This document is a draft paper by Bill Ross discussing the role of a security architect. It notes that while security architecture is discussed frequently, there is no consistent definition or standards for what a security architect does. Job descriptions for security architects vary widely and often confuse it with roles like security engineer or CISO. The document proposes a definition of a security architect as someone with both technical security skills and business experience who can design a comprehensive security program aligned with business needs. It provides an example job description and analyzes one to show how it focuses more on specific technologies than an overall security architecture.
Security architecture analyses brief 21 April 2015 - Bill Ross
This brief defines problems with security architecture development, security architecture methodologies, and how to implement a security architecture briefing. This brief was created to define the themes stated in the INFOSECFORCE llc paper called the "Invisible Person ... the Security Architect".
This document provides an overview of how security architecture fits within enterprise architecture. It begins by noting that security architecture is a subset of enterprise architecture. It then discusses a presentation given on this topic, highlighting how security practices are often misunderstood by both IT and security professionals. The presentation explores how to better integrate security architecture with enterprise architecture frameworks and processes to ensure security priorities are properly considered throughout enterprise initiatives. It emphasizes the importance of understanding enterprise architecture, aligning security language with business needs, and using evidence-based approaches to integrate security architecture within overall enterprise architecture.
Security architecture - Perform a gap analysis - Carlo Dapino
This document discusses security architecture and strategies for evaluating security posture. It describes how security strategies have changed from perimeter-based to zero-trust models. It also summarizes differences between securing on-premises versus cloud environments, and recommends evaluating security using a layered analysis approach. Lastly, it provides tips for threat modeling, incident response, and ensuring security architecture is integrated with enterprise architecture.
Ea Relationship To Security And The Enterprise V1pk4
The document discusses different frameworks and methodologies for enterprise architecture (EA) and enterprise security architecture (SA). EA focuses on optimizing business value through mapping business activities, while SA focuses on protecting business assets through a balanced security program. SA goals depend on an organization's risk management culture, which can range from generative to bureaucratic to pathologic. The document provides examples of using the TOGAF and Federal EA frameworks to structure SA.
Purpose: The slides provide an overview of the I.T. Security trend.
Content: Summary information about the I.T. Security marketplace, including trend drivers, spending trends, industry business cases, and adoption challenges. Also included are links to additional resources.
How To Use This Report: This report is best read/studied and used as a learning document. You may want to view the slides in slideshow mode so you can easily follow the links.
Available on Slideshare: This presentation (and other Trend Reports for 2017) will be available publicly on Slideshare at http://www.slideshare.net/horizonwatching
Please Note: This report is based on internal IBM analysis and is not meant to be a statement of direction by IBM, nor is IBM committing to any particular technology or solution.
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra... - Craig Martin
Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects, Australia
The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach of addressing non-normative flaws through systems and applications to a risk-driven and business outcome-focused methodology of enabling a business strategy.
Following this trend, we defined fundamental characteristics of effective security architecture. 1) Capabilities are primary assets at risk, while information systems and technology components are secondary assets at risk supporting the primary assets. 2) Security requirements include the business aspects and not only the technology aspects of confidentiality, integrity and availability. 3) IT risk management is business-opportunity-driven. It requires understanding of risk appetite across business, information systems and technology architecture to manage security risks of vulnerabilities and compliance issues, which may arise at any layer of enterprise architecture in a business-outcome-focused way. 4) Security services are aligned to business drivers, goals and objectives, and managed in a risk-driven way.
Yet, there is no single security architecture development methodology to deliver these characteristics. We believe that existing information security standards and frameworks, in combination with TOGAF, are sufficient to meet the aforementioned fundamental characteristics of effective security architecture. However, the challenge is in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITILv3 Security Service Management, and the ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method and Content Meta-model as the key integrators. It is a pragmatic security architecture framework which establishes a common language between IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of the long-term security needs of both business and IT, with a risk-driven enterprise as the final outcome.
We will present a case study of the implementation of the aforementioned business-outcome-focused and risk-driven Enterprise Security Architecture Framework at the University of New South Wales.
Key takeaways:
-- Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with the TOGAF
-> Security strategic planning
-> Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations)
-> Business-opportunity driven management of security risk of threats, vulnerabilities and compliance issues across business, information systems and technology architecture
Information Security Architecture: Building Security Into Your Organization - Seccuris Inc.
This document discusses building an information security architecture aligned with business objectives. It emphasizes establishing trust models and security domains to understand information flows and define appropriate controls at boundaries. This helps prioritize security efforts, automate baseline protections, and allow resources to focus on higher business risks. Defining controls based on trust and authority relationships can improve security posture while enabling productivity, innovation and business flexibility.
What I learned at ISSA International Summit 2019 - Ulf Mattsson
This session will discuss what attendees learned at The ISSA International Summit 2019, held on October 1-2 in Irving/Dallas, TX.
Learn from one of the presenters at this conference what cybersecurity professionals shared and learned from the leaders in the industry.
Over the last 30 years ISSA International has grown into the global community of choice for international cybersecurity professionals. With over 100 domestic and international chapters, members have worldwide support with daily cyber threats that are becoming increasingly intricate and difficult to prevent, detect, and remediate.
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security Strategy - Andris Soroka
Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants at the venue and more than 300 via online live streaming.
The document discusses how ITIL (Information Technology Infrastructure Library) principles are important for IT security management. While ITIL was not traditionally seen as related to security, the core ITIL processes like configuration management, change management, incident management and service desk management are crucial to minimizing security risks. When organizations properly implement repeatable ITIL processes, they experience fewer security incidents and better overall IT performance. Defining and adhering to IT management disciplines through an approach like ITIL can significantly improve security outcomes.
IBM Security QRadar SIEM
IBM Security QRadar SIEM is a next-generation SIEM platform that collects security data from across hybrid IT environments, analyzes it using advanced analytics and machine learning, and helps security teams detect, prioritize and respond to cyber threats.
This document provides an overview of cybersecurity domains including:
- Security architecture, network design, access control, identity management, data protection, cloud security, endpoint security, security operations, threat intelligence, governance, compliance, risk management, application security, physical security, and career development in cybersecurity.
It outlines key areas within each domain such as data leakage prevention, privileged access management, encryption, incident response, vulnerability management, laws and regulations, third-party risk, penetration testing, user education, and frameworks.
The document was created by Henry Jiang in March 2021 as a map of major cybersecurity domains and topics.
Does Anyone Remember Enterprise Security Architecture? - rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicate that most organizations continue to approach security on a project-by-project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
This document summarizes a white paper that evaluates claims of a global shortage of cybersecurity professionals, known as the "cyber skills gap". It discusses the origins of frequently cited estimates that there are 1 million open cybersecurity jobs worldwide. While many organizations report difficulty filling cybersecurity roles, the 1 million number originated from Cisco reports without clear sources. The document traces discussion of a cyber skills gap among US government agencies and non-profits beginning in the late 2000s. While a gap likely exists, the size and implications are worth examining given past exaggerations in the cybersecurity field.
The presentations should help security professionals create security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrightTALK.
Smart Buildings, Deep Learning AI, Drones, Robotics, and IoT....What is next?
Martin Sheridan, CTO of Sheridan Solutions Consulting, and his co-author, our COO Scott Taylor, explore the challenges and opportunities that emerging technologies are driving across the security industry.
IBM Security Products: Intelligence, Integration, Expertise - Shwetank Jayaswal
This document provides an overview of IBM's security products and services portfolio. It discusses (1) the complex threats businesses face today from hyper-connected digital environments, (2) IBM's approach to security intelligence through comprehensive internal and external monitoring, analytics and threat research, and (3) IBM's integrated portfolio of security products, consulting services and global security operations centers to help customers address challenges.
John Masiliunas has over 15 years of experience in information security and privacy consulting. He has a variety of security certifications and clearances. He has expertise in managing offshore teams, developing security architectures, assessing SAAS/cloud security, introducing new technologies, and mobile/BYOD security. He has experience architecting security solutions for many large organizations across various industries.
