Adaptive Enterprise Security Architecture

Adaptive Enterprise Security Architecture
John J. Czaplewski | Director of Professional Services | David Lynas Consulting, Ltd.

We build, deploy and operate …
Complex IT Systems
21 September 2016 David Lynas Consulting Ltd 2

Supported by …
Often
Not-So-Engineered Security

Our technical security architectures focus on ...
Confidentiality, Integrity, Availability
and are becoming better and better
at adapting to dynamic threat environment

But our Enterprises are concerned with much more:

We need:
a Framework and Methodology
for
Developing
Adaptive Enterprise Security Architectures

SABSA
An internationally recognized methodology for:
• Developing risk-driven enterprise information security
and information assurance architectures
• Delivering security infrastructure solutions that support
and adapt to critical business initiatives.

SABSA
• Begins with developing an understanding of key
enterprise business requirements,
• Transforms them into key business drivers for security
• Engineers the real business attributes that provide
the core supporting framework for an adaptive, living
enterprise security architecture
• Creates a chain of traceability from “Strategy &
Planning” through “Design’, “Implement” and
ongoing “Manage and Measure” to ensure that the
business mandate is preserved.

An Adaptive Enterprise Security Architecture
Requires a comprehensive set of frameworks, models and methods

An Adaptive Enterprise Security Architecture:
Frames and Structures all Aspects of Enterprise Security

Manages all Aspects of Enterprise Security

Accountable Domain Authority
Develops Strategy and Plans
Sets Goals, Objectives & Expectations
Sets Performance Targets
Sets Risk Appetite
Sets Policy to Meet Objectives & Targets
Strategy & Planning Phase
Responsible Entities
Design Processes
Design Systems
Design Staffing Model
Design Controls & Enablers
Design
Establish Processes
Implement Systems
Appoint & Train People
Establish Controls & Enablers
Implement
Manage processes & operations
Manage people
Manage systems
Performance & Risk Monitoring
against KPIs and KRIs
Manage & Measure
Inform
of Responsibility
Report
Performance
& Compliance
With Target
Execute DesignTransition
Through-lifeAssurance
Higher Domain Authority
(Superdomain
Shareholders
Regulators)
Consult & Report Performance
Requires an Enterprise Security Architecture Governance Model

Defines Enterprise Security Architecture Capability Maturity Models
Unreliable1
Informal2
Defined3
Monitored4
Optimised5
Assets
Motivation
Process
People
Location
Time
Contextual
Assets
Motivation
Process
People
Location
Time
Conceptual
Assets
Motivation
Process
People
Location
Time
Logical
Assets
Motivation
Process
People
Location
Time
Physical
Assets
Motivation
Process
People
Location
Time
Component
Assets
Motivation
Process
People
Location
Time
Service
Management
Assets
Motivation
Process
People
Location
Time
Assets
Motivation
Process
People
Time
Assets
Motivation
People
Time
Assets
Motivation
People
Time
Assets
Time
Assets
Motivation
Process
People
Location
Time
Assets
Motivation
Process
Location
ProcessProcess
Assets
Motivation
Process
People
Location
Time
Assets
Motivation
Process
People
Location
AssetsAssets
Assets
Motivation
Process
People
Location
Time
Assets
Motivation
Process
People
Location
Time
Assets
Motivation
Process
People
Location
Time
Assets
Motivation
Process
Time
Assets
Motivation
Assets
Motivation
Process
People
Location
Time
Assets
Motivation
Process
People
Location
Assets
People
Location
Assets
Motivation
Process
People
Location
Time
Assets
Motivation
Process
People
Location
Time
Assets
Motivation
Process
People
Time
Motivation
People
Time
People
Time

Super Domain
Domain
A External
Impacted Domain
(customer)
Impacted
Peer Domain
C
Consult (C)
to define
policy &
target
C
C
Subdomain
External
Provider Domain
(service provider)
Inform (I)
policy &
target to
R domains
R
I
I
R
Inform (I*)
performance
to Super
&
Impacted
domains
I*
I*
I
Models Domain Roles and Responsibilities

Risk Context
Assets
at Risk
Overall
likelihood
of loss
Likelihood of
threat
materialising
Likelihood of
weakness
exploited
Negative
Outcomes
Threats
Loss Event
Positive
Outcomes
Opportunities
Beneficial Event
Overall
loss
value
Asset
value
Negative
impact
value
Overall
benefit
value
Asset
value
Positive
impact
value
Overall
likelihood
of benefit
Likelihood of
opportunity
materialising
Likelihood of
strength
exploited
Analyses Threats and Opportunities

Understands and Communicates Technical Risk in Business Terms

Creates Enterprise Policy Frameworks
Contextual Enterprise-wide Business Risk Policy
Conceptual
Policies for Enterprise-wide Risk & Opportunity Categories
Finance
Risk
Operational
Risk
Environment
Risk
Health &
Safety Risk
Information
Risk
Etc.
Logical
Policies for Logical
Domains
Domains
Domains
Physical
Procedures for Physical
Domains
Domains
Domains
Component
Standards for Nodes,
Addressed, Components

David Lynas Consulting Ltd 18
Business
Legislation
Process
Engineering
Methods
Business
Governance
Frameworks
Business
Sector
Regulation
Point of Primary
Integration for
any Standard
Requiring
measurable
Targets
Total Quality
Framework
Aligns and Integrates Business Requirements
21 September 2016

Contextual: Meta-ProcessesVerticalSecurityConsistency
Horizontal Security Consistency
Conceptual: Strategic View of Process
Logical: Information Flows & Transformations
Physical: Data Flows & System Interactions
Component: Protocols
& Step Sequences
Delivers Top-Down, End-to-End Process Security

Derives Business-Linked Security Controls & Enablers

Builds Defence/Strength-in-Depth Control & Enablement Strategies

Technical
Controls
Management
Controls PCI
SOx
HIPAA
NIST
CobiT
ISO 27002
Integrates Controls Frameworks & Libraries
21 September 2016

Develops Re-usable Operational Risk Management Architectures
Attributes
with performance targets & risk appetite thresholds
Risk Assessment
Ratings
Threat
Opportunity
Vulnerability
Strength
- Impact
+ Impact
Integrated Controls & Enablers Library – MTCS Modelled
Service 1
Mechanism 1
Component 1
Activity 1
Service 2
Mechanism 2
Component 2
Activity 2
Service 3
Mechanism 3
Component 3
Activity 3
21 September 2016

Incorporates Business-Linked Risk Monitoring and Reporting Dashboards
21 September 2016
Risk Management
Attributes
Legal / Regulatory
Attributes
Access-controlled
Accountable
Assurable Enforceable
Compliant
Admissible
Business Attributes
Business Requirements
Business Drivers for Security

Ensures the Enterprise Security Architecture Lives
21 September 2016

• Security is about mitigating threats AND enabling
opportunities
• Change the security conversation to focus on
delivering value to the Enterprise
• Include security at the strategy and planning table
• Develop Enterprise Security Architecture that
enables the Enterprise to meet its mission, goals
and objectives
21 September 2016

Adaptive Enterprise Security Architecture

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Adaptive Enterprise Security Architecture

Semelhante a Adaptive Enterprise Security Architecture (20)

Último

Último (20)

Adaptive Enterprise Security Architecture