The presentations should help security professionals create security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrighTalk
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
Using NIST cybersecurity framework, one of the largest healthcare IT firms in the US developed the global security architecture and roadmap addressing security gaps by architecture domain and common security capability. This session will discuss the architecture framework, capability matrix, the architecture development methodology and key deliverables.
(Source : RSA Conference USA 2017)
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and there experience in using it with real world clients.
The presentations should help security professionals create security architecture that supports business objectives, covers all areas of security technology, and allows for effective measurement of security value.
The presentation was given at BrighTalk
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
Cyber Security is one of the major challenges facing organisations within all industries. This presentation will examine the integration of an Enterprise Architecture approach with an Enterprise Security Architecture approach (TOGAF and SABSA) and propose a generic framework.
Download this presentation at http://opengroup.co.za/presentations
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
Using NIST cybersecurity framework, one of the largest healthcare IT firms in the US developed the global security architecture and roadmap addressing security gaps by architecture domain and common security capability. This session will discuss the architecture framework, capability matrix, the architecture development methodology and key deliverables.
(Source : RSA Conference USA 2017)
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and there experience in using it with real world clients.
Enterprise Architecture
Enterprise Architectural Methodologies
A Brief History of Enterprise Architecture
Zachman Framework
Business Attributes
Features & Advantages
SABSA Lifecycle
SABSA Development Process
SMP Maturity Levels
Enterprise Security Architecture was initially targeted to address two problems
1- System complexity
2- Inadequate business alignment
Resulting into More Cost, Less Value
Information Security between Best Practices and ISO StandardsPECB
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr.Gohar has more than 10 years of experience in ISM/ITSM Training and Consultation. He is one of the expert reviewers of CISA RM 26th edition (2016), ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
To protect your organization from cyber attacks, you need to implement a robust information security management system (ISMS) and business continuity management system (BCMS) based on international standards, such as ISO/IEC 27001 and ISO 22301.
Amongst others, the webinar covers:
• Why we need a cyber response plan to protect business operations
• Introduction to ISO/IEC 27001 and ISO 22301
• What do we need for a cyber security response plan?
• How do we develop a cyber security response plan?
Presenters:
Nick Frost
Nick Frost is Co-founder and Lead Consultant at CRMG.
Nick’s career in cyber security spanning nearly 20 years. Most recently Nick has held leadership roles at PwC as Group Head of Information Risk and at the Information Security Forum (ISF) as Principal Consultant.
In particular Nick was Group Head of Information Risk for PwC designing and implementing best practice solutions that made good business sense, that prioritise key risks to the organisation and helped minimise disruption to ongoing operations. Whilst at the ISF Nick led their information risk projects and delivered many of the consultancy engagements to help organisations implement leading thinking in information risk management.
Nicks combined experience as a cyber risk researcher and practitioner designing and implementing risk based solutions places him as a leading cyber risk expert. Prior to cyber security and after graduating from UCNW and Oxford Brookes Nick was a geophysicst in the Oil and Gas Industry.
Simon Lacey
Simon is a resourceful, creative Information & Cyber Security professional with a proven track record of instigating change, disrupting the status quo, influencing stakeholders and developing ‘big picture’ vision across business populations. Multiple industry experience; excels in building stakeholder engagement & consensus; and suporting organisations to make sustainable change.
Simon also has considerable experience of risk management, education and awareness, strategy development and consulting to senior management and is a confident and engaging public speaker.
Simon has previously worked within the NHS, Bank of England and BUPA, before setting out as an independent consultan forming Oliver Lacey Limited, supporting clients in multiple business sectors.
When not working, Simon loves to run – currently training for the Berlin Marathon, a Director of Aylesbury United Football Club, records vlogs and is an experienced standup comic.
Date: April 26, 2023
Find out more about ISO training and certification services
Training: https://bit.ly/3AyoyYF
https://bit.ly/3LbBVTx
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
YouTube video: https://youtu.be/i4qx5mjEqio
We will explore why the current industry approach to security is failing us. We will then discuss how building security as an architecture can raise the security level for any organization. An architectural approach is required to take security to the next level and defend against modern threats. We will discuss how you can use Cisco solutions to build a true security architecture.
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects, Australia
The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach of addressing non-normative flaws through systems and applications to a risk-driven and business outcome-focused methodology of enabling a business strategy.