The document discusses cognitive security and IBM's cognitive security solutions. It begins by explaining that traditional security methods are no longer enough due to increasing technological changes. It then introduces cognitive security as a new era of security that uses techniques like machine learning and natural language processing to mimic the human brain. The document summarizes IBM's cognitive security products like IBM QRadar Security Intelligence Platform, IBM QRadar Vulnerability Manager, and IBM QRadar Risk Manager. It acknowledges challenges to adopting cognitive security but emphasizes the need to educate organizations on cognitive security capabilities.
Today, automation plays a larger role in cyber-security than ever before – for both sides, the attackers and the defenders. The escalation in volume and sophistication of attacks, constantly evolving cloud environments and transition to a remote workforce are putting additional pressure on organizations to transform Security Operations and Defense Centers.
Since the advent of automation and ML/AI technologies and their promised impact to transform incident response processes and threat hunting capabilities, what lessons have we learnt in ‘fine tuning’ process flows and automations in SecOps?
- Moving beyond the marketing hype, how is automation actually serving attackers and defenders today and what trends are happening here?
- What are the lessons learned – the good, bad and ugly – in automating security operations processes?
- Is there a right path to automation and what are the alternatives?
Kista Watson Summit final public version - IBM Sverige
IBM Security Strategy
Speakers: Peter Holm, Sweden Country Manager Security Systems, IBM, and Kaja Narum, Integrated Business Unit Leader Security, IBM
Security Operations Center behind the curtain
Speaker: Marcus Hallberg, Technical Solution Specialist, IBM Security
From Log to SIEM ... and Incident Response
Speakers: Marcus Hallberg, Technical Solution Specialist, IBM Security, and Victor Grane, Technical Sales, IBM Security
IoT Security
Speaker: Torbjörn Andersson, Senior Security Consultant, IBM
The presentations were given at Watson Kista Summit 2018.
SBIC Enterprise Information Security Strategic Technologies - EMC
This report from the Security for Business Innovation Council describes next generation technologies that support an Information-Driven Security strategy.
IBM cognitive security white paper 04 2016 - Janghyuck Choi
Cognitive security uses cognitive systems to analyze large amounts of structured and unstructured security data to understand threats and provide recommendations to security analysts. It learns from data and interactions to enhance its knowledge over time. This allows it to process more data, including unstructured sources like text, than traditional rule-based systems. Cognitive security aims to help analysts respond faster by automating some tasks and providing new insights. It also seeks to increase organizations' security by adapting quickly to emerging threats.
Don't Get Left In The Dust: How To Evolve From CISO To CIRO - Priyanka Aash
The role of the CISO is evolving to become the CIRO (Chief Information Risk Officer) to better align information security with business objectives. Drivers for this change include the growing importance of information to businesses and increased expectations from boards. To become a CIRO, one must adopt a risk-based approach, demonstrate business acumen, and have strong communication and leadership skills. The CIRO role oversees a broader set of functions beyond security to holistically manage information risk across the enterprise.
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how organizations use a cybersecurity framework to Identify, Protect and Recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
The document discusses the importance of separating the roles of information security (InfoSec) and information technology (IT) within organizations. It argues that InfoSec and IT have different priorities, with InfoSec focused on evaluating and mitigating risks, and IT focused on enabling business operations through technology. The document also suggests that the InfoSec role should be separated into three distinct roles - the technical information security officer, business information security officer, and strategic information security officer - to properly address security issues at different levels of the organization. By separating but closely aligning the InfoSec and IT roles, organizations can better protect their information assets against modern cyber threats.
The document summarizes an interview with Joyce Brocaglia, founder and CEO of Alta Associates, a boutique executive search firm specializing in information security, IT risk management, and privacy. Brocaglia discusses how the role of Chief Information Security Officer (CISO) has evolved over the past 20 years from a highly technical role focused on securing mainframe systems to a more holistic risk management role. She also outlines the industries most actively recruiting for security positions and the types of roles in highest demand, such as CISO, Chief Data Officer, and security architects.
DSS ITSEC 2013 Conference 07.11.2013 - IBM Security StrategyAndris Soroka
Presentation from one of the remarkable IT Security events in the Baltic States organized by “Data Security Solutions” (www.dss.lv ) Event took place in Riga, on 7th of November, 2013 and was visited by more than 400 participants at event place and more than 300 via online live streaming.
The document discusses how ITIL (Information Technology Infrastructure Library) principles are important for IT security management. While ITIL was not traditionally seen as related to security, the core ITIL processes like configuration management, change management, incident management and service desk management are crucial to minimizing security risks. When organizations properly implement repeatable ITIL processes, they experience fewer security incidents and better overall IT performance. Defining and adhering to IT management disciplines through an approach like ITIL can significantly improve security outcomes.
IBM Security QRadar SIEM
IBM Security QRadar SIEM is a next-generation SIEM platform that collects security data from across hybrid IT environments, analyzes it using advanced analytics and machine learning, and helps security teams detect, prioritize and respond to cyber threats.
This document provides an overview of cybersecurity domains including:
- Security architecture, network design, access control, identity management, data protection, cloud security, endpoint security, security operations, threat intelligence, governance, compliance, risk management, application security, physical security, and career development in cybersecurity.
It outlines key areas within each domain such as data leakage prevention, privileged access management, encryption, incident response, vulnerability management, laws and regulations, third-party risk, penetration testing, user education, and frameworks.
The document was created by Henry Jiang in March 2021 as a map of major cybersecurity domains and topics.
Does Anyone Remember Enterprise Security Architecture?rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
This document summarizes a white paper that evaluates claims of a global shortage of cybersecurity professionals, known as the "cyber skills gap". It discusses the origins of frequently cited estimates that there are 1 million open cybersecurity jobs worldwide. While many organizations report difficulty filling cybersecurity roles, the 1 million number originated from Cisco reports without clear sources. The document traces discussion of a cyber skills gap among US government agencies and non-profits beginning in the late 2000s. While a gap likely exists, the size and implications are worth examining given past exaggerations in the cybersecurity field.
The presentations should help security professionals create security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrighTalk
Smart Buildings, Deep Learning AI, Drones, Robotics, and IoT....What is next?
Martin Sheridan, CTO of Sheridan Solutions Consulting and his co-author, our COO Scott Taylor explore the challenges and opportunities that emerging technologies are driving across security industry.
IBM Security Products: Intelligence, Integration, ExpertiseShwetank Jayaswal
This document provides an overview of IBM's security products and services portfolio. It discusses (1) the complex threats businesses face today from hyper-connected digital environments, (2) IBM's approach to security intelligence through comprehensive internal and external monitoring, analytics and threat research, and (3) IBM's integrated portfolio of security products, consulting services and global security operations centers to help customers address challenges.
John Masiliunas has over 15 years of experience in information security and privacy consulting. He has a variety of security certifications and clearances. He has expertise in managing offshore teams, developing security architectures, assessing SAAS/cloud security, introducing new technologies, and mobile/BYOD security. He has experience architecting security solutions for many large organizations across various industries.
The document discusses cognitive security and IBM's cognitive security solutions. It begins by explaining that traditional security methods are no longer enough due to increasing technological changes. It then introduces cognitive security as a new era of security that uses techniques like machine learning and natural language processing to mimic the human brain. The document summarizes IBM's cognitive security products like IBM QRadar Security Intelligence Platform, IBM QRadar Vulnerability Manager, and IBM QRadar Risk Manager. It acknowledges challenges to adopting cognitive security but emphasizes the need to educate organizations on cognitive security capabilities.
Today, automation plays a larger role in cyber-security than ever before – for both sides, the attackers and the defenders. The escalation in volume and sophistication of attacks, constantly evolving cloud environments and transition to a remote workforce are putting additional pressure on organizations to transform Security Operations and Defense Centers.
Since the advent of automation and ML/AI technologies and their promised impact to transform incident response processes and threat hunting capabilities, what lessons have we learnt in ‘fine tuning’ process flows and automations in SecOps?
