Information Security Juggernaut: Putting the Business in Enterprise Information Security Architecture
By Ravila Helen White, CISSP, CISM, CISA, GCIH
Making it better without making it complex
Disclaimer
This presentation and the concepts herein are my opinions through private research, practice and chatting with other professionals. It is not the opinion of past, present or future employers.
Agenda
As Is – The current state of affairs…
Getting There – The return of Systems Thinking…
To Be – Becoming agile…
As Is
The current state of affairs…
Sherwood Applied Business Security Architecture (SABSA) 1995
Structure and Content of an Enterprise Information Security Architecture by Gartner 2006
Security Architecture and the ADM by TOGAF
SOA
Legacy
Where is the security architect?
Definition Dichotomy
Framework
Guidelines
Taxonomy
Policy
Procedure
Standard
"Knowing is not understanding. There is a great difference between knowing and understanding: you can know a lot about something and not really understand it." [Charles Kettering]
Artifact Handling
What are they?
Where are they?
How are they used?
Architectural Artifact—A specific document, report, analysis, model, or other tangible that contributes to an architectural description. [Roger Sessions]
One EA’s Point of View
"EA provides a filter on siloed thinking; I know the solution you proposed makes sense to you, but we provide a wider perspective that can help you make sense for other people as well."
"Information Security professionals sometimes forget that the rest of the organization is there."
"Security professionals often fail to consider the incremental cost that accrues to a policy. Over time, a good policy can incur so much cost that it no longer makes sense from an EA perspective."
Nick Malik – Inside Architecture Blogger
Disparate States
Revolutionary: (1) of, pertaining to, characterized by, or of the nature of a revolution, or a sudden, complete, or marked change. (2) radically new or innovative; outside or beyond established procedure, principles, etc.
Evolutionary: a gradual process in which something changes into a different and usually more complex or better form.
Opportunities of Optimization
Systemic integration of information security architecture into the business.
Adoption of a meta framework to drive information security architecture to business alignment and visibility.
Development of a modular schema to support the use of the most widely used security architecture methodologies.
Getting There
The return to Systems Thinking…
Systems Thinking not Analytics
What it is
Why you need it
How you get it
Systems thinking does not follow the traditional analytic approach of separating out the individual pieces of what is being studied. Instead, it focuses on how the thing being studied interacts with the other constituents of the system—a set of elements that interact to produce behavior—of which it is a part.
Security is a practice within the business, not the business
Information Security Focus:
CISSP
CISA
CISM
CIPP*
GIAC (SANS)
Enterprise Perspective:
Business Process Modeling
Enterprise Architecture
Information Design
Software Engineering
How to apply as middleware
Business Process Modeling – translates what you have to offer into the terms and techniques used by the business.
Enterprise Architecture – aligns IT initiatives to business needs.
Information Design – takes the complex and makes it consumable.
Software Engineering – reverse engineering and agile development.
Benefits of Systems Thinking
Business Process Modeling – communicates intent and value to the organization.
Enterprise Architecture – sets the context of information security within the business.
Information Design – helps non-infosec partners quickly orient themselves in a complex environment.
Software Engineering – provides synthesis of complex information into a whole.
The Controls of Systems Thinking
Standards
Regulations
Guidelines
Logic Models
Setting Context
Controls are used in business to prevent taking on too much risk and to reduce the risk posed by an existing or potential weakness. When too much risk is loaded onto a system, it is weakened systemically, which typically results in system-wide failure.
To Be
Becoming Agile…
Synthesizing business modeling
A business model describes the rationale of how an organization creates, delivers and captures value.
A logic model is a systematic and visual way to present and share your understanding of the relationships among the resources you have to operate your program, the activities you plan, and the changes or results you hope to achieve.
Adapted from Alex Osterwalder’s Business Model Canvas
Defining Artifacts
Authoritative
◦ sets the direction
◦ the business validates its decisions
◦ the business executes against
◦ the business captures resource requirements
◦ the business verifies the activities necessary to support a solution
Historical
◦ Project plans
◦ Proposals, RFPs,
Artifact Handling
Result in deliverables to the business
Contain sensitive information
Setting Context
Communicates to the business