Information Security by Design

Nalneesh Gaur, CISSP
Diamond Management and Technology Consultants
Nalneesh.gaur@diamondconsultants.com
April 10, 2008
By the end of this course, you should be able to…

• Understand the need to think early about Information Security
• Learn how to align Information Security and business
• Capture Information Security capabilities
• Define security services and mechanisms
• Apply an integrated Information Security EA framework to your practice
Businesses are transforming to address information risks

Management Pressure Points
• Numerous regulations and control standards
• Distributed operations and relationships
• Increased accountability
• Fragmented information security organization structure
• Increased globalization, crime and cyber terrorism
• Heightened privacy awareness among consumers
• Board-level visibility

Transformational Change
• Establishment of Chief Information Security Office (CISO) organization and governance structures
• Development of risk intelligence
• Establishment of Information Security architecture (today’s topic)
• Purchase of cyber-insurance
• Implementation of a risk-based Information Security roadmap
• Raise awareness of the importance of information security and best practices
• Implementation of controls and reporting automation
Information Security bridges the gap between Operational Risk and IT Security

Three layers, from Business (top) to Technology (bottom):

Operational Risk Areas – the overarching framework for addressing risk:
Operations & Process | Legal | Employee & Culture | Regulatory | Vendor | Physical Asset | Business Continuity | External | Financial Reporting

Information Security Areas – focus on risk to information in all of the operational risk areas:
Policy, Org & Governance | Asset Management | Personnel Security | Physical Security / Access Control | Comm. & Ops | Compliance | Systems Development Life Cycle | Incident / Business Continuity Management
Examples of issues addressed: Financial Integrity, Trust, Fraud, Access Management, Intellectual Property, Privacy

IT Security – focuses on information technology risks alone in all of the Information Security areas:
• IT Threats – e.g. virus and spyware, hackers
• Audits & Assessments – e.g. penetration testing, security assessments
• Security Operations – e.g. patch applications, provision user/access
• Controls – e.g. system hardening, firewalls, anti-virus
To address information risks, the Enterprise Architect must align business, operational risk and technology

The Enterprise Architect sits between three groups of stakeholders, each with its own questions:

Business wants to know
• Are our assets protected?
• How do we prevent the next attack?
• How much does it cost?
• How do we improve security?

CISO/CRO wants to know
• What is our exposure?
• How do we comply with regulations?
• Which controls do I prioritize?
• How do I automate controls reporting?
• How do I gain executive buy-in?

Technical Staff wants to know
• How do I prioritize between IT and Security?
• How do I integrate Security into the Infrastructure?
• How do I ensure consistency?
But roadblocks often thwart alignment

• Information Security does not engage the business
     – Technology-driven solutions “offered” to the business
     – Solutions looking for problems to solve
     – Organizational anomalies
• Business strategy is too vague
     – Mission, vision, goals exist
     – Then what?
• Complexity of the business
     – Do we plan for the whole enterprise?
• Enterprise Architecture considered “too complex” and “too costly”
Alignment can be achieved through collaboration on a business-driven plan

Suggested Approach

Business Architecture (strategy & operations)
• Business owns – Leadership, Business SMEs
• Infosec facilitates

Solution Architecture (platform independent)
• Infosec owns
• Business approves

Technical Architecture (infrastructure & processes)
• IT Security owns
• Governed by Business and Solution Architecture
The result is a business-capability driven blueprint that integrates business strategy, operational risks and Information Security solutions

Components of a Security Blueprint

Business Architecture
• Strategic Business Architecture (SBA) – security-specific goals, objectives and capabilities
• Operational Business Architecture (OBA) – key functions, control objectives, trust model

Solutions Architecture
• Security Policies
• Privilege Associations
• Security Services

Technical Architecture
• Security Mechanisms
• Reference Architecture
• Security Standards and Guidelines

Together these components feed the Blueprint & Roadmap.
Start by understanding the environment and security drivers

• Understand the environment enablers and constraints
• Understand the security drivers – regulations, policies, business strategy, recent incidents, mergers and acquisitions
• Determine the organization’s appetite for security
     – Sr. Mgmt commitment to security
     – Available resources: people, money
     – Management expectations
• Involve the business to develop guiding principles
     – A collection of position statements used to assist decision making
     – Positions unlikely to change over the next two to three years
     – Filters for decision-making . . . guidelines, not hard and fast rules
Engage the business by documenting and driving additional detail into the business strategy

Strategic Business Architecture (SBA)

Environment, security drivers & guiding principles frame the following hierarchy:

• MISSION – a comprehensive statement covering the major functions and operations that the program addresses
• VISION – an inspirational, forward-thinking view of what the program wants to achieve
• GOALS – the top priorities that would achieve the vision
• OBJECTIVES / PERFORMANCE INDICATORS – a set of realistic outcomes tracked by performance indicators that collectively support goal attainment
• CAPABILITIES – a description of how the business plans to achieve the objectives
• REQUIREMENTS – a description of what should be implemented
Engage the business by documenting and developing the details of the business operations

Operational Business Architecture (OBA)

• Business Context – Organization, Stakeholders, Locations
• Key Functions – Level 0/1 Functions, Capabilities Mapping, Gap Analysis
• Trust Model – Entities, Trust Hierarchy, Trust Domains
• Control Objectives – Information Risks, Likelihood and Impact, Control Standards
Starting with the business context view, identify the organizational aspects and then the respective functions

Key Functions – Level 0/1 Functions

What it is
Top-down description of level 0 and level 1 LOB functions. Each level has 5-10 steps. Use it to assess any gap with detailed processes. These functional maps serve as inputs in understanding/defining trust relationships and control objectives.

How to do it
• Use IDEF-0 to develop functional maps and relationships. IDEF-0 allows simple visualization of Input, Output, Controls and Mechanisms.
• Define best-in-class, end-to-end IDEF-0 maps and definitions for relevant level 0 and level 1 business functions.

Sample deliverable (figure): Level 0/1 Functions
For each function map the SBA capabilities

Key Functions – Capability Mapping

What it is
Detailed mapping of SBA business capabilities to their supporting level 1 functions. Mapping assists in identifying capability gaps.

How to do it
• Use a spreadsheet to organize capabilities and then match functions to capabilities.
• Examine the level 1 functions and identify the characteristics that enable the business capabilities (already captured from the SBA).

Sample deliverable (figure): Capabilities Mapping
Identify gaps in capabilities by comparing the current and future capabilities

Key Functions – Gap Analysis

What it is
Observations, risks, implications and planned resolutions for capability gaps in functions.

How to do it
• Compare the high-level functions with the current-state detailed functions.
• Identify new capabilities and the functions required to support them.

Sample deliverable (figure): Gap Analysis
Employ the knowledge of key functions to document and define the Trust Model – start by identifying the entities

Trust Model – Entities

What it is
An entity is a subject that takes an action in a business environment. Entities can be external (e.g. vendors, partners, customers) or internal (e.g. business units, employees).

How to do it
• Use the key functions and identify the subjects involved in those functions.

Sample deliverable (figure): Entities
Once the entities are known, identify the relationships and the specifics such as information exchanged between them

Trust Model – Trust Hierarchy

What it is
Trust Hierarchies are relationships and may be represented as One-Way vs. Two-Way, Transitive, External vs. Internal. Business involvement in identifying the relationship is critical. The trust hierarchy allows for discrimination between relationships.

How to do it
• Identify the relationships between the entities.
• Document the type of information being exchanged across each relationship.

Sample deliverable (figure): Trust Hierarchy
Develop trust domains by identifying common security themes

Trust Model – Trust Domains

What it is
Trust Domains consist of entities and relationships that share a common security theme. Trust Domains are not a rigid construct; they are designed to make it easy to enforce security policies and may allow grouping of policies by domains.

How to do it
• Identify the unique security characteristics of each entity and of the other entities that it interacts with to exchange information.
• Group entities that share common security themes and depict the relationships between them to form the Trust Domains.

Sample deliverable (figure): Trust Domains
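The three Trust Model steps (entities, trust hierarchy, trust domains) carried into code, as an added example that is not part of the original slides: it records one-way/two-way and transitive relationships with the information each carries, derives the trust that exists only by transitivity (the part the business rarely approved consciously), and groups entities into domains by security theme so that cross-domain exchanges stand out as policy boundaries. The entity names, themes and relationships are constructed sample data for a fictional retailer.

```python
"""Trust model helper: entities, trust hierarchy and trust domains.

Added example, not from the original slides. The entities, relationships and
security themes are constructed sample data for a fictional retailer.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    name: str
    internal: bool      # internal (business unit, employee) or external
    theme: str          # common security theme used to form trust domains


@dataclass(frozen=True)
class Relationship:
    truster: str                # entity that extends the trust
    trustee: str                # entity being trusted
    two_way: bool = False       # one-way vs two-way trust
    transitive: bool = False    # trustee's own trustees are trusted as well
    information: tuple = ()     # kinds of information exchanged


def direct_trust(rels):
    """Explicitly granted trust as an adjacency map: truster -> {trustee: rel}."""
    graph = defaultdict(dict)
    for r in rels:
        graph[r.truster][r.trustee] = r
        if r.two_way:
            graph[r.trustee][r.truster] = r
    return graph


def implied_trust(rels):
    """Trust that exists only because some relationships are transitive.

    Returns {truster: {trustee, ...}} for pairs with no direct relationship,
    reached by a chain in which every hop except the last is transitive.
    Such implied trust is what the business usually has not consciously
    approved, so it is the first thing to review with them.
    """
    graph = direct_trust(rels)
    implied = defaultdict(set)
    for start in list(graph):
        stack = [(t, rel.transitive) for t, rel in graph[start].items()]
        seen = set()
        while stack:
            node, can_extend = stack.pop()
            if node == start or (node, can_extend) in seen:
                continue
            seen.add((node, can_extend))
            if node not in graph[start]:
                implied[start].add(node)
            if can_extend:
                stack.extend((n, r.transitive) for n, r in graph[node].items())
    return {k: v for k, v in implied.items() if v}


def trust_domains(entities):
    """Group entities that share a common security theme into one domain."""
    domains = defaultdict(list)
    for e in entities:
        domains[e.theme].append(e.name)
    return dict(domains)


def cross_domain_exchanges(entities, rels):
    """Relationships whose two ends lie in different trust domains.

    These are the boundaries where a policy has to govern the information
    that crosses; same-domain exchanges can share one policy set.
    """
    theme = {e.name: e.theme for e in entities}
    return [(r.truster, r.trustee, r.information)
            for r in rels if theme[r.truster] != theme[r.trustee]]


# Constructed sample data: a web retailer and the parties it deals with.
ENTITIES = [
    Entity("Customer", internal=False, theme="public"),
    Entity("WebStore", internal=True, theme="customer-facing"),
    Entity("OrderMgmt", internal=True, theme="core-business"),
    Entity("Finance", internal=True, theme="core-business"),
    Entity("PaymentProcessor", internal=False, theme="payment"),
    Entity("WarehousePartner", internal=False, theme="logistics"),
]
RELS = [
    Relationship("Customer", "WebStore", information=("order", "card number")),
    Relationship("WebStore", "OrderMgmt", two_way=True, transitive=True,
                 information=("order",)),
    Relationship("OrderMgmt", "Finance", two_way=True, transitive=True,
                 information=("settlement",)),
    Relationship("OrderMgmt", "PaymentProcessor",
                 information=("card number", "amount")),
    Relationship("OrderMgmt", "WarehousePartner",
                 information=("shipping address",)),
]

if __name__ == "__main__":
    print("trust domains:", trust_domains(ENTITIES))
    print("implied trust:", implied_trust(RELS))
    for truster, trustee, info in cross_domain_exchanges(ENTITIES, RELS):
        print(f"policy boundary: {truster} -> {trustee} carries {info}")
```

With this data the web store ends up implicitly trusting the payment processor and warehouse partner through the transitive order-management link, which is exactly the kind of relationship to confirm with the business before grouping policies by domain.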
Develop Control Objectives by identifying the enterprise assets, threats and vulnerabilities

Control Objectives – Information Risks

What it is
Document information risks (assets, threats and vulnerabilities) to prioritize protection measures. Use interviews to gather risk information across the business and from the interviewee’s vantage point.

How to do it
• Develop a model to score assets based on plausible impact.
• Use interviews and key functions to identify assets, threats and vulnerabilities.
• Prioritize information assets to focus on the most valuable assets.
• Identify the vulnerabilities and threats.

Sample deliverable (figure): Information Risks
Assess the impact and likelihood of the threat on assets to determine the greatest risks to the enterprise assets

Control Objectives – Likelihood and Impact

What it is
Not all risks are created equal: assess the likelihood and impact of each risk. Prioritize the risks and then map capabilities to identify the capabilities that address the greatest risks first.

How to do it
• Identify the impact and the likelihood of the threat exploiting the vulnerability.
• Rank the assets, threats and vulnerabilities.
• Focus on the greatest risks by plotting the assets, threats and vulnerabilities against likelihood and impact.

Sample deliverable (figure): Likelihood and Impact
Prioritize information risks and for each risk identify control
standards

[Figure: Information Risks -> Likelihood and Impact -> Control Standards. Inputs shown: Trust Model, Organization, Key Business Functions, Context, Control Objectives. Sample Deliverable: Control Standards]

What it is
Identify control standards to address the greatest risks. Control standards
specify a desired end state and are platform agnostic. Control standards may
be selected from ISO 27001, COBIT etc.

How to do it
• Identify the control standard you wish to use
• For each of the prioritized risks, identify applicable control standards
• Consolidate risks that yield the exact same control objectives
• Identify the frequently occurring standards to identify the priority control standards

Page 19
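The prioritization and consolidation steps on this slide, as an added worked example in Python that is not part of the original deck. The risk register, the 1 to 5 likelihood and impact scales, the score threshold and the control-standard identifiers (CS-...) are all constructed placeholders, not ISO 27001 or COBIT clause numbers.

```python
"""Added example (not from the original deck): rank information risks by
likelihood x impact, map each prioritized risk to control standards,
consolidate risks that yield the same control set, and rank standards by
how often they recur.  All data below is constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int      # 1 (negligible) .. 5 (severe), constructed scale

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed risk register
RISKS = [
    Risk("Customer data exposed in transit", 4, 5),
    Risk("Laptop with unencrypted data lost", 3, 4),
    Risk("Backup tapes shipped unencrypted", 3, 4),
    Risk("Privileged account shared between admins", 4, 4),
    Risk("Unpatched internet-facing server", 3, 5),
    Risk("Office visitor tailgates into server room", 1, 3),
]

# Constructed mapping risk -> control standards.  The CS-* identifiers are
# placeholders in the spirit of ISO 27001 / COBIT controls, not real clauses.
CONTROL_MAP = {
    "Customer data exposed in transit": {"CS-CRYPTO", "CS-NETSEC"},
    "Laptop with unencrypted data lost": {"CS-CRYPTO", "CS-ASSET"},
    "Backup tapes shipped unencrypted": {"CS-CRYPTO", "CS-ASSET"},
    "Privileged account shared between admins": {"CS-ACCESS", "CS-LOGGING"},
    "Unpatched internet-facing server": {"CS-PATCH", "CS-NETSEC"},
    "Office visitor tailgates into server room": {"CS-PHYSICAL"},
}


def prioritize(risks, threshold=12):
    """Risks whose likelihood*impact meets the threshold, highest score first."""
    return sorted((r for r in risks if r.score >= threshold),
                  key=lambda r: -r.score)


def consolidate(risks, control_map):
    """Group risks that yield exactly the same set of control standards,
    so one control selection can be tracked instead of several duplicates."""
    groups = {}
    for r in risks:
        key = frozenset(control_map[r.name])
        groups.setdefault(key, []).append(r.name)
    return groups


def priority_standards(risks, control_map):
    """Count how often each control standard recurs across the prioritized
    risks; the most frequent ones are the priority control standards."""
    counter = Counter()
    for r in risks:
        counter.update(control_map[r.name])
    return counter.most_common()


if __name__ == "__main__":
    top = prioritize(RISKS)
    for r in top:
        print(f"{r.score:>2}  {r.name}")
    for controls, names in consolidate(top, CONTROL_MAP).items():
        print(sorted(controls), "<-", names)
    print(priority_standards(top, CONTROL_MAP))
```

Risks scoring below the threshold (here the physical-access one) drop out of the count, so CS-PHYSICAL never appears in the priority list; raise or lower the threshold to see how the priority standards shift.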
The Strategic and Operational Business Architectures
provide the necessary input for the Solution Architecture

[Figure: the Business Architecture feeds the Solution Architecture (Security Policies, Privilege Model, Security Services), which in turn feeds the Technical Architecture (Security Mechanisms, Reference Architectures, Security Standards and Guidelines)]

Security Policies: The Security Policies are based on the OBA. Policies are hierarchical in nature and cross reference other policies.

Privilege Model: Defines roles and profiles within the organization.

Security Services: The Security Services are a logical construct, used as a stepping stone to achieve capabilities.

Security Mechanisms: The Security Mechanisms are mapped to Security Services. They represent different ways of implementing the services.

Reference Architectures: Once Security Mechanisms are defined, a set of reference architectures can be built for each mechanism. The reference architecture defines the organization's best practices for implementing a given Security Mechanism.

Security Standards and Guidelines: These are the platform specific technology standards and guidelines. Standards are linked to specific Security Policies.

Page 20
Engage policy, business and application owners to develop
the solution architectures

[Figure: Solution Architecture (Security Policies, Privilege Model, Security Services). Privilege associations: Asset - Privilege - Profile - Roles - Individual]

• Establish the policy catalog based on the SBA, OBA and the control objectives:
   – Local vs. global versions of policies
   – Driven by local regulations as well as unique business needs
   – Trust domain specific policies
• EA participates in policy development but does not own it.
• Include clauses that can be enforced immediately or in the near term

• Privilege management forms the basis for any sophisticated Identity & Access Management solution.
• Inventory existing roles and map individuals to those roles.
• Engage business and application owners to develop an abstract construct such as “profiles”; use profiles to map organization roles.
• The profiles can be used to grant access to assets

Page 21
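The privilege associations on this slide (Individual -> Roles -> Profile -> Privileges -> Asset), as an added Python example that is not part of the original deck. It models the chain, answers "can this person do this to that asset" by walking it, and produces the role inventory the bullets ask for. Every person, role, profile and asset name is a constructed placeholder.

```python
"""Added example, not from the original deck: a small model of the
privilege associations (Individual -> Roles -> Profile -> Privileges ->
Asset) with the access check and role inventory the slide calls for.
All names below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Privilege:
    asset: str    # the protected thing, e.g. a database or file share
    action: str   # what is allowed on it, e.g. "read" or "write"


@dataclass
class Profile:
    """Abstract construct agreed with business and application owners;
    it bundles the privileges needed for one kind of work."""
    name: str
    privileges: frozenset = frozenset()


@dataclass
class Role:
    """Organization role; mapped onto zero or more profiles."""
    name: str
    profiles: tuple = ()


@dataclass
class Individual:
    name: str
    roles: tuple = ()

    def effective_privileges(self) -> frozenset:
        """Union of the privileges reachable through every role and profile."""
        granted = set()
        for role in self.roles:
            for profile in role.profiles:
                granted |= profile.privileges
        return frozenset(granted)


def can_access(person: Individual, asset: str, action: str) -> bool:
    """Granted only if some role -> profile chain carries the privilege;
    nothing is granted to an individual directly."""
    return Privilege(asset, action) in person.effective_privileges()


def role_inventory(people) -> dict:
    """Role name -> set of individuals holding it ('inventory existing roles')."""
    inventory = {}
    for person in people:
        for role in person.roles:
            inventory.setdefault(role.name, set()).add(person.name)
    return inventory


def unassigned_roles(all_roles, people) -> list:
    """Roles nobody holds: candidates to retire before building the IAM solution."""
    held = role_inventory(people)
    return sorted(r.name for r in all_roles if r.name not in held)


def who_can(people, asset: str, action: str) -> list:
    """Reverse lookup: who reaches this asset with this action?"""
    return sorted(p.name for p in people if can_access(p, asset, action))


# --- constructed sample data -------------------------------------------------
READ_CLAIMS = Privilege("claims_db", "read")
WRITE_CLAIMS = Privilege("claims_db", "write")
READ_PAYROLL = Privilege("payroll_share", "read")

CLAIMS_READER = Profile("Claims Reader", frozenset({READ_CLAIMS}))
CLAIMS_EDITOR = Profile("Claims Editor", frozenset({READ_CLAIMS, WRITE_CLAIMS}))
HR_VIEWER = Profile("HR Viewer", frozenset({READ_PAYROLL}))

ADJUSTER = Role("Claims Adjuster", (CLAIMS_EDITOR,))
AUDITOR = Role("Claims Auditor", (CLAIMS_READER,))
HR_ANALYST = Role("HR Analyst", (HR_VIEWER,))
CONTRACTOR = Role("Contractor")   # exists in the directory, mapped to no profile
ALL_ROLES = [ADJUSTER, AUDITOR, HR_ANALYST, CONTRACTOR]

PEOPLE = [
    Individual("alice", (ADJUSTER,)),
    Individual("bob", (AUDITOR, HR_ANALYST)),
]

if __name__ == "__main__":
    print(role_inventory(PEOPLE))
    print("unassigned roles:", unassigned_roles(ALL_ROLES, PEOPLE))
    print("bob can write claims?", can_access(PEOPLE[1], "claims_db", "write"))
    print("who can read claims:", who_can(PEOPLE, "claims_db", "read"))
```

Keeping privileges attached only to profiles, never to individuals, is what makes the later inventory tractable: removing a person from a role removes every access that role implied, and `who_can` answers the "understand what you want to protect" question for a given asset.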
Identify Security services and then develop their building
blocks – security mechanisms
                                                                 Illustrative
[Figure: Technical Architecture (Security mechanisms, Reference Architectures, Security Standards and Guidelines)]

Security Service            Security Mechanism
Data Security in Transit    • Encryption
                            • Digital Signatures
                            • Access Control
                            • Integrity Verification
Data Security at Rest       • Encryption
                            • Data Transformation
                            • Data Masking
                            • Access Control
                            • Integrity Verification
Platform Security           • Host-Based Intrusion Protection
                            • Anti-Virus
                            • Platform Security Updates
                            • Patch Management
Messaging Security          • Anti-Spam
                            • Anti-Spyware
                            • Anti-Malware
                            • Anti-Virus
                            • Digital Signatures

• Security Policies must be used to develop Security services
• The Security services vocabulary should suggest a solution to a problem
• Security services should be vetted with business and application owners to ensure they are usable
• Security mechanisms must be enhanced on a periodic basis to adapt to evolving risks
• Security mechanisms may be reused across services and form the building blocks for services

Page 22
Complete the technical architecture by defining the remaining
components

[Figure: Technical Architecture (Security mechanisms, Reference Architectures, Security Standards and Guidelines). Each Security Mechanism, e.g. Data Masking, maps to Reference Architecture 1 … Reference Architecture n]

• Reference Architectures are built for each security mechanism and define the specifics of a vendor solution, applicability, pros and cons
• Reference Architectures must be periodically updated to adapt to the evolving solutions landscape.
• Standards are specific to a technology platform, service, device or application.
• Temporary exceptions to the Standards must be governed through the architecture governance process.

Page 23
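The two slides above describe a chain: policies drive services, services are built from mechanisms, and every mechanism gets one or more reference architectures. The following added Python example (not from the original deck) takes the illustrative service/mechanism table from the previous slide and checks that chain for gaps: mechanisms reused across services, services with no policy behind them, and mechanisms that still lack a reference architecture. The policy names and the RA-* identifiers are constructed placeholders.

```python
"""Added example, not from the original deck: traceability checks over the
policy -> security service -> security mechanism -> reference architecture
chain.  SERVICE_CATALOG is the illustrative table from the deck; POLICY_MAP
and REFERENCE_ARCHITECTURES are constructed placeholders."""
from collections import defaultdict

# Illustrative catalog from the slide: security service -> mechanisms
SERVICE_CATALOG = {
    "Data Security in Transit": ["Encryption", "Digital Signatures",
                                 "Access Control", "Integrity Verification"],
    "Data Security at Rest": ["Encryption", "Data Transformation", "Data Masking",
                              "Access Control", "Integrity Verification"],
    "Platform Security": ["Host-Based Intrusion Protection", "Anti-Virus",
                          "Platform Security Updates", "Patch Management"],
    "Messaging Security": ["Anti-Spam", "Anti-Spyware", "Anti-Malware",
                           "Anti-Virus", "Digital Signatures"],
}

# Constructed: which policy each service was developed from
POLICY_MAP = {
    "Data Protection Policy": ["Data Security in Transit", "Data Security at Rest"],
    "Acceptable Use Policy": ["Messaging Security"],
}

# Constructed: reference architectures built so far, per mechanism
REFERENCE_ARCHITECTURES = {
    "Encryption": ["RA-ENC-1"],
    "Digital Signatures": ["RA-SIG-1"],
    "Access Control": ["RA-AC-1"],
    "Integrity Verification": ["RA-IV-1"],
    "Data Masking": ["RA-DM-1", "RA-DM-2"],   # "Reference Architecture 1 .. n"
    "Host-Based Intrusion Protection": ["RA-HIPS-1"],
    "Anti-Virus": ["RA-AV-1"],
    "Platform Security Updates": ["RA-PSU-1"],
    "Patch Management": ["RA-PM-1"],
    "Anti-Spam": ["RA-SPAM-1"],
    "Anti-Malware": ["RA-MAL-1"],
}


def mechanism_usage(catalog):
    """Invert the catalog: mechanism -> set of services that use it."""
    usage = defaultdict(set)
    for service, mechanisms in catalog.items():
        for m in mechanisms:
            usage[m].add(service)
    return dict(usage)


def reused_mechanisms(catalog):
    """Mechanisms serving two or more services: the shared building blocks
    whose reference architectures pay off most."""
    return sorted(m for m, svcs in mechanism_usage(catalog).items() if len(svcs) >= 2)


def services_without_policy(catalog, policy_map):
    """Services that no policy justifies ('policies must be used to develop services')."""
    covered = {s for services in policy_map.values() for s in services}
    return sorted(s for s in catalog if s not in covered)


def mechanisms_without_reference_architecture(catalog, ras):
    """Mechanisms still missing the reference architecture the slide requires."""
    return sorted(m for m in mechanism_usage(catalog) if not ras.get(m))


def policies_behind(mechanism, catalog, policy_map):
    """Walk back from a mechanism to the policies that justify it."""
    services = mechanism_usage(catalog).get(mechanism, set())
    return sorted(p for p, svcs in policy_map.items() if services & set(svcs))


if __name__ == "__main__":
    print("reused:", reused_mechanisms(SERVICE_CATALOG))
    print("no policy:", services_without_policy(SERVICE_CATALOG, POLICY_MAP))
    print("no RA:", mechanisms_without_reference_architecture(
        SERVICE_CATALOG, REFERENCE_ARCHITECTURES))
    print("Encryption <-", policies_behind("Encryption", SERVICE_CATALOG, POLICY_MAP))
```

In the constructed data, Platform Security has no policy behind it and two mechanisms have no reference architecture yet; those are the items the architecture governance process would pick up before any tool is selected.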
Use the Business and Solution Architectures to derive a roadmap of
business capabilities

[Figure: the Operational Business Architecture, Strategic Business Architecture and Solution Architecture feed a roadmap of Business Capabilities Requiring Infosec and IT Support. Capabilities 01, 12, 04, 07, 09, 02, 03, 05 and 08 are grouped under Theme 1, Theme 2 and Theme 3 and scheduled across the half-years 1H06, 2H06, 1H07 and 2H07]

Roadmap of when each capability is delivered

Page 24
Avoid some common pitfalls when building an Information Security
Blueprint

• Do not start with requirements, start with capabilities
   – Requirements are good for implementation but bog down the planning process
   – Capabilities provide a manageable level of detail for prioritization and release planning
• Recognize Information Security as a key component of Operational Risk; work towards getting the OBA right
   – Start with key functions, not processes, for developing the OBA
   – Understand what you want to protect before deciding how you want to protect it
• Differentiate between IT security and Information Security; do not focus on technology alone
   – Hold off on tools until reference architecture

Page 25
Key Takeaways

• Understand the significance of Information Security as a business enabler by identifying the drivers and appetite for Information Security early in the planning process
• Information Security must engage the business by developing the
   – guiding principles
   – Strategic Business Architecture (SBA)
   – Operational Business Architecture (OBA)
• Getting the Security Services right is the first step before developing the technical architecture artifacts
• Develop Security Mechanisms and corresponding Reference Architectures for the highest priority Security services

Page 26
Thank You

Questions?


    Page 27

Mais conteúdo relacionado

Mais procurados

Cyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesCyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation Slides
SlideTeam
 
Information security management system
Information security management systemInformation security management system
Information security management system
Arani Srinivasan
 

Mais procurados (20)

What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?What is a secure enterprise architecture roadmap?
What is a secure enterprise architecture roadmap?
 
Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...
Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...
Integrating It Frameworks, Methodologies And Best Practices Into It Delivery ...
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
Advanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protectionAdvanced PII / PI data discovery and data protection
Advanced PII / PI data discovery and data protection
 
Roadmap to IT Security Best Practices
Roadmap to IT Security Best PracticesRoadmap to IT Security Best Practices
Roadmap to IT Security Best Practices
 
Practical steps to GDPR compliance
Practical steps to GDPR compliance Practical steps to GDPR compliance
Practical steps to GDPR compliance
 
ISO/IEC 27001:2013
ISO/IEC 27001:2013ISO/IEC 27001:2013
ISO/IEC 27001:2013
 
How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...How can the ISO 27701 help to design, implement, operate and improve a privac...
How can the ISO 27701 help to design, implement, operate and improve a privac...
 
ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2ISO 27001 - information security user awareness training presentation -part 2
ISO 27001 - information security user awareness training presentation -part 2
 
Introduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
 
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...
How to become a Cybersecurity Engineer? | Cybersecurity Salary | Cybersecurit...
 
Aujas Cyber Security
Aujas Cyber SecurityAujas Cyber Security
Aujas Cyber Security
 
ISO 27001 2013 isms final overview
ISO 27001 2013 isms final overviewISO 27001 2013 isms final overview
ISO 27001 2013 isms final overview
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Identity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. MookheyIdentity & Access Management by K. K. Mookhey
Identity & Access Management by K. K. Mookhey
 
Cyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesCyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation Slides
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for Businesses
 
Iso 27001 Checklist
Iso 27001 ChecklistIso 27001 Checklist
Iso 27001 Checklist
 
Information security management system
Information security management systemInformation security management system
Information security management system
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 

Destaque

Smart School Blueprint
Smart School BlueprintSmart School Blueprint
Smart School Blueprint
Maria Ting
 
Information Security Principles - Access Control
Information Security  Principles -  Access ControlInformation Security  Principles -  Access Control
Information Security Principles - Access Control
idingolay
 
Developing A Risk Based Information Security Program
Developing A Risk Based Information Security ProgramDeveloping A Risk Based Information Security Program
Developing A Risk Based Information Security Program
Tammy Clark
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
Tjylen Veselyj
 
Security services mind map
Security services mind mapSecurity services mind map
Security services mind map
David Kennedy
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101
Jerod Brennen
 

Destaque (20)

Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security Program
 
The IoT Methodology & An Introduction to the Intel Galileo, Edison and SmartL...
The IoT Methodology & An Introduction to the Intel Galileo, Edison and SmartL...The IoT Methodology & An Introduction to the Intel Galileo, Edison and SmartL...
The IoT Methodology & An Introduction to the Intel Galileo, Edison and SmartL...
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
 
Hiring Guide to the Information Security Profession
Hiring Guide to the Information Security ProfessionHiring Guide to the Information Security Profession
Hiring Guide to the Information Security Profession
 
The Malaysian Smart School: A Conceptual Blueprint
The Malaysian Smart School: A Conceptual BlueprintThe Malaysian Smart School: A Conceptual Blueprint
The Malaysian Smart School: A Conceptual Blueprint
 
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
NTXISSACSC2 - Texas CISO Council - Information Security Program Essential Gui...
 
Smart School Blueprint
Smart School BlueprintSmart School Blueprint
Smart School Blueprint
 
Overview of Information Security & Privacy
Overview of Information Security & PrivacyOverview of Information Security & Privacy
Overview of Information Security & Privacy
 
Information Security Principles - Access Control
Information Security  Principles -  Access ControlInformation Security  Principles -  Access Control
Information Security Principles - Access Control
 
Developing A Risk Based Information Security Program
Developing A Risk Based Information Security ProgramDeveloping A Risk Based Information Security Program
Developing A Risk Based Information Security Program
 
Intro to Security in SDLC
Intro to Security in SDLCIntro to Security in SDLC
Intro to Security in SDLC
 
Security services mind map
Security services mind mapSecurity services mind map
Security services mind map
 
Lecture #1 - Introduction to Information System
Lecture #1 - Introduction to Information SystemLecture #1 - Introduction to Information System
Lecture #1 - Introduction to Information System
 
Information Security Management 101
Information Security Management 101Information Security Management 101
Information Security Management 101
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
IB Chemistry on Electrolysis and Faraday's Law
IB Chemistry on Electrolysis and Faraday's LawIB Chemistry on Electrolysis and Faraday's Law
IB Chemistry on Electrolysis and Faraday's Law
 
Top 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security DashboardTop 10 Essentials for Building a Powerful Security Dashboard
Top 10 Essentials for Building a Powerful Security Dashboard
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
 
Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005Information Security Management System ISO/IEC 27001:2005
Information Security Management System ISO/IEC 27001:2005
 
Information Security Lecture #1 ppt
Information Security Lecture #1 pptInformation Security Lecture #1 ppt
Information Security Lecture #1 ppt
 

Semelhante a Information Security By Design

Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
nooralmousa
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems Policy
Ali Sadhik Shaik
 
Ta Security
Ta SecurityTa Security
Ta Security
jothsna
 
DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013
DFLABS SRL
 
ISACA GRC-CYBER CALL FOR PAPERS ABSTRACT v.3.0
ISACA GRC-CYBER CALL FOR PAPERS ABSTRACT v.3.0ISACA GRC-CYBER CALL FOR PAPERS ABSTRACT v.3.0
ISACA GRC-CYBER CALL FOR PAPERS ABSTRACT v.3.0
Fabrizio Cilli
 
Information Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesInformation Security Cost Effective Managed Services
Information Security Cost Effective Managed Services
Jorge Sebastiao
 

Semelhante a Information Security By Design (20)

Outlook emerging security_technology_trends
Outlook emerging security_technology_trendsOutlook emerging security_technology_trends
Outlook emerging security_technology_trends
 
Making Executives Accountable for IT Security
Making Executives Accountable for IT SecurityMaking Executives Accountable for IT Security
Making Executives Accountable for IT Security
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 services
 
Real Time Risk Management
Real Time Risk ManagementReal Time Risk Management
Real Time Risk Management
 
Security Patterns How To Make Security Arch Easy To Consume
Security Patterns   How To Make Security Arch Easy To ConsumeSecurity Patterns   How To Make Security Arch Easy To Consume
Security Patterns How To Make Security Arch Easy To Consume
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
 
Information Systems Policy
Information Systems PolicyInformation Systems Policy
Information Systems Policy
 
Ta Security
Ta SecurityTa Security
Ta Security
 
TA security
TA securityTA security
TA security
 
SYMCAnnual
SYMCAnnualSYMCAnnual
SYMCAnnual
 
DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013
 
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security   01   Ics Scada Cyber Security Solutions and Challenges...Dubai Cyber Security   01   Ics Scada Cyber Security Solutions and Challenges...
Dubai Cyber Security 01 Ics Scada Cyber Security Solutions and Challenges...
 
Data Integrity Protection
Data Integrity ProtectionData Integrity Protection
Data Integrity Protection
 
ISACA GRC-CYBER CALL FOR PAPERS ABSTRACT v.3.0
ISACA GRC-CYBER CALL FOR PAPERS ABSTRACT v.3.0ISACA GRC-CYBER CALL FOR PAPERS ABSTRACT v.3.0
ISACA GRC-CYBER CALL FOR PAPERS ABSTRACT v.3.0
 
Sådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig informationSådan undgår du misbrug af kundedata og fortrolig information
Sådan undgår du misbrug af kundedata og fortrolig information
 
Information Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesInformation Security Cost Effective Managed Services
Information Security Cost Effective Managed Services
 
Agama Profile
Agama ProfileAgama Profile
Agama Profile
 
Agam Profile
Agam ProfileAgam Profile
Agam Profile
 
Day 3 p2 - security
Day 3   p2 - securityDay 3   p2 - security
Day 3 p2 - security
 

Último

Último (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Powerful Google developer tools for immediate impact! (2023-24 C)

Information Security By Design

  • 1. Information Security by Design. Nalneesh Gaur, CISSP, Diamond Management and Technology Consultants, Nalneesh.gaur@diamondconsultants.com, April 10, 2008
  • 2. By the end of this course, you should be able to…
     Understand the need to think early about Information Security
     Learn how to align Information Security and business
     Capture Information Security capabilities
     Define security services and mechanisms
     Apply an integrated Information Security EA framework to your practice
    Page 1
  • 3. Businesses are transforming to address information risks
    Management Pressure Points:
     Numerous regulations and control standards
     Distributed operations and relationships
     Increased accountability
     Fragmented information security organization structure
     Increased globalization, crime and cyber terrorism
     Heightened privacy awareness among consumers
     Board-level visibility
    Transformational Change:
     Establishment of Chief Information Security Office (CISO) organization and governance structures
     Development of risk intelligence
     Establishment of Information Security architecture and best practices (today's topic)
     Implementation of risk-based Information Security roadmap
     Raise awareness of the importance of information security
     Implementation of controls and reporting automation
     Purchase of cyber-insurance
  • 4. Information Security bridges the gap between Operational Risk and IT Security
    Operational Risk Areas (overarching framework for addressing risk): Business Process; Operations & Culture; Employee & Physical Asset; Business Continuity; Financial Reporting; Legal; Regulatory; Vendor; External
    Information Security Areas (focus on risk to information in all of the operational risk areas): Policy, Org & Governance; Asset Management; Personnel Security; Physical Security/Access Control; Systems Development Life Cycle; Comm. & Ops Management; Compliance; Incident/Business Continuity. Examples of issues addressed: Financial Integrity, Trust, Fraud, Access Management, Intellectual Property, Privacy
    IT Security (technology; focuses on information technology risks alone in all of the Information Security areas): IT Threats (e.g. virus and spyware, hackers); Audits & Assessments (e.g. penetration testing, security assessments); Security Operations (e.g. patch applications, provision user/access); Controls (e.g. system hardening, firewalls, anti-virus)
  • 5. To address information risks, the Enterprise Architect must align business, operational risk and technology
    CISO/CRO and Business want to know: Are our assets protected? What is our exposure? How do we prevent the next attack? How do we comply with regulations? How much does it cost? Which controls do I prioritize? How do we improve security? How do I automate controls reporting? How do I gain executive buy-in?
    Technical Staff wants to know: How do I prioritize between IT and Security? How do I integrate Security into the Infrastructure? How do I ensure consistency?
  • 6. But, roadblocks often thwart alignment
     Information Security does not engage the business
      – Technology driven solutions "offered" to the business
      – Solutions looking for problems to solve
      – Organizational anomalies
     Business strategy is too vague
      – Mission, vision, goals exist
      – Then what?
     Complexity of the business
      – Do we plan for the whole enterprise?
     Enterprise Architecture considered "too complex" and "too costly"
  • 7. Alignment can be achieved through collaboration on a business-driven plan (suggested approach)
    Business Architecture: Business owns
      – Leadership (strategy & operations)
      – Business SMEs
     Infosec facilitates
    Solution Architecture (platform independent): Infosec owns; Business approves
    Technical Architecture (infrastructure & processes): IT Security owns; governed by Business and Solution Architecture
  • 8. The result is a business-capability driven blueprint that integrates business strategy, operational risks and Information Security solutions
    Components of a Security Blueprint:
     Business Architecture: Strategic Business Architecture (SBA): Goals, Objectives and Capabilities; Operational Business Architecture (OBA): Key Functions, Control Objectives, Trust Model
     Solutions Architecture: Security Policies, Privilege Associations, Security Services
     Technical Architecture: Security Mechanisms, Reference Architecture, Security Standards and Guidelines
    Together these form the Security Specific Blueprint & Roadmap
  • 9. Start by understanding the environment and security drivers
     Understand the environment enablers and constraints
     Understand the Security drivers: regulations, policies, business strategy, recent incidents, mergers and acquisitions
     Determine the organization's appetite for Security
      – Sr. Mgmt commitment to security
      – Available resources: people, money
      – Management expectations
     Involve business to develop guiding principles
      – A collection of position statements used to assist decision making
      – Positions unlikely to change over the next two to three years
      – Filters for decision-making . . . guidelines, not hard and fast rules
  • 10. Engage the business by documenting and driving additional detail into the business strategy
    Strategic Business Architecture (SBA), shaped by the environment, security drivers & guiding principles:
     Mission: a comprehensive statement covering the major functions and operations that the program addresses
     Vision: an inspirational, forward-thinking view of what the program wants to achieve
     Goals: the top priorities that would achieve the vision
     Objectives: a set of realistic outcomes tracked by performance indicators that collectively support goal attainment
     Capabilities: a description of how the business plans to achieve the objectives
     Requirements: a description of what should be implemented
  • 11. Engage the business by documenting and developing the details of the business operations
    Operational Business Architecture (OBA):
     Trust Model: Entities, Trust Hierarchy, Trust Domains
     Organization Context: Stakeholders, Locations
     Key Business Functions: Level 0/1 Functions, Capabilities Mapping, Gap Analysis
     Control Objectives: Information Risks, Likelihood and Impact, Control Standards
  • 12. Starting with the business context view, identify the organizational aspects and then the respective functions (Key Business Functions: Level 0/1 Functions)
    What it is: Top-down description of level 0 and level 1 LOB functions. Each level has 5-10 steps. Use it to assess any gap with detailed processes. These functional maps serve as inputs in understanding/defining trust relationships and control objectives.
    How to do it:
     Use IDEF-0 to develop functional maps and relationships. IDEF-0 allows simple visualization of Input, Output, Controls and Mechanisms.
     Define best-in-class, end-to-end IDEF-0 maps and definitions for relevant level 0 and level 1 business functions
    Sample deliverable (figure): Level 0/1 Functions
  • 13. For each function map the SBA capabilities (Key Business Functions: Capability Mapping)
    What it is: Detailed mapping of SBA business capabilities to their supporting level 1 functions. Mapping assists in identifying capability gaps.
    How to do it:
     Use a spreadsheet to organize capabilities and then match functions to capabilities.
     Examine the level 1 functions and identify the characteristics that enable the business capabilities (already captured from the SBA)
    Sample deliverable (figure): Capabilities Mapping
  • 14. Identify gaps in capabilities by comparing the current and future capabilities (Key Business Functions: Gap Analysis)
    What it is: Observations, risks, implications and planned resolutions for capability gaps in functions.
    How to do it:
     Compare the high-level functions with the current state detailed functions
     Identify new capabilities and the functions required to support them
    Sample deliverable (figure): Gap Analysis
  • 15. Employ the knowledge of key functions to document and define the Trust Model – start by identifying the entities (Trust Model: Entities)
    What it is: An entity is a subject that takes an action in a business environment. Entities can be external (e.g. vendors, partners, customers) or internal (e.g. business units, employees).
    How to do it: Use the key functions and identify the subjects involved in those functions.
    Sample deliverable (figure): Entities
  • 16. Once the entities are known, identify the relationships and the specifics such as information exchanged between them (Trust Model: Trust Hierarchy)
    What it is: Trust Hierarchies are relationships and may be represented as One-Way vs. Two-Way, Transitive, External vs. Internal. Business involvement in identifying the relationship is critical. The trust hierarchy allows for discrimination between relationships.
    How to do it:
     Identify the relationships between the entities.
     Document the type of information being exchanged across each relationship.
    Sample deliverable (figure): Trust Hierarchy
  • 17. Develop trust domains by identifying common security themes (Trust Model: Trust Domains)
    What it is: Trust Domains consist of entities and relationships that share a common security theme. Trust Domains are not a rigid construct; they are designed to make it easy to enforce security policies and may allow grouping of policies by domains.
    How to do it:
     Identify the unique security characteristics of each entity and the other entities that it interacts with to exchange information.
     Group entities that share common security themes and depict the relationships between them to form the Trust Domains.
    Sample deliverable (figure): Trust Domains
  • 18. Develop Control Objectives by identifying the enterprise assets, threats and vulnerabilities (Control Objectives: Information Risks)
    What it is: Document information risks (assets, threats and vulnerabilities) to prioritize protection measures. Use interviews to gather risk information across the business and from the interviewee's vantage point.
    How to do it:
     Develop a model to score assets based on plausible impact
     Use interviews and key functions to identify assets, threats and vulnerabilities
     Prioritize information assets to focus on the most valuable assets.
     Identify the vulnerabilities, threats
    Sample deliverable (figure): Information Risks
  • 19. Assess the impact and likelihood of the threat on assets to determine the greatest risks to the enterprise assets (Control Objectives: Likelihood and Impact)
    What it is: All risks are not created equal; assess the likelihood and impact of each risk. Prioritize the risks and then map capabilities to identify the capabilities that address the greatest risks first.
    How to do it:
     Identify the impacts and likelihood of the threat to exploit the vulnerability.
     Rank the assets, threats and vulnerabilities.
     Focus on the greatest risks by plotting the assets, threats and vulnerabilities against likelihood and impact
    Sample deliverable (figure): Likelihood and Impact
  • 20. Prioritize information risks and for each risk identify control standards (Control Objectives: Control Standards)
    What it is: Identify control standards to address the greatest risks. Control Standards specify a desired end state and are platform agnostic. Control standards may be selected from ISO 27001, COBIT etc.
    How to do it:
     Identify the control standard you wish to use
     For each of the prioritized risks, identify applicable control standards
     Consolidate risks that yield the exact same control objectives
     Identify the frequently occurring standards to identify the priority control standards
    Sample deliverable (figure): Control Standards
  • 21. The Strategic and Operational Business Architectures provide the necessary input for the Solution Architecture
     The Security Policies are based on the OBA. Policies are hierarchical in nature and cross reference other policies.
     The Privilege Model (Solution Architecture) defines roles and profiles within the organization.
     The Security Services is a logical construct, used as a stepping stone to achieve capabilities.
     The Security Mechanisms (Technical Architecture) are mapped to Security Services. They represent different ways of implementing the services. Once Security Mechanisms are defined, a set of reference architectures can be built for each mechanism.
     The Reference Architectures define the organization's best practices for implementing a given Security Mechanism.
     The Security Standards and Guidelines are the platform specific technology standards and guidelines. Standards are linked to specific Security Policies.
  • 22. Engage policy, business and application owners to develop the solution architectures
    Security Policies:
     Establish the policy catalog based on the SBA, OBA and the control objectives:
      – Local vs. global versions of policies
      – Driven by local regulations as well as unique business needs
      – Trust domain specific policies
     EA participates in policy development but does not own it.
     Include clauses that can be enforced immediately or in the near term
    Privilege Model:
     Privilege management forms the basis for any sophisticated Identity & Access Management solution.
     Inventory existing roles and map individuals to those roles.
     Engage business and application owners to develop an abstract construct such as "profiles"; use profiles to map organization roles.
     The profiles can be used to grant access to assets
    Privilege Associations (figure): Individual → Roles → Profile → Privilege → Asset
  • 23. Identify Security services and then develop its building blocks – security mechanisms (illustrative)
    Security Service → Security Mechanisms:
     Data Security in Transit: Encryption; Digital Signatures; Access Control; Integrity Verification
     Data Security at Rest: Encryption; Data Transformation; Data Masking; Access Control; Integrity Verification
     Platform Security: Host-Based Intrusion Protection; Anti-Virus; Platform Security Updates; Patch Management
     Messaging Security: Anti-Spam; Anti-Spyware; Anti-Malware; Anti-Virus; Digital Signatures
    Notes:
     Security Policies must be used to develop Security services
     The Security services vocabulary should suggest a solution to a problem
     Security services should be vetted with business and application owners to ensure they are usable
     Security mechanisms must be enhanced on a periodic basis to adapt to evolving risks
     Security mechanisms may be reused across services and form the building blocks for services
  • 24. Complete the technical architecture by defining the remaining components
    Reference Architectures:
     Reference Architectures are built for each security mechanism and define the specifics of a vendor solution, applicability, pros and cons
     Reference Architectures must be periodically updated to adapt to the evolving solutions landscape.
    Security Standards and Guidelines:
     Standards are specific to a technology platform, service, device or application.
     Temporary exception to the Standards must be governed through the architecture governance process.
    Figure: Security Mechanisms (e.g. Data Masking) → Reference Architecture 1 … Reference Architecture n
  • 25. Use the Business and Solution Architectures to derive a roadmap of business capabilities
    Inputs: Operational Business Architecture, Strategic Business Architecture, Solution Architecture
    Roadmap of when each capability is delivered (half-year columns 1H06, 2H06, 1H07, 2H07), grouped by theme:
     Theme 1: Capability 01, Capability 12, Capability 04, Capability 07
     Theme 2: Capability 09, Capability 02, Capability 03
     Theme 3: Capability 05, Capability 08
    Business Capabilities Requiring Infosec and IT Support
  • 26. Avoid some common pitfalls when building an Information Security Blueprint
     Do not start with requirements, start with capabilities
      – Requirements are good for implementation but bog down the planning process
      – Capabilities provide a manageable level of detail for prioritization and release planning
     Recognize Information Security as a key component of Operational Risk, work towards getting the OBA right
      – Start with key functions not processes for developing the OBA
      – Understand what you want to protect before deciding how you want to protect
     Differentiate between IT security and Information Security, do not focus on technology alone
      – Hold off on tools until reference architecture
  • 27. Key Takeaways
     Understand the significance of Information Security as a business enabler by identifying the drivers and appetite for Information Security early in the planning process
     Information Security must engage the business by developing the
      – guiding principles
      – Strategic Business Architecture (SBA)
      – Operational Business Architecture (OBA)
     Getting the Security Services right is the first step before developing the technical architecture artifacts
     Develop Security Mechanisms and corresponding Reference Architectures for the highest priority Security services
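
As an added worked example (not part of the presentation, and not the author's or Diamond's own material), the control-objective steps of slides 18 to 20 in Python: each risk is scored as likelihood times impact, ranked, placed on the likelihood/impact grid of slide 19, mapped to platform-agnostic control standards, consolidated where two risks yield the identical control set, and the recurring standards are counted to find the priority ones. All assets, threats, scores and control-standard names (CS-ACCESS and so on) are constructed placeholders, not clauses of ISO 27001 or COBIT.

```python
"""Added example: risk register -> ranking -> likelihood/impact grid ->
control standards -> consolidation -> priority standards.
Every asset, threat, score and control-standard name is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe), from the asset scoring model
    controls: frozenset    # platform-agnostic control standards addressing this risk

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Constructed sample register (placeholder data, not a real assessment)
REGISTER = [
    Risk("Customer PII store", "External attacker", "Unpatched DB server", 4, 5,
         frozenset({"CS-PATCH", "CS-ACCESS", "CS-CRYPTO"})),
    Risk("Payroll system", "Insider", "Shared admin accounts", 3, 4,
         frozenset({"CS-ACCESS", "CS-LOGGING"})),
    Risk("Marketing site", "Opportunistic attacker", "Unfiltered web input", 4, 1,
         frozenset({"CS-PATCH"})),
    Risk("Trading ledger", "Insider", "No dual control", 2, 5,
         frozenset({"CS-ACCESS", "CS-LOGGING"})),
    Risk("Backup tapes", "Theft", "Unencrypted media", 2, 4,
         frozenset({"CS-CRYPTO"})),
    Risk("Office Wi-Fi", "Nearby eavesdropper", "Weak wireless encryption", 3, 2,
         frozenset({"CS-CRYPTO", "CS-ACCESS"})),
]


def rank(register):
    """Highest likelihood x impact first; ties broken by impact, then asset name."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.asset))


def quadrant(r, threshold=3):
    """Slide 19's likelihood/impact plot reduced to four cells."""
    hi_l = r.likelihood >= threshold
    hi_i = r.impact >= threshold
    return {(True, True): "high",
            (False, True): "high-impact",
            (True, False): "high-likelihood",
            (False, False): "low"}[(hi_l, hi_i)]


def consolidate(register, top_n):
    """Group the top-N risks whose control sets are identical (slide 20)."""
    groups = defaultdict(list)
    for r in rank(register)[:top_n]:
        groups[r.controls].append(r.asset)
    return dict(groups)


def priority_standards(register, top_n):
    """Count how often each standard recurs among the top-N risks, most frequent first."""
    counts = Counter()
    for r in rank(register)[:top_n]:
        counts.update(r.controls)
    return counts.most_common()


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score:2d} {quadrant(r):15s} {r.asset}")
    print(consolidate(REGISTER, 4))
    print(priority_standards(REGISTER, 4))
```

The consolidation step is keyed on the whole control set rather than on individual standards, which is what lets two risks that map to exactly the same objectives be treated as one line of work, while the frequency count answers the slide's last bullet (which standards show up most across the prioritized risks).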
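
A second added example (again not the presentation's own material) implements the privilege associations of slide 22, Individual to Roles to Profile to Privilege to Asset, as a small data model in which access exists only through a profile. Because there is no direct individual-to-asset grant, the "inventory existing roles and map individuals" step becomes a query over the structure, and a permission check is a walk along the same chain. Profile, role, individual and asset names are constructed.

```python
"""Added example: the slide-22 privilege chain as a resolvable model.
Individual -> Roles -> Profile -> Privilege(asset, action).  All names
below are constructed placeholders."""
from collections import defaultdict


class PrivilegeModel:
    def __init__(self):
        self.role_profile = {}                  # role -> profile
        self.profile_privs = defaultdict(set)   # profile -> {(asset, action)}
        self.individual_roles = defaultdict(set)  # individual -> {role}

    def define_profile(self, profile, privileges):
        """A profile is the abstract construct the business and application owners agree on."""
        for asset, action in privileges:
            self.profile_privs[profile].add((asset, action))

    def map_role(self, role, profile):
        """Organization roles are mapped onto profiles; a role may map to one profile."""
        if profile not in self.profile_privs:
            raise ValueError(f"unknown profile {profile!r}")
        self.role_profile[role] = profile

    def assign(self, individual, role):
        """Individuals receive roles only; never privileges or assets directly."""
        if role not in self.role_profile:
            raise ValueError(f"role {role!r} is not mapped to a profile")
        self.individual_roles[individual].add(role)

    def privileges_of(self, individual):
        """Resolve the chain: individual -> roles -> profiles -> privileges."""
        privs = set()
        for role in self.individual_roles.get(individual, ()):
            privs |= self.profile_privs[self.role_profile[role]]
        return privs

    def is_permitted(self, individual, action, asset):
        return (asset, action) in self.privileges_of(individual)

    def who_can(self, action, asset):
        """Inventory: every individual able to perform action on asset, with the path that grants it."""
        out = {}
        for ind, roles in self.individual_roles.items():
            for role in sorted(roles):
                prof = self.role_profile[role]
                if (asset, action) in self.profile_privs[prof]:
                    out.setdefault(ind, []).append(f"{role} -> {prof}")
        return out


def build_sample():
    """Constructed sample organization (placeholder names)."""
    m = PrivilegeModel()
    m.define_profile("payroll-clerk", [("payroll-db", "read"), ("payroll-db", "update")])
    m.define_profile("payroll-viewer", [("payroll-db", "read")])
    m.define_profile("dba", [("payroll-db", "admin"), ("crm-db", "admin")])
    m.map_role("HR Payroll Specialist", "payroll-clerk")
    m.map_role("HR Manager", "payroll-viewer")
    m.map_role("Database Administrator", "dba")
    m.assign("alice", "HR Payroll Specialist")
    m.assign("bob", "HR Manager")
    m.assign("carol", "Database Administrator")
    return m


if __name__ == "__main__":
    model = build_sample()
    print(model.is_permitted("alice", "update", "payroll-db"))
    print(model.who_can("read", "payroll-db"))
```

Note that "admin" on an asset does not imply "read" in this model; whether administrative privileges should subsume others is a policy decision that belongs in the profile definitions, which keeps the model itself a faithful record of what the business actually agreed to.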