LMI Enterprise Architecture and Information Assurance Integration Approach A Case Study
Apr 01, 2015
LMI Enterprise Architecture and Information Assurance Integration Approach
A Case Study
P A G E 2
Agenda
• Introduction
• Background/History
• Why Integrate EA and IA
• LMI LEAP Methodology
• Approach to EA IA integration
• Challenges encountered
• Solutions developed
P A G E 2
P A G E 3
Overview of LMI—History
Founded in 1961 by Secretary McNamara under the Kennedy administration
“…to bring the best minds to bear on solving our government’s most complex management problems”
P A G E 4
Background/History —Continued
• LMI is an independent not-for-profit government consulting firm– Located in McLean, VA
• LMI has substantial experience assisting federal agencies with IT planning and implementation, including EA and IA.
P A G E 5
Background/History —Continued
• Dr. Didier Perdu and Dr. Roxanne Everetts
• LMI Research Fellows– Members of the EA and IA communities of
practice
• Dr. Perdu is the EA Practice Technical Advisor; over 20 years experience with EA
• Dr. Everetts leads the IA Practice, over 28 years experience in IT, last 15 in IA
P A G E 6
Initial Problem
• LMI was asked to developed an IA EA integration implementation plan– in response to requirements from GAO EAMMF to
capture security aspects in EA
• Conducted initial research to establish state of the practice and identify industry best practice for integration approach
P A G E 7
Findings
• Over-estimated maturity of the practice
• IA requirements are not included in EA models and artifacts
• IA has only been routinely integrated into Design Phase of the System Development Life Cycle (SDLC)
• Bottom line:
There is limited integration between EA and IA
P A G E 8
Why integrate EA and IA
• EA can be used to express IA throughout SDLC
• EA provides enterprise-wide coordination and integration of processes, information, and technology
• EA enables multi-layered analysis of managerial, technical and operational elements
• EA can enable organizations to meet the challenge of ensuring the optimal allocation of resources while providing the highest level of security
P A G E 9
Call to Action
• Based on findings, LMI decided that its EA approach, LEAP should be modified to integrate IA– In response to increasing requests– To best serve our government clients– To align our practice with emerging industry
standards and best practices
P A G E 10
What is LEAP?• LMI Enterprise Architecture Practice (LEAP) is the approach
used by LMI since 2000 to help federal agencies develop and implement Enterprise Architecture
• LEAP perspective is that EA is more than a set of products required to achieve compliance
LEAP Framework
Business Areas/Functions Business Architecture
Information Flows Information Architecture
Bus. Processes
Data Model Data Architecture
Application Systems Application Architecture
Data Elements and Metadata Stds . Data Sets
Application Modules
Network Descriptions, Components, and Workings Technology Architecture
Technical Reference Model
Business Areas/Functions Business Architecture
Information Flows Process Architecture
Bus. Processes
Data Model Information Architecture
Application Systems Application Architecture
Data Elements and Metadata Stds . Data Sets
Application Modules
Networks and Servers Infrastructure Architecture
Technical Reference Model
Interrelationship of architecture layers
P A G E 11
LMI EA/IA Integration Methodology
• Focus of IR&D project to integrate IA into EA program
• Formed team of EA and IA specialists
• Reviewed existing EA document
• Reviewed IA controls
• Mapped NIST Security controls to EA process layers
• Identified EA products/artifacts to address controls
P A G E 12
Challenges Encountered
• No common taxonomy
• Unsure of impact of IA controls on EA artifacts
• Gap between EA process oriented focus and IA system/technology focused approaches
• Lack of Industry Best Practices for integration approach
P A G E 13
Solutions Developed
• Extend BPMN to cover process areas where security controls apply– Bridge gap between process focus vs system
focus
• For each IA control, identify changes to related EA artifacts to address security
P A G E 14
Solutions Developed —Continued
FinancialMgmt
Vendor
Customer
AcquisitionMgmt
GenerateAcquisition
Action Request
Disbursement
DevelopRequirements
AND
ApproveInvoice
Respond toOrder
Respond toSolicitation
Invoicing Receivingand
Acceptance
PurchasingFunds Control
ReceiveOrder
GenerateOrder
ReviewProposal
RequirementsDefinition
ContractAward
AcquisitionPlanning
OrderManagement
SolicitationWriting
ProposalEvaluation
I AI A
User Identification and Authentication
SCSC
Transmission Integrity
A CA C
Separation of Duties
Receiving Report
Award
Proposal
Delivery
Obligation
Approved InvoiceFunds Availability
Sales Instrument
Acquisition Funding
Acquisition Action Request
Requirements Definition Collaboration
Proposal EvaluationOrder
Response
Award Notification
Solicitation
Order Invoice
P A G E 15
Solutions Developed —Continued
• Initiate EA and IA staff orientation sessions– To develop common understanding and taxonomy
• Transform research into best practices– Reach out to both the EA and IA communities– Participate in the public discussion– Share our experience with the community
P A G E 16
Next Steps
• Normalize LEAP with Federal Segment Architecture Methodology (FSAM)
• Continue to monitor emerging industry standards and best practices
• Continue research and development activities
P A G E 18
Speakers’ Bio
Roxanne B. Everetts, DM, CISSP, CISM, CBCP, is a Information Assurance Research Fellow at LMI with over twenty five years of progressively
increasing information technology experience, including systems administration, database design and implementation, open systems migration,
staff training and management, and general management experience. As a Research Fellow at LMI, Dr. Everetts uses her extensive technical
background to provide high-level support in the areas of Information Systems Security, Information Assurance, Information Operations, and
Critical Infrastructure Protection. She provides support to multiple government agencies, providing functional and operational expertise analyzing
information security requirements to assist customers establishing information assurance and defensive information operations programs. Dr.
Everetts performs extensive research on policy issues for a variety of customers.
Dr. Didier Perdu is a Research Fellow with LMI Government Consulting and heads the Tools and Methods Group of the Enterprise Architecture
Practice. He has more than twenty years of experience in modeling and evaluation of enterprise architecture and information systems using a
variety of methodologies and software packages. Dr. Perdu has worked on many Enterprise Architecture projects for government clients such as
GSA, OMB, US Army, CMS, and GPO. Dr Perdu holds a Ph.D. in Information Technology from George Mason University and a Master of
Science in Technology and Policy from MIT.