wide area networks, Internet connectivity diagrams
Wherever possible, all of the above should be related explicitly to the organization's 
strategy, goals, and operations. The Enterprise Information Security Architecture will document 
the current state of the technical security components listed above, as well as an ideal-world 
desired future state (Reference Architecture) and finally a "Target" future state which is the 
result of engineering tradeoffs and compromises vs. the ideal. Essentially the result is a nested 
and interrelated set of models, usually managed and maintained with specialized 
software available on the market.”
SOURCE: http://en.wikipedia.org/wiki/Enterprise_information_security_architecture 
ISA Description two 
“Security Architecture and Design: architecture and design of security services that 
enable business risk exposure targets to be met. The policies, standards and risk 
management decisions drive the Security Architecture and the design of the security 
processes and ‘defense in depth’ stack. 
Security Architecture: unifying framework and reusable services that implement policy, 
standards and risk management decisions. The Security Architecture is a strategic 
framework that allows the development and operations staff to align efforts, in addition 
the Security Architecture can drive platform improvements which are not possible to make 
at a project level. A given software development project may not be able to make a 
business case to purchase an XML Security Gateway for improved web services security, 
but at the architecture level, architects can potentially identify several projects that could 
leverage such a reusable service. In this instance the Security Architecture delivers 
improved XML/ Web services security, a simplified programming model for developers, 
and saves development costs, because the wheel is not reinvented multiple times. 
Risk management, security policy and standards, and Security Architecture govern the 
security processes and defense in depth architecture through design guidance, runtime
support, and assurance services. Security metrics are used for decision support for risk 
management, security policy and standards, and Security Architecture. The security 
architecture should have a reference implementation for developers and other IT staff to 
review what functions the security mechanisms perform, and how they do it.”
SOURCE: Gunnar Peterson’s excellent article, “ Security Architecture Blueprint “, 2006 
http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf 
Implementing the above examples 
Interestingly, Gartner, almost six years ago, in its 2006 White Paper “Incorporating Security Into the Enterprise Architecture (EA) Process”, proposed a possible basic process to fulfill the objectives of the above two ISA descriptions. Interestingly, Gartner’s outline does not seem to have gained the traction it should have in the ISC. While Gartner’s outline provides a basically good outline for incorporating security into the EA process, I would probably extend the outline to include items like technical engineering skills, risk-based ISA decisions, secure development life cycle management, return on investment, metrics, operational tracking, software updating, security road maps (N-1 plan) and roles and responsibilities.
Gartner Outline for “Incorporating Security Into the Enterprise Architecture (EA) Process” 
• 1.0 The Rationale for Incorporating Security With the EA Process Model
• 2.0 Security and the EA Process Model in Relation to EA Frameworks
• 3.0 Environmental Trends
• 4.0 Business Strategy
• 5.0 Organize Architecture Effort
• 6.0 Security in the Future-State Architecture
o 6.1 Develop Requirements
o 6.2 Develop Principles
o 6.3 Develop Models
• 7.0 Current-State Architecture — Documenting
• 8.0 Closing the Gap
• 9.0 Governing and Managing
o 9.1 Governing EA Artifact Creation
o 9.2 Governing EA Compliance and Project/Procurement Management
o 9.3 Managing 
SOURCE: http://www.gartner.com/DisplayDocument?ref=g_search&id=488575 
Here is the problem with Industry Interpretations of a Security Architect 
As we have seen above, there are various interpretations of what a Security Architect is, and companies struggle with defining what they want from the ISA. We have also seen excellent, comprehensive descriptions of what a security architect is. Ultimately, based on Security Architect job descriptions as seen on job boards, or on knowing Security Architects who are already on the job, it seems that the ISC and/or government and private sector organizations advertise about five different interpretations of what a Security Architect is and what they need from the Security Architect to meet their data and enterprise security goals. I believe the Security Architect types described in items 3 and 4 below will provide the best ISA support to their parent organization and will fulfill the goals of a Security Architect as described above in “description one” of a security architect.
1. Extremely technical in one or two security technologies such as Firewalls or intrusion detection devices. This person gets hired, it seems, because a high degree of expertise in two areas is taken to mean expertise in all areas. The problem here is that the organization did not really understand what its Security Architect requirements were and what the expected definitions of success were for the Security Architect position. This Security Architect type will provide limited overall input to an organization’s strategic ISA plan.
2. Extremely technical on all aspects of security but cannot connect the architecture to business 
requirements and the overall strategy. The person is more a highly talented senior security 
engineer versus an architect. The person can make things fit and work within the context of 
what the technology is supposed to do but the person might not have considered the overall 
synergistic effects of the technology and the defense in depth aspects of the technology. A 
good example of this is that the person could install a HIDS or even a firewall but the person did 
not design a strategy on how these systems could operationally and tactically integrate as part 
of the intrusion detection framework. 
3. Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process. This is the perfect Security Architect.
4. Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan. This person can easily work with the person in number 2 to develop the ISA and deploy and manage an end-to-end Security Architecture. This is probably the most likely person a company can find when wanting to have someone who is in charge of the organization’s ISA.
5. Some companies actually call the security director or security manager the architect because 
they, in essence, are architecting the entire management, governance, and technical solution 
for the enterprise. This is what I did at AXA but I ultimately was not a dedicated security 
architect focused on all things seen in the two above architect descriptions. 
Building an Information Security Architecture Framework 
If the Security Architect wants to properly manage their program in accordance with the ISA 
descriptions above, as defined in Wikipedia or by Gunnar Peterson, the Security Architect needs to 
define an end-to-end framework that sets the context and game plan the Security Architect 
should use to protect the organization’s vital information assets. 
Given how many sources are in circulation on how to create an ISA focused on layered 
security and a defense-in-depth strategy, the fundamental guidance I can provide is: keep your 
framework very simple, but give it a sophisticated implementation based on risk, threats, 
vulnerabilities, regulatory issues and business requirements. I like three fundamental sources 
for building an ISA framework and the models needed to develop an outstanding ISA. The 
secret sauce in using these three fundamental models together is to create an integrated ISA 
Framework that combines the three systems and is tailored to your organization’s mission or business 
product line. Simply put, use your framework to plan, build, test, deploy and operate your 
security services within your supporting infrastructure, to provide the best layered security 
program possible to protect your vital information assets. Here is my ISA trifecta. 
1. While the Sherwood Applied Business Security Architecture (SABSA) is not highly technical, 
SABSA provides excellent models to define requirements against ISA plans. Please write to me 
and I will send you my highly detailed SABSA spreadsheet, which defines risk management 
planning and the appropriate ISA road map. 
http://www.sabsa.org/
2. Open Security Architecture (OSA) is an elegant technical meta-model process that brilliantly 
complements the requirements as defined in SABSA. Develop and use the meta-models as your 
current-state and planning libraries. 
http://www.opensecurityarchitecture.org/cms/index.php 
3. The Open Group Architecture Framework (TOGAF) is an excellent document that is a 
master’s thesis on how to build technical architectures. I strongly recommend reading its 
introduction and the entire chapter 21 that is dedicated to ISA. 
http://pubs.opengroup.org/architecture/togaf9-doc/arch/ 
Conclusion 
We are at war. A Security Architect can define strategies to defeat the aggressors. The ISC 
needs to standardize its doctrine and strategy to define the ISC view of what an ISA is; 
once that is defined, it will be easier to define what a Security Architect is and should do 
to protect vital business data assets. Not only will this protect your data and business, you will 
also implement optimized solutions that make the best use of your investment. Organizations need to hire the right 
people for ISA jobs and stop confusing the roles and responsibilities of Senior Security Engineers with 
those of an Information Security Architect. While they are complementary in nature, the 
roles are different. Smart Security Architects should always include brilliant security and 
infrastructure engineers in developing their business’ holistic and comprehensive ISA. 
I am confident that if an organization uses the simple framework I described above, its 
Security Architect will create an outstanding ISA and ISA road map. 
Other Great References 
See below 
http://www.everyspec.com/DoD/DOD-General/download.php?spec=DISA_TAFIM_VOL4.007538.pdf 
http://www.sans.org/reading_room/whitepapers/policyissues/approach-enterprise-security-architecture_504 
http://en.wikipedia.org/wiki/DODAF
https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/architecture/10-BSI.html 
https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/architecture/10-BSI.pdf 
http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf 
http://www.webopedia.com/TERM/S/security_architecture.html 
http://en.wikipedia.org/wiki/Computer_security 
http://www.wisegeek.com/what-is-a-security-architect.htm#discussions 
http://en.wikipedia.org/wiki/Enterprise_information_security_architecture

More Related Content

What's hot

DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyDSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
Andris Soroka
 
Dit yvol4iss40
Dit yvol4iss40Dit yvol4iss40
Dit yvol4iss40
Rick Lemieux
 
Ibm security products portfolio
Ibm security products  portfolioIbm security products  portfolio
Ibm security products portfolio
Patrick Bouillaud
 
Cybersecurity domains-map-3.0
Cybersecurity domains-map-3.0Cybersecurity domains-map-3.0
Cybersecurity domains-map-3.0
Oscar Ferreira
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
rbrockway
 
IBM Security Software Solutions - One Pager
IBM Security Software Solutions - One PagerIBM Security Software Solutions - One Pager
IBM Security Software Solutions - One Pager
Thierry Matusiak
 
Sizing the Cyber Skills Gap
Sizing the Cyber Skills GapSizing the Cyber Skills Gap
Sizing the Cyber Skills Gap
Stephen Cobb
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
Vladimir Jirasek
 
Looking into the future of security
Looking into the future of securityLooking into the future of security
Looking into the future of security
Southern Cross Group Services
 
IBM Security Software Solutions
IBM Security Software Solutions IBM Security Software Solutions
IBM Security Software Solutions
Thierry Matusiak
 
IBM Security Products: Intelligence, Integration, Expertise
IBM Security Products: Intelligence, Integration, ExpertiseIBM Security Products: Intelligence, Integration, Expertise
IBM Security Products: Intelligence, Integration, Expertise
Shwetank Jayaswal
 
general_resume_12 1 linked in
general_resume_12 1 linked ingeneral_resume_12 1 linked in
general_resume_12 1 linked in
John Masiliunas
 
Cognitive security
Cognitive securityCognitive security
Cognitive security
Iqra khalil
 
Cyber Defense Automation
Cyber Defense AutomationCyber Defense Automation
Cyber Defense Automation
♟Sergej Epp
 
Kista watson summit final public version
Kista watson summit final public versionKista watson summit final public version
Kista watson summit final public version
IBM Sverige
 
SBIC Enterprise Information Security Strategic Technologies
SBIC Enterprise Information Security Strategic TechnologiesSBIC Enterprise Information Security Strategic Technologies
SBIC Enterprise Information Security Strategic Technologies
EMC
 
Ibm cognitive security_white_paper_04_2016
Ibm cognitive security_white_paper_04_2016Ibm cognitive security_white_paper_04_2016
Ibm cognitive security_white_paper_04_2016
Janghyuck Choi
 
Don't Get Left In The Dust How To Evolve From Ciso To Ciro
Don't Get Left In The Dust How To Evolve From Ciso To CiroDon't Get Left In The Dust How To Evolve From Ciso To Ciro
Don't Get Left In The Dust How To Evolve From Ciso To Ciro
Priyanka Aash
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Keynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityKeynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring Security
Priyanka Aash
 

What's hot (20)

DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyDSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy
 
Dit yvol4iss40
Dit yvol4iss40Dit yvol4iss40
Dit yvol4iss40
 
Ibm security products portfolio
Ibm security products  portfolioIbm security products  portfolio
Ibm security products portfolio
 
Cybersecurity domains-map-3.0
Cybersecurity domains-map-3.0Cybersecurity domains-map-3.0
Cybersecurity domains-map-3.0
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
IBM Security Software Solutions - One Pager
IBM Security Software Solutions - One PagerIBM Security Software Solutions - One Pager
IBM Security Software Solutions - One Pager
 
Sizing the Cyber Skills Gap
Sizing the Cyber Skills GapSizing the Cyber Skills Gap
Sizing the Cyber Skills Gap
 
Security models for security architecture
Security models for security architectureSecurity models for security architecture
Security models for security architecture
 
Looking into the future of security
Looking into the future of securityLooking into the future of security
Looking into the future of security
 
IBM Security Software Solutions
IBM Security Software Solutions IBM Security Software Solutions
IBM Security Software Solutions
 
IBM Security Products: Intelligence, Integration, Expertise
IBM Security Products: Intelligence, Integration, ExpertiseIBM Security Products: Intelligence, Integration, Expertise
IBM Security Products: Intelligence, Integration, Expertise
 
general_resume_12 1 linked in
general_resume_12 1 linked ingeneral_resume_12 1 linked in
general_resume_12 1 linked in
 
Cognitive security
Cognitive securityCognitive security
Cognitive security
 
Cyber Defense Automation
Cyber Defense AutomationCyber Defense Automation
Cyber Defense Automation
 
Kista watson summit final public version
Kista watson summit final public versionKista watson summit final public version
Kista watson summit final public version
 
SBIC Enterprise Information Security Strategic Technologies
SBIC Enterprise Information Security Strategic TechnologiesSBIC Enterprise Information Security Strategic Technologies
SBIC Enterprise Information Security Strategic Technologies
 
Ibm cognitive security_white_paper_04_2016
Ibm cognitive security_white_paper_04_2016Ibm cognitive security_white_paper_04_2016
Ibm cognitive security_white_paper_04_2016
 
Don't Get Left In The Dust How To Evolve From Ciso To Ciro
Don't Get Left In The Dust How To Evolve From Ciso To CiroDon't Get Left In The Dust How To Evolve From Ciso To Ciro
Don't Get Left In The Dust How To Evolve From Ciso To Ciro
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Keynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring SecurityKeynote Session : NIST - Cyber Security Framework Measuring Security
Keynote Session : NIST - Cyber Security Framework Measuring Security
 

Similar to " The Invisible Person ... the Security Architect "

infosec-it
infosec-itinfosec-it
Building World Class Cybersecurity Teams
Building World Class Cybersecurity TeamsBuilding World Class Cybersecurity Teams
Building World Class Cybersecurity Teams
Joyce Brocaglia
 
Information security-integration-part-1-of-2
Information security-integration-part-1-of-2Information security-integration-part-1-of-2
Information security-integration-part-1-of-2
wardell henley
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS
 
The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...
United Security Providers AG
 
Discussion 1Recommend three countermeasures that could enhance.docx
Discussion 1Recommend three countermeasures that could enhance.docxDiscussion 1Recommend three countermeasures that could enhance.docx
Discussion 1Recommend three countermeasures that could enhance.docx
elinoraudley582231
 
Cyber Intelligence Operations Center
Cyber Intelligence Operations CenterCyber Intelligence Operations Center
Cyber Intelligence Operations Center
Bill Ross
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
Mighty Guides, Inc.
 
Open Security and Privacy Reference Architecture
Open Security and Privacy Reference Architecture Open Security and Privacy Reference Architecture
Open Security and Privacy Reference Architecture
Asim Jahan
 
Security and personnel bp11521
Security and personnel bp11521Security and personnel bp11521
Security and personnel bp11521
Merlin Florrence
 
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber AttacksLessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Mighty Guides, Inc.
 
Chief Security Officer
Chief Security OfficerChief Security Officer
Chief Security Officer
PLN9 Security Services Pvt. Ltd.
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
Varun Mithran
 
Fortinet: The New CISO – From Technology to Business Focused Leadership
Fortinet: The New CISO – From Technology to Business Focused LeadershipFortinet: The New CISO – From Technology to Business Focused Leadership
Fortinet: The New CISO – From Technology to Business Focused Leadership
Mighty Guides, Inc.
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
Mighty Guides, Inc.
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
Scott Smith
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
John Budriss
 
Advisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docxAdvisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docx
katherncarlyle
 
Advisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docxAdvisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docx
daniahendric
 
Should i study cyber security
Should i study cyber securityShould i study cyber security
Should i study cyber security
Vishal Singh
 

Similar to " The Invisible Person ... the Security Architect " (20)

infosec-it
infosec-itinfosec-it
infosec-it
 
Building World Class Cybersecurity Teams
Building World Class Cybersecurity TeamsBuilding World Class Cybersecurity Teams
Building World Class Cybersecurity Teams
 
Information security-integration-part-1-of-2
Information security-integration-part-1-of-2Information security-integration-part-1-of-2
Information security-integration-part-1-of-2
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital age
 
The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...The Importance of Consolidating Your Infrastructure Security – by United Secu...
The Importance of Consolidating Your Infrastructure Security – by United Secu...
 
Discussion 1Recommend three countermeasures that could enhance.docx
Discussion 1Recommend three countermeasures that could enhance.docxDiscussion 1Recommend three countermeasures that could enhance.docx
Discussion 1Recommend three countermeasures that could enhance.docx
 
Cyber Intelligence Operations Center
Cyber Intelligence Operations CenterCyber Intelligence Operations Center
Cyber Intelligence Operations Center
 
Building Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT PracticesBuilding Security Into Your Cloud IT Practices
Building Security Into Your Cloud IT Practices
 
Open Security and Privacy Reference Architecture
Open Security and Privacy Reference Architecture Open Security and Privacy Reference Architecture
Open Security and Privacy Reference Architecture
 
Security and personnel bp11521
Security and personnel bp11521Security and personnel bp11521
Security and personnel bp11521
 
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber AttacksLessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
 
Chief Security Officer
Chief Security OfficerChief Security Officer
Chief Security Officer
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
 
Fortinet: The New CISO – From Technology to Business Focused Leadership
Fortinet: The New CISO – From Technology to Business Focused LeadershipFortinet: The New CISO – From Technology to Business Focused Leadership
Fortinet: The New CISO – From Technology to Business Focused Leadership
 
Carbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down AttacksCarbon Black: Keys to Shutting Down Attacks
Carbon Black: Keys to Shutting Down Attacks
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
Advisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docxAdvisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docx
 
Advisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docxAdvisory from Professionals Preparing Information .docx
Advisory from Professionals Preparing Information .docx
 
Should i study cyber security
Should i study cyber securityShould i study cyber security
Should i study cyber security
 

More from Bill Ross

Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Bill Ross
 
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_ExaminationCyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Bill Ross
 
Cyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_SecurityCyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_Security
Bill Ross
 
Infosecforce security services
Infosecforce security servicesInfosecforce security services
Infosecforce security services
Bill Ross
 
Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software development
Bill Ross
 
INFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanINFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition Plan
Bill Ross
 
INFOSECFORCE llc security services
INFOSECFORCE llc security servicesINFOSECFORCE llc security services
INFOSECFORCE llc security services
Bill Ross
 
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of..." Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
Bill Ross
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
Bill Ross
 

More from Bill Ross (9)

Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...Cyber Security Command, Control, Communications, Computers Intelligence Surve...
Cyber Security Command, Control, Communications, Computers Intelligence Surve...
 
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_ExaminationCyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination
 
Cyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_SecurityCyber_Space_is_not_Cyber_Security
Cyber_Space_is_not_Cyber_Security
 
Infosecforce security services
Infosecforce security servicesInfosecforce security services
Infosecforce security services
 
Secure by design and secure software development
Secure by design and secure software developmentSecure by design and secure software development
Secure by design and secure software development
 
INFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition PlanINFOSECFORCE Risk Management Framework Transition Plan
INFOSECFORCE Risk Management Framework Transition Plan
 
INFOSECFORCE llc security services
INFOSECFORCE llc security servicesINFOSECFORCE llc security services
INFOSECFORCE llc security services
 
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of..." Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
" Soviet Military Doctrine ... a Blueprint for the Future or an Indictment of...
 
Security Lifecycle Management Process
Security Lifecycle Management ProcessSecurity Lifecycle Management Process
Security Lifecycle Management Process
 

Recently uploaded

Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...
Prakhyath Rai
 
An improved modulation technique suitable for a three level flying capacitor ...
An improved modulation technique suitable for a three level flying capacitor ...An improved modulation technique suitable for a three level flying capacitor ...
An improved modulation technique suitable for a three level flying capacitor ...
IJECEIAES
 
Null Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAMNull Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAM
Divyanshu
 
Material for memory and display system h
Material for memory and display system hMaterial for memory and display system h
Material for memory and display system h
gowrishankartb2005
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
abbyasa1014
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
21UME003TUSHARDEB
 
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURSCompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
RamonNovais6
 
Rainfall intensity duration frequency curve statistical analysis and modeling...
Rainfall intensity duration frequency curve statistical analysis and modeling...Rainfall intensity duration frequency curve statistical analysis and modeling...
Rainfall intensity duration frequency curve statistical analysis and modeling...
bijceesjournal
 
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
Yasser Mahgoub
 
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
原版制作(Humboldt毕业证书)柏林大学毕业证学位证一模一样
ydzowc
 
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
4. Mosca vol I -Fisica-Tipler-5ta-Edicion-Vol-1.pdf
Gino153088
 
Data Control Language.pptx Data Control Language.pptx
Data Control Language.pptx Data Control Language.pptxData Control Language.pptx Data Control Language.pptx
Data Control Language.pptx Data Control Language.pptx
ramrag33
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
IJECEIAES
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
KrishnaveniKrishnara1
 
CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1CEC 352 - SATELLITE COMMUNICATION UNIT 1
CEC 352 - SATELLITE COMMUNICATION UNIT 1
PKavitha10
 
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
一比一原版(CalArts毕业证)加利福尼亚艺术学院毕业证如何办理
ecqow
 
Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
Mahmoud Morsy
 
Computational Engineering IITH Presentation
Computational Engineering IITH PresentationComputational Engineering IITH Presentation
Computational Engineering IITH Presentation
co23btech11018
 
BRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdfBRAIN TUMOR DETECTION for seminar ppt.pdf
BRAIN TUMOR DETECTION for seminar ppt.pdf
LAXMAREDDY22
 
Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...Comparative analysis between traditional aquaponics and reconstructed aquapon...
Comparative analysis between traditional aquaponics and reconstructed aquapon...
bijceesjournal
 

Recently uploaded (20)

Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...Software Engineering and Project Management - Introduction, Modeling Concepts...
Software Engineering and Project Management - Introduction, Modeling Concepts...
 
An improved modulation technique suitable for a three level flying capacitor ...
An improved modulation technique suitable for a three level flying capacitor ...An improved modulation technique suitable for a three level flying capacitor ...
An improved modulation technique suitable for a three level flying capacitor ...
 
Null Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAMNull Bangalore | Pentesters Approach to AWS IAM
Null Bangalore | Pentesters Approach to AWS IAM
 
Material for memory and display system h
Material for memory and display system hMaterial for memory and display system h
Material for memory and display system h
 
Engineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdfEngineering Drawings Lecture Detail Drawings 2014.pdf
Engineering Drawings Lecture Detail Drawings 2014.pdf
 
Mechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdfMechanical Engineering on AAI Summer Training Report-003.pdf
Mechanical Engineering on AAI Summer Training Report-003.pdf
 
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURSCompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
CompEx~Manual~1210 (2).pdf COMPEX GAS AND VAPOURS
 
Rainfall intensity duration frequency curve statistical analysis and modeling...

" The Invisible Person ... the Security Architect "

DRAFT ………………. by Bill Ross

Title: “ The Invisible Person …. the Security Architect “

A paper by INFOSECFORCE
804-855-4988
infosecforce@yahoo.com
The Invisible Person …. The Security Architect
10 August 2012

An open letter and personal thoughts on Security Architecture to all the great security professionals who devote so much energy to our mission to predict, prevent, detect, and respond. Since this original letter was composed, I have received 436 global requests for same. 10/1/2013

We are in a CYBER War, and corporations and governments are being clobbered by an invisible enemy that, at times, seems to own numerous private networks. Information Security Teams across the globe are fighting the good fight and win and lose in this battle. Every year thousands of articles and conferences across the globe address the tactics and procedures for meeting this challenge. Yet when one reads the literature and attends the meetings, one sees that the most fundamental and most often missing piece, the one that orchestrates and defines the arsenal of every institution that manages data, is a cohesive, risk-based methodology that turns the sometimes chaotic response to threats into solutions. That piece is a systematically and strategically planned, tactically executed security architecture, thoughtfully and professionally managed by a dedicated and multi-talented Information Security Professional who is business savvy, technically astute, threat aware, and carries a dose of the Ninja instinct.

Until industry and organizations “embrace it”, they will flounder in defining the roles, responsibilities and implementation of a cohesive and hardened environment that beats cyber crooks and miscreants. This is the environment we face and where this paper begins.

There are numerous and conflicting concepts of the roles and responsibilities of a Security Architect within industry and government. This short and quick paper is designed to examine the definitions of Information Security Architecture (ISA) and what the role of a Security Architect is.
These two questions seem harder to define as the separation between Security Architecture and Infrastructure Architecture begins to dissolve. Thank you for reading this, as it is an issue I often struggle with. I have designed this paper to examine the various interpretations of what an Information Security Architect is, the essence of Information Security Architecture, and suggested best models and references for Security Architecture modeling. I also offer a suggested Security Architecture framework for aligning business requirements to the security solution, optimizing technology to protect data, and creating a strategic, operational, and tactical defense-in-depth layering approach that ensures the classic Information Security Community (ISC) tenets of confidentiality, integrity, and availability are designed, implemented and monitored within the layered ISA solution. ISA is as much an art form as it is a VISIO diagram of trust zones and firewall placement.

The ISC does not have a consistent and recognized approach for defining what an Information Security Architecture is. As a consequence, the ISC has no recognized standard for what an ISA should accomplish in advancing the financial or business success of an organization, let alone in defeating cyber criminals. Given the lack of an ISA standard, the Security Architect sometimes struggles in his role to adequately protect an organization’s vital information assets, because what he thinks he should do is not what the company thinks it hired him for. While great writers and thinkers have published a plethora of ISA frameworks and white papers discussing what an ISA is, there does not seem to be one unifying agreement on what an ISA should address or on how to define and implement one. As a result, when a government or private sector organization tries to hire an Information Security Architect, it publishes wide-ranging and variable job descriptions that cover almost every aspect of Information Security roles and responsibilities. These Security Architect job descriptions can call for anything from an actual Security Architect, to a highly sophisticated and brilliant security engineer, to the Chief Information Security Officer, or simply to a Firewall or Security System Administrator who, some organizations think, can also create an ISA.

In other words, will the real Information Security Architect step out of the shadows and reveal him/her self so we all know who and what we are? It is actually rare that when an organization advertises a Security Architect requirement, the advertisement really reflects what it needs the “Security Architect” to do to create and implement the organization’s ISA. For example, as we shall see in the sample job descriptions below, the Security Architect job description often does not align with the end-to-end strategic, operational, and tactical benefits that an Information Security Architect can contribute to the success of an organization.
Here is my suggested ISA Job Description

An information security architect should have at least 10 years’ experience in information security and at one point in his/her career should have had hands-on technical experience in anything from help desk support to being a UNIX or database administrator. This person should have extensive knowledge of security platforms and should have managed acquisition efforts, identity and access management, cyber warfare, and governance as it is translated from security standards and policies into an operational technical environment aligned with the core business processes, be they those of financial institutions like JP Morgan or e-commerce giants like Amazon or Best Buy. This person should have served on the front lines of cyber battles such as NIMDA, LUZ or APT. Optimally, the person is ITIL certified, has an EE degree, is a visionary, and understands that security supports business objectives. Ultimately, the Security Architect is a perfect blend of a highly skilled security engineer, a governance and policy expert, an enterprise architect, and a business savvy professional with a Ninja spirit.

Background

It has been my experience that generally an Information Security Architect role is confused with a superior “top gun” level four information security engineer. Within the last 13 years, I have built Security Architecture strategies, hired Security Architects and mentored them to become fully trained and empowered Security Architect professionals. As examples of my experience, I was chosen by the Air Force during Desert Storm to combine two war fighting commands’ intelligence architectures. I led the team to baseline the global IT Architecture for a global Army logistics command, and I appointed the first Information Security Architect for the Federal Reserve Information Technology (FRIT) organization. Also, I was one of the principals in hiring the Security Architect for the Virginia Information Technology Agency-Northrop Grumman Partnership. Additionally, I was selected to become the Director of Security Architecture for AXA Technology, which is the IT support function for AXA, one of the world’s largest insurance firms. Even though I was hired as the Security Architect, my real job description should have been Director of Information Security, and developing the ISA was just one of my numerous responsibilities. Lastly, I was hired in my current job as the Security Architect for United Guaranty Corporation.
So, considering my prior experience from a hands-on Security Architecture perspective, and the fact that in the past several months I have reviewed numerous Security Architect position job descriptions from a host of excellent organizations, it has been my experience that these fine organizations were really looking for the above referenced “top gun” security engineer and not the person who can comprehensively build the business-based, requirements-driven, risk-managed solution for the overall security architecture requirement. I can understand their deep engineering requirements, even to the point of needing a fully qualified Security Electrical Engineer (EE), but being an EE is not the same thing as developing an ISA as defined above.

Please see the following job descriptions as a recent sample of corporate Security Architect position job board advertisements. The first one sounds like a great job, but as one reads the job description, it is very specific about the technologies that the candidate must have knowledge of. My observations for this job description are that while a candidate could have knowledge of these technologies, there is no indication of the much needed requirement of how the person should integrate the technologies into a cohesive layered security program providing a comprehensive defense-in-depth strategy, so that the listed security tools work synergistically and cohesively in a layered configuration. Nor is there any indication that the person should have business savvy and the ability to develop and link business requirements to the Security Architecture and the overall success of the organization. The job description does not discuss integrating the overall Security Architecture with the organization’s Enterprise Architecture planning. The job sounds more like a CISO position. Interestingly though, this is one of the better Security Architecture job descriptions I have seen on the job boards. Note what is in red, as this is where I think it starts to diverge from being a security architect. Now, in addition to being a Security Architect, the company wants the person to be the threat manager.

Security Architect job description from a recognized job board

“ Specifically, this resource will lead and set architecture strategy for security in close partnership with the Global Information Security and Global Infrastructure organizations. Functional responsibilities include but are not limited to the following:
- Ability to build and maintain constructive working relationships with a diverse community (in and outside of technology); ability to effectively communicate (both written and verbal) with and influence both technical and non-technical audiences.
- Providing architectural and technical guidance to support information system and infrastructure design, improvements, and planning.
- Assessing current and planned information systems, identifying Security Architecture issues, and designing solutions for gaps.
- Review, assess, and mitigate penetration tests and vulnerability assessments on information systems and infrastructure.
- Participating in infrastructure projects to develop, plan, and implement specifications for network and distributed system security technologies in support of key information systems.
- Preparing and presenting information on infrastructure plans, progress, and resolution of security gaps to leadership.

The ideal candidate should have 5-8 years of experience with the following:

- Bachelor's Degree required. Master's in Information Security (or related field) is a plus.
- Identity and Access Management (e.g., LDAP, Sun Access Manager, MS Active Directory, Sun Identity Manager, Tivoli Access Manager, and Unix Account Centralization tools such as Power Broker and other PAM-based tools)
- Remote Access Authorization and Authentication (RADIUS, SecurID, IPSEC and SSL VPN)
- Operating System Security Configurations (Windows, Unix (HPUX and AIX), and Linux)
- Operating System and Application Vulnerability and Patch Analysis
- Vulnerability Scanning and Penetration Testing Tools (Tripwire, Foundstone, etc)
- Web Proxies and URL/Content Filtering (e.g., products from WebWasher, and the ICAP protocols)
- Secure File Transfers (e.g., Sterling, Forum Systems, Ipswitch, sftp, ftps, https, and ftp with PGP)
- Wireless Security (e.g., 802.1x, Cisco and Aruba Wireless)
- Encryption and Key Management (whole disk, file-level, network, database, PGP, MS Certificate Services, and backup tapes)
- Incident Response and Forensic Analysis Support
- Application and Web Layer Security (e.g., Web 2.0, SOAP, SOA, Secure Messaging)
- Code Security Analysis (manual and leveraging automated scanning tools)
- Risk Assessments, methodologies, and compensating controls
- Endpoint Protection (e.g., Anti-Virus, Personal Firewall, and Application Executable Control from vendors such as Symantec and McAfee)
- Network and Host-based Intrusion Detection and Prevention (e.g. external monitoring integration as well as Cisco Mars)
- Firewalls, Routers, and Load-Balancers
- Data Loss Prevention (for databases/storage, the network, and endpoints e.g. Symantec Vontu)
- Email Filtering (e.g., Anti-virus, Anti-Spam, Content Filtering)
- Log Monitoring (e.g., Windows, Unix, Linux, Networking, and Applications leveraging tools such as Kiwi, Snare, Arcsight, and LogLogic)
- Audit and Regulatory Issues (e.g., SOX)
- Normal duties include, but are not limited to: Security Architecture analysis and design; network, desktop, server, and application security risk analysis; recommendations of procedural and technological compensating controls; project management; policy and procedure development; incident management, and forensic analysis.
- Solid organizational, interpersonal and communication skills and the ability to thrive in a fast-paced, deadline-oriented environment are a must.

Job will AT LEAST include hands on experience in the technologies and products listed above. “

Security Architect description two

I included this Security Architect definition as a contrast to the above job description. I extracted this Information Security Architect description from the “Wise Geek” site. It is not nearly as technical as the above job description, and it sounds much more like a security manager than a Security Architect.

“ A Security Architect is a computing professional who focuses on maintaining security in a computer system. Security Architects work in a variety of settings, securing corporate networks, government computer systems, and websites, and they are part of an overall information technology staff which is designed to keep a computer system relevant, current, and useful.
To work as a Security Architect, it is usually necessary to have a bachelor's degree in computer science or computer engineering, along with specific training and certification in Security Architecture.

There are a number of aspects to a Security Architect's job. He or she must first review the system, gaining an understanding of how the system is used, who is using it, and where the weak points in the system may be located. The Security Architect thinks about how to improve an outdated system after reviewing it, or makes recommendations to toughen security on a relatively new system. These recommendations can include hardware and software upgrades as well as new protocols for the system's users.

Security Architects set policies and enforce them, regularly checking for compliance. These policies can range from never leaving a workstation unattended while someone is logged into the computer system to always using an encryption protocol to collect sensitive information from customers over the Internet. The Security Architect wants basic security measures in place at all times and wants people to observe the protocols he or she establishes, and the system also has countermeasures in place which can become active when someone attempts to breach the system.

A good Security Architect is able to think like an attacker. He or she can look at a system and not only see conventional weak points, but potential areas which someone thinking outside the box can exploit. He or she also knows that the work of developing a good Security Architecture is never finished, because security needs are constantly evolving and changing, and it is necessary to be highly adaptable, and to avoid getting attached to particular approaches.

Every computer system and website has unique security needs which must be addressed. While some software suites provide basic security, for large or sensitive systems, it is necessary to hire a Security Architect to protect the system. As a member of the permanent staff of an organization, the Security Architect keeps the organization strong by keeping up with changes and trends in the security and computing fields. “

SOURCE: http://www.wisegeek.com/what-is-a-security-architect.htm#discussions

What is an Architecture, what is a Security Architecture and what is a Security Architecture framework ….

Classical Architecture Definition
Given that the ISC has integrated the concept of “architecture” into its lexicon, let’s examine one of many definitions for what “architecture” means. We will reference this in relationship to an ISA.

“ Architecture (Latin architectura, from the Greek ἀρχιτέκτων – arkhitekton, from ἀρχι- "chief" and τέκτων "builder, carpenter, mason") is both the process and product of planning, designing and construction. Architectural works, in the material form of buildings, are often perceived as cultural symbols and as works of art. Historical civilizations are often identified with their surviving architectural achievements.

"Architecture" can mean:

- A general term to describe buildings and other physical structures.
- The art and science of designing and erecting buildings and other physical structures.
- The style and method of design and construction of buildings and other physical structures.
- The practice of the architect, where architecture means the offering or rendering of professional services in connection with the design and construction of buildings, or built environments.[1]
- The design activity of the architect, from the macro-level (urban design, landscape architecture) to the micro-level (construction details and furniture).
- The term "architecture" has been adopted to describe the activity of designing any kind of system, and is commonly used in describing information technology.

In relation to buildings, architecture has to do with the planning, designing and constructing form, space and ambience that reflect functional, technical, social, environmental, and aesthetic considerations. It requires the creative manipulation and coordination of material, technology, light and shadow. Architecture also encompasses the pragmatic aspects of realizing buildings and structures, including scheduling, cost estimating and construction administration.
As documentation produced by architects, typically drawings, plans and technical specifications, architecture defines the structure and/or behavior of a building or any other kind of system that is to be or has been constructed. “

SOURCE: http://en.wikipedia.org/wiki/Architecture

I think the lesson to take from the above classical architecture definitions is that architecture (security architecture) is a comprehensive macro-to-micro art form and science “building” process that includes detailed planning, designing and then construction. Using example one above, it is not just having a stack of building materials, numerous parts and pieces; it is the art and science of designing a comprehensive solution that enables all the pieces to smoothly integrate into a cohesive whole of information security protection.

Information Security Architect descriptions

I have listed two similar and complementary definitions of what an ISA is. These were created by experts with far greater insight than myself. Interestingly, while the definitions are similar and describe the essence of end-to-end Security Architecture development, it is rare that job descriptions for organizational Information Security Architects align with them. The first concept is excellent but rarely used in corporate hiring requirements. May I suggest we embrace these ideas in the ISC.

Description 1 (very good by the way)

Enterprise Information Security Architecture

“ Enterprise information Security Architecture (EISA) is the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel and organizational sub-units, so that they align with the organization's core goals and strategic direction. Although often associated strictly with information security technology, it relates more broadly to the security practice of business optimization in that it addresses business Security Architecture, performance management and security process architecture as well.

Enterprise information Security Architecture is becoming a common practice within the financial institutions around the globe. The primary purpose of creating an enterprise information Security Architecture is to ensure that business strategy and IT security are aligned. As such, enterprise information Security Architecture allows traceability from the business strategy down to the underlying technology.
“ (my underlines).

Methodology

The practice of Enterprise Information Security Architecture involves developing an architecture security framework to describe a series of "current", "intermediate" and "target" reference architectures and applying them to align programs of change. These frameworks detail the organizations, roles, entities and relationships that exist or should exist to perform a set of business processes. This framework will provide a rigorous taxonomy and ontology that clearly identifies what processes a business performs and detailed information about how those processes are executed and secured. The end product is a set of artifacts that describe in varying degrees of detail exactly what and how a business operates and what security controls are required. These artifacts are often graphical.

Given these descriptions, whose levels of detail will vary according to affordability and other practical considerations, decision makers are provided the means to make informed decisions about where to invest resources, where to realign organizational goals and processes, and what policies and procedures will support core missions or business functions.

A strong enterprise information Security Architecture process helps to answer basic questions like:

- What is the information security risk posture of the organization?
- Is the current architecture supporting and adding value to the security of the organization?
- How might a Security Architecture be modified so that it adds more value to the organization?
- Based on what we know about what the organization wants to accomplish in the future, will the current Security Architecture support or hinder that?

Implementing Enterprise Information Security Architecture generally starts with documenting the organization's strategy and other necessary details such as where and how it operates. The process then cascades down to documenting discrete core competencies, business processes, and how the organization interacts with itself and with external parties such as customers, suppliers, and government entities.

Having documented the organization's strategy and structure, the architecture process then flows down into the discrete information technology components such as:

- Organization charts, activities, and process flows of how the IT Organization operates
- Organization cycles, periods and timing
- Suppliers of technology hardware, software, and services
- Applications and software inventories and diagrams
- Interfaces between applications - that is: events, messages and data flows
- Intranet, Extranet, Internet, eCommerce, EDI links with parties within and outside of the organization
- Data classifications, databases and supporting data models
- Hardware, platforms, hosting: servers, network components and security devices and where they are kept
- Local and wide area networks, Internet connectivity diagrams

Wherever possible, all of the above should be related explicitly to the organization's strategy, goals, and operations. The Enterprise Information Security Architecture will document the current state of the technical security components listed above, as well as an ideal-world desired future state (Reference Architecture) and finally a "Target" future state which is the result of engineering tradeoffs and compromises vs. the ideal. Essentially the result is a nested and interrelated set of models, usually managed and maintained with specialized software available on the market. “

SOURCE: http://en.wikipedia.org/wiki/Enterprise_information_security_architecture

ISA Description two

“ Security Architecture and Design: architecture and design of security services that enable business risk exposure targets to be met. The policies, standards and risk management decisions drive the Security Architecture and the design of the security processes and ‘defense in depth’ stack.

Security Architecture: unifying framework and reusable services that implement policy, standards and risk management decisions. The Security Architecture is a strategic framework that allows the development and operations staff to align efforts; in addition the Security Architecture can drive platform improvements which are not possible to make at a project level. A given software development project may not be able to make a business case to purchase an XML Security Gateway for improved web services security, but at the architecture level, architects can potentially identify several projects that could leverage such a reusable service.
In this instance the Security Architecture delivers improved XML/Web services security, a simplified programming model for developers, and saves development costs, because the wheel is not reinvented multiple times. Risk management, security policy and standards, and Security Architecture govern the security processes and defense in depth architecture through design guidance, runtime support, and assurance services. Security metrics are used for decision support for risk management, security policy and standards, and Security Architecture. The security architecture should have a reference implementation for developers and other IT staff to review what functions the security mechanisms perform, and how they do it. “

SOURCE: Gunnar Peterson’s excellent article, “ Security Architecture Blueprint “, 2006, http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf

Implementing the above examples

Interestingly, GARTNER, almost six years ago, in its 2006 White Paper “Incorporating Security Into the Enterprise Architecture (EA) Process”, proposed a basic process for fulfilling the objectives of the above two ISA descriptions. Interestingly, GARTNER’s outline does not seem to have gained the traction in the ISC that it should have. While GARTNER’s outline is a basically good outline for incorporating security into the EA process, I would probably extend it to include items like technical engineering skills, risk-based ISA decisions, secure development life cycle management, return on investment, metrics, operational tracking, software updating, security road maps (N-1 plan) and roles and responsibilities.

Gartner Outline for “Incorporating Security Into the Enterprise Architecture (EA) Process”

- 1.0 The Rationale for Incorporating Security With the EA Process Model
- 2.0 Security and the EA Process Model in Relation to EA Frameworks
- 3.0 Environmental Trends
- 4.0 Business Strategy
- 5.0 Organize Architecture Effort
- 6.0 Security in the Future-State Architecture
  - 6.1 Develop Requirements
  - 6.2 Develop Principles
  - 6.3 Develop Models
- 7.0 Current-State Architecture — Documenting
- 8.0 Closing the Gap
- 9.0 Governing and Managing
  - 9.1 Governing EA Artifact Creation
  - 9.2 Governing EA Compliance and Project/Procurement Management
  - 9.3 Managing

SOURCE: http://www.gartner.com/DisplayDocument?ref=g_search&id=488575

Here is the problem with Industry Interpretations of a Security Architect

As we have seen above, there are various interpretations of what a Security Architect is, and companies struggle with defining what they want from the ISA. We have also seen excellent comprehensive descriptions of what a security architect is. Ultimately, based on Security Architect job descriptions as seen on job boards, or from knowing Security Architects already on the job, it seems that the ISC and/or government and private sector organizations advertise about five different interpretations of what a Security Architect is and what they need from the Security Architect to meet their data and enterprise security goals. I believe the Security Architect described in items 3 and 4 below will provide the best ISA support to the parent organization and will fulfill the goals of a Security Architect as described above in “description one”.

1. Extremely technical in one or two security technologies such as Firewalls or intrusion detection devices. This person gets hired, it seems, on the assumption that a high degree of expertise in two areas must mean expertise in all areas. The problem here is that the organization did not really understand what its Security Architect requirements were or what its definition of success for the Security Architect position was. This Security Architect type will provide limited overall input to an organization’s strategic ISA plan.

2. Extremely technical on all aspects of security but cannot connect the architecture to business requirements and the overall strategy. The person is more a highly talented senior security engineer than an architect.
The person can make things fit and work within the context of what the technology is supposed to do, but might not have considered the overall synergistic effects of the technology and its defense-in-depth role. A good example is a person who can install a HIDS or even a firewall but has not designed a strategy for how these systems operationally and tactically integrate as part of the intrusion detection framework.

3. Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process. This is the perfect Security Architect.

4. Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan. This person can easily work with the person in number 2 to develop the ISA and to deploy and manage an end-to-end Security Architecture. This is probably the most likely person a company can find when it wants someone in charge of the organization’s ISA.

5. Some companies actually call the security director or security manager the architect because they, in essence, are architecting the entire management, governance, and technical solution for the enterprise. This is what I did at AXA, but I ultimately was not a dedicated security architect focused on all the things seen in the two architect descriptions above.

Building an Information Security Architecture Framework

If the Security Architect wants to properly manage their program in accordance with the ISA descriptions above from Wikipedia and Gunnar Peterson, the Security Architect needs to define an end-to-end framework that sets the context and game plan the Security Architect will use to protect the organization’s vital information assets. Given how many sources are in circulation on how to create an ISA focused on layered security and a defense-in-depth strategy, the fundamental guidance I can offer is: keep your framework very simple, but implement it in a sophisticated way based on risk, threats, vulnerabilities, regulatory issues and business requirements. I like three fundamental sources for building an ISA framework and the models needed to develop an outstanding ISA. The secret sauce in using these three models together is to create an integrated ISA Framework combining the three systems and tailoring it to your organization’s mission or business product line.
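A risk-based, layered framework of the kind described above has to be checked against something concrete once it is drawn. The Python block below is an added illustration of one such check; it is not from this paper, nor from SABSA, OSA or TOGAF, and the layer names, control names, threats and requirements are all constructed sample data. It models the current state as a set of controls, each tied to a defense-in-depth layer and to the business or regulatory requirement that justifies it, plus a set of threats with the layers at which each can be stopped or detected. It then reports three of the gaps a Security Architect should be looking for: threats covered at fewer layers than the target depth (the HIDS-or-firewall-but-no-framework problem from item 2), controls no requirement justifies, and requirements no control traces to.

```python
"""Toy defense-in-depth coverage and traceability check.

Added illustration, not part of the paper or any framework it cites.
All layers, controls, threats and requirements are constructed sample data.
"""
from collections import defaultdict

# Assumed layer model (hypothetical), ordered from the outside in.
LAYERS = ("network", "host", "identity", "application", "data")

# Constructed current-state controls: the layer each implements and the
# business/regulatory requirement it traces to (None = no documented driver).
CURRENT_CONTROLS = {
    "edge_firewall": {"layer": "network",  "requirement": "R1"},
    "nids":          {"layer": "network",  "requirement": "R1"},
    "hids":          {"layer": "host",     "requirement": None},
    "mfa_vpn":       {"layer": "identity", "requirement": "R2"},
    "db_encryption": {"layer": "data",     "requirement": "R3"},
}

# Constructed requirements the architecture is supposed to satisfy.
REQUIREMENTS = {
    "R1": "Internet-facing services reachable only on approved ports",
    "R2": "Remote access requires strong authentication",
    "R3": "Customer records are encrypted at rest",
    "R4": "Regulatory: security event logs retained for one year",
}

# Constructed threats and the layers at which each can be stopped or detected.
THREATS = {
    "T1 external intrusion": {"network", "host", "identity"},
    "T2 credential theft":   {"identity", "application"},
    "T3 data exfiltration":  {"network", "host", "data"},
    "T4 web app injection":  {"application", "data"},
}


def controls_by_layer(controls):
    """Map each layer to the set of controls deployed at it; reject unknown layers."""
    by_layer = defaultdict(set)
    for name, meta in controls.items():
        if meta["layer"] not in LAYERS:
            raise ValueError(f"{name}: unknown layer {meta['layer']!r}")
        by_layer[meta["layer"]].add(name)
    return by_layer


def threat_depth(threats, controls):
    """Per threat, the number of its relevant layers that actually have a control."""
    covered = controls_by_layer(controls)
    return {t: sum(1 for layer in layers if covered[layer]) for t, layers in threats.items()}


def coverage_gaps(threats, controls, min_depth=2):
    """Threats below min_depth, with their uncovered relevant layers in LAYERS order."""
    covered = controls_by_layer(controls)
    depth = threat_depth(threats, controls)
    return {
        t: [layer for layer in LAYERS if layer in layers and not covered[layer]]
        for t, layers in threats.items()
        if depth[t] < min_depth
    }


def untraced_controls(controls):
    """Controls with no requirement behind them: cost without a documented driver."""
    return sorted(name for name, meta in controls.items() if meta["requirement"] is None)


def unmet_requirements(requirements, controls):
    """Requirements no control traces to: a promise the architecture does not keep."""
    traced = {meta["requirement"] for meta in controls.values()}
    return sorted(r for r in requirements if r not in traced)


def gap_report(threats, controls, requirements, min_depth=2):
    """Human-readable summary combining the three checks above."""
    lines = [f"{t}: depth {d}" for t, d in threat_depth(threats, controls).items()]
    for t, missing in coverage_gaps(threats, controls, min_depth).items():
        lines.append(f"  GAP {t}: add a control at {', '.join(missing)}")
    for c in untraced_controls(controls):
        lines.append(f"  UNTRACED control {c}: no requirement justifies it")
    for r in unmet_requirements(requirements, controls):
        lines.append(f"  UNMET {r}: {requirements[r]}")
    return lines


if __name__ == "__main__":
    print("\n".join(gap_report(THREATS, CURRENT_CONTROLS, REQUIREMENTS)))
```

In this constructed data the two network controls and the HIDS give external intrusion and exfiltration three layers of coverage, while credential theft and web injection are caught at one layer only, because nothing sits at the application layer; adding one application-layer control as the target state closes both gaps. The untraced HIDS and the unmet logging requirement survive that change, which is the point of carrying requirements in the same model as controls: a tool list alone would never show either. A real architecture would load these dictionaries from the artifact repository rather than embedding them inline.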
Simply put, use your framework to plan, build, test, deploy and operate your security services within your supporting infrastructure to provide the best layered security program possible to protect your vital information assets. Here is my ISA trifecta.

1. While the Sherwood Applied Business Security Architecture (SABSA) is not highly technical, SABSA provides excellent models to define requirements against ISA plans. Please write to me and I will send you my highly detailed SABSA spreadsheet, which defines risk management planning and the appropriate ISA road map. http://www.sabsa.org/
2. Open Security Architecture (OSA) is an elegant technical meta-model process that brilliantly complements the requirements defined in SABSA. Develop and use the meta-models as your current-state and planning libraries. http://www.opensecurityarchitecture.org/cms/index.php

3. The Open Group Architecture Framework (TOGAF) is an excellent document that is a master's thesis on how to build technical architectures. I strongly recommend reading its introduction and the entire Chapter 21, which is dedicated to ISA. http://pubs.opengroup.org/architecture/togaf9-doc/arch/

Conclusion

We are at war. A Security Architect can define strategies to defeat the aggressors. The ISC needs to standardize its doctrine and strategy to define the ISC view of what an ISA is; once that is defined, it will be easier to define what a Security Architect is and should do to protect vital business data assets. Not only will this protect your data and business, you will also implement optimized solutions for investment utilization. Organizations need to hire the right people for ISA jobs and stop confusing the Senior Security Engineer with the roles and responsibilities of an Information Security Architect. While the roles are complementary in nature, they are different. Smart Security Architects should always include brilliant security and infrastructure engineers in developing their business's holistic and comprehensive ISA. I am confident that if an organization uses the simple framework I described above, its Security Architect will create an outstanding ISA and ISA road map.

Other Great References

http://www.everyspec.com/DoD/DOD-General/download.php?spec=DISA_TAFIM_VOL4.007538.pdf
http://www.sans.org/reading_room/whitepapers/policyissues/approach-enterprise-security-architecture_504
http://en.wikipedia.org/wiki/DODAF
https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/architecture/10-BSI.html
https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/architecture/10-BSI.pdf
http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf
http://www.webopedia.com/TERM/S/security_architecture.html
http://en.wikipedia.org/wiki/Computer_security
http://www.wisegeek.com/what-is-a-security-architect.htm#discussions
http://en.wikipedia.org/wiki/Enterprise_information_security_architecture