- Moving beyond the marketing hype, how is automation actually serving attackers and defenders today and what trends are happening here?
- What are the lessons learned – the good, bad and ugly – in automating security operations processes?
- Is there a right path to automation and what are the alternatives?
Kista Watson Summit final public version, by IBM Sverige
IBM Security Strategy
Speakers: Peter Holm, Sweden Country Manager Security Systems, IBM and Kaja Narum, Integrated Business Unit Leader Security, IBM
Security Operations Center behind the curtain
Speaker: Marcus Hallberg, Technical Solution Specialist, IBM Security
From Log to SIEM ... and Incident Response
Speakers: Marcus Hallberg, Technical Solution Specialist, IBM Security and Victor Grane, Technical Sales, IBM Security
IoT Security
Speaker: Torbjörn Andersson, Senior Security Consultant, IBM
The presentations were given at Watson Kista Summit 2018.
SBIC Enterprise Information Security Strategic Technologies, by EMC
This report from the Security for Business Innovation Council describes next generation technologies that support an Information-Driven Security strategy.
Ibm cognitive security_white_paper_04_2016, by Janghyuck Choi
Cognitive security uses cognitive systems to analyze large amounts of structured and unstructured security data to understand threats and provide recommendations to security analysts. It learns from data and interactions to enhance its knowledge over time. This allows it to process more data, including unstructured sources like text, than traditional rule-based systems. Cognitive security aims to help analysts respond faster by automating some tasks and providing new insights. It also seeks to increase organizations' security by adapting quickly to emerging threats.
Don't Get Left In The Dust: How To Evolve From CISO To CIRO, by Priyanka Aash
The role of the CISO is evolving to become the CIRO (Chief Information Risk Officer) to better align information security with business objectives. Drivers for this change include the growing importance of information to businesses and increased expectations from boards. To become a CIRO, one must adopt a risk-based approach, demonstrate business acumen, and have strong communication and leadership skills. The CIRO role oversees a broader set of functions beyond security to holistically manage information risk across the enterprise.
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how the organizations are using the cybersecurity framework to Identify, Protect and Recover from cyber attacks.
The document discusses the importance of separating the roles of information security (InfoSec) and information technology (IT) within organizations. It argues that InfoSec and IT have different priorities, with InfoSec focused on evaluating and mitigating risks, and IT focused on enabling business operations through technology. The document also suggests that the InfoSec role should be separated into three distinct roles - the technical information security officer, business information security officer, and strategic information security officer - to properly address security issues at different levels of the organization. By separating but closely aligning the InfoSec and IT roles, organizations can better protect their information assets against modern cyber threats.
The document summarizes an interview with Joyce Brocaglia, founder and CEO of Alta Associates, a boutique executive search firm specializing in information security, IT risk management, and privacy. Brocaglia discusses how the role of Chief Information Security Officer (CISO) has evolved over the past 20 years from a highly technical role focused on securing mainframe systems to a more holistic risk management role. She also outlines the industries most actively recruiting for security positions and the types of roles in highest demand, such as CISO, Chief Data Officer, and security architects.
Information security-integration-part-1-of-2, by wardell henley
This document discusses integrating information security into an organization's enterprise reference architecture model. It begins by defining key concepts like enterprise architecture, frameworks, and reference models. It then discusses information security architecture considerations, including baseline definitions and how information security must be embedded at all levels of the enterprise. The document aims to help readers understand how to incorporate information security principles into their enterprise reference architecture.
We are witnessing an onslaught of attacks coming in from highly organized cybercriminals. It is so bad, in fact, that the situation was recently described by U.S. Secretary of State John Kerry as “…pretty much the wild west…”.
By United Security Providers
Discussion 1: Recommend three countermeasures that could enhance.docx, by elinoraudley582231
Discussion 1
Recommend three countermeasures that could enhance the information security measures of an enterprise. Justify your recommendations.
1. Upon extensive review of the existing IT EBK and what new measures needed to be taken, Homeland Security came to the conclusion that a comprehensive approach to information security including the steps of manage, design, implement, and evaluate would best serve to safeguard against future threats. Manage: calls for the oversight of security programs to come from the highest levels of the chain of command with constant focus on “ensuring its currency with changing risk and threat” (2007, p. 9). Design: calls for analyzing a program to assess what types of “procedures and processes” will best direct its successful execution. Implement: refers to how programs and policies are instituted within the company. Evaluate: this final step calls for a final critique of the new program or policy’s successful ability to [achieve] its purpose (2007, p. 9).
2. Homeland Security also recommended a “Competency and Functional Framework for IT Workplace Development” that placed strong emphasis on a clear chain of command and communication with clear job titles and IT employee roles being placed into a group of Executive, Functional or Corollary employees (2007, p. 17).
3. The report stressed the primary role of “the IT Security Compliance Professional is . . . overseeing, evaluating, and supporting compliance issues pertinent to the organization” (Homeland Security, 2007, p.16). Thus, the report logically concluded that IT professionals must know and be able to properly define terms such as evaluation, compliance and assessment in order to properly perform their duties (p. 14).
Propose three cybersecurity benefits that could be derived from the development of a strategic governance process. Select the benefit you find most important and explain why.
The National Computing Centre points out that there are numerous benefits to having a rigorous strategic governance process in place. Among them is increased transparency and accountability, which leads to an “improved transparency of IT costs, IT process, [and] IT portfolio” (2005, p. 6). This increased transparency and accountability also leads to an “improved understanding of overall IT costs and their input to ROI cases”, which in turn often brings about “an increased return on investment/stakeholder value” (p. 6). Finally, the authors point to the fact that with increased transparency comes increased accountability, and companies avoid “unnecessary expenditures” (p. 7).
Discussion 2
Categorize the roles described by the Information Technology Security Essential Body of Knowledge (EBK), in terms of executive, functional, and corollary competencies. Select two of these roles that you believe enhance the security countermeasures of an organization the most and justify your response.
As mentioned previously, Homeland Security’s 2007 report emphasized the importance of properly .
This document proposes replacing existing security operation centers (SOCs) with modernized Cyber Intelligence Operations Centers (CIOCs) to better coordinate organizational cyber defense strategies. The CIOC would integrate intelligence cycle processes, defense-in-depth approaches, big data analytics, and control frameworks. This centralized command structure is needed to mobilize against cyber threats in a coordinated, strategic manner across both private and public sectors. The document outlines the growing cyber threat landscape and need for modernized processes to predict, prevent, detect, and respond to attacks as organizations fight an undeclared global cyber war.
Open Security and Privacy Reference Architecture, by Asim Jahan
A book teaser for the E-book and open community project "Open Security and Privacy Reference Architecture". The book provides reusable models for both information (cyber) security and privacy.
This document discusses staffing the information security function within an organization. It covers placing the security function within the organizational structure, qualifications for security positions, and key information security roles. The main security roles discussed are the Chief Information Security Officer, Security Manager, and Security Technician. The CISO manages the overall security program, the manager oversees day-to-day operations, and the technician focuses on technical implementation and troubleshooting of security controls. Qualifications for security roles can include a technical background, understanding of business operations, and strong communication and policy development skills.
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks, by Mighty Guides, Inc.
James Shank recommends that CISOs take three key steps to secure OT/ICS environments:
1) Examine network connectivity with the outside world and carefully evaluate inbound and outbound data transfers, implementing real-time monitoring.
2) Control all portable media and mobile devices that access the ICS network by implementing a strict PMD program.
3) Integrate multiple layers of defense with updated threat intelligence to better detect suspicious activity, as a single layer of defense can be easily defeated.
The chief security officer (CSO) is responsible for an organization's entire security posture, both physical and digital. Originally, the CSO title referred to the head of IT security, but it now encompasses leadership of corporate security functions like physical security, safety, and assets. There is debate around combining all security under one role, as technology integrates into physical security tools and a holistic approach could lower costs, but CSOs face challenges overcoming organizational barriers. The CSO will oversee security efforts across multiple departments and groups to identify initiatives and standards.
