LMI Enterprise Architecture and Information Assurance Integration Approach A Case Study

Apr 01, 2015


Eugene Coaker

LMI Enterprise Architecture and Information Assurance Integration Approach

A Case Study


Agenda

• Introduction

• Background/History

• Why Integrate EA and IA

• LMI LEAP Methodology

• Approach to EA IA integration

• Challenges encountered

• Solutions developed


Overview of LMI—History

Founded in 1961 by Secretary McNamara under the Kennedy administration

“…to bring the best minds to bear on solving our government’s most complex management problems”


Background/History —Continued

• LMI is an independent not-for-profit government consulting firm

– Located in McLean, VA

• LMI has substantial experience assisting federal agencies with IT planning and implementation, including EA and IA.


Background/History —Continued

• Dr. Didier Perdu and Dr. Roxanne Everetts

• LMI Research Fellows

– Members of the EA and IA communities of practice

• Dr. Perdu is the EA Practice Technical Advisor, with over 20 years of experience with EA

• Dr. Everetts leads the IA Practice, with over 28 years of experience in IT, the last 15 in IA


Initial Problem

• LMI was asked to develop an IA EA integration implementation plan

– In response to requirements from GAO EAMMF to capture security aspects in EA

• Conducted initial research to establish state of the practice and identify industry best practice for integration approach


Findings

• Over-estimated maturity of the practice

• IA requirements are not included in EA models and artifacts

• IA has only been routinely integrated into Design Phase of the System Development Life Cycle (SDLC)

• Bottom line:

There is limited integration between EA and IA


Why integrate EA and IA

• EA can be used to express IA throughout SDLC

• EA provides enterprise-wide coordination and integration of processes, information, and technology

• EA enables multi-layered analysis of managerial, technical and operational elements

• EA can enable organizations to meet the challenge of ensuring the optimal allocation of resources while providing the highest level of security


Call to Action

• Based on findings, LMI decided that its EA approach, LEAP, should be modified to integrate IA

– In response to increasing requests

– To best serve our government clients

– To align our practice with emerging industry standards and best practices


What is LEAP?

• LMI Enterprise Architecture Practice (LEAP) is the approach used by LMI since 2000 to help federal agencies develop and implement Enterprise Architecture

• LEAP perspective is that EA is more than a set of products required to achieve compliance

LEAP Framework

[Figure: Interrelationship of architecture layers. The diagram appears in two versions. One labels the layers Business Architecture (Business Areas/Functions), Information Architecture (Information Flows), Data Architecture (Data Model), Application Architecture (Application Systems), and Technology Architecture (Network Descriptions, Components, and Workings). The other labels them Business Architecture (Business Areas/Functions), Process Architecture (Information Flows), Information Architecture (Data Model), Application Architecture (Application Systems), and Infrastructure Architecture (Networks and Servers). Other labels in both versions: Bus. Processes, Data Elements and Metadata Stds., Data Sets, Application Modules, Technical Reference Model.]


LMI EA/IA Integration Methodology

• Focus of IR&D project to integrate IA into EA program

• Formed team of EA and IA specialists

• Reviewed existing EA document

• Reviewed IA controls

• Mapped NIST Security controls to EA process layers

• Identified EA products/artifacts to address controls


Challenges Encountered

• No common taxonomy

• Unsure of impact of IA controls on EA artifacts

• Gap between EA process oriented focus and IA system/technology focused approaches

• Lack of Industry Best Practices for integration approach


Solutions Developed

• Extend BPMN to cover process areas where security controls apply

– Bridge gap between process focus vs system focus

• For each IA control, identify changes to related EA artifacts to address security


Solutions Developed —Continued

[Figure: acquisition process diagram annotated with security controls. Top-level labels: Financial Mgmt, Vendor, Customer, Acquisition Mgmt. Control annotations on the process: IA (User Identification and Authentication), SC (Transmission Integrity), AC (Separation of Duties). The remaining labels name process steps and information flows, such as Generate Acquisition Action Request, Develop Requirements, Generate Order, Receive Order, Approve Invoice, Disbursement, Solicitation, Proposal, Award, and Invoice.]


Solutions Developed —Continued

• Initiate EA and IA staff orientation sessions

– To develop common understanding and taxonomy

• Transform research into best practices

– Reach out to both the EA and IA communities

– Participate in the public discussion

– Share our experience with the community


Next Steps

• Normalize LEAP with Federal Segment Architecture Methodology (FSAM)

• Continue to monitor emerging industry standards and best practices

• Continue research and development activities


For further information

Dr. Didier [email protected]

Dr. Roxanne [email protected]


Speakers’ Bio

Roxanne B. Everetts, DM, CISSP, CISM, CBCP, is an Information Assurance Research Fellow at LMI with over twenty-five years of progressively increasing information technology experience, including systems administration, database design and implementation, open systems migration, staff training and management, and general management experience. As a Research Fellow at LMI, Dr. Everetts uses her extensive technical background to provide high-level support in the areas of Information Systems Security, Information Assurance, Information Operations, and Critical Infrastructure Protection. She provides support to multiple government agencies, providing functional and operational expertise analyzing information security requirements to assist customers establishing information assurance and defensive information operations programs. Dr. Everetts performs extensive research on policy issues for a variety of customers.

Dr. Didier Perdu is a Research Fellow with LMI Government Consulting and heads the Tools and Methods Group of the Enterprise Architecture Practice. He has more than twenty years of experience in modeling and evaluation of enterprise architecture and information systems using a variety of methodologies and software packages. Dr. Perdu has worked on many Enterprise Architecture projects for government clients such as GSA, OMB, US Army, CMS, and GPO. Dr. Perdu holds a Ph.D. in Information Technology from George Mason University and a Master of Science in Technology and Policy from MIT.