SlideShare a Scribd company logo

Week-2_LectureA1_701.pdf

S
ssuserc3fe80

Security architecture

Internet
1 of 71
Download to read offline
Week - 2 MIS5214 – Security Architecture
Welcome • Introduction • Course Objectives • Grading, • Assignments, Participation, Team Project, Exam • Weekly Cycle • Semester Schedule • Week 2: Introduction to Security Architecture
Course Objectives • Learn about frameworks and methodologies for helping an organization: • Plan and develop its enterprise security architecture • Align its IT security capabilities with its business goals and strategy • How IT system security architectures and capabilities are assessed Objectives • Learn key Enterprise Security Architecture concepts • Understand how information system security frameworks are used to develop and review enterprise information system security architectures • Learn how security architectures are planned, designed and operated • Develop an understanding of conceptual, logical, physical and component levels or security architectures and how they relate to one another • Gain an overview of how operational security is achieved and managed • Gain experience working as part of team, developing and delivering a professional presentation
Grading
Assignments
Participation
Team Project
Exams
Weekly Cycle
Semester Schedule
Textbook Readings for “Week 2”
Readings for “Week 2”
Security Architecture Enterprise information security architecture (EISA) is the practice of applying a comprehensive and rigorous method to describe current and desired future structure and behavior of an organization's: • Business sub-units • Processes and Personnel • Information security systems …so they align with the organization's core goals and strategic direction Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture
“Information security” as protection of… • Confidentiality, integrity, and availability (“CIA”) of data and information • Data, information and information systems from unauthorized… • Access, use, disclosure = Confidentiality • Modification = Integrity • Disruption or destruction = Availability
Security Architecture “…the art and science of designing and supervising the construction of business systems, usually business information systems, which are: • Free from danger, damage, etc. • Free from fear, care, etc. • In safe custody • Not likely to fail • Able to be relied upon • Safe from attack” Sherwood et al. (2005) Enterprise Security Architecture: A Business-Driven Approach
The security architecture approach enables understanding enterprise information systems the way attackers do – as large diverse attack surfaces Security Architecture https://graquantum.com/blog/cyber-basics-cyber-attack-surface/
Enterprise Information and Security Architecture Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture, accessed 2017-1-19 Huxham, H. (2006) “Own view of Enterprise Information Security Architecture (EIS))Framework” Sherwood et al. (2005) Enterprise Security Architecture: A Business-Driven Approach
Information Systems - definitions Enterprise information system is an information system which enable an organization to integrate and improve its business functions Information systems are software and hardware systems that support data-intensive applications Programs = Algorithms + Data Structures Algorithm in a software program is a step-by-step procedure for solving a problem or accomplishing some end especially by a computer Data Structure in a software program is a particular way of organizing data in a computer so that it can be manipulated by an algorithm Software are programs used to direct the operation of a computer Hardware are tangible physical parts of a computer system and IT network Firmware is software embedded in a piece of hardware
What is meant by the term “abstraction” ? • A fundamental human capability that enables us to deal with complexity • Its purpose is to limit the universe so we can do things • Selective examination of certain aspects of a problem • Its goal is the purposeful isolation of important aspects and suppression of unimportant aspects (i.e. omitting details) • Always done for a purpose, because the purpose determines what is and what is not important • As a result all abstractions are incomplete and therefore inaccurate – but this is their power and does not limit their usefulness • Many different abstractions of the same thing are possible • Depending on the purpose for which they are made – The problem solving context explains the source of their intent
What is a conceptual model ? • Are abstractions of things for the purpose of understanding them • Enable dealing with systems that are too complex to understand directly • Omit nonessential details making them easier to manipulate than the original entities • The human mind can cope with only a limited amount of information at one time • Models reduce complexity by separating out a small number of important things to deal with at a time • Aid understanding complex systems by enabling visualization and communication of different aspects expressed as individual models (“views”) using precise notations • Communicate an understanding of content, organization and function of a system • Useful for verifying that the system meets requirements • To be relied on, models must be validated by comparison to the implemented system to assure they accurately represent and document the implemented system • Serve several purposes • Testing a physical entity before building it • Communicating a shared understanding of the system with stakeholders, users, developers, information system auditors and testers
Models of Information Systems Content & Structure Function & Use
Database design Information System Development Examples of models of IT Design and Development…