Following this trend, we defined fundamental characteristics of effective security architecture. 1) Capabilities are primary assets at risk, while information systems and technology components are secondary assets at risk supporting the primary assets. 2) Security requirements include the business aspects and not only the technology aspects of confidentiality, integrity and availability. 3) IT risk management is business-opportunity-driven. It requires understanding of risk appetite across business, information systems and technology architecture to manage security risks of vulnerabilities and compliance issues, which may arise at any layer of enterprise architecture in a business-outcome-focused way. 4) Security services are aligned to business drivers, goals and objectives, and managed in a risk-driven way.
Yet, there is no single security architecture development methodology to deliver these characteristics. We believe that existing information security standards and frameworks in a combination with the TOGAF are sufficient to meet the aforementioned fundamental characteristics of effective security architecture. However the challenge is in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITILv3 Security Service Management, ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method and Content Meta-model as the key integrators. It is a pragmatic security architecture framework which establishes a common language between IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of long-term security needs of both business and IT, with a risk-driven enterprise as a final outcome.
We will present a case study of the implementation of the aforementioned business-outcome-focused and risk-driven Enterprise Security Architecture Framework at the University of New South Wales.
Key takeaways:
-- Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with the TOGAF
-> Security strategic planning
-> Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations
-> Business-opportunity driven management of security risk of threats, vulnerabilities and compliance issues across business, information systems and technology architecture
A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
A practical example of using the SABSA extended Security-in-depth layer strategy. A little bit of insight into why and how I extended the original and how to use it to create Information Security Standards that have sound architecture behind them.
The strategic importance of Information Security for organisations is gaining momentum. The current surge in cyber threats is compelling organisations to invest in information security to protect their assets. Rushing to protect assets often comes with the expense of excessive technology adoption without a valid strategic foundation. Enterprise Security Architecture is geared to address these issues, but is frequently misaligned with Enterprise Architecture. In this presentation we explore avenues for the adoption and enforcement of Security-By-Design in the Enterprise Architecture value-chain so as position Risk, Security and IT as true business enablers.
HD version: http://1drv.ms/1eR5OQf
This is my publication on how the integration of the TOGAF Enterprise Architecture framework, the SABSA Enterprise Security Architecture framework, and Information Governance discipline add up to a robust and successful Information Security Management Program.
Does Anyone Remember Enterprise Security Architecture?rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to them. Every network is vulnerable to some form of attack. However it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice will be joined by Partner, Michael Hoffner and they will lead a discussion on a Cybersecurity Risk Management Program including what it is and how it can prepare your organization for the future.
In this lightning talk we will explore one approach to getting multi-stakeholder agreement on Enterprise Architecture decisions focused on a defence in depth security model. Corporate enterprise technology environments can be large and complicated. And when it comes to making changes to the internet facing security environment both rigorousness and resistance to change increase. These increased challenges can be overcome with good project / process management, solid end-to-end architecture, and a comprehensive decision making template. In a nutshell, this talk explores the enterprise architecture decision.
Main points covered:
- the case for adopting a model -driven approach: the drivers & benefits of integrating security into EA models;
- the techniques / design patterns for expressing security within ArchiMate's notational & grammar constraints;
- a short demonstration of how these models can be used in practice
Presenter:
Steven is an independent consultant with 25+ years in IT. Based in Brussels, where he has undertaken major assignments for clients in the public sector, agencies, finance, telecoms and utilities and also lends his support to local cyber-security initiatives. Much of his work in recent years has been in the field of developing tools, processes and models to support security analysis.
Steven holds numerous security, architecture and privacy certifications including SABSA Chartered Practitioner and ArchiMate 3.0.
Date: August 28, 2019
Recorded webinar: https://www.youtube.com/watch?v=Bt1xRZQ5T58&t=3s
What is a secure enterprise architecture roadmap?Ulf Mattsson
Webcast title : What is a Secure Enterprise Architecture Roadmap?
Description : This session will cover the following topics:
* What is a Secure Enterprise Architecture roadmap (SEA)?
* Are there different Roadmaps for different industries?
* How does compliance fit in with a SEA?
* Does blockchain, GDPR, Cloud, and IoT conflict with compliance regulations complicating your SEA?
* How will quantum computing impact SEA roadmap?
