Adaptive Enterprise Security Architecture
Download as PPTX, PDF9 likes3,165 views
The document discusses the need for an adaptive enterprise security architecture. It proposes using SABSA, a risk-driven methodology for developing security architectures that support critical business initiatives. An adaptive enterprise security architecture frames all security aspects, manages security comprehensively, and ensures the architecture remains relevant through governance, maturity models, risk communication and integrated controls.
Adaptive Enterprise Security Architecture
- 1. Adaptive Enterprise Security Architecture John J. Czaplewski | Director of Professional Services | David Lynas Consulting, Ltd.
- 2. We build, deploy and operate … Complex IT Systems 21 September 2016 David Lynas Consulting Ltd 2
- 3. Supported by … Often Not-So-Engineered Security 21 September 2016 David Lynas Consulting Ltd 3
- 4. Our technical security architectures focus on ... Confidentiality, Integrity, Availability and are becoming better and better at adapting to dynamic threat environment 21 September 2016 David Lynas Consulting Ltd 4
- 5. But our Enterprises are concerned with much more: 21 September 2016 David Lynas Consulting Ltd 5
- 6. We need: 21 September 2016 David Lynas Consulting Ltd 6 a Framework and Methodology for Developing Adaptive Enterprise Security Architectures
- 7. SABSA 21 September 2016 David Lynas Consulting Ltd 7 An internationally recognized methodology for: • Developing risk-driven enterprise information security and information assurance architectures • Delivering security infrastructure solutions that support and adapt to critical business initiatives.
- 8. SABSA 21 September 2016 David Lynas Consulting Ltd 8 • Begins with developing an understanding of key enterprise business requirements, • Transforms them into key business drivers for security • Engineers the real business attributes that provide the core supporting framework for an adaptive, living enterprise security architecture • Creates a chain of traceability from “Strategy & Planning” through “Design’, “Implement” and ongoing “Manage and Measure” to ensure that the business mandate is preserved.
- 9. An Adaptive Enterprise Security Architecture 21 September 2016 David Lynas Consulting Ltd 9 Requires a comprehensive set of frameworks, models and methods
- 10. An Adaptive Enterprise Security Architecture: Frames and Structures all Aspects of Enterprise Security 21 September 2016 David Lynas Consulting Ltd 10
- 11. An Adaptive Enterprise Security Architecture: Manages all Aspects of Enterprise Security 21 September 2016 David Lynas Consulting Ltd 11
- 12. An Adaptive Enterprise Security Architecture: Accountable Domain Authority Develops Strategy and Plans Sets Goals, Objectives & Expectations Sets Performance Targets Sets Risk Appetite Sets Policy to Meet Objectives & Targets Strategy & Planning Phase Responsible Entities Design Processes Design Systems Design Staffing Model Design Controls & Enablers Design Establish Processes Implement Systems Appoint & Train People Establish Controls & Enablers Implement Manage processes & operations Manage people Manage systems Performance & Risk Monitoring against KPIs and KRIs Manage & Measure Inform of Responsibility Report Performance & Compliance With Target Execute DesignTransition Through-lifeAssurance Higher Domain Authority (Superdomain Shareholders Regulators) Consult & Report Performance Requires an Enterprise Security Architecture Governance Model 21 September 2016 David Lynas Consulting Ltd 12
- 13. An Adaptive Enterprise Security Architecture: Defines Enterprise Security Architecture Capability Maturity Models 21 September 2016 David Lynas Consulting Ltd 13 Unreliable1 Informal2 Defined3 Monitored4 Optimised5 Assets Motivation Process People Location Time Contextual Assets Motivation Process People Location Time Conceptual Assets Motivation Process People Location Time Logical Assets Motivation Process People Location Time Physical Assets Motivation Process People Location Time Component Assets Motivation Process People Location Time Service Management Assets Motivation Process People Location Time Assets Motivation Process People Time Assets Motivation People Time Assets Motivation People Time Assets Time Assets Motivation Process People Location Time Assets Motivation Process Location ProcessProcess Assets Motivation Process People Location Time Assets Motivation Process People Location AssetsAssets Assets Motivation Process People Location Time Assets Motivation Process People Location Time Assets Motivation Process People Location Time Assets Motivation Process Time Assets Motivation Assets Motivation Process People Location Time Assets Motivation Process People Location Assets People Location Assets Motivation Process People Location Time Assets Motivation Process People Location Time Assets Motivation Process People Time Motivation People Time People Time