Data model… • A collection of concepts used to describe a set of data • A high-level abstract description of real world entities and content and structure of a database that contains them • Organizes and standardizes data objects, their properties and how the data objects relate to one another • Usually described through graphic and linguistic representations
Entity-Relationship (ER) Model • Entities – Classes of real world objects: (e.g. Employee, City, Invoice…) graphically represented by rectangles Often described in linguistic terms with nouns
Entity-Relationship (ER) Model • Relationships – Associations between entities graphically represented by lines and diamonds connected to entities by lines, described linguistically with verbs Can be characterized by minimal and maximal cardinalities indicating how many of each type of entity is associated with the other types of entities through the relationship, represented by annotation on the lines
Relationships between entities can have greater meaning
Relationships Cardinalities Crow’s feet notation Numeric/Character notation
Entity-Relationship (ER) Model • Attributes – Represent elementary properties of entities or relationships, carrying the actual instance data representing each entity and relationship graphically represented by ovals or with text within an entity’s rectangle
Chen’s Entity-Relationship Diagram Legend Entity Attribute Relationship Association m:n, 1:n, n:1 Cardinality
Generalization relationship
ER Example What does this data model diagram say?
Specialized Student and Professor tables after inheritance of attributes from the generalization person • Student • Name • Phone Number • Email Address • Student Number • Average Mark • Professor • Name • Phone Number • Email Address • Salary
Models Help Understand Enterprise Information Systems and their Security The Open Data Group Architecture Framework (TOGAF) Version 9.1 https://www.opengroup.org/architecture/togaf91/downloads.htm Sherwood Applied Business Security Architecture http://www.sabsa.org/white_paper Horatio Huxham’s BITS https://en.wikipedia.org/wiki/Enterprise_informatio n_security_architecture
Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture, accessed 2017-1-19 Consists of: • Business Architecture • Information Architecture • Security Architecture
Business Architecture
Information Architecture The Open Data Group Architecture Framework (TOGAF) Version 9.1 Application Architecture Data Architecture
Information Architecture – Models of Information Flows “Enterprise applications automate processes that span multiple business functions and organizational levels and may extend outside the organization” Laudon, K.C. and Traver, C.G. (2011), Management Information Systems, Prentice Hall … …
Enterprise Information System Architecture Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture, accessed 2017-1-19 Consists of: • Business Architecture • Information Architecture • Security Architecture
Information System Security Architecture Model of What is Needed Sherwood Applied Business Security Architecture (SABSA)
Viewpoints • Contextual – Business requirements • Conceptual – Fundamental concepts that guide the way the business requirements will be met • Logical – The major security elements, flow of control and relationships among these security elements to protect the information systems • Physical – Detailed design of the security system components and mechanisms • Service Management – Operations and management of the security system
Contextual Security Architecture – Business’ View • What? The business’ priorities for its assets to be protected (brand, reputation, being lawful, etc.) • Who? The organizational structure and ‘extended enterprise’, which includes all business partners and external relationships that are based on the use and exchange of information • Where? Location-related aspects of business security • When? Time performance requirements (e.g. turn-around) and throughput requirements affecting business processes • How? The business processes that require security
From Harris, S. and Maymi, F. (2016) CISSP All-in-One Exam Guide, Seventh Edition, McGraw-Hill Education U.S. laws and regulations require protection of information (data) and computer (IT) systems that process them
What information needs protection? • Personally Identifiable Information (PII) • Protected Health Information (PHI) • Business information • Critical Infrastructure Information (CII) • …
Critical National Infrastructure 45 In 1996, President Clinton signed an Executive Order 13010 identifying infrastructure vulnerable to attack “Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States” • Telecommunications • Electrical power systems • Gas and oil storage and transport • Banking and finance • Transportation • Water supply systems • Emergency services • Continuity of government
16 U.S. Critical Infrastructure Sectors
Conceptual Security Architecture– Architect’s View • What you want to protect, expressed in the SABSA framework in terms of Business Attributes • Why the protection is important, in terms of control and enablement objectives • How to achieve the protection, in terms of high-level technical and management security strategies and a process-mapping framework through which to describe business processes • Who is involved in security management, roles and responsibilities and the type of business trust that exists between the parties, including asset owners, custodians and users, and service providers and service customers • Where you want to achieve the protection • When is the protection relevant, expressed in terms of a business time-management framework (e.g. Recovery Time Objective and Recovery Point Objective) National Institute of Standards and Technology provide special publications that help guide the Architect’s View…
What is NIST? • Non-regulatory agency of the United States Department of Commerce • Measurement standards laboratory Mission: Promote innovation and industrial competitiveness NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets (excluding national security systems)
