SlideShare uma empresa Scribd logo

Enterprise%20 security%20architecture%20 %20business%20driven%20security

wardell henley
wardell henley

enterprise security

Tecnologia
1 de 21
Baixar para ler offline
Enterprise Security Architecture Business-driven security April 2012
Page 2 Agenda ► Facilities and safety information ► Introduction ► Overview of the problem ► Introducing security architecture ► The SABSA approach ► A worked example ► Security architecture components ► Facilitated discussion 26 April 2012 ISACA Seminar– Enterprise Security Architecture
The Problem: Information Security The business perspective Page 3 26 April 2012 ISACA Seminar– Enterprise Security Architecture
The problem: answering the difficult questions How do we ensure security supports the business? How do we demonstrate alignment with the business risks? Are we spending too much or on the right things? How do we keep business and security aligned? How do we minimise security gaps and remediation costs How do we embed security in the wider business? Page 4 26 April 2012 ISACA Seminar– Enterprise Security Architecture
Introducing security architecture? Traditional architecture vs. security architecture ► Designing a secure business information system could take a number of directions, but there is considerable potential for the security and business requirements to clash and neither party is satisfied with the end result. ► The answers to these questions provide the architect with the business requirements which can then be fed into the design process. ► What type of structure do I want? ► Why do I want this structure? ► How will it be used? ► Who will be the users of the structure? ► Where should the structure be located? ► When will it be used? Building a physical structure ► What type of information system is being considered and what will it do? ► Why is it needed? ► How will it be used? ► Who will use it? ► Where will it be used? ► When will it be used? Protecting business information Page 5 26 April 2012 ISACA Seminar– Enterprise Security Architecture
How do I solve this problem What is business security architecture? ► The challenge in developing the architecture is to balance between risk, cost and usability ► Security architecture controls are composed of people, process and technology controls An organisation needs security controls that are: ► Driven by business requirements rather than technical considerations ► Directly traceable to business objectives ► Designed from the outset to be cost-effective, avoiding remediation effort ► Meet legal, regulatory and policy compliance requirements by design ► Are appropriate to both the business risks and organisation’s risk appetite Risk Usability Cost Page 6 26 April 2012 ISACA Seminar– Enterprise Security Architecture
Why do this? Benefits of the security architecture approach Customised information security control framework ► Driven by the organisation’s business requirements ► Meeting compliance ► Alignment with the business’ risk appetite Reduces information security, IT and security audit costs ► Eliminates redundant controls ► Reduces ad hoc security implementation ► Provides detailed agreed security requirements Informs executive management about security risk ► Articulates impact of information security risk in business terms ► Provides structured control framework to evaluate compliance ► Creates foundation for quantitative assessment of security ROI Page 7 26 April 2012 ISACA Seminar– Enterprise Security Architecture
The SABSA approach Step by step Business attributes Threat analysis Impact analysis Control objectives Security services Business Driver ► Identify the business drivers/ objectives. ► Prioritise drivers. Business Attributes ► Translate drivers into business security attributes. ► Security attributes are provided by SABSA framework. Threat analysis ► Perform threat analysis. ► Identify actual threats to business attributes/ business drivers. Impact analysis ► Use qualitative or quantitative methods to define impact of the realisation of the threat on the identified business objectives. Control Objectives ► Define control objectives to mitigate the identified threats to acceptable levels. Security services ► Identify security services to provide the required controls objectives. Business driver Page 8 26 April 2012 ISACA Seminar– Enterprise Security Architecture
The SABSA approach An architect’s perspective – Here comes the science! Assets (What) Process (How) Location (Where) People (Who) Time (When) Motivation (Why) Contextual The Business Business Process Model Business Geography Business Organization and Relationships Business Time Dependencies Business Risk Model Conceptual Business Attributes Profile Security Strategies and Architectural Layering Security Domain Model Security Entity Model and Trust Framework Security-Related Lifetimes and Deadlines Control Objectives Logical Security Services Security Domain Definitions and Associations Entity Schema and Privilege Profiles Security Processing Cycle Business Information Model Security Policies Physical Platform and Network Infrastructure Users, Applications and the User Interface Control Structure Execution Business Data Model Security Mechanisms Security Rules, Practices and Procedures Component Processes, Nodes, Addresses and Protocols Identities, Functions, Actions and ACLs Security Step Timing and Sequencing Detailed Data Structures Security Products and Tools Security Standards Operational Assurance of Operational Continuity Security Service Management and Support Security of Sites, Networks and Platforms Application and User Management and Support Security Operations Schedule Operational Risk Management Design Build Business Architect Designer Builder Tradesman Facilities Manager 26 April 2012 ISACA Seminar– Enterprise Security ArchitecturePage 9
Contextual & conceptual security Understanding the business and its risks ► Business strategy ► Business processes and functions ► Organisational structure – personnel, geographical, partnerships ► Budgets, technical constraints, time dependencies ► Use the business attributes database to describe the business in terms of strategy, related assets, business goals and objectives → business attribute profile ► Perform a threat analysis on the business assets, goals and objectives ► Define the business impact of the realisation of the threats ► Identify technical and procedural vulnerabilities Gather, assess and analyse business requirements Describe the business requirements Analyse the business risks Page 10 26 April 2012 ISACA Seminar– Enterprise Security Architecture