- 14. An Adaptive Enterprise Security Architecture: Super Domain Domain A External Impacted Domain (customer) Impacted Peer Domain C Consult (C) to define policy & target C C Subdomain External Provider Domain (service provider) Inform (I) policy & target to R domains R I I R Inform (I*) performance to Super & Impacted domains I* I* I Models Domain Roles and Responsibilities 21 September 2016 David Lynas Consulting Ltd 14
- 15. Risk Context Assets at Risk Overall likelihood of loss Likelihood of threat materialising Likelihood of weakness exploited Negative Outcomes Threats Loss Event Positive Outcomes Opportunities Beneficial Event Overall loss value Asset value Negative impact value Overall benefit value Asset value Positive impact value Overall likelihood of benefit Likelihood of opportunity materialising Likelihood of strength exploited Analyses Threats and Opportunities An Adaptive Enterprise Security Architecture: 21 September 2016 David Lynas Consulting Ltd 15
- 16. Understands and Communicates Technical Risk in Business Terms An Adaptive Enterprise Security Architecture: 21 September 2016 David Lynas Consulting Ltd 16
- 17. An Adaptive Enterprise Security Architecture: Creates Enterprise Policy Frameworks Contextual Enterprise-wide Business Risk Policy Conceptual Policies for Enterprise-wide Risk & Opportunity Categories Finance Risk Operational Risk Environment Risk Health & Safety Risk Information Risk Etc. Logical Policies for Logical Domains Policies for Logical Domains Policies for Logical Domains Physical Procedures for Physical Domains Procedures for Physical Domains Procedures for Physical Domains Component Standards for Nodes, Addressed, Components Standards for Nodes, Addressed, Components Standards for Nodes, Addressed, Components 21 September 2016 David Lynas Consulting Ltd 17
- 18. David Lynas Consulting Ltd 18 An Adaptive Enterprise Security Architecture: Business Legislation Process Engineering Methods Business Governance Frameworks Business Sector Regulation Point of Primary Integration for any Standard Requiring measurable Targets Total Quality Framework Aligns and Integrates Business Requirements 21 September 2016
- 19. An Adaptive Enterprise Security Architecture: Contextual: Meta-ProcessesVerticalSecurityConsistency Horizontal Security Consistency Conceptual: Strategic View of Process Logical: Information Flows & Transformations Physical: Data Flows & System Interactions Component: Protocols & Step Sequences Delivers Top-Down, End-to-End Process Security 21 September 2016 David Lynas Consulting Ltd 19
- 20. An Adaptive Enterprise Security Architecture: Derives Business-Linked Security Controls & Enablers 21 September 2016 David Lynas Consulting Ltd 20
- 21. An Adaptive Enterprise Security Architecture: Builds Defence/Strength-in-Depth Control & Enablement Strategies 21 September 2016 David Lynas Consulting Ltd 21
- 22. David Lynas Consulting Ltd 22 An Adaptive Enterprise Security Architecture: Technical Controls Management Controls PCI SOx HIPAA NIST CobiT ISO 27002 Integrates Controls Frameworks & Libraries 21 September 2016
- 23. David Lynas Consulting Ltd 23 An Adaptive Enterprise Security Architecture: Develops Re-usable Operational Risk Management Architectures Attributes with performance targets & risk appetite thresholds Risk Assessment Ratings Threat Opportunity Vulnerability Strength - Impact + Impact Integrated Controls & Enablers Library – MTCS Modelled Service 1 Mechanism 1 Component 1 Activity 1 Service 2 Mechanism 2 Component 2 Activity 2 Service 3 Mechanism 3 Component 3 Activity 3 21 September 2016
- 24. David Lynas Consulting Ltd 24 An Adaptive Enterprise Security Architecture: Incorporates Business-Linked Risk Monitoring and Reporting Dashboards 21 September 2016 Risk Management Attributes Legal / Regulatory Attributes Access-controlled Accountable Assurable Enforceable Compliant Admissible Business Attributes Business Requirements Business Drivers for Security
- 25. David Lynas Consulting Ltd 25 An Adaptive Enterprise Security Architecture: Ensures the Enterprise Security Architecture Lives 21 September 2016
- 26. David Lynas Consulting Ltd 26 An Adaptive Enterprise Security Architecture: • Security is about mitigating threats AND enabling opportunities • Change the security conversation to focus on delivering value to the Enterprise • Include security at the strategy and planning table • Develop Enterprise Security Architecture that enables the Enterprise to meet its mission, goals and objectives 21 September 2016