Fortinet: The New CISO – From Technology to Business Focused Leadership, by Mighty Guides, Inc.
The document provides advice from various CISOs on how to transition from a technology-focused to business-focused leadership role. One CISO recommends that to be effective, a CISO needs holistic business knowledge equivalent to an MBA degree. They should understand how businesses work in general and follow the money by understanding risk management and how it impacts business objectives. A CISO is a business leader who must have a seat at the table for enterprise decisions. Soft skills are also important, including clear communication and looking at issues from different perspectives gained through industry experience.
Robert Hood discusses keys to shutting down attacks on endpoints. He emphasizes the importance of (1) protecting endpoints through technologies like antivirus and anti-malware, as well as educating users on social engineering threats, and (2) using advanced endpoint security solutions that provide real-time forensics and analytics to more easily detect legitimate incidents and reduce alerts for security teams to analyze. Hood also notes that as employees work remotely on mobile devices, endpoints effectively extend network perimeters, making their protection even more critical.
This white paper discusses the challenges of hiring the right Chief Information Security Officer (CISO) and provides recommendations to improve the hiring process. It notes that the CISO role is still evolving and most executives do not fully understand the role's responsibilities. It recommends that companies clarify the CISO role by making cybersecurity a board-level priority, assessing current security strengths and weaknesses, and evaluating organizational security culture to identify needed CISO skills. Taking these steps will help companies define CISO job requirements and find candidates best suited to their specific cybersecurity needs.
The document discusses the challenges of hiring the right Chief Information Security Officer (CISO) for financial services firms. It notes that the CISO role is still evolving and there is no consensus on the required qualifications. It recommends that firms clarify the CISO role and their security needs by making cybersecurity a board-level priority, assessing their current security posture and vulnerabilities, and evaluating their security culture. Taking these steps will help firms define the right profile for their next CISO candidate.
Advisory from Professionals Preparing Information .docx, by katherncarlyle
Advisory from Professionals
Preparing Information Systems (IS) Graduates to Meet the
Challenges of Global IT Security: Some Suggestions
Jeff Sauls
IT Operations Professional
Austin, TX, USA
Naveen Gudigantala
Operations and Technology Management
University of Portland
Portland, OR 97203, USA
[email protected]
ABSTRACT
Managing IT security and assurance is a top priority for organizations. Aware of the costs associated with a security or privacy breach, organizations are constantly vigilant about protecting their data and IT systems. In addition, organizations are investing heavily in IT resources to keep up with the challenges of managing their IT security and assurance. Therefore, the IT industry relies greatly on the U.S. higher education system to produce a qualified and competent workforce to manage security challenges. This advisory discusses some security challenges faced by global companies and provides input into the design and delivery of IS curriculum to effectively meet such challenges.
Keywords: Information assurance and security, Curriculum design and development, Computer security
1. INTRODUCTION
Information security and assurance management is vital for the success of organizations. It is particularly relevant for global companies whose customers demand a high level of security for their products. Meeting such high expectations requires companies to study security best practices, continually invest in technical and human resources, and implement a secure corporate environment. The goal of this paper is to discuss some security challenges faced by global organizations and to provide suggestions to IS academics concerning security curriculum to effectively educate the next generation IT workforce to meet these challenges.
2. SECURITY CHALLENGES FACED BY GLOBAL COMPANIES
This advisory focuses on security challenges faced by global companies. For instance, security challenges faced by a multinational company operating manufacturing plants in several countries are likely to be much different than those of a company with a manufacturing plant in a single location. The goal of this section is to present some security challenges faced by global companies.
What many companies do in terms of security is driven by the needs of their customers. For instance, consider the case of a global manufacturing company that makes hardware for a smart card. Smart cards include embedded integrated circuits and customers generally provide the manufacturer with a detailed list of functional and assurance requirements for security. The manufacturer of the hardware is expected to comply with the specifications of the customer. If the company decides to manufacture in two plants in Europe and the U.S., it becomes important for the manufacturer to have uniform security standards in both plants. These security standards may include many aspects
.
Over the last few years, there has been an increase in the number of cybersecurity headlines. Cybercriminals steal customer social security numbers, steal company secrets from the cloud, and grab personal information and passwords from social media sites. Keeping information safe has become a great concern for both big and small businesses.
Similar to "The Invisible Person ... the Security Architect"
Cyber Security Command, Control, Communications, Computers Intelligence Surve..., by Bill Ross
This document discusses the concept of Cybersecurity Command, Control, Communications, Intelligence, Surveillance and Reconnaissance (CS C4ISR) and how applying military-inspired C4ISR concepts can help strengthen cybersecurity operations in the private sector and government agencies. It begins by defining the differences between cyberspace and cybersecurity, and examines how C4ISR is currently applied in the military domain versus how the key concepts of command and control, communications, computing, intelligence, surveillance and reconnaissance can be adapted for cybersecurity use. The document then analyzes each C4ISR element in detail and how private sector cybersecurity teams could implement similar functions. It argues that taking a more militarized approach to cyber
Cyber_Warfare_Escalation_to_Nuclear_Warfare_Examination, by Bill Ross
This document discusses the potential escalation of cyber warfare to nuclear warfare and analyzes failures in U.S. cybersecurity policy. It argues that cyber weapons are now part of nation-states' arsenals and that escalation models need to be defined, as cyber attacks could escalate rapidly. It critiques the NIST cybersecurity framework and notes the U.S. government's mystical understanding of cyber warfare. It examines the failure to prevent hacks like the DNC email hack and questions the vague threats of cyber retaliation against Russia, worrying this could further escalate tensions.
This document discusses the difference between the terms "cyber" and "cyber security". While many use "cyber" as a synonym for cyber security, the document argues it is more accurate to think of "cyber" as referring to cyberspace. Cyberspace refers to the man-made domain created by connecting computers, networks, and other digital infrastructure. The document provides an excerpt from the Army Cyber Command that outlines how they view cyberspace and includes operations like offensive and defensive cyberspace operations. It includes a graphic created by the author to show the interrelationship of cyberspace components, with cyber security as a supporting function rather than core to cyberspace.
Secure by design and secure software development, by Bill Ross
This secure lifecycle management process (SLCMP, pronounced "slickum") defines the basic and most realistic way to develop secure software. While the briefing is a bit dated, slide 34 is still a very relevant process. What is below the green line is the dynamic security process that happens in support of the basic development process seen above the green line. SLCMP is supported by building a complementary and excellent information risk framework system security plan, or IRASSP. SLCMP is operationally deployed.
INFOSECFORCE Risk Management Framework Transition Plan, by Bill Ross
A 7 slide briefing showing the migration from DIACAP to the Risk Management Framework. It also shows the idea of, and synchronization between, RMF and continuous monitoring. PCI should adopt this framework.
The document describes cybersecurity services offered by INFOSECFORCE LLC. It lists over 50 specific services across categories like predictive intelligence, cybersecurity frameworks, virtual/cloud security programs, secure software development, vulnerability testing, and compliance. Key services highlighted include cyber intelligence framework development, predictive intelligence analysis, big data security programs, and cybersecurity as a service. INFOSECFORCE bases its development and implementation work on the ISO 27001 plan-do-check-act cycle for information security management systems.
Software Engineering and Project Management - Introduction, Modeling Concepts..., by Prakhyath Rai
Introduction, Modeling Concepts and Class Modeling: What is Object orientation? What is OO development? OO Themes; Evidence for usefulness of OO development; OO modeling history. Modeling
as Design technique: Modeling, abstraction, The Three models. Class Modeling: Object and Class Concept, Link and associations concepts, Generalization and Inheritance, A sample class model, Navigation of class models, and UML diagrams
Building the Analysis Models: Requirement Analysis, Analysis Model Approaches, Data modeling Concepts, Object Oriented Analysis, Scenario-Based Modeling, Flow-Oriented Modeling, class Based Modeling, Creating a Behavioral Model.