An overview of SABSA attributes database Page 11 26 April 2012 ISACA Seminar– Enterprise Security Architecture
A logical security architecture What does it look like? Business Attributes Profile Control objectives Security strategies Security services Business Attributes Profile ► Select business attributes (mapped to business drivers). ► Define enterprise- specific business attributes, a measurement approach, metrics and targets. Control objectives ► Derive control objectives from the Business Attributes Profile and the Business Risk Model developed at the Conceptual layer. Security strategies ► Define appropriate security strategies based on the business process model, the Business Attributes profile, the control objectives and the assessment of the current state of security Security services ► Layered model of security services, including: ► Prevention ► Containment ► Detection and notification ► Event collection and tracking ► Recovery ► Assurance Page 12 26 April 2012 ISACA Seminar– Enterprise Security Architecture
A worked example Business drivers ► Customer data is disclosed to internal users through inappropriate access controls ► Staff leak customer information to unauthorised third parties ► Customer information is disclosed in transit to third- party processor. ► Sensitive* customer data is disclosed to unauthorised parties Compliant Access-controlled Protected Protect customer information Business driver Business attributes Threats Prioritised Page 13 26 April 2012 ISACA Seminar– Enterprise Security Architecture
A worked example Control objectives Operations, process and procedures ► User access management ► Monitoring user access levels and user activity, particularly third parties ► Incident response for data breach Technology ► Identity management ► Authentication and authorisation ► Database and network encryption to protect personal data in storage and in transit ► Auditing and logging of access to sensitive* personal data People ► Training and awareness for all staff on data protection ► Focussed training for high-risk areas, e.g., call centres Governance ► Nominated Data Protection Officer ► Data protection policies, standards and procedures ► Third party risk management framework ► Data protection assurance Compliant Access- controlled Protected Control Objectives: Protect customer information Business attributes – Compliant, access-controlled and protected Page 14 26 April 2012 ISACA Seminar– Enterprise Security Architecture
A worked example Security services ► Identity management tools ► Authentication ► Access control ► Authorisation ► Auditing ► Storage encryption ► Link encryption ► Breach ► Security management ► Incident management ► Policies, standards, procedures, guidelines ► Training and awareness ► Proactive reviews ► Third party management frameworks Technical security services Technical security services Page 15 26 April 2012 ISACA Seminar– Enterprise Security Architecture
Security architecture deliverables What do you get? Contextual Architecture ► Business Drivers ► Prioritised drivers ► Impact Assessment Conceptual Architecture ► Business Attribute Profile ► Business Risk Model ► Security Domain Model Logical Security Architecture ► Security Domains and associations ► Logical security services framework Physical and Component Architecture ► Detailed infrastructure and component solution design ► Documented controls against control objectives Operational security control framework Page 16 26 April 2012 ISACA Seminar– Enterprise Security Architecture
Portrait of a successful security architect An architect’s skill-set is different from a tradesman Understands the business strategy and objectives ► There are more than just ‘security’ requirements Thinks in business terms at all times ► Why are we doing this? ► What are we trying to do? Has good communication skills ► Bridges the gaps between business and technology Maintains strength of character ► Defends the security architecture ► Meets the constant challenge Page 17 26 April 2012 ISACA Seminar– Enterprise Security Architecture
Optimising your investment in security architecture – measuring success ► Characteristics of a good business security architecture ► Strategic alignment: aligned to the current business strategy ► Agility: designing a security architecture to deal with the changing legal, regulatory and client requirements ► Extensibility: expanding the architecture on a phased based throughout an organisation ► Robustness: demonstrates a thorough development with appropriate input, review and approval and will withstand critical evaluation from detractors ► Pragmatism: reflects the operating environment of the organisation and imposes appropriate security controls for the people and culture. Page 18 Good security controls Driven by business requirements rather than technical considerations Directly traceable to business objectives Designed from the project outset to be cost-effective thereby avoiding remediation effort Meets regulatory, audit and compliance requirements by design Appropriate to both the business risks and organisation’s risk appetite 26 April 2012 ISACA Seminar– Enterprise Security Architecture
Security Architecture Summary Page 19 26 April 2012 ISACA Seminar– Enterprise Security Architecture
EY Contacts Security architecture experience Hugh Callaghan Director Direct Tel: +353 (0)1 221 2411 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)87 983 8511 E-mail: hugh.callaghan@ie.ey.com Patricia O’Gara Senior Manager Direct Tel: +353 (0)1 221 2008 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)87 235 6023 E-mail: patricia.ogara@ie.ey.com Vasilijs Mihailovs Assistant Direct Tel: +353 (0)1 221 2653 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)86 176 6444 E-mail: vasilijs.mihailovs@ie.ey.com Eoin O’Reilly Senior Manager Direct Tel: +353 (0)1 221 2698 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)86 770 9820 E-mail: eoin.oreilly@ie.ey.com 26 April 2012 ISACA Seminar– Enterprise Security ArchitecturePage 20
Thank you