50
51
Logical Security Architecture – Designer’s View • What? The logical representation of real business entities that represents what needs to be secured • Why? Specifying the security and risk management policy requirements for securing the business information • How? Specifying the logical security services and how they fit together in a security system that meets the overall business requirements • Who? Specifying the roles, authorizations/privileges and inter-relationships • Where? Specifying the security regions and inter-region relationships • When? Specifying the security-related timetable for workflows, processing and deliverables
53
Physical Security Architecture – Builder’s View • What? Specifying the business data model and the security-related data structures • Why? Specifying rules that drive logical decision-making within the system • How? Specifying security mechanisms and the physical applications, middleware and servers upon which these mechanisms will be hosted • Who? Specifying the access control and user interfaces that people used based on their roles • Where? Specifying physical layout of the security hardware, software and communications lines of the network • When? Specifying the timing and sequencing of processes and sessions
Component Security Architecture – Tradesman’s View • What? Information and communications technology (ICT) components including firewalls, switches/routers, data storage components, processors • Why? Risk management justification for tools and products • How? Tools, protocols and standards • Who? Personnel and access management – roles and access control lists • Where? Subnetworks, domains, • When? Time schedules
Security Service Management Architecture – Service Manager’s View • What? Operational service continuity delivery management • Why? Risk-priority treatment to minimize operational failures and disruptions • How? System Security administration: data back-ups, security monitoring, emergency response procedures… • Who? Personnel management, account provisioning and user support • Where? Security management of buildings, sites, platforms and networks • When? Security management schedule Cuts across the other 5 layers of the Security Architecture Model
Inspector’s View • IT Auditors and Security Testers assure the architecture exists, functions, and mitigates risk as scoped • The SABSA framework in its entirety supports the Inspector’s view
SABSA Matrix provides 2-way traceability: 1. Completeness Sherwood Applied Business Security Architecture
SABSA Matrix provides 2-way traceability: 2. Requirements
60
Security Architecture Development Process Requirements Phase Design/Implementation Phase
What is attribute data ? 1. Known facts or things used as a basis for inference or reckoning 2. Quantities or characters operated on by a computer etc. The Concise Oxford Dictionary https://blogs.microsoft.com/blog/2014/04/15/a-data-culture-for-everyone/ http://researchdata.ox.ac.uk/ What is the nature of data stored in the attributes comprising the entities within the information syatem’s databases
How is data understood ? Measurement Levels were defined by Stevens (1946), a psychologist at Harvard University An Entity’s attribute values can be understood in terms of “measurement levels” Stevens, S.S. 1946. On the theory of scales of measurement. Science 103:677-680. Measurements levels describe the inherent nature of information in the attribute data that make up entities • Qualitative information tells what things exist • Quantitative information orders and measures the magnitude of these things
Steven’s measurement levels 1. Nominal 2. Ordinal 3. Interval 4. Ratio
Nominal Attribute Values  The individual members of each category may be  Counted  Compared to see if they are = or <> to one another  The lowest level of information content in the measurement What comparisons can you do with the data in this simple ER diagram ? • Entities can be classified into groups based on a nominal attribute’s values • Classification is based on set theory – i.e. inclusion within a set or exclusion from the set • No ordering in the attribute’s values can be implied
Ordinal Attribute Values • Introduces ordering • Entities can be sorted on an ordinal attribute • Sorted entities continue in same direction  Ordinal attributes contain more information than nominal attributes  Can establish equivalence and difference between two entities = and <>  Can put the data in rank order – (…do not know how much more or less two entity instances are based on an ordinal attribute…) also < and >
Interval Attribute Values • Interval attribute’s values are quantitative • Numbers support algebraic comparison =, <>, >, <, +, - • Can be places on a number line and distance between values can be measured • Interval data can also be shifted around on the number line without changing the meaning of the measurement Interval scales mobilize a number line, but the origin and unit are arbitrary
Ratio Attribute Values • Ratio measures have a true origin (zero value) and an arbitrary interval (a meaning for the distance to be called 1-unit e.g. Elapsed Running Rime) • Supports full range of set and arithmetic operators: =, <>, >, <, +, -, *, / • Any two measurements bear the same ratio to each other irrespective of the unit of measurement • For example, groceries weighed on a scale with a true zero (where there is no weight): • If we buy two pounds of butter we shall receive twice as much butter as if we bought one pound. Similarly, if we buy two kilos of butter we shall receive twice as much butter as if we bought one kilo. The units of measurement are different, but the ratio is the same
Entity Attribute Value Measurement Types Qualitative Quantitative Nominal X Ordinal X Interval X Ratio X
Relative information content of attributes with different measurement levels…
Week - 2 MIS5214 – Security Architecture