An improved modulation technique suitable for a three level flying capacitor ..., by IJECEIAES
This research paper introduces an innovative modulation technique for controlling a 3-level flying capacitor multilevel inverter (FCMLI), aiming to streamline the modulation process in contrast to conventional methods. The proposed simplified modulation technique paves the way for more straightforward and efficient control of multilevel inverters, enabling their widespread adoption and integration into modern power electronic systems. Through the amalgamation of sinusoidal pulse width modulation (SPWM) with a high-frequency square wave pulse, this controlling technique attains energy equilibrium across the coupling capacitor. The modulation scheme incorporates a simplified switching pattern and a decreased count of voltage references, thereby simplifying the control algorithm.
Null Bangalore | Pentesters Approach to AWS IAM, by Divyanshu
# Abstract:
- Learn more about the real-world methods for auditing AWS IAM (Identity and Access Management) as a pentester. So let us proceed with a brief discussion of IAM as well as some typical misconfigurations and their potential exploits in order to reinforce the understanding of IAM security best practices.
- Gain actionable insights into AWS IAM policies and roles, using a hands-on approach.
# Prerequisites:
- Basic understanding of AWS services and architecture
- Familiarity with cloud security concepts
- Experience using the AWS Management Console or AWS CLI.
- For the hands-on lab, create an account on [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
# Scenario Covered:
- Basics of IAM in AWS
- Implementing IAM Policies with Least Privilege to Manage S3 Bucket
  - Objective: Create an S3 bucket with a least privilege IAM policy and validate access.
  - Steps:
    - Create S3 bucket.
    - Attach least privilege policy to IAM user.
    - Validate access.
- Exploiting IAM PassRole Misconfiguration
  - PassRole allows a user to pass a specific IAM role to an AWS service (EC2), typically used for service access delegation. The scenario then exploits a PassRole misconfiguration that grants unauthorized access to sensitive resources.
  - Objective: Demonstrate how a PassRole misconfiguration can grant unauthorized access.
  - Steps:
    - Allow user to pass IAM role to EC2.
    - Exploit misconfiguration for unauthorized access.
    - Access sensitive resources.
- Exploiting IAM AssumeRole Misconfiguration with Overly Permissive Role
  - An overly permissive IAM role configuration can lead to privilege escalation by creating a role with administrative privileges and allowing a user to assume this role.
  - Objective: Show how overly permissive IAM roles can lead to privilege escalation.
  - Steps:
    - Create role with administrative privileges.
    - Allow user to assume the role.
    - Perform administrative actions.
- Differentiation between PassRole vs AssumeRole
Try at [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
Rainfall intensity duration frequency curve statistical analysis and modeling..., by bijceesjournal
Using data from 41 years in Patna, India, the study’s goal is to analyze the trends of how often it rains on a weekly, seasonal, and annual basis (1981−2020). First, utilizing the intensity-duration-frequency (IDF) curve and the relationship found by statistically analyzing rainfall, the historical rainfall data set for Patna, India, during a 41 year period (1981−2020), was evaluated for its quality. Changes in the hydrologic cycle as a result of increased greenhouse gas emissions are expected to induce variations in the intensity, length, and frequency of precipitation events. One strategy to lessen vulnerability is to quantify probable changes and adapt to them. Techniques such as log-normal, normal, and Gumbel (EV-I) are used. Distributions were created with durations of 1, 2, 3, 6, and 24 h and return times of 2, 5, 10, 25, and 100 years. There were also mathematical correlations discovered between rainfall and recurrence interval.
Findings: Based on findings, the Gumbel approach produced the highest intensity values, whereas the other approaches produced values that were close to each other. The data indicates that 461.9 mm of rain fell during the monsoon season’s 301st week. However, it was found that the 29th week had the greatest average rainfall, 92.6 mm. With 952.6 mm on average, the monsoon season saw the highest rainfall. Calculations revealed that the yearly rainfall averaged 1171.1 mm. Using Weibull’s method, the study was subsequently expanded to examine rainfall distribution at different recurrence intervals of 2, 5, 10, and 25 years. Rainfall and recurrence interval mathematical correlations were also developed. Further regression analysis revealed that short wave irrigation, wind direction, wind speed, pressure, relative humidity, and temperature all had a substantial influence on rainfall.
Originality and value: The results of the rainfall IDF curves can provide useful information to policymakers in making appropriate decisions in managing and minimizing floods in the study area.
Embedded machine learning-based road conditions and driving behavior monitoring, by IJECEIAES
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
Introduction- e - waste – definition - sources of e-waste– hazardous substances in e-waste - effects of e-waste on environment and human health- need for e-waste management– e-waste handling rules - waste minimization techniques for managing e-waste – recycling of e-waste - disposal treatment methods of e- waste – mechanism of extraction of precious metal from leaching solution-global Scenario of E-waste – E-waste in India- case studies.
Comparative analysis between traditional aquaponics and reconstructed aquapon..., by bijceesjournal
The aquaponic system of planting is a method that does not require soil usage. It is a method that only needs water, fish, lava rocks (a substitute for soil), and plants. Aquaponic systems are sustainable and environmentally friendly. Its use not only helps to plant in small spaces but also helps reduce artificial chemical use and minimizes excess water use, as aquaponics consumes 90% less water than soil-based gardening. The study applied a descriptive and experimental design to assess and compare conventional and reconstructed aquaponic methods for reproducing tomatoes. The researchers created an observation checklist to determine the significant factors of the study. The study aims to determine the significant difference between traditional aquaponics and reconstructed aquaponics systems propagating tomatoes in terms of height, weight, girth, and number of fruits. The reconstructed aquaponics system’s higher growth yield results in a much more nourished crop than the traditional aquaponics system. It is superior in its number of fruits, height, weight, and girth measurement. Moreover, the reconstructed aquaponics system is proven to eliminate all the hindrances present in the traditional aquaponics system, which are overcrowding of fish, algae growth, pest problems, contaminated water, and dead fish.
Comparative analysis between traditional aquaponics and reconstructed aquapon...
" The Invisible Person ... the Security Architect "
1. DRAFT ………………. by Bill Ross
Title:
“ The Invisible Person …. the Security Architect “
A paper by INFOSECFORCE
804-855-4988
infosecforce@yahoo.com
The Invisible Person …. The Security Architect 10 August 2012
An open letter and personal thoughts on Security Architecture to all the great security
professionals who devote so much energy to our mission to predict, prevent, detect, and
respond. Since this original letter was composed, I have received 436 global requests for
same. 10/1/2013
We are in a CYBER War, and corporations and governments are being clobbered by an invisible enemy that, at times, seems to own numerous private networks. Information Security Teams across the globe are fighting the good fight, winning and losing battles along the way. Every year thousands of articles and conferences across the globe address the tactics and procedures for meeting this challenge, and when one reads the literature and attends the meetings, one sees that the most fundamental and most often missing piece in orchestrating and defining the arsenal of each institution that manages data is a cohesive, risk-based methodology that defines solutions to the sometimes chaotic response to threats. That methodology is a systematically and strategically planned, tactically executed security architecture, thoughtfully and professionally managed by a dedicated and multi-talented Information Security Professional with business savvy, technical acumen, threat awareness, and a dose of the Ninja instinct.
Until industry and organizations “embrace it”, they will flounder in defining the roles, responsibilities and implementation of a cohesive and hardened environment that beats cyber crooks and miscreants. This is the environment we face and where this paper begins.
There are numerous and conflicting concepts of the roles and responsibilities of a Security
Architect within industry and government. This short and quick paper is designed to examine
the definitions of Information Security Architecture (ISA) and what the role of a Security
Architect is. These two questions seem harder to define as the separation between Security
Architecture and Infrastructure Architecture begins to dissolve. Thank you for reading this as it
is an issue I often struggle with.
I have designed this paper to examine the various interpretations of what an Information
Security Architect is, the essence of Information Security Architecture, and suggested best
models and references for Security Architecture modeling. I also offer a suggested Security
Architecture framework for aligning business requirements to the security solution, optimizing
technology to protect data, and creating a strategic, operational, and tactical defense in depth
layering approach that will ensure that the classic Information Security Community (ISC) tenets
of confidentiality, integrity, and availability are designed, implemented and monitored within the
layered ISA solution. ISA is as much an art form as it is a VISIO diagram of trust zones and
firewall placement.
