Monday 18 April 2016

Security Frameworks


TOGAF: The Open Group Architecture Framework. It can be used to develop Business Architecture, Data Architecture, Applications Architecture and Technology Architecture.
Military-based security architectures:
DoDAF: Department of Defense Architecture Framework
MoDAF: Ministry of Defence Architecture Framework
SABSA: Sherwood Applied Business Security Architecture. Similar to the Zachman framework, it works in a layered approach. Its two dimensions are Why, Where, How, Who, When, What (the columns) and Contextual, Conceptual, Logical, Physical, Component, Operational (the layers).
ISMS vs Security Architecture: An ISMS outlines the controls that need to be put into place (risk management, vulnerability management, BCP, data protection, auditing, configuration management, physical security, etc.) and provides direction on how those controls should be managed throughout their life cycle. The ISMS specifies the pieces and parts that need to be put into place to provide a holistic security program for the organization overall, and how to properly take care of those pieces and parts. The enterprise security architecture illustrates how these components are to be integrated into the different layers of the current business environment. The security components of the ISMS have to be interwoven throughout the business environment and not siloed within individual company departments.
Requirements of Enterprise Security Architecture:
  • Strategic alignment
  • Business enablement
  • Process enhancement
  • Security effectiveness
Enterprise vs System Architecture: Enterprise Architecture addresses the structure of the organization, while System Architecture addresses the structure of software and computing components.
COBIT: Based on the domains Plan and Organize, Acquire and Implement,
NIST SP 800-53: COBIT is for the private sector, while NIST SP 800-53 is for the government sector.
(Figure: NIST SP 800-53 control families)
COSO: COSO applies to any organizational function, while COBIT applies to systems architecture audit.
SOX: The Sarbanes-Oxley Act is a US federal act intended to check companies that submit fraudulent accounts to the Securities and Exchange Commission (SEC).
ITIL: The Information Technology Infrastructure Library is a de facto standard of best practices for IT service management. It was created in response to the increased dependency of information technology on business needs. Its focus is on internal service level agreements between the IT department and the customers it serves.
Six Sigma: It is a process improvement methodology.
CMMI: Capability Maturity Model Integration. Used within organizations to lay out a path for incremental improvement.
Top-Down Approach to Security: Security programs in an organization should follow a top-down approach, meaning the initiation, support and direction should come from top management, through middle management, to staff members.
A Bottom-Up Approach is where IT staff initiate a security program without proper support and direction from top management.
Steps involved in the security life cycle process:
  1. Plan and Organize
  2. Implement
  3. Operate and Maintain
  4. Monitor and Evaluate
To tie these pieces together, you can think of ISO/IEC 27000, which works mainly at the policy level, as a description of the type of house you want to build (two-story, ranch-style, five bedroom, three bath). The enterprise security framework is the architecture layout of the house (foundation, walls, ceilings). The blueprints are the detailed descriptions of specific components of the house (window types, security system, electrical system, plumbing). And the control objectives are the building specifications and codes that need to be met for safety (electrical grounding and wiring, construction material, insulation and fire protection). A building inspector will use his checklists (building codes) to ensure that you are building your house safely, just as an auditor will use his checklists (COBIT or SP 800-53) to ensure that you are building and maintaining your security program securely.
Once your house is built and your family moves in, you set up schedules and processes for everyday life to happen in a predictable and efficient manner (dad picks up the kids from school, mom cooks dinner, the teenager does laundry, dad pays the bills, everyone does yard work). This is analogous to ITIL: process management and improvement. If the family is made up of anal overachievers with the goal of optimizing these daily activities to be as efficient as possible, they could integrate a Six Sigma approach, where continual process improvement is the focus.