Recommended

chapter4-220725121544-5ef6271b.pdf
chapter4-220725121544-5ef6271b.pdfchapter4-220725121544-5ef6271b.pdf
chapter4-220725121544-5ef6271b.pdfMahmoudSOLIMAN380726
 
Chapter 4: Data Architecture Management
Chapter 4: Data Architecture ManagementChapter 4: Data Architecture Management
Chapter 4: Data Architecture ManagementAhmed Alorage
 
NISI Agile Software Architecture Slide Deck
NISI Agile Software Architecture Slide DeckNISI Agile Software Architecture Slide Deck
NISI Agile Software Architecture Slide DeckUtrecht University
 
Software architecture simplified
Software architecture simplifiedSoftware architecture simplified
Software architecture simplifiedPrasad Chitta
 
System Analysis and Design slides by yared yenealem DTU Ethiopia
System Analysis and Design slides by yared yenealem DTU EthiopiaSystem Analysis and Design slides by yared yenealem DTU Ethiopia
System Analysis and Design slides by yared yenealem DTU EthiopiaDebre Tabor University
 
Systems analysis and design
Systems analysis and designSystems analysis and design
Systems analysis and designArnel Llemit
 
System Analysis and Design slides by Belew yenealem DTU Ethiopia
System Analysis and Design slides by Belew yenealem DTU EthiopiaSystem Analysis and Design slides by Belew yenealem DTU Ethiopia
System Analysis and Design slides by Belew yenealem DTU EthiopiaDebre Tabor University
 
Week 2-What is Enterprise Architecure (1).pptx
Week 2-What is Enterprise Architecure (1).pptxWeek 2-What is Enterprise Architecure (1).pptx
Week 2-What is Enterprise Architecure (1).pptxRizalPrambudi3
 

Recommended

chapter4-220725121544-5ef6271b.pdf
chapter4-220725121544-5ef6271b.pdfchapter4-220725121544-5ef6271b.pdf
chapter4-220725121544-5ef6271b.pdfMahmoudSOLIMAN380726
 
Chapter 4: Data Architecture Management
Chapter 4: Data Architecture ManagementChapter 4: Data Architecture Management
Chapter 4: Data Architecture ManagementAhmed Alorage
 
NISI Agile Software Architecture Slide Deck
NISI Agile Software Architecture Slide DeckNISI Agile Software Architecture Slide Deck
NISI Agile Software Architecture Slide DeckUtrecht University
 
Software architecture simplified
Software architecture simplifiedSoftware architecture simplified
Software architecture simplifiedPrasad Chitta
 
System Analysis and Design slides by yared yenealem DTU Ethiopia
System Analysis and Design slides by yared yenealem DTU EthiopiaSystem Analysis and Design slides by yared yenealem DTU Ethiopia
System Analysis and Design slides by yared yenealem DTU EthiopiaDebre Tabor University
 
Systems analysis and design
Systems analysis and designSystems analysis and design
Systems analysis and designArnel Llemit
 
System Analysis and Design slides by Belew yenealem DTU Ethiopia
System Analysis and Design slides by Belew yenealem DTU EthiopiaSystem Analysis and Design slides by Belew yenealem DTU Ethiopia
System Analysis and Design slides by Belew yenealem DTU EthiopiaDebre Tabor University
 
Week 2-What is Enterprise Architecure (1).pptx
Week 2-What is Enterprise Architecure (1).pptxWeek 2-What is Enterprise Architecure (1).pptx
Week 2-What is Enterprise Architecure (1).pptxRizalPrambudi3
 
System analysis and design
System analysis and designSystem analysis and design
System analysis and designRobinsonObura
 
Information System Management - Architecture and Infrastructure
Information System Management - Architecture and InfrastructureInformation System Management - Architecture and Infrastructure
Information System Management - Architecture and InfrastructureLaguna State Polytechnic University
 
Why to Architecture Information
Why to Architecture InformationWhy to Architecture Information
Why to Architecture InformationAshwani Kumar Ramani
 
Over view of system analysis and design
Over view of system analysis and designOver view of system analysis and design
Over view of system analysis and designSaroj Dhakal
 
Architectural design of software
Architectural design of softwareArchitectural design of software
Architectural design of softwareTawhidur Rahman Bhuiyan
 
chapter5-220725172250-dc425eb2.pdf
chapter5-220725172250-dc425eb2.pdfchapter5-220725172250-dc425eb2.pdf
chapter5-220725172250-dc425eb2.pdfMahmoudSOLIMAN380726
 
Chapter 5: Data Development
Chapter 5: Data Development Chapter 5: Data Development
Chapter 5: Data Development Ahmed Alorage
 
1. oose
1. oose1. oose
1. ooseAshenafi Workie
 
Tropos project toward RE
Tropos project toward RETropos project toward RE
Tropos project toward RESehrish Asif
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?rbrockway
 
Road to rockstar system analyst
Road to rockstar system analystRoad to rockstar system analyst
Road to rockstar system analystMizno Kruge
 
Platinum 5th sem project
Platinum 5th sem project Platinum 5th sem project
Platinum 5th sem project Pramesh_Devkota
 
Information Architecture Profession
Information Architecture ProfessionInformation Architecture Profession
Information Architecture Professionguestd2298c
 
Design Concepts in Software Engineering-1.pptx
Design Concepts in Software Engineering-1.pptxDesign Concepts in Software Engineering-1.pptx
Design Concepts in Software Engineering-1.pptxKarthigaiSelviS3
 
11.ppt
11.ppt11.ppt
11.pptJP Chicano
 
Information system
Information system Information system
Information system AyushiDubey19
 
Systems Analyst and Its Roles
Systems Analyst and Its RolesSystems Analyst and Its Roles
Systems Analyst and Its RolesAjeng Savitri
 