The ISC does not have a consistent and recognized approach to defining what an Information Security Architecture is, and as such, the ISC does not seem to have recognized standards for what an Information Security Architecture (ISA) should accomplish in advancing the financial or business success of an organization, let alone in defeating cyber criminals. Given the lack of an ISA standard, the Security Architect sometimes struggles in his role to adequately protect an organization’s vital information assets, because what he thinks he should do is not what the company thinks it hired him for.
While great writers and thinkers have published a plethora of ISA frameworks and white papers
discussing what an ISA is, there does not seem to be one unifying agreement of what an ISA
should address and on how to define and implement an ISA. As such, when a government or
private sector organization is trying to hire an Information Security Architect, they publish wide
ranging and variable job descriptions that cover almost every aspect of Information Security
roles and responsibilities. These Security Architect job descriptions could include requirements
for anything from an actual Security Architect, to a highly sophisticated and brilliant security
engineer, to the Chief Information Security Officer, or to simply being a Firewall or Security
System Administrator who some organizations think can also create an ISA. In other words, will the real Information Security Architect please step out of the shadows and reveal himself or herself, so we all know who and what we are?
It is actually rare that, when an organization advertises a Security Architect position, the advertisement really reflects what it needs the “Security Architect” to do to create and implement the organization’s ISA. For example, as we shall see in the sample job descriptions below, the Security Architect job description often does not align with the end-to-end strategic, operational, and tactical benefits that an Information Security Architect can contribute to the success of an organization.
Here is my suggested ISA Job Description
An information security architect should have at least 10 years’ experience in information security and, at some point in his or her career, should have had hands-on technical experience in anything from help desk support to being a UNIX or database administrator. This person should have extensive knowledge of security platforms, should have managed acquisition efforts, and should understand identity and access management, cyber warfare, and governance as it is translated from security standards and policies into an operational technical environment aligned with the core business processes, whether those of financial institutions like JP Morgan or e-commerce giants like Amazon or Best Buy. This person should have served on the front lines of cyber battles such as NIMDA, LUZ or APT. Optimally, the person is ITIL certified, has an EE degree, is a visionary, and understands that security supports business objectives. Ultimately, the Security Architect is a perfect blend of a highly skilled security engineer, a governance and policy expert, an enterprise architect, and a business-savvy professional with a Ninja spirit.
Background
It has been my experience that generally an Information Security Architect role is confused with a superior “top gun” level four information security engineer. Within the last 13 years, I have built Security Architecture strategies, hired Security Architects and mentored them to become fully trained and empowered Security Architect professionals. As examples of my experiences, I was chosen by the Air Force during Desert Storm to combine two war fighting commands’ intelligence architectures. I led the team to baseline the global IT Architecture for a global Army logistics command, and I appointed the first Information Security Architect for the Federal Reserve Information Technology (FRIT) organization. Also, I was one of the principals in hiring the Security Architect for the Virginia Information Technology Agency-Northrop Grumman Partnership. Additionally, I was selected to become the Director of Security Architecture for AXA Technology, which is the IT support function for AXA, one of the world’s largest insurance firms. Even though I was hired as the Security Architect, my real job description should have been Director of Information Security, and developing the ISA was just one of my numerous responsibilities. Lastly, I was hired in my current job as the Security Architect for United Guaranty Corporation.
So, considering my prior experiences from a hands-on Security Architecture perspective, and the fact that in the past several months I have reviewed numerous Security Architect position job descriptions from a host of excellent organizations, it has been my experience that these fine organizations were really looking for the above-referenced “top gun” security engineer and not the person who can comprehensively build the business-based, requirements-driven and risk-managed solution for the overall security architecture requirement. I can understand their deep engineering requirements, even to the point of needing a fully qualified Security Electrical Engineer (EE), but being an EE is not the same thing as developing an ISA as defined above.
Please see the following job descriptions as a recent sample of corporate Security Architect position job board advertisements. The first one sounds like a great job, but as one reads the job description, it is very specific about the technologies the candidate must have knowledge of. My observation for this job description is that while a candidate could have knowledge of these technologies, there is no indication of the much needed requirement of how the person should integrate the technologies into a cohesive layered security program providing a comprehensive defense-in-depth strategy, one that ensures the mentioned security tools work synergistically and cohesively in a defense-in-depth layered configuration. Nor is there any indication that the person should have business savvy and the ability to develop and link business requirements to the Security Architecture and the overall success of the organization. The job description does not discuss integrating the overall Security Architecture with the organization’s Enterprise Architecture planning. The job sounds more like a CISO position. Interestingly though, this is one of the better Security Architecture job descriptions I have seen on the job boards. Note what is in red, as this is where I think it starts to diverge from being a security architect. Now, in addition to being a Security Architect, the company wants the person to be the threat manager.
Security Architect job description from a recognized job board.
“ Specifically, this resource will lead and set architecture strategy for security in close
partnership with the Global Information Security and Global Infrastructure organizations.
Functional responsibilities include but are not limited to the following:
Ability to build and maintain constructive working relationships with a diverse community (in
and outside of technology); ability to effectively communicate (both written and verbal) with
and influence both technical and non-technical audiences.
Providing architectural and technical guidance to support information system and
infrastructure design, improvements, and planning.
Assessing current and planned information systems, identifying Security Architecture issues,
and designing solutions for gaps.
Review, assess, and mitigate penetration tests and vulnerability assessments on information
systems and infrastructure.
Participating in infrastructure projects to develop, plan, and implement specifications for
network and distributed system security technologies in support of key information systems.
Preparing and presenting information on infrastructure plans, progress, and resolution of
security gaps to leadership.
The ideal candidate should have 5-8 years of experience with the following:
Bachelor's Degree required. Master's in Information Security (or related field) is a plus.
Identity and Access Management (e.g., LDAP, Sun Access Manager, MS Active Directory,
Sun Identity Manager, Tivoli Access Manager, and Unix Account Centralization tools such as
Power Broker and other PAM-based tools)
Remote Access Authorization and Authentication (RADIUS, SecurID, IPSEC and SSL VPN)
Operating System Security Configurations (Windows, Unix (HPUX and AIX), and Linux)
Operating System and Application Vulnerability and Patch Analysis, Vulnerability Scanning
and Penetration Testing Tools (Tripwire, Foundstone, etc)
Web Proxies and URL/Content Filtering (e.g., products from WebWasher, and the ICAP
protocols)
Secure File Transfers (e.g., Sterling, Forum Systems, Ipswitch, sftp, ftps, https, and ftp with
PGP)
Wireless Security (e.g., 802.1x, Cisco and Aruba Wireless)
Encryption and Key Management (whole disk, file-level, network, database, PGP, MS
Certificate Services, and backup tapes)
Incident Response and Forensic Analysis Support
Application and Web Layer Security (e.g., Web 2.0, SOAP, SOA, Secure Messaging)
Code Security Analysis (manual and leveraging automated scanning tools)
Risk Assessments, methodologies, and compensating controls
Endpoint Protection (e.g., Anti-Virus, Personal Firewall, and Application Executable Control
from vendors such as Symantec and McAfee)
Network and Host-based Intrusion Detection and Prevention (e.g. external monitoring
integration as well as Cisco Mars)
Firewalls, Routers, and Load-Balancers
Data Loss Prevention (for databases/storage, the network, and endpoints e.g. Symantec
Vontu)
Email Filtering (e.g., Anti-virus, Anti-Spam, Content Filtering)
Log Monitoring (e.g., Windows, Unix, Linux, Networking, and Applications leveraging tools
such as Kiwi, Snare, Arcsight, and LogLogic)
Audit and Regulatory Issues (e.g., SOX)
Normal duties include, but are not limited to: Security Architecture analysis and design;
network, desktop, server, and application security risk analysis; recommendations of
procedural and technological compensating controls; project management; policy and
procedure development; incident management; and forensic analysis.
