A method for business impact analysis of technical risks is presented that combines the disciplines of technical risk analysis and Enterprise Architecture. The method is supported by software tooling to (semi-)automatically import the results of a penetration test into an Enterprise Architecture model, and to analyze and visualize the business impact of these technical risks. This both enhances the value of penetration testing and increases the return on investment of the Enterprise Architecture effort.
Delivering value. Enterprise architecture MUST deliver business value, and do it now. Companies understand the need for architecture in general, but what are the specific benefits? Architecture processes are sometimes perceived as slow and bureaucratic. Architects are often insufficiently connected to strategic investment decisions on the one hand, and to realization processes on the other. Architects have difficulty expressing their added value.
Solution Architecture and Solution Complexity, by Alan McSweeney
This is an extract from the book An Introduction to Solution Architecture (https://www.amazon.com/dp/1797567616) that discusses the topic of solution complexity.
The solution architect cannot design a solution in isolation without being aware of the implications of its subsequent delivery. Inherent unnecessary complexity must be avoided. The solution architect does not control the wider environment in which the solution will be delivered, and that environment may be a source of additional complexity. But the solution architect can try to influence this by indicating where solution delivery problems may arise due to complexity, so that mitigation actions can be taken. The complexity factors can be used to assess and select solution options. The goal is, as always, no surprises.
Business Architecture as an Approach to Connect Strategy & Projects, by Enterprise Architects
Helen Palmer @helenmpal hosted interactive sessions at the October 2015 IIBA professional development days in Melbourne and Brisbane.
The presentation titled "Business Architecture as an Approach to Connect Strategy & Projects" covers a high level introduction to the discipline of Business Architecture and the platform it provides for effectively executing Business Strategy. Helen provided insights into how Business Architecture is positioned within the wider context of Enterprise Architecture and how the value it delivers can improve greatly with an increase in the mandate from the business. The presentation also gives an overview of some of the key artifacts and models used in defining a Business Architecture.
Enterprise Architects offers IIBA members an exclusive discount on our (IIBA endorsed) Applied Business Architecture: 4 Day Course
http://enterprisearchitects.com/courses/business-architecture/applied-business-architecture/
You can reach out to one of our learning services consultants at training@enterprisearchitects.com to find out more.
Chapter 04 of ICT Project Management based on IOE Engineering syllabus. This Chapter contains advantages of project management, characteristics of project life cycles, product life cycles and project life cycles, role and responsibilities of key product members and more. Provided By Project Management Sir of KU.
This presentation explores three important questions:
1. How does disciplined agile software development work?
2. How does agile analysis work?
3. How do business analysts fit on agile teams?
Versions of this presentation have been given several times at conferences internationally.
An updated version of this presentation is available at http://www.slideshare.net/ScottWAmbler/disciplined-agile-business-analysis-58401041
Understand the What, Why, and How of Agile Project and Delivery Management from your desk in 5 weeks with 5 sessions.
Join the LIVE ICAgile (ICP-APM) global program.
This program will help you to enhance your skills to lead delivery & applying Agile and Lean concepts in Project, Product, and No Project delivery modes.
Trainer: Saket Bansal
Sessions Starting From 7th September 2020.
In March 2014, the Project Management Institute (PMI) introduced a new certification called the PMI Professional in Business Analysis (PMI-PBA). The business analyst field has had two certifications up until this point: the Certified Business Analysis Professional™ (CBAP®) and the Certification of Competency in Business Analysis™ (CCBA®), both administered by the International Institute of Business Analysis (IIBA).
This webinar details the differences between the CBAP, CCBA, and PMI-PBA certifications, explains why a PMI-PBA certification makes sense, and defines what you need to do to become certified.
In this Business Analysis training session, you will learn about basics of Business Analysis. Topics covered in this session are:
• Introduction to Business Analysis
• What is a Project?
• Business Process – What and Why?
• Who is a Project Manager?
• Who is a Business Analyst?
• What is Business Analysis and why is it important?
• Roles, Responsibilities and necessary Skills for a Business Analyst
• Introduction to SDLC
• Requirement Analysis
• Design Phase
• Development Phase
• Testing Phase
• Release & Maintenance
• Current Trends in BA
For more information, click here: https://www.mindsmapped.com/courses/business-analysis/become-a-business-analyst-with-hands-on-practice/
Stopping Analysis Paralysis And Decision Avoidance In Business Analysis And S..., by Alan McSweeney
Analysis paralysis and decision avoidance occur all too frequently and commonly in the business and solution analysis and design process. It wastes time and money. Analysis paralysis occurs when you cannot escape the analysis stage – you are always looking for more information and for perfection. Decision avoidance and evasion occurs when there is a decision making request/response loop as there are seemingly endless requests for more information – there are always requests for more details, additional options and more clarifications.
There are two possible loops:
1. Analysis Loop – where analysis never finishes. Analysis and design do not want to let go – always looking for perfection and wanting to retain ownership.
2. Decision/Analysis Loop – where decision making is deferred because of requests for more analysis. Fear of decision-making is masked by endless requests for more information and options.
You cannot avoid analysis, but do not perform analysis in isolation without a business and solution context.
The Conceptual Solution Architecture framework focuses on the core functional and system components of the solution. This enables effective decision-making on the available options, implementation time-frames, implementation approaches and likely budget requirements.
Effective analysis and solution design minimise the Solution Space while maximising the size of Requirements Space encompassed within it.
You need to measure the progress of analysis and design and decision making to identify when progress is stalling.
The IT function needs to be a lens concentrating solution need onto solution options. It needs to successfully mediate between the business as the originator of a solution need and the solution provider, either internal or external or both. The IT function needs to be good at moving from analysis and option identification to an implementation decision quickly and effectively.
You need a systematic, structured and measurable approach to decision making. Decision making that follows a systematic approach is more productive and results in better decisions.
In this Business Analysis training session, you will learn about Enterprise Analysis. Topics covered in this session are:
• Enterprise Analysis
• What is Enterprise Analysis
• Why Enterprise Analysis
• Different Architectures
• Enterprise Analysis Activities
• Techniques Used to Define a Business Need
• Techniques Used to assess Capability Gaps
• Techniques Used to Determine Solution Approach
• Techniques Used to Define Solution Scope
• Techniques Used to Define a Business Case
• SWOT Analysis
• GAP Analysis
• Feasibility Study
• Root Cause Analysis
For more information, click here: https://www.mindsmapped.com/courses/business-analysis/become-a-business-analyst-with-hands-on-practice/
ESOFT Metro Campus - Diploma in Software Engineering - (Module VII) Introduction to Project Management
(Template - Virtusa Corporate)
Contents:
What is a Project?
History of the Project Management
Attributes of a Project
What is Project Management?
Why Project Management Important?
The Triple Constraints of a Project
Project Stakeholders
Performing Organizational Structures
Project Management Life Cycle
Project Management Processes
Nine Knowledge Areas
Integration Management
Scope Management
Time Management
Cost Management
Quality Management
Human Resource Management
Communication Management
Risk Management
Procurement Management
Agile software development is a group of software development methods in which requirements and solutions evolve through collaboration between self-organizing, cross-functional teams. It promotes adaptive planning, evolutionary development, early delivery, continuous improvement, and encourages rapid and flexible response to change.
The Agile development model is also a type of Incremental model. Software is developed in incremental, rapid cycles. This results in small incremental releases with each release building on previous functionality. Each release is thoroughly tested to ensure software quality is maintained. It is used for time critical applications.
My talk in the technical meeting "Global Burden of Diseases and Scientific Computation in Health". 25-26 September 2015. FIOCRUZ, Rio de Janeiro, Brazil
Data visualizations make huge amounts of data more accessible and understandable. Data visualization, or "data viz," is becoming largely important as the amount of data generated is increasing and big data tools are helping to create meaning behind all of that data.
This SlideShare presentation takes you through more details around data visualization and includes examples of some great data visualization pieces.
Implementing Enterprise Risk Management with ISO 31000:2009, by Goutama Bachtiar
These presentation slides are intended for the training-workshop lead as well as the participants.
Developed based on ISO 31000:2009 – Principles and Guidelines on Implementation, ISO/IEC 31010:2009 – Risk Assessment Techniques, ISO Guide 73:2009 – Vocabulary.
The strategic importance of Information Security for organisations is gaining momentum. The current surge in cyber threats is compelling organisations to invest in information security to protect their assets. Rushing to protect assets often comes at the expense of excessive technology adoption without a valid strategic foundation. Enterprise Security Architecture is geared to address these issues, but is frequently misaligned with Enterprise Architecture. In this presentation we explore avenues for the adoption and enforcement of Security-By-Design in the Enterprise Architecture value chain, so as to position Risk, Security and IT as true business enablers.
Does Anyone Remember Enterprise Security Architecture?, by rbrockway
The concept of Enterprise Security Architecture (ESA) is not new (Gartner 2006), yet the past several years' worth of breach data indicate that most organizations continue to approach security on a project-by-project basis or from a compliance perspective. This talk will refresh the ESA concept and communicate tangible and realistic steps any organization can take to align their security processes, architecture and management to their business strategies, reduce business risks and significantly improve their overarching security posture.
Enterprise Architecture - An Introduction from the Real World Daljit Banger
The attached slides were presented at a BCS EA SIG organised event hosted by Deloitte in Edinburgh on the 24th April 2017.
Slide 7 is not rendered as I wish to protect the IP, however will publish soon
A Brief Introduction to Enterprise Architecture Daljit Banger
Presentation to Metropolitan University (London) on the 16th Feb 2017.
The purpose of the session was to introduce core basic concepts around Enterprise Architecture and discuss the role of the Enterprise Architect .
Advanced Analytics to Attain Risk Insights and Reduce Threat, by Tripwire
Enterprises today are dealing with “it’s not a matter of if you will be breached but a matter of when.” Executives are taking an increased interest in their organization’s security posture and the impact on business goals and objectives—their job depends on it. Because of this, there is a need to quickly detect, prioritize and remediate information technology risks.
This presentation highlights how security professionals can leverage security controls and analytics to gain more visibility and business context, in order to protect sensitive data from breaches, vulnerabilities and threats.
Supporting material for my Webinar to the ACS - June 2017, by Daljit Banger
The attached slide deck was used to Support a webinar for the Australian Computer Society (Queensland) on June 1st 2017.
Some previously used slides with modified content and some additional slides to support the webinar theme
Full Webinar Video can be seen at https://youtu.be/_41-izCm5rw
Enterprise Architecture - An Introduction Daljit Banger
The slides are from my session at "An Evening of Enterprise Architecture Awareness" held at the University of Sussex, hosted by the BCS Local Chapter and facilitated by the BCS EA Specialist Group.
Neupart webinar 1: Four shortcuts to better risk assessments, by Lars Neupart
At this webinar, you will learn how to perform risk assessments and risk analysis based on the most commonly used standards for information security. You will learn about
● Business Impact Assessments
● Vulnerability Assessments
● Threat Catalogues
● Risk Reporting
● Carrying out a risk assessment project
● Responsible shortcuts to better risk assessments
Language: English
For a full list of Neupart's webinars and other events visit www.neupart.com/events
Link to Youtube video: https://youtu.be/OJMqMWnxlT8
You can contact me at abhimanyu.bhogwan@gmail.com
My LinkedIn profile: https://www.linkedin.com/in/abhimanyu-bhogwan-cissp-ctprp-98978437/
Threat Modeling(system+ enterprise)
What is Threat Modeling?
Why do we need Threat Modeling?
6 Most Common Threat Modeling Misconceptions
Threat Modelling Overview
6 important components of a DevSecOps approach
DevSecOps Security Best Practices
Threat Modeling Approaches
Threat Modeling Methodologies for IT Purposes
STRIDE
Threat Modelling Detailed Flow
System Characterization
Create an Architecture Overview
Decomposing your Application
Decomposing DFD’s and Threat-Element Relationship
Identify possible attack scenarios mapped to S.T.R.I.D.E. model
Identifying Security Controls
Identify possible threats
Report to Developers and Security team
DREAD Scoring
My Opinion on implementing Threat Modeling at enterprise level
Implementing AppSec Policies with TeamMentor, by tmbainjr131
This is a nice little presentation that keeps its promise: it is part 3 of 3 parts, and it pulls a story together to round out some solid product use cases, going from the more practical application to the higher-level application of a product, TeamMentor.
This white paper endeavors to compare the traditional Threat identification techniques and the challenges they pose as they are applied into current product designs. It also proposes the key elements to consider while designing new threat identification solutions.
Visualizing BI technical cyber risks. Enterprise Risk and Security
1. Visualizing the Business Impact of Technical Cyber Risks
May 21, 2014
Henk Jonkers, Senior Research Consultant, BiZZdesign
2. Agenda
• Introduction and problem statement
• Enterprise Architecture with ArchiMate® and TOGAF®
• Enterprise Risk & Security Management with ArchiMate
• Case Study: Pentest-based Business Impact Analysis
• Visualizing the business impact of cyber risks
• Conclusions
3. Henk Jonkers
• Senior Research Consultant at BiZZdesign
– Enterprise architecture, ArchiMate and TOGAF
– Editor of the ArchiMate 2.1 standard
– Enterprise Risk & Security Management
– Business Decision Management
• h.jonkers@bizzdesign.com
Case study in collaboration with Bart Seghers, Thales Cyber Security
5. Customers, offices and partners worldwide
Partners
• Latin America: Dux Diligens
• Mexico: Unycorp
• Australia: Neodata
• Portugal: Process Sphere
• Netherlands: Enschede, Amersfoort
• North America: Toronto, Boston
• Belgium: Leuven
• UK: London
• Slovakia / Eastern Europe: Bratislava
• France: Paris
• Germany / Central Europe: Düsseldorf
• Sweden / Nordic countries: Stockholm
6. What you will learn today
• How to incorporate risk and security aspects in your EA models
• Combining Enterprise Risk & Security Management with ArchiMate brings risk and security to the boardroom
• How to visualize vulnerabilities of the IT infrastructure in your EA models
• How to achieve more balanced decision making based on risk and security measures
7. Problem statement
• Organizations are increasingly networked and thus more complex
• Attacks on information systems are becoming increasingly sophisticated
• Attacks combine digital, physical and social engineering, and the departments responsible for each of these domains within an organization operate in silos
• Current risk management methods cannot handle the resulting complexity
8. Limitations of current approaches
• Existing information security and risk management methods do not systematically identify potential attacks
• They are based on, e.g., checklists, heuristics and experience
• Security controls are applied in a bottom-up way
• They are not based on a thorough analysis of risks and vulnerabilities
• No explicit definition of security principles and requirements
• Focus on IT security only
• They have difficulties in dealing with complex attacks on socio-technical systems, combining physical/digital access and social engineering
• Focus on preventive security controls
• Corrective and curative controls are not considered
9. Characteristics of Enterprise Risk & Security Management
• Integral vision on security: protection of business, information, application and technology assets
• Structured identification and analysis of risks and vulnerabilities
• Supports strategic risk management
• Supports “Security by Design”
11. What is Enterprise Architecture?
• A discipline, with the objective of steering changes
• A product
– A design that shows the coherence between products, processes, organisation, information supply and infrastructure, based on a vision and certain explicit starting points, principles and preferences
• A process
– Way of working
– Aimed at the development and use of enterprise architectures within an enterprise
– With people and resources
[Diagram: process architecture, application architecture, technical architecture and information architecture]
12. Ingredients for a successful EA practice
[Diagram: language (ArchiMate), process (TOGAF), viewpoints, repository and reference models]
14. The ArchiMate language
[Diagram: the ArchiMate language as a basis for high-level modelling within domains, modelling relationships between domains, visualizations, analysis, and relating detailed design models]
16. ArchiMate + TOGAF
Free download of the whitepaper “Enterprise Architecture with TOGAF 9.1 and ArchiMate” here:
http://www.bizzdesign.com/downloadmanager/download/293
18. Why ArchiMate for Risk & Security Architecture?
• Widely accepted open standard for modeling enterprise architecture
• Tool support widely available
• Good fit with other EA and security frameworks (TOGAF, Zachman, SABSA)
• ArchiMate models integrate business, information, application and technology architecture
• Link with (security) requirements, principles and goals (Motivation extension) → Traceability
• Link with detailed design languages for business processes and IT solutions (e.g., BPMN and UML)
• Suitable as a basis for (qualitative and quantitative) analysis and visualization
19. ArchiMate Risk project
• Collaboration of ArchiMate Forum and Security Forum
• Two areas of concern:
– Risk analysis
– Security deployment (risk mitigation)
• Investigate how (specializations of) existing ArchiMate concepts (Core and extensions) can be used
• Inspired by well-established risk and security standards and frameworks, including COSO, FAIR, SABSA
• White paper in progress
24. Case study partners
• BiZZdesign: tools, methods and best practices for Enterprise Architecture, Business Process Management, Enterprise Risk & Security Management
• Thales Cyber Security: cyber security consultancy, solutions and services
• Pentesting and pentest-based BIA
25. What is a pentest?
• Goal of a pentest:
– Find weak spots and threats in a network infrastructure and/or a web application
– Advise on ways to fix and mitigate these weak spots and threats
• Pentesting from different perspectives:
– External: “what can a hacker (ab)use or do from the internet?”
– Internal: “what can a hacker or employee do when he/she is in your network?”
26. Pentest approach
• Partly automated (vulnerability scan)
• Human interpretation and customized advice
31. Approach – Option 1
Option 1 – configuration from EA
1. Use the enterprise architecture to set the scope of the pentest
– Top-down analysis
2. Perform a focused pentest
3. Import and analyze results in the EA model
– Bottom-up analysis
– Insight into risks to (critical) business processes
32. Approach – Option 2
Option 2 – Manual configuration
1. Perform a pentest, or use results from a previously performed pentest
2. Create the Enterprise Architecture
– Possibly partly automated, based on pentest results
3. Import and analyze pentest results in the EA model
– Bottom-up analysis
– Insight into risks to (critical) business processes
36. Business impact of technical risks
Example: Missing critical patches on Database Server
VA-01: Missing critical patches which can lead to jeopardization of the server
Technical risk: High | Complexity (to exploit): Medium | Effort (to solve): Low
Present on system(s): 192.168.1.101 (Database Server)
Description: This system misses critical patches for the Microsoft operating system concerning the following security bulletins:
• MS08-067: Conficker patch – published in 2008
• MS06-040: published in 2006
This leads to multiple weaknesses on the system. Exploiting these weaknesses can lead to:
• Running own/arbitrary code on the system
• Buffer overflow in the server service which may put the system in jeopardy
Recommendation: Install missing patches
Impact on business: Business processes “Intake” and “Notify requester” depend on this Database Server and are the processes that “fill” this server with (sensitive) data. When this server is compromised by exploitation of the above-mentioned vulnerabilities, the attacker can steal personal data of the registering applicants as well as modify who will be informed about their registration request.
Business risk: Medium
Business recommendation: Because of the low effort necessary to implement the (technical) recommendation, in combination with the Medium business risk, we recommend implementing the technical recommendation within 1 month.
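The two approach options (slides 31 and 32) and the case-study finding above describe a traversal over the EA model: top-down, from critical business processes to the technology nodes that should be in the pentest scope; bottom-up, from a host in the pentest report to every business process that depends on it. The following is an added example written for this page, not the BiZZdesign or Thales tooling, and not an ArchiMate tool API. The model, the host-to-node mapping (only 192.168.1.101 comes from the slide), the process criticalities and findings VA-02 and VA-03 are constructed. The business-risk rule, the minimum of technical risk and process criticality, is an assumption; the deck does not define its scoring.

```python
from collections import defaultdict, deque

# Ordinal scale for the qualitative ratings used in the pentest report.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Constructed EA model in ArchiMate terms: element id -> (element type, name).
ELEMENTS = {
    "db-server": ("Node", "Database Server"),
    "app-server": ("Node", "Application Server"),
    "registration-app": ("ApplicationComponent", "Registration application"),
    "notification-app": ("ApplicationComponent", "Notification service"),
    "reporting-app": ("ApplicationComponent", "Reporting application"),
    "intake": ("BusinessProcess", "Intake"),
    "notify": ("BusinessProcess", "Notify requester"),
    "reporting": ("BusinessProcess", "Monthly reporting"),
}

# Directed support relations (ArchiMate serving/realization): source supports target.
RELATIONS = [
    ("db-server", "registration-app"),
    ("db-server", "notification-app"),
    ("app-server", "registration-app"),
    ("app-server", "reporting-app"),
    ("registration-app", "intake"),
    ("notification-app", "notify"),
    ("reporting-app", "reporting"),
]

# How hosts in the pentest report map onto technology nodes in the model.
# 192.168.1.101 is the Database Server address from the case-study slide;
# the second address is constructed.
HOST_TO_NODE = {"192.168.1.101": "db-server", "192.168.1.102": "app-server"}

# Criticality of each business process to the organisation (constructed).
PROCESS_CRITICALITY = {"intake": "Medium", "notify": "Medium", "reporting": "High"}

# Constructed findings in the layout of the VA-01 row on the case-study slide.
FINDINGS = [
    {"id": "VA-01", "host": "192.168.1.101", "title": "Missing critical patches",
     "technical_risk": "High", "complexity": "Medium", "effort": "Low"},
    {"id": "VA-02", "host": "192.168.1.102", "title": "Verbose server banner",
     "technical_risk": "Low", "complexity": "Low", "effort": "Low"},
    {"id": "VA-03", "host": "10.0.0.9", "title": "Host not in EA model",
     "technical_risk": "Medium", "complexity": "Medium", "effort": "Medium"},
]


def _adjacency(relations, reverse=False):
    """Build an adjacency map; reverse=True walks from dependents to what they depend on."""
    adj = defaultdict(list)
    for src, dst in relations:
        adj[dst if reverse else src].append(src if reverse else dst)
    return adj


def reachable(start, adj):
    """Breadth-first search: every element transitively reachable from start."""
    seen, queue = set(), deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def pentest_scope(critical_processes):
    """Top-down (Option 1): hosts that support the given business processes,
    returned as the list of addresses to hand to the pentester."""
    rev = _adjacency(RELATIONS, reverse=True)
    nodes = set()
    for proc in critical_processes:
        nodes |= {e for e in reachable(proc, rev) if ELEMENTS[e][0] == "Node"}
    return sorted(ip for ip, node in HOST_TO_NODE.items() if node in nodes)


def business_impact(findings):
    """Bottom-up: attach each finding to every business process that depends on
    the affected host. Business risk = min(technical risk, process criticality),
    an assumed weakest-link rule. Returns (per-process impact, per-finding
    business risk, hosts that first need manual mapping as in Option 2)."""
    fwd = _adjacency(RELATIONS)
    per_process = {}   # process id -> [max risk level, finding ids]
    per_finding = {}   # finding id -> max risk level over affected processes
    unmapped = []
    for f in findings:
        node = HOST_TO_NODE.get(f["host"])
        if node is None:
            unmapped.append(f["host"])
            continue
        for elem in reachable(node, fwd):
            if ELEMENTS[elem][0] != "BusinessProcess":
                continue
            risk = min(LEVELS[f["technical_risk"]], LEVELS[PROCESS_CRITICALITY[elem]])
            entry = per_process.setdefault(elem, [0, []])
            entry[0] = max(entry[0], risk)
            entry[1].append(f["id"])
            per_finding[f["id"]] = max(per_finding.get(f["id"], 0), risk)
    return (
        {p: (LEVEL_NAMES[lvl], ids) for p, (lvl, ids) in per_process.items()},
        {fid: LEVEL_NAMES[lvl] for fid, lvl in per_finding.items()},
        unmapped,
    )


if __name__ == "__main__":
    print("Scope for 'Intake':", pentest_scope(["intake"]))
    impact, finding_risk, unmapped = business_impact(FINDINGS)
    for proc, (risk, ids) in sorted(impact.items()):
        print(f"{ELEMENTS[proc][1]:<20} business risk {risk:<6} from {ids}")
    print("Finding risk:", finding_risk, "unmapped:", unmapped)
```

With these constructed inputs VA-01 comes out at business risk Medium for both “Intake” and “Notify requester”, matching the slide's outcome, while VA-02 stays Low even though “Monthly reporting” is rated High, because the technical risk caps it. The unmapped host list is the point where Option 2's manual model completion has to happen before the import can say anything about business impact.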
43. Business value of pentest-based BIA
A pentest-based BIA:
– Makes the business impact resulting from cyber risks visible and measurable
– Provides a powerful management dashboard
– Facilitates focused testing of technical components supporting critical business processes
– Provides insight into the business risk when adding new components to your technical infrastructure
– Increases the return on investment for your enterprise architecture effort
Insight into the impact that cyber risks have on your business
[Diagram: top-down analysis and bottom-up analysis (“business impact”)]
44. Summary
• Current risk management approaches, working in isolation, fall short given the complexity of current organizations
• A model-based approach for Enterprise Risk & Security Management is needed
– Systematic analysis of threats and vulnerabilities
– Integrated design of control measures
• The ArchiMate language provides the hooks for integrated risk & security modeling, integrated with Enterprise Architecture
• EA models support business impact analysis of technical risks / vulnerabilities
45. Integrated tool suite
• Architecture Tools
– Design, communicate & analyze architectures
– Incorporating risk & security aspects
– Easy to use
– Integrated in one repository
– http://www.bizzdesign.com/tools/bizzdesign-architect/
46. Consultancy on Enterprise Architecture and Enterprise Risk & Security Management
• Integrated consultancy
– Workshops and consultancy services
– Kick-start your EA or Enterprise Risk & Security Management initiative
– Implementing TOGAF, ArchiMate, Enterprise Risk & Security Management
47. Training on Enterprise Architecture
• ArchiMate & Architect training, 3 days (open/in house)
– ArchiMate language
– BiZZdesign Architect
– Includes ArchiMate certification
• TOGAF certified training, 4 days (open/in house)
– Foundation 2 days, Practitioner 2 days
– Includes TOGAF certification
• Security architecture training, 1 day
– Modelling a security architecture with ArchiMate
48. Contact info and more information
A copy of these slides: www.bizzdesign.com/downloads and select “webinars”
blog.bizzdesign.com
• http://www.bizzdesign.com/blog/the-value-of-enterprise-architecture-in-managing-risk-compliance-and-security/
• http://www.bizzdesign.com/blog/designing-secure-organizations-risk-management-enterprise-security-management-and-archimate/
• Downloadable versions of the full specifications of ArchiMate and TOGAF at http://www.opengroup.org
• Many whitepapers and recorded webinars
• General information about BiZZdesign: http://www.bizzdesign.com
• The website of our Academy: http://www.bizzdesign.com/training
• Our tool, BiZZdesign Architect: http://bizzdesign.com/tools/bizzdesign-architect/
• Free trial version: www.bizzdesign.com/tools/bizzdesign-architect/
• Whitepaper EA with ArchiMate® and TOGAF®: http://www.bizzdesign.com/downloadmanager/download/293