Conceptual vs. Logical vs. Physical Data Modeling
Conceptual vs. Logical vs. Physical Data ModelingConceptual vs. Logical vs. Physical Data Modeling
Conceptual vs. Logical vs. Physical Data ModelingDATAVERSITY
 
Welingkar First Year Project- ProjectWeLike
Welingkar First Year Project- ProjectWeLikeWelingkar First Year Project- ProjectWeLike
Welingkar First Year Project- ProjectWeLikePrinceTrivedi4
 
Lab Software Architecture (in spanish)
Lab Software Architecture (in spanish)Lab Software Architecture (in spanish)
Lab Software Architecture (in spanish)Fáber D. Giraldo
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 

More Related Content

Similar to Week-2_LectureA1_701.pdf

System analysis and design
System analysis and designSystem analysis and design
System analysis and designRobinsonObura
 
Over view of system analysis and design
Over view of system analysis and designOver view of system analysis and design
Over view of system analysis and designSaroj Dhakal
 
chapter5-220725172250-dc425eb2.pdf
chapter5-220725172250-dc425eb2.pdfchapter5-220725172250-dc425eb2.pdf
chapter5-220725172250-dc425eb2.pdfMahmoudSOLIMAN380726
 
Chapter 5: Data Development
Chapter 5: Data Development Chapter 5: Data Development
Chapter 5: Data Development Ahmed Alorage
 
Tropos project toward RE
Tropos project toward RETropos project toward RE
Tropos project toward RESehrish Asif
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?rbrockway
 
Road to rockstar system analyst
Road to rockstar system analystRoad to rockstar system analyst
Road to rockstar system analystMizno Kruge
 
Platinum 5th sem project
Platinum 5th sem project Platinum 5th sem project
Platinum 5th sem project Pramesh_Devkota
 
Information Architecture Profession
Information Architecture ProfessionInformation Architecture Profession
Information Architecture Professionguestd2298c
 
Design Concepts in Software Engineering-1.pptx
Design Concepts in Software Engineering-1.pptxDesign Concepts in Software Engineering-1.pptx
Design Concepts in Software Engineering-1.pptxKarthigaiSelviS3
 
Systems Analyst and Its Roles
Systems Analyst and Its RolesSystems Analyst and Its Roles
Systems Analyst and Its RolesAjeng Savitri
 
Conceptual vs. Logical vs. Physical Data Modeling
Conceptual vs. Logical vs. Physical Data ModelingConceptual vs. Logical vs. Physical Data Modeling
Conceptual vs. Logical vs. Physical Data ModelingDATAVERSITY
 
Welingkar First Year Project- ProjectWeLike
Welingkar First Year Project- ProjectWeLikeWelingkar First Year Project- ProjectWeLike
Welingkar First Year Project- ProjectWeLikePrinceTrivedi4
 
Lab Software Architecture (in spanish)
Lab Software Architecture (in spanish)Lab Software Architecture (in spanish)
Lab Software Architecture (in spanish)Fáber D. Giraldo
 

Similar to Week-2_LectureA1_701.pdf (20)

System analysis and design
System analysis and designSystem analysis and design
System analysis and design
 
Information System Management - Architecture and Infrastructure
Information System Management - Architecture and InfrastructureInformation System Management - Architecture and Infrastructure
Information System Management - Architecture and Infrastructure
 
Why to Architecture Information
Why to Architecture InformationWhy to Architecture Information
Why to Architecture Information
 
Over view of system analysis and design
Over view of system analysis and designOver view of system analysis and design
Over view of system analysis and design
 
Architectural design of software
Architectural design of softwareArchitectural design of software
Architectural design of software
 
chapter5-220725172250-dc425eb2.pdf
chapter5-220725172250-dc425eb2.pdfchapter5-220725172250-dc425eb2.pdf
chapter5-220725172250-dc425eb2.pdf
 
Chapter 5: Data Development
Chapter 5: Data Development Chapter 5: Data Development
Chapter 5: Data Development
 
1. oose
1. oose1. oose
1. oose
 
Tropos project toward RE
Tropos project toward RETropos project toward RE
Tropos project toward RE
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
Road to rockstar system analyst
Road to rockstar system analystRoad to rockstar system analyst
Road to rockstar system analyst
 
Platinum 5th sem project
Platinum 5th sem project Platinum 5th sem project
Platinum 5th sem project
 
Information Architecture Profession
Information Architecture ProfessionInformation Architecture Profession
Information Architecture Profession
 
Design Concepts in Software Engineering-1.pptx
Design Concepts in Software Engineering-1.pptxDesign Concepts in Software Engineering-1.pptx
Design Concepts in Software Engineering-1.pptx
 
11.ppt
11.ppt11.ppt
11.ppt
 
Information system
Information system Information system
Information system
 
Systems Analyst and Its Roles
Systems Analyst and Its RolesSystems Analyst and Its Roles
Systems Analyst and Its Roles
 