Solid organizational, interpersonal and communication skills and the ability to thrive in a fast-paced,
deadline-oriented environment are a must. Job will AT LEAST include hands on
experience in the technologies and products listed above. “
Security Architect description two
I included this Security Architect definition as a contrast to the above job description. I extracted
this Information Security Architect Description from the “Wise Geek” site. It is not nearly as
technical as the above job description and it sounds much more like a security manager than a
Security Architect.
“ A Security Architect is a computing professional who focuses on maintaining security in a
computer system. Security Architects work in a variety of settings, securing corporate networks,
government computer systems, and websites, and they are part of an overall information
technology staff which is designed to keep a computer system relevant, current, and useful. To
work as a Security Architect, it is usually necessary to have a bachelor's degree in computer
science or computer engineering, along with specific training and certification in Security
Architecture.
There are a number of aspects to a Security Architect's job. He or she must first review the
system, gaining an understanding of how the system is used, who is using it, and where the
weak points in the system may be located. The Security Architect thinks about how to improve
an outdated system after reviewing it, or makes recommendations to toughen security on a
relatively new system. These recommendations can include hardware and software upgrades
as well as new protocols for the system's users.
Security Architects set policies and enforce them, regularly checking for compliance. These
policies can range from never leaving a workstation unattended while someone is logged into
the computer system to always using an encryption protocol to collect sensitive information from
customers over the Internet. The Security Architect wants basic security measures in place at all
times and wants people to observe the protocols he or she establishes, and the system also has
countermeasures in place which can become active when someone attempts to breach the
system.
A good Security Architect is able to think like an attacker. He or she can look at a system and
not only see conventional weak points, but potential areas which someone thinking outside the
box can exploit. He or she also knows that the work of developing a good Security Architecture
is never finished, because security needs are constantly evolving and changing, and it is
necessary to be highly adaptable, and to avoid getting attached to particular approaches.
Every computer system and website has unique security needs which must be addressed.
While some software suites provide basic security, for large or sensitive systems, it is necessary
to hire a Security Architect to protect the system. As a member of the permanent staff of an
organization, the Security Architect keeps the organization strong by keeping up with changes
and trends in the security and computing fields. “
SOURCE: http://www.wisegeek.com/what-is-a-security-architect.htm#discussions
What is an Architecture, what is a Security Architecture and what is a Security
Architecture framework ….
Classical Architecture Definition
Given that the ISC has integrated the concept of “architecture” into its lexicon, let’s examine one
of many definitions for what “architecture” means. We will reference this in relationship to an
ISA.
“ Architecture (Latin architectura, from the Greek ἀρχιτέκτων – arkhitekton, from ἀρχι- "chief"
and τέκτων "builder, carpenter, mason") is both the process and product
of planning, designing and construction. Architectural works, in the material form of buildings,
are often perceived as cultural symbols and as works of art. Historical civilizations are often
identified with their surviving architectural achievements.
"Architecture" can mean:
A general term to describe buildings and other physical structures.
The art and science of designing and erecting buildings and other physical structures.
The style and method of design and construction of buildings and other physical structures.
The practice of the architect, where architecture means the offering or rendering of
professional services in connection with the design and construction of buildings, or built
environments.
The design activity of the architect, from the macro-level (urban design, landscape
architecture) to the micro-level (construction details and furniture).
The term "architecture" has been adopted to describe the activity of designing any kind of
system, and is commonly used in describing information technology.
In relation to buildings, architecture has to do with the planning, designing and constructing
form, space and ambience that reflect functional, technical, social, environmental, and aesthetic
considerations. It requires the creative manipulation and coordination of material, technology,
light and shadow. Architecture also encompasses the pragmatic aspects of realizing buildings
and structures, including scheduling, cost estimating and construction administration. As
documentation produced by architects, typically drawings, plans and technical specifications,
architecture defines the structure and/or behavior of a building or any other kind of system that
is to be or has been constructed. “
SOURCE: http://en.wikipedia.org/wiki/Architecture
I think the lesson to take from the above classical architecture definitions is that architecture (security architecture) is a comprehensive, macro-to-micro art form and science, a “building” process that includes detailed planning, designing and then construction. Using example one above, it is not just having a stack of building materials, numerous parts and pieces; it is the art and science of designing a comprehensive solution that enables all the pieces to smoothly integrate into a cohesive whole of information security protection.
Information Security Architect descriptions
I have listed two similar and complementary definitions of what an ISA is. These were created by experts with far greater insight than I have. Interestingly, while the definitions are similar and describe the essence of end-to-end Security Architecture development, it is rare that job descriptions for organizational Information Security Architects align with these descriptions. The first concept is excellent but rarely used in corporate hiring requirements. May I suggest that we embrace these ideas in the ISC.
Description 1 (very good by the way)
Enterprise Information Security Architecture
“ Enterprise information Security Architecture (EISA) is the practice of applying a
comprehensive and rigorous method for describing a current and/or future structure and
behavior for an organization's security processes, information security systems, personnel and
organizational sub-units, so that they align with the organization's core goals and strategic
direction. Although often associated strictly with information security technology, it relates more
broadly to the security practice of business optimization in that it addresses business Security
Architecture, performance management and security process architecture as well.
Enterprise information Security Architecture is becoming a common practice within the financial
institutions around the globe. The primary purpose of creating an enterprise information Security
Architecture is to ensure that business strategy and IT security are aligned. As such, enterprise
information Security Architecture allows traceability from the business strategy down to the
underlying technology. “ (my underlines).
Methodology
The practice of Enterprise Information Security Architecture involves developing an architecture
security framework to describe a series of "current", "intermediate" and "target" reference
architectures and applying them to align programs of change. These frameworks detail the
organizations, roles, entities and relationships that exist or should exist to perform a set of
business processes. This framework will provide a rigorous taxonomy and ontology that clearly
identifies what processes a business performs and detailed information about how those
processes are executed and secured. The end product is a set of artifacts that describe in
varying degrees of detail exactly what and how a business operates and what security controls
are required. These artifacts are often graphical.
Given these descriptions, whose levels of detail will vary according to affordability and other
practical considerations, decision makers are provided the means to make informed decisions
about where to invest resources, where to realign organizational goals and processes, and what
policies and procedures will support core missions or business functions.
A strong enterprise information Security Architecture process helps to answer basic questions
like:
What is the information security risk posture of the organization?
Is the current architecture supporting and adding value to the security of the organization?
How might a Security Architecture be modified so that it adds more value to the
organization?
Based on what we know about what the organization wants to accomplish in the future, will
the current Security Architecture support or hinder that?
Implementing Enterprise Information Security Architecture generally starts with documenting the
organization's strategy and other necessary details such as where and how it operates. The
process then cascades down to documenting discrete core competencies, business processes,
and how the organization interacts with itself and with external parties such as customers,
suppliers, and government entities.
Having documented the organization's strategy and structure, the architecture process then
flows down into the discrete information technology components such as:
Organization charts, activities, and process flows of how the IT Organization operates
Organization cycles, periods and timing
Suppliers of technology hardware, software, and services
Applications and software inventories and diagrams
Interfaces between applications - that is: events, messages and data flows
Intranet, Extranet, Internet, eCommerce, EDI links with parties within and outside of the
organization
Data classifications, databases and supporting data models
Hardware, platforms, hosting: servers, network components and security devices and where
they are kept
Local and wide area networks, Internet connectivity diagrams
Wherever possible, all of the above should be related explicitly to the organization's
strategy, goals, and operations. The Enterprise Information Security Architecture will document
the current state of the technical security components listed above, as well as an ideal-world
desired future state (Reference Architecture) and finally a "Target" future state which is the
result of engineering tradeoffs and compromises vs. the ideal. Essentially the result is a nested
and interrelated set of models, usually managed and maintained with specialized
software available on the market. “
SOURCE: http://en.wikipedia.org/wiki/Enterprise_information_security_architecture
ISA Description two
“ Security Architecture and Design: architecture and design of security services that
enable business risk exposure targets to be met. The policies, standards and risk
management decisions drive the Security Architecture and the design of the security
processes and ‘defense in depth’ stack.