Recomendados

Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationSeccuris Inc.
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitectureKris Kimmerle
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
The Future of Security Architecture Certification
The Future of Security Architecture CertificationThe Future of Security Architecture Certification
The Future of Security Architecture Certificationdanb02
 
Introduction to International Standardization
Introduction to International StandardizationIntroduction to International Standardization
Introduction to International StandardizationKris Kimmerle
 
Ea Relationship To Security And The Enterprise V1
Ea Relationship To Security And The Enterprise V1Ea Relationship To Security And The Enterprise V1
Ea Relationship To Security And The Enterprise V1pk4
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architectureMubashirAslam5
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureThe Open Group SA
 

Recomendados

Information Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationInformation Security Architecture: Building Security Into Your Organziation
Information Security Architecture: Building Security Into Your OrganziationSeccuris Inc.
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitectureKris Kimmerle
 
Security architecture
Security architectureSecurity architecture
Security architectureDuncan Unwin
 
The Future of Security Architecture Certification
The Future of Security Architecture CertificationThe Future of Security Architecture Certification
The Future of Security Architecture Certificationdanb02
 
Introduction to International Standardization
Introduction to International StandardizationIntroduction to International Standardization
Introduction to International StandardizationKris Kimmerle
 
Ea Relationship To Security And The Enterprise V1
Ea Relationship To Security And The Enterprise V1Ea Relationship To Security And The Enterprise V1
Ea Relationship To Security And The Enterprise V1pk4
 
Conceptual security architecture
Conceptual security architectureConceptual security architecture
Conceptual security architectureMubashirAslam5
 
Security-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureSecurity-by-Design in Enterprise Architecture
Security-by-Design in Enterprise ArchitectureThe Open Group SA
 
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
 
SABSA - TOGAF Integration White Paper
SABSA - TOGAF Integration White PaperSABSA - TOGAF Integration White Paper
SABSA - TOGAF Integration White PaperSABSAcourses
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?rbrockway
 
Zachman Enterprise Security Architecture
Zachman Enterprise Security ArchitectureZachman Enterprise Security Architecture
Zachman Enterprise Security ArchitectureJoaquin Marques
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
 
Enterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditEnterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditBob Rhubart
 
Security services mind map
Security services mind mapSecurity services mind map
Security services mind mapDavid Kennedy
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0Maganathin Veeraragaloo
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'aFahmi Albaheth
 
Safeguarding the Enterprise. A new approach.
Safeguarding the Enterprise. A new approach.Safeguarding the Enterprise. A new approach.
Safeguarding the Enterprise. A new approach.ADGP, Public Grivences, Bangalore
 
Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Apoorva Ajmani
 
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...ijcsit
 
IntelAdapt
IntelAdaptIntelAdapt
IntelAdaptMaggie Albrecht
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information SecurityJohn Macasio
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessGary Hayslip CISSP, CISA, CRISC, CCSK
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-FundamentalsGary Hayslip CISSP, CISA, CRISC, CCSK
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextDavid Sweigert
 
Ccie security 01
Ccie security 01Ccie security 01
Ccie security 01Peter Cheong
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSAMaganathin Veeraragaloo
 
iCode Security Architecture Framework
iCode Security Architecture FrameworkiCode Security Architecture Framework
iCode Security Architecture FrameworkMohamed Ridha CHEBBI, CISSP
 
Dave Tyson Profile for CISO Insights
Dave Tyson Profile for CISO InsightsDave Tyson Profile for CISO Insights
Dave Tyson Profile for CISO Insightsciso_insights
 
Stu r35 b
Stu r35 bStu r35 b
Stu r35 bSelectedPresentations
 

Mais conteúdo relacionado

Mais procurados

Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Craig Martin
 
SABSA - TOGAF Integration White Paper
SABSA - TOGAF Integration White PaperSABSA - TOGAF Integration White Paper
SABSA - TOGAF Integration White PaperSABSAcourses
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?rbrockway
 
Zachman Enterprise Security Architecture
Zachman Enterprise Security ArchitectureZachman Enterprise Security Architecture
Zachman Enterprise Security ArchitectureJoaquin Marques
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy Allen Baranov
 
Enterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditEnterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditBob Rhubart
 
Security services mind map
Security services mind mapSecurity services mind map
Security services mind mapDavid Kennedy
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'aFahmi Albaheth
 
Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Apoorva Ajmani
 
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...ijcsit
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information SecurityJohn Macasio
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextDavid Sweigert
 

Mais procurados (20)

Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
Risk-driven and Business-outcome-focused Enterprise Security Architecture Fra...
 
SABSA - TOGAF Integration White Paper
SABSA - TOGAF Integration White PaperSABSA - TOGAF Integration White Paper
SABSA - TOGAF Integration White Paper
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
Zachman Enterprise Security Architecture
Zachman Enterprise Security ArchitectureZachman Enterprise Security Architecture
Zachman Enterprise Security Architecture
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy A Practical Example to Using SABSA Extended Security-in-Depth Strategy
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
 
Enterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to auditEnterprise Security Architecture: From access to audit
Enterprise Security Architecture: From access to audit
 
Security services mind map
Security services mind mapSecurity services mind map
Security services mind map
 
TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0TOGAF 9 - Security Architecture Ver1 0
TOGAF 9 - Security Architecture Ver1 0
 
New technologies - Amer Haza'a
New technologies - Amer Haza'aNew technologies - Amer Haza'a
New technologies - Amer Haza'a
 
Safeguarding the Enterprise. A new approach.
Safeguarding the Enterprise. A new approach.Safeguarding the Enterprise. A new approach.
Safeguarding the Enterprise. A new approach.
 
Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206
 
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...
RANKING CRITERIA OF ENTERPRISE INFORMATION SECURITY ARCHITECTURE USING FUZZY ...
 
IntelAdapt
IntelAdaptIntelAdapt
IntelAdapt
 
Enterprise Architecture and Information Security
Enterprise Architecture and Information SecurityEnterprise Architecture and Information Security
Enterprise Architecture and Information Security
 
So you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to SuccessSo you want to be a CISO - 5 steps to Success
So you want to be a CISO - 5 steps to Success
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 context
 
Ccie security 01
Ccie security 01Ccie security 01
Ccie security 01
 
Security review using SABSA
Security review using SABSASecurity review using SABSA
Security review using SABSA
 
iCode Security Architecture Framework
iCode Security Architecture FrameworkiCode Security Architecture Framework
iCode Security Architecture Framework
 

Semelhante a Enterprise%20 security%20architecture%20 %20business%20driven%20security

Dave Tyson Profile for CISO Insights
Dave Tyson Profile for CISO InsightsDave Tyson Profile for CISO Insights
Dave Tyson Profile for CISO Insightsciso_insights
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016Prime Infoserv
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsRothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsBen Rothke
 