Presenters : Juanita Koilpillai, Bob Flores, Mark Rasch, Ulf Mattsson, David Morris
Duration : 68 min
Date & Time : Sep 20 2018 8:00 am
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webinar/what-is-a-secure-enterprise-architecture-roadmap
Digital Transformation And Solution ArchitectureAlan McSweeney
Digital strategy is a statement about the organisation’s digital positioning, competitors and customer and collaborator needs and behaviour to achieve a direction for innovation, communication, transaction and promotion. Digital strategy needs to be defined in the same framework structure as the proposed digital architecture platform.
Achieving the target digital organisation means deploying solutions that enable the digital architecture. Solution architecture needs to design solutions that fit into the target digital architecture framework. This requires:
• Solution architecture team operating in an integrated manner designing solutions to a set of common standards and that run on the platform
• Solution architecture team leadership ensuring solutions conform to the common standards
• Solution architecture technical leadership to develop and maintain common solution design standards
• Solution architecture updates the digital reference architecture based on solution design experience
Digital solution design requires greater discipline to create an integrated set solutions that operate within the rigour of the digital architecture framework. The solution architecture function must interact with other IT architecture disciplines to ensure the set of solutions that implement the digital framework operate together. This requires greater solution architecture team leadership. This needs to be supplemented and supported by a well-defined set of digital solution design standards.
This follows-on from the previous presentation: Digital Transformation And Enterprise Architecture
https://www.slideshare.net/alanmcsweeney/digital-transformation-and-enterprise-architecture.
Presentation for March 2017 webcast by NIST.
www.nist.gov/cyberframework
Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It provides a brief history about why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers potential benefits of Framework, and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and future direction of the Framework program.
Enterprise Security Architecture: From access to auditBob Rhubart
Paul Andres' presentation from OTN Architect Day in Pasadena, July 9, 2009.
Find an OTN Architect Day event near you: http://www.oracle.com/technology/architect/archday.html
Interact with Architect Day presenters and participants on Oracle Mix: https://mix.oracle.com/groups/15511
Enterprise Architecture
Enterprise Architectural Methodologies
A Brief History of Enterprise Architecture
Zachman Framework
Business Attributes
Features & Advantages
SABSA Lifecycle
SABSA Development Process
SMP Maturity Levels
Enterprise Security Architecture was initially targeted to address two problems
1- System complexity
2- Inadequate business alignment
Resulting into More Cost, Less Value
Information Security between Best Practices and ISO StandardsPECB
Main points covered:
• Information Security best practices (ESA, COBIT, ITIL, Resilia)
• NIST security publications (NIST 800-53)
• ISO standards for information security (ISO 20000 and ISO 27000 series)
- Information Security Management in ISO 20000
- ISO 27001, ISO 27002 and ISO 27005
• What is best for me: Information Security Best Practices or ISO standards?
Presenter:
This webinar was presented by Mohamed Gohar. Mr.Gohar has more than 10 years of experience in ISM/ITSM Training and Consultation. He is one of the expert reviewers of CISA RM 26th edition (2016), ISM Senior Trainer/Consultant at EGYBYTE.
Link of the recorded session published on YouTube: https://youtu.be/eKYR2BG_MYU
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
To protect your organization from cyber attacks, you need to implement a robust information security management system (ISMS) and business continuity management system (BCMS) based on international standards, such as ISO/IEC 27001 and ISO 22301.
Amongst others, the webinar covers:
• Why we need a cyber response plan to protect business operations
• Introduction to ISO/IEC 27001 and ISO 22301
• What do we need for a cyber security response plan?
• How do we develop a cyber security response plan?
Presenters:
Nick Frost
Nick Frost is Co-founder and Lead Consultant at CRMG.
Nick’s career in cyber security spanning nearly 20 years. Most recently Nick has held leadership roles at PwC as Group Head of Information Risk and at the Information Security Forum (ISF) as Principal Consultant.
In particular Nick was Group Head of Information Risk for PwC designing and implementing best practice solutions that made good business sense, that prioritise key risks to the organisation and helped minimise disruption to ongoing operations. Whilst at the ISF Nick led their information risk projects and delivered many of the consultancy engagements to help organisations implement leading thinking in information risk management.
Nicks combined experience as a cyber risk researcher and practitioner designing and implementing risk based solutions places him as a leading cyber risk expert. Prior to cyber security and after graduating from UCNW and Oxford Brookes Nick was a geophysicst in the Oil and Gas Industry.
