Page 1
SABSA and TOGAF – Enterprise Security Architecture at Eskom
March 2015
Maganathin Marcus Veeraragaloo: Chief Advisor Information Security
"What we think, or what we know, or what we believe is, in the end, of little consequence. The only consequence is what we do." -- John Ruskin
Page 2
Agenda
• The role of IT in Eskom
• SABSA Overview
• TOGAF at Eskom
• Enterprise Security Architecture at Eskom
Building High Performance Group IT
Page 3
The role of IT in Eskom
Page 4
The role of IT in Eskom
• SAP PM
• GPSS
• THEMSE
• CSS
• COLLOPS
• MDMS
• FLIP
• SCADA
• MAXIMO/ TERTIARY WIRES
• GTX
• CS-ONLINE
• AVAYA
• VAT – MOBILITY
• SMALLWORLD
• FMS
• ENS
• PRIMAVERA
• SPF
• PRISM
• SMALLWORLD & ENS
• ACNAC
• SMARTPLANT
• ENGINEERING SYSTEMS
• CIBOODLE
• MV90
• ROUTEMASTER
• AMI
• ALFS
• KSACS MDMS
• CNL
• CS-ONLINE
INTEGRATION
Page 5
Sherwood Applied Business Security Architecture (SABSA) Overview
Page 6
SABSA Introduction
• Business Driven Architecture
• Being business-driven means never losing sight of the organisation’s goals, objectives, success factors and targets, and ensuring that the security strategy demonstrably supports, enhances and protects them.
• SABSA has a layered mapping approach for traceability
Page 7
SABSA Meta Model
Page 8
SABSA Matrix
Page 9
Alignment, Integration & Compliance Strategy
• Strategy & Planning Phase Alignment
• Risk Management Method Alignment
• Performance & Reporting Methods
• Control Objectives Libraries & Standards
Page 10
Controls Frameworks & Libraries
Page 11
Application of Multi-tiered Control Strategy
Page 12
TOGAF at Eskom
Page 13
Eskom Extensions to the TOGAF Reference Model
Legend: Eskom Extension; TOGAF Core; TOGAF Extension
Page 14
Eskom Group IT Project Life Cycle Management
• Statement of Architecture Work
• Conceptual Architecture Definition (Preferred Solution)
• Logical Architecture Definition
• Physical Design
• Update Statement of Architecture Work
• Testing
• Pre-transfer
• Modelled in ARIS
• Partial Physical Architecture only
• Not in ARIS
• Physical Config and Implementation design
Page 15
Salient Facts – Managed in the EA repository
• Eskom business processes modeled to logical level throughout the enterprise
• 710 Application objects with life cycle management
• 446 Application interfaces
• 298 Software Technology Components
• 228 Logical Data Entities
• Integration between IT and OT artefacts
• AND MANY MORE
Page 16
Enterprise Security Architecture at Eskom
Page 17
SABSA overlay on TOGAF Crop Circle – Guide
Page 18
Preliminary – Enterprise Security Architecture
Page 19
Preliminary – Enterprise Security Architecture
Our purpose: To provide sustainable electricity solutions to grow the economy and improve the quality of the life of people in South Africa and in the region
1. Leading and partnering to keep the lights on
• Providing high availability reliable IT infrastructure
2. Reducing our carbon footprint and pursuing low carbon growth opportunities
• Introducing green-IT infrastructure
3. Securing future resource, requirements, mandate and the required enabling environment
• Centers of excellence developing talent
4. Implementing coal haulage and the road-to-rail migration plan
• World class PMO to deliver on-time and on-budget
5. Pursuing private sector participation
• Tools to support the integration of IPPs
Business Drivers – Group IT
Page 20
Preliminary – Enterprise Security Architecture
• Information Security Policy
• Security Principles
• Security Built-in
• Define Security Boundaries
• Security Risk Mitigation
• Unique Security Architectures
• Security Architecture Capability
Security Principles
Page 21
Preliminary – Enterprise Security Architecture
Key Risk Areas
Departmental Risks
• All group IT departments
• Operations and service delivery
Project Risks
• Top 10 projects (PLCM)
• BAU Projects (<R10 mil)
Compliance Risks
• Compliance to IT regulation
Page 22
Preliminary – Enterprise Security Architecture
Risk Appetite
Page 23
Preliminary – Enterprise Security Architecture
Enterprise Security Management
Identity and Access Management
Infrastructure Security
Information and Application Security
Security Categories
Standard Delivery Elements
Security Topics
Security Resource Plan
Page 24
Requirements Management – Enterprise Security Architecture
Page 25
Requirements Management – Enterprise Security Architecture
Business Attributes
• User Attributes
• Management Attributes
• Risk Management Attributes
• Legal/Regulatory Attributes
• Technical Strategy Attributes
• Operational Attributes
• Business Strategy Attributes
User Attributes
Accessible
• Business Attribute Definition: Information to which the user is entitled to gain access should be easily found and accessed by that user.