Open group spc rosenthal v3
Open group spc rosenthal v3Open group spc rosenthal v3
Open group spc rosenthal v3City of Toronto
 
Key metrics and process in cyber security case scenario
Key metrics and process in cyber security case scenarioKey metrics and process in cyber security case scenario
Key metrics and process in cyber security case scenarioAkingbade Akinfenwa
 
Key metrics and process in cyber security case scenario
Key metrics and process in cyber security case scenarioKey metrics and process in cyber security case scenario
Key metrics and process in cyber security case scenarioBim Akinfenwa
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworksJohn Arnold
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsPECB
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
 
Information Systems Audit-Related Designations
Information Systems Audit-Related DesignationsInformation Systems Audit-Related Designations
Information Systems Audit-Related DesignationsMichael Lin
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Edureka!
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS
 
II Security At Microsoft
II Security At MicrosoftII Security At Microsoft
II Security At MicrosoftMark J. Feldman
 
110.decision makers.cio.ciso
110.decision makers.cio.ciso110.decision makers.cio.ciso
110.decision makers.cio.cisoLarry Smith
 
Certified Information Systems Security Professional
Certified Information Systems Security ProfessionalCertified Information Systems Security Professional
Certified Information Systems Security ProfessionalHelen Njuguna
 
Ca world 2007 SOC integration
Ca world 2007 SOC integrationCa world 2007 SOC integration
Ca world 2007 SOC integrationMichael Nickle
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architectureangelohammond
 
ClockworkISMS
ClockworkISMSClockworkISMS
ClockworkISMSDelaney
 

Semelhante a Enterprise%20 security%20architecture%20 %20business%20driven%20security (20)

Dave Tyson Profile for CISO Insights
Dave Tyson Profile for CISO InsightsDave Tyson Profile for CISO Insights
Dave Tyson Profile for CISO Insights
 
Stu r35 b
Stu r35 bStu r35 b
Stu r35 b
 
Infocon Bangladesh 2016
Infocon Bangladesh 2016Infocon Bangladesh 2016
Infocon Bangladesh 2016
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsRothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizations
 
Open group spc rosenthal v3
Open group spc rosenthal v3Open group spc rosenthal v3
Open group spc rosenthal v3
 
Key metrics and process in cyber security case scenario
Key metrics and process in cyber security case scenarioKey metrics and process in cyber security case scenario
Key metrics and process in cyber security case scenario
 
Key metrics and process in cyber security case scenario
Key metrics and process in cyber security case scenarioKey metrics and process in cyber security case scenario
Key metrics and process in cyber security case scenario
 
Security architecture frameworks
Security architecture frameworksSecurity architecture frameworks
Security architecture frameworks
 
Information Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO StandardsInformation Security between Best Practices and ISO Standards
Information Security between Best Practices and ISO Standards
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
Information Systems Audit-Related Designations
Information Systems Audit-Related DesignationsInformation Systems Audit-Related Designations
Information Systems Audit-Related Designations
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
NUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital ageNUS-ISS Learning Day 2019-Architecting security in the digital age
NUS-ISS Learning Day 2019-Architecting security in the digital age
 
II Security At Microsoft
II Security At MicrosoftII Security At Microsoft
II Security At Microsoft
 
110.decision makers.cio.ciso
110.decision makers.cio.ciso110.decision makers.cio.ciso
110.decision makers.cio.ciso
 
Certified Information Systems Security Professional
Certified Information Systems Security ProfessionalCertified Information Systems Security Professional
Certified Information Systems Security Professional
 
Ca world 2007 SOC integration
Ca world 2007 SOC integrationCa world 2007 SOC integration
Ca world 2007 SOC integration
 
MS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference ArchitectureMS. Cybersecurity Reference Architecture
MS. Cybersecurity Reference Architecture
 
CV_Anil K Dubey V1.1
CV_Anil K Dubey V1.1CV_Anil K Dubey V1.1
CV_Anil K Dubey V1.1
 
ClockworkISMS
ClockworkISMSClockworkISMS
ClockworkISMS
 

Mais de wardell henley

RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfwardell henley
 
Landscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdfLandscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdfwardell henley
 
Facets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdfFacets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdfwardell henley
 
self_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdfself_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdfwardell henley
 