Simon Lacey
Simon is a resourceful, creative Information & Cyber Security professional with a proven track record of instigating change, disrupting the status quo, influencing stakeholders and developing ‘big picture’ vision across business populations. Multiple industry experience; excels in building stakeholder engagement & consensus; and suporting organisations to make sustainable change.
Simon also has considerable experience of risk management, education and awareness, strategy development and consulting to senior management and is a confident and engaging public speaker.
Simon has previously worked within the NHS, Bank of England and BUPA, before setting out as an independent consultan forming Oliver Lacey Limited, supporting clients in multiple business sectors.
When not working, Simon loves to run – currently training for the Berlin Marathon, a Director of Aylesbury United Football Club, records vlogs and is an experienced standup comic.
Date: April 26, 2023
Find out more about ISO training and certification services
Training: https://bit.ly/3AyoyYF
https://bit.ly/3LbBVTx
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
YouTube video: https://youtu.be/i4qx5mjEqio
We will explore why the current industry approach to security is failing us. We will then discuss how building security as an architecture can raise the security level for any organization. An architectural approach is required to take security to the next level and defend against modern threats. We will discuss how you can use Cisco solutions to build a true security architecture.
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
Ana Kukec, Lead Enterprise Security Consultant, Enterprise Architects, Australia
The Open Group Architecture Forum and Security Forum agree that the coverage of security in TOGAF should be updated and improved. The understanding and focus of security architecture has moved from a threat-driven approach of addressing non-normative flaws through systems and applications to a risk-driven and business outcome-focused methodology of enabling a business strategy.
Following this trend, we defined fundamental characteristics of effective security architecture. 1) Capabilities are primary assets at risk, while information systems and technology components are secondary assets at risk supporting the primary assets. 2) Security requirements include the business aspects and not only the technology aspects of confidentiality, integrity and availability. 3) IT risk management is business-opportunity-driven. It requires understanding of risk appetite across business, information systems and technology architecture to manage security risks of vulnerabilities and compliance issues, which may arise at any layer of enterprise architecture in a business-outcome-focused way. 4) Security services are aligned to business drivers, goals and objectives, and managed in a risk-driven way.
Yet, there is no single security architecture development methodology to deliver these characteristics. We believe that existing information security standards and frameworks in a combination with the TOGAF are sufficient to meet the aforementioned fundamental characteristics of effective security architecture. However the challenge is in their integration. Our Enterprise Security Architecture Framework integrates key industry standards and best practices for information security and risk management, such as COBIT 5 for Information Security, ITILv3 Security Service Management, ISO/IEC 27000 and ISO/IEC 31000 families of standards, using the TOGAF Architecture Development Method and Content Meta-model as the key integrators. It is a pragmatic security architecture framework which establishes a common language between IT, security, risk and business organisations within an enterprise and ensures effective and efficient support of long-term security needs of both business and IT, with a risk-driven enterprise as a final outcome.
We will present a case study of the implementation of the aforementioned business-outcome-focused and risk-driven Enterprise Security Architecture Framework at the University of New South Wales.
Key takeaways:
-- Overview of a risk-driven and business-outcome-focused security architecture methodology seamlessly integrated with the TOGAF
-> Security strategic planning
-> Enterprise-wide compliance, internal (policies and standards) and external (laws and regulations
-> Business-opportunity driven management of security risk of threats, vulnerabilities and compliance issues across business, information systems and technology architecture
A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
A practical example of using the SABSA extended Security-in-depth layer strategy. A little bit of insight into why and how I extended the original and how to use it to create Information Security Standards that have sound architecture behind them.
The strategic importance of Information Security for organisations is gaining momentum. The current surge in cyber threats is compelling organisations to invest in information security to protect their assets. Rushing to protect assets often comes with the expense of excessive technology adoption without a valid strategic foundation. Enterprise Security Architecture is geared to address these issues, but is frequently misaligned with Enterprise Architecture. In this presentation we explore avenues for the adoption and enforcement of Security-By-Design in the Enterprise Architecture value-chain so as position Risk, Security and IT as true business enablers.
HD version: http://1drv.ms/1eR5OQf
This is my publication on how the integration of the TOGAF Enterprise Architecture framework, the SABSA Enterprise Security Architecture framework, and Information Governance discipline add up to a robust and successful Information Security Management Program.