Conceptual vs. Logical vs. Physical Data Modeling
Conceptual vs. Logical vs. Physical Data ModelingConceptual vs. Logical vs. Physical Data Modeling
Conceptual vs. Logical vs. Physical Data Modeling
 
Welingkar First Year Project- ProjectWeLike
Welingkar First Year Project- ProjectWeLikeWelingkar First Year Project- ProjectWeLike
Welingkar First Year Project- ProjectWeLike
 
Lab Software Architecture (in spanish)
Lab Software Architecture (in spanish)Lab Software Architecture (in spanish)
Lab Software Architecture (in spanish)
 

Recently uploaded

Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 

Recently uploaded (20)

Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 

Week-2_LectureA1_701.pdf

  • 1. Week - 2 MIS5214 – Security Architecture
  • 2. Welcome • Introduction • Course Objectives • Grading, • Assignments, Participation, Team Project, Exam • Weekly Cycle • Semester Schedule • Week 2: Introduction to Security Architecture
  • 3. Course Objectives • Learn about frameworks and methodologies for helping an organization: • Plan and develop its enterprise security architecture • Align its IT security capabilities with its business goals and strategy • How IT system security architectures and capabilities are assessed Objectives • Learn key Enterprise Security Architecture concepts • Understand how information system security frameworks are used to develop and review enterprise information system security architectures • Learn how security architectures are planned, designed and operated • Develop an understanding of conceptual, logical, physical and component levels or security architectures and how they relate to one another • Gain an overview of how operational security is achieved and managed • Gain experience working as part of team, developing and delivering a professional presentation
  • 13. Security Architecture Enterprise information security architecture (EISA) is the practice of applying a comprehensive and rigorous method to describe current and desired future structure and behavior of an organization's: • Business sub-units • Processes and Personnel • Information security systems …so they align with the organization's core goals and strategic direction Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture
  • 14. “Information security” as protection of… • Confidentiality, integrity, and availability (“CIA”) of data and information • Data, information and information systems from unauthorized… • Access, use, disclosure = Confidentiality • Modification = Integrity • Disruption or destruction = Availability
  • 15. Security Architecture “…the art and science of designing and supervising the construction of business systems, usually business information systems, which are: • Free from danger, damage, etc. • Free from fear, care, etc. • In safe custody • Not likely to fail • Able to be relied upon • Safe from attack” Sherwood et al. (2005) Enterprise Security Architecture: A Business-Driven Approach
  • 16. The security architecture approach enables understanding enterprise information systems the way attackers do – as large diverse attack surfaces Security Architecture https://graquantum.com/blog/cyber-basics-cyber-attack-surface/
  • 17. Enterprise Information and Security Architecture Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture, accessed 2017-1-19 Huxham, H. (2006) “Own view of Enterprise Information Security Architecture (EIS))Framework” Sherwood et al. (2005) Enterprise Security Architecture: A Business-Driven Approach
  • 18. Information Systems - definitions Enterprise information system is an information system which enable an organization to integrate and improve its business functions Information systems are software and hardware systems that support data-intensive applications Programs = Algorithms + Data Structures Algorithm in a software program is a step-by-step procedure for solving a problem or accomplishing some end especially by a computer Data Structure in a software program is a particular way of organizing data in a computer so that it can be manipulated by an algorithm Software are programs used to direct the operation of a computer Hardware are tangible physical parts of a computer system and IT network Firmware is software embedded in a piece of hardware
  • 19. What is meant by the term “abstraction” ? • A fundamental human capability that enables us to deal with complexity • Its purpose is to limit the universe so we can do things • Selective examination of certain aspects of a problem • Its goal is the purposeful isolation of important aspects and suppression of unimportant aspects (i.e. omitting details) • Always done for a purpose, because the purpose determines what is and what is not important • As a result all abstractions are incomplete and therefore inaccurate – but this is their power and does not limit their usefulness • Many different abstractions of the same thing are possible • Depending on the purpose for which they are made – The problem solving context explains the source of their intent
  • 20. What is a conceptual model ? • Are abstractions of things for the purpose of understanding them • Enable dealing with systems that are too complex to understand directly • Omit nonessential details making them easier to manipulate than the original entities • The human mind can cope with only a limited amount of information at one time • Models reduce complexity by separating out a small number of important things to deal with at a time • Aid understanding complex systems by enabling visualization and communication of different aspects expressed as individual models (“views”) using precise notations • Communicate an understanding of content, organization and function of a system • Useful for verifying that the system meets requirements • To be relied on, models must be validated by comparison to the implemented system to assure they accurately represent and document the implemented system • Serve several purposes • Testing a physical entity before building it • Communicating a shared understanding of the system with stakeholders, users, developers, information system auditors and testers