Itil a guide to cab meetings pdf
Itil a guide to cab meetings pdfItil a guide to cab meetings pdf
Itil a guide to cab meetings pdfwardell henley
 
9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmpwardell henley
 
15466 mba technology_white_paper
15466 mba technology_white_paper15466 mba technology_white_paper
15466 mba technology_white_paperwardell henley
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingwardell henley
 
213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmenwardell henley
 
Cissp chapter-05ppt178
Cissp chapter-05ppt178Cissp chapter-05ppt178
Cissp chapter-05ppt178wardell henley
 
3 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp013 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp01wardell henley
 
Splunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandardsSplunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandardswardell henley
 
Ms app 1.5.1-msinfra-bestpracticesguide
Ms app 1.5.1-msinfra-bestpracticesguideMs app 1.5.1-msinfra-bestpracticesguide
Ms app 1.5.1-msinfra-bestpracticesguidewardell henley
 
IBM enterprise Content Management
IBM enterprise Content ManagementIBM enterprise Content Management
IBM enterprise Content Managementwardell henley
 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaperwardell henley
 

Mais de wardell henley (20)

RP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdfRP_Patch_Management_S508C.pdf
RP_Patch_Management_S508C.pdf
 
mita_overview.pdf
mita_overview.pdfmita_overview.pdf
mita_overview.pdf
 
Landscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdfLandscape_Medicaid_Healthcare_Information_Technology.pdf
Landscape_Medicaid_Healthcare_Information_Technology.pdf
 
Facets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdfFacets Overview and Navigation User Guide.pdf
Facets Overview and Navigation User Guide.pdf
 
self_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdfself_inspect_handbook_nisp.pdf
self_inspect_handbook_nisp.pdf
 
Itil a guide to cab meetings pdf
Itil a guide to cab meetings pdfItil a guide to cab meetings pdf
Itil a guide to cab meetings pdf
 
Mn bfdsprivacy
Mn bfdsprivacyMn bfdsprivacy
Mn bfdsprivacy
 
9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp9 150928065812-lva1-app6892 gmp
9 150928065812-lva1-app6892 gmp
 
It security cert_508
It security cert_508It security cert_508
It security cert_508
 
15466 mba technology_white_paper
15466 mba technology_white_paper15466 mba technology_white_paper
15466 mba technology_white_paper
 
Best practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_trainingBest practices for_implementing_security_awareness_training
Best practices for_implementing_security_awareness_training
 
213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen213946 dmarc-architecture-identifier-alignmen
213946 dmarc-architecture-identifier-alignmen
 
Soa security2
Soa security2Soa security2
Soa security2
 
Cissp chapter-05ppt178
Cissp chapter-05ppt178Cissp chapter-05ppt178
Cissp chapter-05ppt178
 
3 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp013 securityarchitectureandmodels-120331064706-phpapp01
3 securityarchitectureandmodels-120331064706-phpapp01
 
Splunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandardsSplunk 7.2.3-security-hardeningstandards
Splunk 7.2.3-security-hardeningstandards
 
Ms app 1.5.1-msinfra-bestpracticesguide
Ms app 1.5.1-msinfra-bestpracticesguideMs app 1.5.1-msinfra-bestpracticesguide
Ms app 1.5.1-msinfra-bestpracticesguide
 
IBM enterprise Content Management
IBM enterprise Content ManagementIBM enterprise Content Management
IBM enterprise Content Management
 
oracle EBS
oracle EBSoracle EBS
oracle EBS
 
5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper5 principles-securing-devops-veracode-whitepaper
5 principles-securing-devops-veracode-whitepaper
 

Último

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 

Último (20)

🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

Enterprise%20 security%20architecture%20 %20business%20driven%20security

  • 2. Page 2 Agenda ► Facilities and safety information ► Introduction ► Overview of the problem ► Introducing security architecture ► The SABSA approach ► A worked example ► Security architecture components ► Facilitated discussion 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 3. The Problem: Information Security The business perspective Page 3 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 4. The problem: answering the difficult questions How do we ensure security supports the business? How do we demonstrate alignment with the business risks? Are we spending too much or on the right things? How do we keep business and security aligned? How do we minimise security gaps and remediation costs How do we embed security in the wider business? Page 4 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 5. Introducing security architecture? Traditional architecture vs. security architecture ► Designing a secure business information system could take a number of directions, but there is considerable potential for the security and business requirements to clash and neither party is satisfied with the end result. ► The answers to these questions provide the architect with the business requirements which can then be fed into the design process. ► What type of structure do I want? ► Why do I want this structure? ► How will it be used? ► Who will be the users of the structure? ► Where should the structure be located? ► When will it be used? Building a physical structure ► What type of information system is being considered and what will it do? ► Why is it needed? ► How will it be used? ► Who will use it? ► Where will it be used? ► When will it be used? Protecting business information Page 5 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 6. How do I solve this problem What is business security architecture? ► The challenge in developing the architecture is to balance between risk, cost and usability ► Security architecture controls are composed of people, process and technology controls An organisation needs security controls that are: ► Driven by business requirements rather than technical considerations ► Directly traceable to business objectives ► Designed from the outset to be cost-effective, avoiding remediation effort ► Meet legal, regulatory and policy compliance requirements by design ► Are appropriate to both the business risks and organisation’s risk appetite Risk Usability Cost Page 6 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 7. Why do this? Benefits of the security architecture approach Customised information security control framework ► Driven by the organisation’s business requirements ► Meeting compliance ► Alignment with the business’ risk appetite Reduces information security, IT and security audit costs ► Eliminates redundant controls ► Reduces ad hoc security implementation ► Provides detailed agreed security requirements Informs executive management about security risk ► Articulates impact of information security risk in business terms ► Provides structured control framework to evaluate compliance ► Creates foundation for quantitative assessment of security ROI Page 7 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 8. The SABSA approach Step by step Business attributes Threat analysis Impact analysis Control objectives Security services Business Driver ► Identify the business drivers/ objectives. ► Prioritise drivers. Business Attributes ► Translate drivers into business security attributes. ► Security attributes are provided by SABSA framework. Threat analysis ► Perform threat analysis. ► Identify actual threats to business attributes/ business drivers. Impact analysis ► Use qualitative or quantitative methods to define impact of the realisation of the threat on the identified business objectives. Control Objectives ► Define control objectives to mitigate the identified threats to acceptable levels. Security services ► Identify security services to provide the required controls objectives. Business driver Page 8 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 9. The SABSA approach An architect’s perspective – Here comes the science! Assets (What) Process (How) Location (Where) People (Who) Time (When) Motivation (Why) Contextual The Business Business Process Model Business Geography Business Organization and Relationships Business Time Dependencies Business Risk Model Conceptual Business Attributes Profile Security Strategies and Architectural Layering Security Domain Model Security Entity Model and Trust Framework Security-Related Lifetimes and Deadlines Control Objectives Logical Security Services Security Domain Definitions and Associations Entity Schema and Privilege Profiles Security Processing Cycle Business Information Model Security Policies Physical Platform and Network Infrastructure Users, Applications and the User Interface Control Structure Execution Business Data Model Security Mechanisms Security Rules, Practices and Procedures Component Processes, Nodes, Addresses and Protocols Identities, Functions, Actions and ACLs Security Step Timing and Sequencing Detailed Data Structures Security Products and Tools Security Standards Operational Assurance of Operational Continuity Security Service Management and Support Security of Sites, Networks and Platforms Application and User Management and Support Security Operations Schedule Operational Risk Management Design Build Business Architect Designer Builder Tradesman Facilities Manager 26 April 2012 ISACA Seminar– Enterprise Security ArchitecturePage 9