Does Anyone Remember Enterprise Security Architecture?rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the numbers from the past several years’ worth of breach data indicates that most organizations continue to approach security on a project by project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
In today’s business environment, organizations have a responsibility to their employees, clients, and customers to ensure the confidentiality, integrity and availability of the critical data that is entrusted to them. Every network is vulnerable to some form of attack. However it is not enough to simply confirm that a technical vulnerability exists and implement countermeasures; it is critical to repeatedly verify that the countermeasures are in place and working properly throughout the secured network. During this webinar, David Hammarberg, Principal, IT Director, and leader of McKonly & Asbury’s Cybersecurity Practice will be joined by Partner, Michael Hoffner and they will lead a discussion on a Cybersecurity Risk Management Program including what it is and how it can prepare your organization for the future.
In this lightning talk we will explore one approach to getting multi-stakeholder agreement on Enterprise Architecture decisions focused on a defence in depth security model. Corporate enterprise technology environments can be large and complicated. And when it comes to making changes to the internet facing security environment both rigorousness and resistance to change increase. These increased challenges can be overcome with good project / process management, solid end-to-end architecture, and a comprehensive decision making template. In a nutshell, this talk explores the enterprise architecture decision.
Main points covered:
- the case for adopting a model -driven approach: the drivers & benefits of integrating security into EA models;
- the techniques / design patterns for expressing security within ArchiMate's notational & grammar constraints;
- a short demonstration of how these models can be used in practice
Presenter:
Steven is an independent consultant with 25+ years in IT. Based in Brussels, where he has undertaken major assignments for clients in the public sector, agencies, finance, telecoms and utilities and also lends his support to local cyber-security initiatives. Much of his work in recent years has been in the field of developing tools, processes and models to support security analysis.
Steven holds numerous security, architecture and privacy certifications including SABSA Chartered Practitioner and ArchiMate 3.0.
Date: August 28, 2019
Recorded webinar: https://www.youtube.com/watch?v=Bt1xRZQ5T58&t=3s
What is a secure enterprise architecture roadmap?Ulf Mattsson
Webcast title : What is a Secure Enterprise Architecture Roadmap?
Description : This session will cover the following topics:
* What is a Secure Enterprise Architecture roadmap (SEA)?
* Are there different Roadmaps for different industries?
* How does compliance fit in with a SEA?
* Does blockchain, GDPR, Cloud, and IoT conflict with compliance regulations complicating your SEA?
* How will quantum computing impact SEA roadmap?
Presenters : Juanita Koilpillai, Bob Flores, Mark Rasch, Ulf Mattsson, David Morris
Duration : 68 min
Date & Time : Sep 20 2018 8:00 am
Timezone : United States - New York
Webcast URL : https://www.brighttalk.com/webinar/what-is-a-secure-enterprise-architecture-roadmap
Digital Transformation And Solution ArchitectureAlan McSweeney
Digital strategy is a statement about the organisation’s digital positioning, competitors and customer and collaborator needs and behaviour to achieve a direction for innovation, communication, transaction and promotion. Digital strategy needs to be defined in the same framework structure as the proposed digital architecture platform.
Achieving the target digital organisation means deploying solutions that enable the digital architecture. Solution architecture needs to design solutions that fit into the target digital architecture framework. This requires:
• Solution architecture team operating in an integrated manner designing solutions to a set of common standards and that run on the platform
• Solution architecture team leadership ensuring solutions conform to the common standards
• Solution architecture technical leadership to develop and maintain common solution design standards
• Solution architecture updates the digital reference architecture based on solution design experience
Digital solution design requires greater discipline to create an integrated set solutions that operate within the rigour of the digital architecture framework. The solution architecture function must interact with other IT architecture disciplines to ensure the set of solutions that implement the digital framework operate together. This requires greater solution architecture team leadership. This needs to be supplemented and supported by a well-defined set of digital solution design standards.
This follows-on from the previous presentation: Digital Transformation And Enterprise Architecture
https://www.slideshare.net/alanmcsweeney/digital-transformation-and-enterprise-architecture.
Presentation for March 2017 webcast by NIST.
www.nist.gov/cyberframework
Webcast video: https://www.nist.gov/news-events/events/2017/03/cybersecurity-framework-virtual-events
This presentation introduces the audience to the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). It provides a brief history about why and how the Framework was developed, and an understanding of each of the three primary Framework components (the Core, Implementation Tiers, and Profiles). It covers potential benefits of Framework, and how the Framework can be used. It highlights industry resources, progress in Roadmap areas, and future direction of the Framework program.
