Putting the Business in Information Security Architecture

Posted on 18-Nov-2014


Description: How to put the business in information security architecture.

Transcript

Information Security Juggernaut

Putting the Business in Enterprise Information Security Architecture

By Ravila Helen White, CISSP, CISM, CISA, GCIH

Making it better without making it complex

Disclaimer

This presentation and the concepts herein are my opinions through private research, practice and chatting with other professionals. It is not the opinion of past, present or future employers.

Agenda

As Is – The current state of affairs…

Getting There – The return of Systems Thinking…

To Be – Becoming agile…

As Is – The current state of affairs…

Sherwood Applied Business Security Architecture (SABSA) 1995

Structure and Content of an Enterprise Information Security Architecture by Gartner 2006

Security Architecture and the ADM by TOGAF

SOA

Legacy

Where is the security architect?

Conflicting Roles

CISO/ISO

Security Engineer/Administrator

CISO/Analyst/Engineer

Security Architect

Definition Dichotomy

Framework

Guidelines

Taxonomy

Policy

Procedure

Standard

"Knowing is not understanding. There is a great difference between knowing and understanding: you can know a lot about something and not really understand it." [Charles Kettering]

Artifact Handling

What are they?

Where are they?

How are they used?

Architectural Artifact—A specific document, report, analysis, model, or other tangible that contributes to an architectural description. [Roger Sessions]

One EA’s Point of View

"EA provides a filter on siloed thinking; I know the solution you proposed makes sense to you, but we provide a wider perspective that can help you make sense for other people as well."

"Information Security professionals sometimes forget that the rest of the organization is there."

"Security professionals often fail to consider the incremental cost that accrues to a policy. Over time, a good policy can incur so much cost that it no longer makes sense from an EA perspective."

Nick Malik – Inside Architecture Blogger

Disparate States

Revolutionary: (1) of, pertaining to, characterized by, or of the nature of a revolution, or a sudden, complete, or marked change. (2) radically new or innovative; outside or beyond established procedure, principles, etc.

Evolutionary: a gradual process in which something changes into a different and usually more complex or better form.

Opportunities of Optimization

Systemic integration of information security architecture into the business.

Adoption of a meta framework to drive information security architecture to business alignment and visibility.

Development of a modular schema to support the use of the most widely used security architecture methodologies.

Getting There – The return to Systems Thinking…

Systems Thinking, not Analytics

What it is

Why you need it

How you get it

Systems thinking does not follow the traditional analytic focus of separating out the individual pieces of what is being studied. Instead, it focuses on how the thing being studied interacts with the other constituents of the system—a set of elements that interact to produce behavior—of which it is a part.

Security is a practice within the business, not the business

Information Security Focus:

CISSP

CISA

CISM

CIPP*

GIAC (SANS)

Enterprise Perspective:

Business Process Modeling

Enterprise Architecture

Information Design

Software Engineering

How to apply as middleware

Business Process Modeling – translates what you have to offer into terms and techniques used by the business.

Enterprise Architecture – aligns IT initiatives to business needs.

Information Design – takes the complex and makes it consumable.

Software Engineering – reverse engineering and agile development.

Benefits of Systems Thinking

Business Process Modeling – communicates intent and value to the organization

Enterprise Architecture – sets the context of information security within the business

Information Design – helps non-infosec partners quickly orient themselves in a complex environment

Software Engineering – provides synthesis of complex information into a whole

The Controls of Systems Thinking

Standards

Regulations

Guidelines

Logic Models

Setting Context

Controls are used in business to prevent taking on too much risk and to reduce the risk posed by an existing or potential weakness. When too much risk is taken against a system, it is weakened systemically, which typically results in system-wide failure.

To Be – Becoming Agile…

Synthesizing business modeling

A business model describes the rationale of how an organization creates, delivers and captures value.

A logic model is a systematic and visual way to present and share your understanding of the relationships among the resources you have to operate your program, the activities you plan, and the changes or results you hope to achieve.

Adapted from Alex Osterwalder’s Business Model Canvas

Defining Artifacts

Authoritative

◦ sets the direction

◦ the business validates its decisions

◦ the business executes against

◦ the business captures resource requirements

◦ the business verifies the activities necessary to support a solution

Historical

◦ Project plans

◦ Proposals, RFPs,

Artifact Handling

Result in deliverables to the business

Contain sensitive information

Setting Context

Communicates to the business and peers what services are provided

Sets the scope of activities

Contextualized Infosec Architecture

Component Architecture

Plan of Action

1. Apply a business model

2. Choose your metadata sources

3. Adopt a common terminology taxonomy

4. Define artifacts and storage location

5. Research current and future

6. Develop component architecture

AGILE Infosec Architecture

Credits & References

General Professional Influencers

Business Model Generation

www.dictionary.com

Google: www.Google.com

Information Design Handbook

Logic Model Development Guide: http://www.wkkf.org/Pubs/Tools/Evaluation/Pub3669.pdf

Oxford Dictionary

Thinking Page: www.thinking.net

TOGAF: www.opengroup.org

SABSA: www.sabsa-institute.org/

Wikipedia: www.wikipedia.com

Deborah Arline

Copyright Information

Some works in this presentation

have been licensed under the Creative Common license (CC). Please respect the license when using the concepts or adapting them.

For more information please go here:

www.creativecommons.org

Thank you…

Questions and Comments

Contact me via slideshare.net