Security Architecture: unifying framework and reusable services that implement policy,
standards and risk management decisions. The Security Architecture is a strategic
framework that allows the development and operations staff to align efforts; in addition,
the Security Architecture can drive platform improvements which are not possible to make
at a project level. A given software development project may not be able to make a
business case to purchase an XML Security Gateway for improved web services security,
but at the architecture level, architects can potentially identify several projects that could
leverage such a reusable service. In this instance the Security Architecture delivers
improved XML/ Web services security, a simplified programming model for developers,
and saves development costs, because the wheel is not reinvented multiple times.
Risk management, security policy and standards, and Security Architecture govern the
security processes and defense in depth architecture through design guidance, runtime
support, and assurance services. Security metrics are used for decision support for risk
management, security policy and standards, and Security Architecture. The security
architecture should have a reference implementation for developers and other IT staff to
review what functions the security mechanisms perform, and how they do it. “
SOURCE: Gunnar Peterson’s excellent article, “ Security Architecture Blueprint “, 2006
http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf
Implementing the above examples
Interestingly, GARTNER, almost six years ago, in its 2006 White Paper “Incorporating Security Into the Enterprise Architecture (EA) Process”, proposed a possible basic process to fulfill the objectives of the above two ISA descriptions. Interestingly, GARTNER’s outline does not seem to have gained the traction it should have in the ISC. While GARTNER’s outline provides a basically good outline for incorporating security into the EA process, I would probably expand it to include items like technical engineering skills, risk-based ISA decisions, secure development life cycle management, return on investment, metrics, operational tracking, software updating, security road maps (N-1 plan) and roles and responsibilities.
Gartner Outline for “Incorporating Security Into the Enterprise Architecture (EA) Process”
1.0 The Rationale for Incorporating Security With the EA Process Model
2.0 Security and the EA Process Model in Relation to EA Frameworks
3.0 Environmental Trends
4.0 Business Strategy
5.0 Organize Architecture Effort
6.0 Security in the Future-State Architecture
o 6.1 Develop Requirements
o 6.2 Develop Principles
o 6.3 Develop Models
7.0 Current-State Architecture — Documenting
8.0 Closing the Gap
9.0 Governing and Managing
o 9.1 Governing EA Artifact Creation
o 9.2 Governing EA Compliance and Project/Procurement Management
o 9.3 Managing
SOURCE: http://www.gartner.com/DisplayDocument?ref=g_search&id=488575
Here is the problem with Industry Interpretations of a Security Architect
As we have seen above, there are various interpretations of what a Security Architect is, and companies struggle with defining what they want from the ISA. We have also seen excellent comprehensive descriptions of what a security architect is. Ultimately, based on Security Architect job descriptions as seen on job boards, or on knowing Security Architects that are already on the job, it seems that the ISC and/or government and private sector organizations advertise about five different interpretations of what a Security Architect is and what they need from the Security Architect to meet their data and enterprise security goals. I believe the Security Architect types seen in items 3 and 4 below will provide the best ISA support to their parent organization and will fulfill the goals of a Security Architect as described above in “description one”.
1. Extremely technical in one or two security technologies such as firewalls or intrusion detection devices. This person gets hired, it seems, on the assumption that a high degree of expertise in two areas must mean expertise in all areas. The problem here is that the organization did not really understand what its Security Architect requirements and expected definitions of success were for the Security Architect position. This Security Architect type will provide limited overall input to an organization’s strategic ISA plan.
2. Extremely technical in all aspects of security but cannot connect the architecture to business requirements and the overall strategy. The person is more a highly talented senior security engineer than an architect. The person can make things fit and work within the context of what the technology is supposed to do, but might not have considered the overall synergistic effects of the technology and its defense-in-depth aspects. A good example of this is a person who can install a HIDS or even a firewall but did not design a strategy for how these systems could operationally and tactically integrate as part of the intrusion detection framework.
3. Extremely technical engineer and strategist who also has a holistic view of the business objectives and the requirements definition process. This is the perfect Security Architect.
4. Highly technical and can combine all aspects of risk management and business requirements into a cohesive strategy and technical plan. This person can easily work with the person in number 2 to develop the ISA and deploy and manage an end-to-end Security Architecture. This is probably the most likely person a company can find when it wants to have someone in charge of the organization’s ISA.
5. Some companies actually call the security director or security manager the architect because
they, in essence, are architecting the entire management, governance, and technical solution
for the enterprise. This is what I did at AXA but I ultimately was not a dedicated security
architect focused on all things seen in the two above architect descriptions.
Building an Information Security Architecture Framework
If the Security Architect wants to properly manage their program in accordance with the ISA
descriptions above, as defined in Wikipedia or by Gunnar Peterson, the Security Architect needs to
define an end-to-end framework that sets the context and game plan the Security
Architect should use to protect the organization’s vital information assets.
Given how many sources there are in circulation on how to create an ISA focused on layered
security and a defense-in-depth strategy, the fundamental guidance I can provide is: keep your
framework very simple, but implement it in a sophisticated way based on risk, threats,
vulnerabilities, regulatory issues and business requirements. I like three fundamental sources
for building an ISA framework and the models needed to develop an outstanding ISA. The
secret sauce in using these three models together is to create an integrated ISA
Framework that combines the three systems and is tailored to your organization’s mission or business
product line. Simply put, use your framework to plan, build, test, deploy and operate your
security services within your supporting infrastructure, providing the best layered security
program possible to protect your vital information assets. Here is my ISA trifecta.
1. While the Sherwood Applied Business Security Architecture (SABSA) is not highly technical,
SABSA provides excellent models for defining requirements against ISA plans. Please write to me
and I will send you my highly detailed SABSA spreadsheet, which defines risk management
planning and the appropriate ISA road map.
http://www.sabsa.org/
2. Open Security Architecture (OSA) is an elegant technical meta-model process that brilliantly
complements the requirements defined in SABSA. Develop and use the meta-models as your
current-state and planning libraries.
http://www.opensecurityarchitecture.org/cms/index.php
3. The Open Group Architecture Framework (TOGAF) is an excellent document, effectively a
master’s thesis on how to build technical architectures. I strongly recommend reading its
introduction and the entire chapter 21, which is dedicated to ISA.
http://pubs.opengroup.org/architecture/togaf9-doc/arch/
Conclusion
We are at war. A Security Architect can define strategies to defeat the aggressors. The ISC
needs to standardize its doctrine and strategy to define the ISC view of what an ISA is;
once that is defined, it will be easier to define what a Security Architect is and should do
to protect vital business data assets. Not only will this protect your data and business, you will
also implement solutions that make optimal use of your investment. Organizations need to hire the right
people for ISA jobs and stop confusing Senior Security Engineers with the roles and
responsibilities of an Information Security Architect. While the roles are complementary in nature, they
are different. Smart Security Architects should always include brilliant security and
infrastructure engineers in developing their business’ holistic and comprehensive ISA.
I am confident that if an organization uses the simple framework I described above, its
Security Architect will create an outstanding ISA and ISA road map.
Other Great References
See below
http://www.everyspec.com/DoD/DOD-General/download.php?spec=DISA_TAFIM_VOL4.007538.pdf
http://www.sans.org/reading_room/whitepapers/policyissues/approach-enterprise-security-architecture_504
http://en.wikipedia.org/wiki/DODAF
https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/architecture/10-BSI.html
https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/architecture/10-BSI.pdf
http://www.arctecgroup.net/pdf/ArctecSecurityArchitectureBlueprint.pdf
http://www.webopedia.com/TERM/S/security_architecture.html
http://en.wikipedia.org/wiki/Computer_security
http://www.wisegeek.com/what-is-a-security-architect.htm#discussions
http://en.wikipedia.org/wiki/Enterprise_information_security_architecture