Enterprise Security Architecture: From access to auditBob Rhubart
Paul Andres' presentation from OTN Architect Day in Pasadena, July 9, 2009.
Find an OTN Architect Day event near you: http://www.oracle.com/technology/architect/archday.html
Interact with Architect Day presenters and participants on Oracle Mix: https://mix.oracle.com/groups/15511
Industrial Control System Cyber Security and the Employment of Industrial Fir...Schneider Electric
This presentation provides an overview of industrial control systems and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the risks.
CYBERSECURITY - Best Practices,Concepts & Case Study (Mindmap)WAJAHAT IQBAL
This post contains detailed Mindmap related to Complex subject of Cyber security and address critical components summarized as below:
- Cyber Security standards
- SOC (Security Operation Center)
- Cybersecurity Lifecycle
- Hacker Kill Chain
- Malware (Types,Protection Mechanism)
- Cyber Architecture
- CSC (Critical Security Standards)
- Incident Management
- Network Perimeter best security practices
- Final Case Study
I hope the Technical post is appreciated and liked by Security Consultants and Subject Matter experts on Cybersecurity.Your criticals Inputs are appreciated.Thank you
- Wajahat Iqbal
(Wajahat_Iqbal@Yahoo.com)
This post shows the complex NIST Cybersecurity Framework as a Mindmap.It captures the critical components of the NIST Cybersecurity framework which is becoming a defacto standard.
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
"Like any information security processes, there should be an adequate and"
"reasonable level of assurance for cyber security, which completes the security perspective when combined with governance and management processes. Cyber security assurance requires a comprehensive set of controls that covers risk as well as management processes."
"These controls are supported by appropriate metrics and indicators for"
"security goals and factual security risk. This session will share the cybesecurity self assessment program in carrying out an audit or self- assessment review on cyber security controls and practices in a typical organisation. This assurance program will leverage on COBIT 5 framework"
"and COBIT 5 for Information Security as a baseline."
RedLegg's unique approach to Security Program Development is based on a solid Risk Management Foundation. The Risk Management approach considers the business needs while navigating the complexities of legal, regulatory and security requirements.
A portion of an internal training session at EBSL Technologies Int\'l
Principles of IT Operations, to include ISO 27001, COBIL ,ITIL,IT Security, IT Frameworks.
Presentation from AWS Worldwide Public Sector team's conference Building and Securing Applications in the Cloud (http://aws.amazon.com/campaigns/building-securing-applications-cloud/).
Achieving Effective IT Security with Continuous ISO 27001 ComplianceTripwire
The Tripwire Enterprise solution provides organizations with powerful configuration control through its configuration assessment and change auditing capabilities. In this white paper, learn how with Tripwire Enterprise, organizations can quickly achieve IT configuration integrity by proactively assessing how their current configurations measure up to specifications as given in ISO 27001. This provides immediate visibility into the state of their systems, and through automating the process, saves time and effort over a manual efforts.
White Paper here: http://www.tripwire.com/register/effective-security-with-a-continuous-approach-to-iso-27001-compliance/
NERC Critical Infrastructure Protection (CIP) and Security for Field DevicesSchneider Electric
The North American Electric Reliability Corporation (NERC) maintains a set of Critical Infrastructure Protection (CIP) guidelines that address a broad range of critical cyber asset and cyber security issues. These guidelines describe the security-focused procedures that, in combination with compliant technology, enable secure electric grid operations. The CIP guidelines do not specify the technologies that must be deployed. Instead, they describe the technology design necessary to build an information management architecture that complies with security goals.
These goals include the minimizing of administrative authorization needed for operational functions. Rights and privileges are to be assigned to a functional role, not a named individual. Audit trails of field data device and substation activity, similar to control room auditability, must be maintained to assure comprehensive confidence in data and controls.
The six CIP guidelines summarized in the paper speak to the procedures and policies that are vital to critical cyber asset security – personnel authorizations; personnel training; security of the information management system’s electronic perimeter; security of the information management system’s physical assets; operational security; and incident reporting and response planning.
The utility builds its CIP-compliant program with defined procedures addressing these guidelines, coupled with the hardware and software that enable full implementation of these procedures. Training of all personnel is necessary for effective and efficient compliance.