  • 10. Contextual & conceptual security Understanding the business and its risks ► Business strategy ► Business processes and functions ► Organisational structure – personnel, geographical, partnerships ► Budgets, technical constraints, time dependencies ► Use the business attributes database to describe the business in terms of strategy, related assets, business goals and objectives → business attribute profile ► Perform a threat analysis on the business assets, goals and objectives ► Define the business impact of the realisation of the threats ► Identify technical and procedural vulnerabilities Gather, assess and analyse business requirements Describe the business requirements Analyse the business risks Page 10 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 11. An overview of SABSA attributes database Page 11 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 12. A logical security architecture What does it look like? Business Attributes Profile Control objectives Security strategies Security services Business Attributes Profile ► Select business attributes (mapped to business drivers). ► Define enterprise- specific business attributes, a measurement approach, metrics and targets. Control objectives ► Derive control objectives from the Business Attributes Profile and the Business Risk Model developed at the Conceptual layer. Security strategies ► Define appropriate security strategies based on the business process model, the Business Attributes profile, the control objectives and the assessment of the current state of security Security services ► Layered model of security services, including: ► Prevention ► Containment ► Detection and notification ► Event collection and tracking ► Recovery ► Assurance Page 12 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 13. A worked example Business drivers ► Customer data is disclosed to internal users through inappropriate access controls ► Staff leak customer information to unauthorised third parties ► Customer information is disclosed in transit to third- party processor. ► Sensitive* customer data is disclosed to unauthorised parties Compliant Access-controlled Protected Protect customer information Business driver Business attributes Threats Prioritised Page 13 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 14. A worked example Control objectives Operations, process and procedures ► User access management ► Monitoring user access levels and user activity, particularly third parties ► Incident response for data breach Technology ► Identity management ► Authentication and authorisation ► Database and network encryption to protect personal data in storage and in transit ► Auditing and logging of access to sensitive* personal data People ► Training and awareness for all staff on data protection ► Focussed training for high-risk areas, e.g., call centres Governance ► Nominated Data Protection Officer ► Data protection policies, standards and procedures ► Third party risk management framework ► Data protection assurance Compliant Access- controlled Protected Control Objectives: Protect customer information Business attributes – Compliant, access-controlled and protected Page 14 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 15. A worked example Security services ► Identity management tools ► Authentication ► Access control ► Authorisation ► Auditing ► Storage encryption ► Link encryption ► Breach ► Security management ► Incident management ► Policies, standards, procedures, guidelines ► Training and awareness ► Proactive reviews ► Third party management frameworks Technical security services Technical security services Page 15 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 16. Security architecture deliverables What do you get? Contextual Architecture ► Business Drivers ► Prioritised drivers ► Impact Assessment Conceptual Architecture ► Business Attribute Profile ► Business Risk Model ► Security Domain Model Logical Security Architecture ► Security Domains and associations ► Logical security services framework Physical and Component Architecture ► Detailed infrastructure and component solution design ► Documented controls against control objectives Operational security control framework Page 16 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 17. Portrait of a successful security architect An architect’s skill-set is different from a tradesman Understands the business strategy and objectives ► There are more than just ‘security’ requirements Thinks in business terms at all times ► Why are we doing this? ► What are we trying to do? Has good communication skills ► Bridges the gaps between business and technology Maintains strength of character ► Defends the security architecture ► Meets the constant challenge Page 17 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 18. Optimising your investment in security architecture – measuring success ► Characteristics of a good business security architecture ► Strategic alignment: aligned to the current business strategy ► Agility: designing a security architecture to deal with the changing legal, regulatory and client requirements ► Extensibility: expanding the architecture on a phased based throughout an organisation ► Robustness: demonstrates a thorough development with appropriate input, review and approval and will withstand critical evaluation from detractors ► Pragmatism: reflects the operating environment of the organisation and imposes appropriate security controls for the people and culture. Page 18 Good security controls Driven by business requirements rather than technical considerations Directly traceable to business objectives Designed from the project outset to be cost-effective thereby avoiding remediation effort Meets regulatory, audit and compliance requirements by design Appropriate to both the business risks and organisation’s risk appetite 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 19. Security Architecture Summary Page 19 26 April 2012 ISACA Seminar– Enterprise Security Architecture
  • 20. EY Contacts Security architecture experience Hugh Callaghan Director Direct Tel: +353 (0)1 221 2411 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)87 983 8511 E-mail: hugh.callaghan@ie.ey.com Patricia O’Gara Senior Manager Direct Tel: +353 (0)1 221 2008 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)87 235 6023 E-mail: patricia.ogara@ie.ey.com Vasilijs Mihailovs Assistant Direct Tel: +353 (0)1 221 2653 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)86 176 6444 E-mail: vasilijs.mihailovs@ie.ey.com Eoin O’Reilly Senior Manager Direct Tel: +353 (0)1 221 2698 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)86 770 9820 E-mail: eoin.oreilly@ie.ey.com 26 April 2012 ISACA Seminar– Enterprise Security ArchitecturePage 20