Putting the Business in Information Security Architecture
Description: How to put the business in information security architecture.
Transcript
Information Security Juggernaut
Putting the Business in Enterprise Information Security Architecture
By Ravila Helen White, CISSP, CISM, CISA, GCIH
Making it better without making it complex
Disclaimer
This presentation and the concepts herein are my opinions through private research, practice and chatting with other professionals. It is not the opinion of past, present or future employers.
Agenda
As Is – The current state of affairs…
Getting There – The return of Systems Thinking…
To Be – Becoming agile…
As Is
The current state of affairs…
Sherwood Applied Business Security Architecture (SABSA) 1995
Structure and Content of an Enterprise Information Security Architecture by Gartner 2006
Security Architecture and the ADM by TOGAF
SOA
Legacy
Where is the security architect?
Conflicting Roles
CISO/ISO
Security Engineer/Administrator
CISO/Analyst/Engineer
Security Architect
Definition Dichotomy
Framework
Guidelines
Taxonomy
Policy
Procedure
Standard
Knowing is not understanding. There is a great difference between knowing and understanding: you can know a lot about something and not really understand it. [Charles Kettering]
Artifact Handling
What are they? Where are they? How are they used?
Architectural Artifact – A specific document, report, analysis, model, or other tangible that contributes to an architectural description. [Roger Sessions]
One EA’s Point of View
"EA provides a filter on siloed thinking; I know the solution you proposed makes sense to you, but we provide a wider perspective that can help you make sense for other people as well."
"Information Security professionals sometimes forget that the rest of the organization is there."
"Security professionals often fail to consider the incremental cost that accrues to a policy. Over time, a good policy can incur so much cost that it no longer makes sense from an EA perspective."
Nick Malik – Inside Architecture Blogger
Disparate States
Revolutionary: (1) of, pertaining to, characterized by, or of the nature of a revolution, or a sudden, complete, or marked change. (2) radically new or innovative; outside or beyond established procedure, principles, etc.
Evolutionary: A gradual process in which something changes into a different and usually more complex or better form.
Opportunities of Optimization
Systemic integration of information security architecture into the business.
Adoption of a meta framework to drive information security architecture to business alignment and visibility.
Development of a modular schema to support the use of the most widely used security architecture methodologies.
Getting There
The return to Systems Thinking…
Systems Thinking not Analytics
What it is / Why you need it / How you get it
Systems thinking does not follow the traditional analytical focus of separating out the individual pieces of what is being studied. It focuses instead on how the thing being studied interacts with the other constituents of the system – a set of elements that interact to produce behavior – of which it is a part.
Security is a practice within the business, not the business
Information Security Focus: CISSP, CISA, CISM, CIPP*, GIAC (SANS)
Enterprise Perspective: Business Process Modeling, Enterprise Architecture, Information Design, Software Engineering
How to apply as middleware
Business Process Modeling – translates what you have to offer in terms and techniques used by the business.
Enterprise Architecture – aligns IT initiatives to business needs.
Information Design – takes the complex and makes it consumable.
Software Engineering – reverse engineering and agile development.
Benefits of Systems Thinking
Business Process Modeling – communicates intent and value to the organization
Enterprise Architecture – sets the context of information security within the business
Information Design – helps non-infosec partners quickly orient themselves in a complex environment
Software Engineering – provides synthesis of complex information into a whole
The Controls of Systems Thinking
Standards, Regulations, Guidelines, Logic Models, Setting Context
Controls are used in business to prevent the taking on of too much risk and reduce the risk of an existing or potential weakness. When too much risk is taken against a system it is weakened systemically and typically results in system-wide failure.
To Be
Becoming Agile…
Synthesizing business modeling
A business model describes the rationale of how an organization creates, delivers and captures value.
A logic model is a systematic and visual way to present and share your understanding of the relationships among the resources you have to operate your program, the activities you plan, and the changes or results you hope to achieve.
Adapted from Alex Osterwalder’s Business Model Canvas
Defining Artifacts
Authoritative
◦ sets the direction
◦ the business validates its decisions
◦ the business executes against
◦ the business captures resource requirements
◦ the business verifies the activities necessary to support a solution
Historical
◦ Project plans
◦ Proposals, RFPs,
Artifact Handling
Result in deliverables to the business
Contain sensitive information
Setting Context
Communicates to the business and peers what services are provided
Sets the scope of activities
Contextualized Infosec Architecture
Component Architecture
Plan of Action
1. Apply a business model
2. Choose your metadata sources
3. Adopt a common terminology taxonomy
4. Define artifacts and storage location
5. Research current and future
6. Develop component architecture
AGILE Infosec Architecture
Credits & References
General Professional Influencers
Business Model Generation
www.dictionary.com
Google: www.Google.com
Information Design Handbook
Logic Model Development Guide: http://www.wkkf.org/Pubs/Tools/Evaluation/Pub3669.pdf
Oxford Dictionary
Thinking Page: www.thinking.net
TOGAF: www.opengroup.org
SABSA: www.sabsa-institute.org/
Wikipedia: www.wikipedia.com
Deborah Arline
Copyright Information
Some works in this presentation have been licensed under the Creative Commons license (CC). Please respect the license when using the concepts or adapting them.
For more information please go here: www.creativecommons.org
Thank you…
Questions and Comments
Contact me via slideshare.net