Open Digital Architecture (ODA) is a blueprint for modular, cloud-based, open digital platforms that can be orchestrated using AI.
Designed to support our industry into the cloud native era, ODA sets the framework required
for CSPs to invest in IT, transforming business agility and operations by creating simpler IT and network solutions that are easier and cheaper to deploy, integrate and upgrade. Enabling growth, profitability and a cutting-edge customer experience.
A simple Small to Medium Enterprise Cybersecurity approach with minimal cost for Enterprise `security Architecture implementation with technologies proposed
2. Security architecture has its own methods. These methods
might be the basis for a discreet security methodology.
Security architecture composes its own discrete view and
viewpoints.
Security architecture addresses non-normative flows through
systems and among applications.
Security architecture introduces its own normative flows
through systems and among applications.
Security architecture introduces unique, single-purpose
components in the design.
Security architecture calls for its own unique set of skill
requirements in the IT architect.
4. 1. Business Rules
5. Data
Classification 2. Security Policy
Policy
Artefacts
3.
4. Risk Analysis Data/Information
Ownership
5.
6. Security Security
Policy Standard
Enterprise Requirements Management Process
New Security Requirements arise from many sources:
2 3
1
A new IT
architecture
A new threat initiative
A new statutory realized or discovers new
or regulatory experienced stakeholders
mandate and/or new
requirements
7.
8. •A written Security Policy for the organisation must be in
place
Objective
•ISO/IEC 17799:2005 a basis for the security policy
•Architecture constraints established in the security policy
Security must be communicated
Assessment
•Dependent upon the functionality of the system and the
data collected or maintained.
Regulatory •The jurisdiction where the system or service is deployed
Requirements
11. •Obtain management support for security measures
Management
Support
•Define necessary security-related management sign-off milestones
Milestones
of this architecture development cycle
•Determine and document applicable disaster recovery or business
DR and BCM
continuity plans/requirements
•Identify and document the anticipated physical/business/regulatory
Environment
environment(s) in which the system(s) will be deployed
•Determine and document the criticality of the system: safety-
Criticality
critical/mission-critical/noncritical
13. Output
2 3 4
1
Business
Physical Regulatory Security Policy
Security
Security Environment Cover Letter
Environment
Environment Statement Signed
Statement
Statement
6 7
5
List of Disaster
Architecture Recovery and System Critical
Development Business Statement
Checkpoints for Continuity Plans
Sign-off
14.
15. • Determine who are the legitimate actors who will
Legitimate
Actors
interact with the product/ser vice/process
• Assess and baseline current security-specific business
Baseline processes (enhancement of existing objective)
• Determine whom/how much it is acceptable to
Security
Measures
inconvenience in utilizing security measures
• Identify and document interconnecting systems beyond
Interconnecting
Systems
project control
• Determine the assets at risk if something goes wrong —
Assets at Risk ‘‘What are we trying to protect?’’
16. • Determine the cost (both qualitative and
Cost quantitative) of asset loss/impact in failure cases
Asset
• Identify and document the ownership of assets
Ownership
• Determine and document appropriate security
Forensic
Process
forensic processes
• Identify the criticality of the availability and correct
Criticality operation of the overall service
• Reassess and confirm Architecture Vision decisions
Re-assess
17. Business and
regulatory security
Applicable disaster
environment
recovery and
statements
business continuity
plans
applicable security
policies and regulations
Input
18. Output
2 3 4
1
New disaster Validated
recovery and business and Validated
Forensic business regulatory security policies
Processes continuity environment and regulations
requirements statements
6 7 8
5
Baseline
Interconnecting
Target security security security actors
Systems
processes processes
9 10 11 12
List of trust
security
Asset list with paths and
tolerance for Threat analysis
values and Availability
each class of matrix
owners impact
security actor
statement(s)
19.
20. •Assess and baseline current security-specific architecture elements (enhancement of existing
objective)
Baseline Architecture
Elements
•Identify safe default actions and failure states
•Safe default actions and failure modes must be defined for the system informed by the current
Default Actions and state, business environment, applicable policies, and regulatory obligations.