• Suggested Measurement Approach: Search tree depth necessary to find the information
• Metric Type: Soft
Accurate
• Business Attribute Definition: The information provided to users should be accurate within a range that has been pre-agreed upon as being applicable to the service being delivered.
• Suggested Measurement Approach: Acceptance testing on key data to demonstrate compliance with design rules
• Metric Type: Hard
Anonymous
• Business Attribute Definition: For certain specialized types of service, the anonymity of the user should be protected.
• Suggested Measurement Approach: Rigorous proof of system functionality; Red team review
• Metric Type: Hard; Soft
Consistent
• Business Attribute Definition: The way in which log-in, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access.
• Suggested Measurement Approach: Conformance with design style guides; Red team review
• Metric Type: Soft
Current
• Business Attribute Definition: Information provided to users should be current and kept up to date, within a range that has been pre-agreed upon as being applicable for the service being delivered.
• Suggested Measurement Approach: Refresh rates at the data source and replication of source and replication of refreshed data to the destination.
• Metric Type: Hard
Business Attribute Profile
Page 26
Requirements Management – Enterprise Security Architecture
• Statement of Architecture Work
• Conceptual Architecture Definition (Preferred Solution)
• Logical Architecture Definition
• Physical Design
• Update Statement of Architecture Work
• Testing
• Pre-transfer
• Modelled in ARIS
• Partial Physical Architecture only
• Not in ARIS
• Physical Config and Implementation design
Control Objectives / Architecture Requirements
Page 27
Architecture Vision – Enterprise Security Architecture
Page 28
Architecture Vision – Enterprise Security Architecture
Security Stakeholders
Page 29
Business Architecture – Enterprise Security Architecture
Page 30
Business Architecture – Enterprise Security Architecture
Departmental Risks
• All group IT departments
• Operations and service delivery
Project Risks
• Top 10 projects (PLCM)
• BAU Projects (<R10 mil)
Compliance Risks
• Compliance to IT regulation
Business Risk Model
Page 31
Business Architecture – Enterprise Security Architecture
ITIL
ISO 27002
CobiT
CIS
King III
PFMA
Control Frameworks
Page 32
Information Systems Architecture – Enterprise Security Architecture
Page 33
Preliminary – Enterprise Security Architecture
Enterprise Security Management
Identity and Access Management
Infrastructure Security
Information and Application Security
Security Categories
Standard Delivery Elements
Security Topics
Security Services Catalog
Classification of Services
Page 34
Technology Architecture – Enterprise Security Architecture
Page 35
Technology Architecture – Enterprise Security Architecture
Change Management & Training
Information security policy
Data Privacy
Logical access Mgt/access control
Information classification
Remote access
Management controls
reviews
Procedures
Clauses: and SO requirements
Strategic Alignment
Regulations, legislations & contracts)
Security threat environment
• Cryptography: 32-387
• Server room/physical & environmental security: 32-894
• Malicious code: 32-375
• Remote access??
• Wireless: 32-382
• Network security: 240-50201762
• IT service continuity: 240-49448549
• Password standards
• Physical asset classification and control: 32-369
• Removable media: 32-389
• Mobile computing
• Identity management
• Firewall: 32-377
• System Development, Acquisition and Maintenance standard (clause A.14.2.5)
• Security Monitoring
• Open IP and open port: 32-354
• Logical access: 32-351
• System classification: 32-438
• Inventory of assets (clause A.8.1.1)
• Access control (clause A.9.1.1)
• Secure system engineering principles (clause A.14.2.5)
• Access management (clause A.15.1.1)
Standards
• Asset & info. Classification: 32-363
• Access control: 32-359
• Open IP & open port: 240-75879464
• Password reset: 32-364
• Remote access: 32-398
• Third party access: 32-359
• Incident management procedure (clause A.16.1.5)
• Server backups (clause A.17.1.2)
Procedure objective
Process for deviations & exceptions
Applicability statement
Clauses
RACI
Process for deviations & exceptions
Standards objectives
RACI
Procedure flows & sub-procedures
Clauses
Monitoring
RACI
Policy objectives
Process for deviations & exceptions
Management controls
Guidelines
Supplier security
Security Rules, Practices and Procedures
Security Standards
Page 36
Implementation Governance – Enterprise Security Architecture
Page 37
Implementation Governance – Enterprise Security Architecture
1. Security Management
a. Operational Models
2. Security Audit
a. Continuous Audits
b. Test Centre of Excellence (TCoE)
3. Security Awareness
a. Continuous Security Awareness Programmes.
Page 38
Architecture Change Management – Enterprise Security Architecture
Page 39
Architecture Change Management – Enterprise Security Architecture
1. Risk Management
a. Business Processes – Process Control Manuals
b. Risk Management Tools
2. Security Architecture Governance
a. Architecture Governance Committees and Forums
i. Architecture Design Review
ii. Enterprise Architecture Body
iii. Enterprise Architecture Review Board
iv. Cyber Security Forum IT/OT