  • 21. Models of Information Systems Content & Structure Function & Use
  • 22. Database design Information System Development Examples of models of IT Design and Development…
  • 23. Data model… • A collection of concepts used to describe a set of data • A high-level abstract description of real world entities and content and structure of a database that contains them • Organizes and standardizes data objects, their properties and how the data objects relate to one another • Usually described through graphic and linguistic representations
  • 24. Entity-Relationship (ER) Model • Entities – Classes of real world objects: (e.g. Employee, City, Invoice…) graphically represented by rectangles Often described in linguistic terms with nouns
  • 25. Entity-Relationship (ER) Model • Relationships – Associations between entities graphically represented by lines and diamonds connected to entities by lines, described linguistically with verbs Can be characterized by minimal and maximal cardinalities indicating how many of each type of entity is associated with the other types of entities through the relationship, represented by annotation on the lines
  • 26. Relationships between entities can have greater meaning
  • 27. Relationships Cardinalities Crow’s feet notation Numeric/Character notation
  • 28. Entity-Relationship (ER) Model • Attributes – Represent elementary properties of entities or relationships, carrying the actual instance data representing each entity and relationship graphically represented by ovals or with text within an entity’s rectangle
  • 31. ER Example What does this data model diagram say?
  • 32. Specialized Student and Professor tables after inheritance of attributes from the generalization person • Student • Name • Phone Number • Email Address • Student Number • Average Mark • Professor • Name • Phone Number • Email Address • Salary
  • 33. Models Help Understand Enterprise Information Systems and their Security The Open Data Group Architecture Framework (TOGAF) Version 9.1 https://www.opengroup.org/architecture/togaf91/downloads.htm Sherwood Applied Business Security Architecture http://www.sabsa.org/white_paper Horatio Huxham’s BITS https://en.wikipedia.org/wiki/Enterprise_informatio n_security_architecture
  • 34.
  • 35. Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture, accessed 2017-1-19 Consists of: • Business Architecture • Information Architecture • Security Architecture
  • 37. Information Architecture The Open Data Group Architecture Framework (TOGAF) Version 9.1 Application Architecture Data Architecture
  • 38. Information Architecture – Models of Information Flows “Enterprise applications automate processes that span multiple business functions and organizational levels and may extend outside the organization” Laudon, K.C. and Traver, C.G. (2011), Management Information Systems, Prentice Hall … …
  • 39. Enterprise Information System Architecture Wikipedia: https://en.wikipedia.org/wiki/Enterprise_information_security_architecture, accessed 2017-1-19 Consists of: • Business Architecture • Information Architecture • Security Architecture
  • 40. Information System Security Architecture Model of What is Needed Sherwood Applied Business Security Architecture (SABSA)
  • 41. Viewpoints • Contextual – Business requirements • Conceptual – Fundamental concepts that guide the way the business requirements will be met • Logical – The major security elements, flow of control and relationships among these security elements to protect the information systems • Physical – Detailed design of the security system components and mechanisms • Service Management – Operations and management of the security system
  • 42. Contextual Security Architecture – Business’ View • What? The business’ priorities for its assets to be protected (brand, reputation, being lawful, etc.) • Who? The organizational structure and ‘extended enterprise’, which includes all business partners and external relationships that are based on the use and exchange of information • Where? Location-related aspects of business security • When? Time performance requirements (e.g. turn-around) and throughput requirements affecting business processes • How? The business processes that require security
  • 43. From Harris, S. and Maymi, F. (2016) CISSP All-in-One Exam Guide, Seventh Edition, McGraw-Hill Education U.S. laws and regulations require protection of information (data) and computer (IT) systems that process them
  • 44. What information needs protection? • Personally Identifiable Information (PII) • Protected Health Information (PHI) • Business information • Critical Infrastructure Information (CII) • …
  • 45. Critical National Infrastructure 45 In 1996, President Clinton signed an Executive Order 13010 identifying infrastructure vulnerable to attack “Certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States” • Telecommunications • Electrical power systems • Gas and oil storage and transport • Banking and finance • Transportation • Water supply systems • Emergency services • Continuity of government
  • 46. 16 U.S. Critical Infrastructure Sectors
  • 47. Conceptual Security Architecture– Architect’s View • What you want to protect, expressed in the SABSA framework in terms of Business Attributes • Why the protection is important, in terms of control and enablement objectives • How to achieve the protection, in terms of high-level technical and management security strategies and a process-mapping framework through which to describe business processes • Who is involved in security management, roles and responsibilities and the type of business trust that exists between the parties, including asset owners, custodians and users, and service providers and service customers • Where you want to achieve the protection • When is the protection relevant, expressed in terms of a business time-management framework (e.g. Recovery Time Objective and Recovery Point Objective) National Institute of Standards and Technology provide special publications that help guide the Architect’s View…