Failure States
•Identify and evaluate applicable recognized guidelines and standards
Guidelines and
Standards
•Revisit assumptions regarding interconnecting systems beyond project control
•In light of the risk assessments performed, assumptions regarding interconnecting systems may
Revisit Interconnecting
Systems
•require modification
•Determine and document the sensitivity or classification level of information stored/created/used
•Identify and document custody of assets
Classification Level •Identify the criticality of the availability and correct operation of each function
21. • Determine the relationship of the system under design with existing business
disaster/continuity plans
• Identify what aspects of the system must be configurable to reflect changes in
DR and BCM policy/business environment/access control
• Identify lifespan of information used as defined by business needs and
regulatory requirements
Lifespan • Determine approaches to address identified risks
• Identify actions/events that warrant logging for later review or triggering
forensic processes
• Identify and document requirements for rigor in proving accuracy of logged
Logs events (non-repudiation)
• Identify potential/likely avenues of attack
• Thinking like an adversar y will prepare the architect for creation of a robust
system that resists malicious tampering and, providentially, malfunction
Attacks arising from random error
22. Forensic Business
Risk Analysis Processes Policies and
Threat Analysis
Guidelines
Matrix
DR and BCM
Interconnecting
Requirements Systems
Security Input
23. Security Output
2 3 4
1
List of
Risk
Event log-level Data Life Cycle configurable
Management
matrix and Definitions system
Strategy
requirements elements
6 7 8
5
Security use-
New or
case models,
Baseline list of augmented Validated
List of
security-related security-related interconnected
applicable
elements of the elements of the system list
security
system system
standards
9 10 11 12
Information
Revised disaster
classification Function
recovery and Refined threat
report, List of criticality
business analysis matrix
asset statement
continuity plans
custodians
24.
25. •Assess and baseline current security-specific technologies (enhancement of existing objective)
•Revisit assumptions regarding interconnecting systems beyond project control
Baseline •Identify and evaluate applicable recognized guidelines and standards
Technologies
•Identify methods to regulate consumption of resources
•Engineer a method by which the efficacy of security measures will be measured and
communicated on an ongoing basis
Measures •Identify minimal privileges required for any entity to achieve a technical or business objective
•Identify minimal privileges required for any entity to achieve a technical or business objective
Privileges
•Identify the trust (clearance) level of:
•All users of the system
•All administrators of the system
Trust •All interconnecting systems beyond project control
26. Applicable Security
Standards and
Security-related Actors and Risk
elements and Management
interconnected Strategy
systems
Validated Security
Policies, Regulatory and
Trust Requirements
Security Input
27. Security Output
2 3 4
1
Validated Selected Resource
Baseline list of interconnected security conservation
security systems list standards list plan
technologies
6 7 8
5
User Risk User trust
Security metrics authorization management (clearance)
and monitoring policies plan requirements
plan
28.
29. •Identify existing security services available for re-use
•Statutory or regulator y requirements may call for physical separation of domains
Security which may eliminate the ability to re-use existing infrastructure
Services
•Engineer mitigation measures addressing identified risks
•Mitigation measures must be designed, implemented, deployed, and/or operated.
Mitigation
•Evaluate tested and re-usable security software and security system resources
Evaluate
•Identify new code/resources/assets that are appropriate for re-use
•It is appropriate to evaluate those new solutions for inclusion into any existing
Re-Use libraries, archives, or other repositories for future re-use.
30.
31. •Assess the impact of new security measures upon other new
Impact components or existing leveraged systems
Assessment
•Implement assurance methods by which the efficacy of security
measures will be measured and communicated on an ongoing basis
Assurance
Methods
•Identify correct secure installation parameters, initial conditions, and
configurations
Installation
•Implement disaster recover y and business continuity plans or
modifications
Modifications
32.
33. •Establish architecture artifact, design, and code reviews and
define acceptance criteria for the successful implementation of
Review the findings
•Implement methods and procedures to review evidence
produced by the system that reflects operational stability and
adherence to security policies
Evidence
•Implement necessary training to ensure correct deployment,
configuration, and operations of security-relevant subsystems
and components; ensure awareness training of all users and
Training non-privileged operators of the system and/or its components
34.
35. • Change is driven by new requirements. Changes in
security requirements are often more disruptive than
Requirements a simplification or incremental change.
• Changes in security policy can be driven by statute,
regulation, or something that has gone wrong
Statutes and
Regulations
• Changes in security standards are usually less
disruptive since the trade-off for their adoption is
based on the value of the change. However, standards
Standards changes can also be mandated
36. TOGAF Version 9, The Open Group
Architecture Framework (TOGAF), 2009