  • 48. What is NIST? • Non-regulatory agency of the United States Department of Commerce • Measurement standards laboratory Mission: Promote innovation and industrial competitiveness NIST is responsible for developing standards, guidelines, and associated methods and techniques for providing adequate information security for all agency operations and assets (excluding national security systems)
  • 49.
  • 50. 50
  • 51. 51
  • 52. Logical Security Architecture – Designer’s View • What? The logical representation of real business entities that represents what needs to be secured • Why? Specifying the security and risk management policy requirements for securing the business information • How? Specifying the logical security services and how they fit together in a security system that meets the overall business requirements • Who? Specifying the roles, authorizations/privileges and inter-relationships • Where? Specifying the security regions and inter-region relationships • When? Specifying the security-related timetable for workflows, processing and deliverables
  • 53. 53
  • 54. Physical Security Architecture – Builder’s View • What? Specifying the business data model and the security-related data structures • Why? Specifying rules that drive logical decision-making within the system • How? Specifying security mechanisms and the physical applications, middleware and servers upon which these mechanisms will be hosted • Who? Specifying the access control and user interfaces that people used based on their roles • Where? Specifying physical layout of the security hardware, software and communications lines of the network • When? Specifying the timing and sequencing of processes and sessions
  • 55. Component Security Architecture – Tradesman’s View • What? Information and communications technology (ICT) components including firewalls, switches/routers, data storage components, processors • Why? Risk management justification for tools and products • How? Tools, protocols and standards • Who? Personnel and access management – roles and access control lists • Where? Subnetworks, domains, • When? Time schedules
  • 56. Security Service Management Architecture – Service Manager’s View • What? Operational service continuity delivery management • Why? Risk-priority treatment to minimize operational failures and disruptions • How? System Security administration: data back-ups, security monitoring, emergency response procedures… • Who? Personnel management, account provisioning and user support • Where? Security management of buildings, sites, platforms and networks • When? Security management schedule Cuts across the other 5 layers of the Security Architecture Model
  • 57. Inspector’s View • IT Auditors and Security Testers assure the architecture exists, functions, and mitigates risk as scoped • The SABSA framework in its entirety supports the Inspector’s view
  • 58. SABSA Matrix provides 2-way traceability: 1. Completeness Sherwood Applied Business Security Architecture
  • 60. 60
  • 61. Security Architecture Development Process Requirements Phase Design/Implementation Phase
  • 62. What is attribute data ? 1. Known facts or things used as a basis for inference or reckoning 2. Quantities or characters operated on by a computer etc. The Concise Oxford Dictionary https://blogs.microsoft.com/blog/2014/04/15/a-data-culture-for-everyone/ http://researchdata.ox.ac.uk/ What is the nature of data stored in the attributes comprising the entities within the information syatem’s databases
  • 63. How is data understood ? Measurement Levels were defined by Stevens (1946), a psychologist at Harvard University An Entity’s attribute values can be understood in terms of “measurement levels” Stevens, S.S. 1946. On the theory of scales of measurement. Science 103:677-680. Measurements levels describe the inherent nature of information in the attribute data that make up entities • Qualitative information tells what things exist • Quantitative information orders and measures the magnitude of these things
  • 64. Steven’s measurement levels 1. Nominal 2. Ordinal 3. Interval 4. Ratio
  • 65. Nominal Attribute Values  The individual members of each category may be  Counted  Compared to see if they are = or <> to one another  The lowest level of information content in the measurement What comparisons can you do with the data in this simple ER diagram ? • Entities can be classified into groups based on a nominal attribute’s values • Classification is based on set theory – i.e. inclusion within a set or exclusion from the set • No ordering in the attribute’s values can be implied
  • 66. Ordinal Attribute Values • Introduces ordering • Entities can be sorted on an ordinal attribute • Sorted entities continue in same direction  Ordinal attributes contain more information than nominal attributes  Can establish equivalence and difference between two entities = and <>  Can put the data in rank order – (…do not know how much more or less two entity instances are based on an ordinal attribute…) also < and >
  • 67. Interval Attribute Values • Interval attribute’s values are quantitative • Numbers support algebraic comparison =, <>, >, <, +, - • Can be places on a number line and distance between values can be measured • Interval data can also be shifted around on the number line without changing the meaning of the measurement Interval scales mobilize a number line, but the origin and unit are arbitrary
  • 68. Ratio Attribute Values • Ratio measures have a true origin (zero value) and an arbitrary interval (a meaning for the distance to be called 1-unit e.g. Elapsed Running Rime) • Supports full range of set and arithmetic operators: =, <>, >, <, +, -, *, / • Any two measurements bear the same ratio to each other irrespective of the unit of measurement • For example, groceries weighed on a scale with a true zero (where there is no weight): • If we buy two pounds of butter we shall receive twice as much butter as if we bought one pound. Similarly, if we buy two kilos of butter we shall receive twice as much butter as if we bought one kilo. The units of measurement are different, but the ratio is the same
  • 69. Entity Attribute Value Measurement Types Qualitative Quantitative Nominal X Ordinal X Interval X Ratio X
  • 71. Week - 2 MIS5214 – Security Architecture