Enterprise Security Architecture in the TOGAF Context
Enterprise Architecture, including its security aspects, is about aligning business systems and the information systems that support them so that business goals are realized effectively and efficiently.
One misconception is to treat information security as a separate discipline, isolated from business processes and Enterprise Architecture. In the business context it is part of the enterprise, and the information it produces influences the Enterprise Architecture.
Security Architecture is a structure of organizational, conceptual, logical and physical components that interact in a coherent fashion in order to achieve and maintain a state of managed risk and security. Security Architecture acts as both a driver and an enabler of secure, safe, resilient and reliable behavior, and as the means of addressing risk areas throughout the enterprise.
Two security-related processes are central here:
1. ISM – Information Security Management
2. ERM – Enterprise Risk Management
In TOGAF, the approach is business-driven and supports the integration of both processes into the architecture work. This process orientation improves understanding of the security concepts and activities at the different phases of the TOGAF Architecture Development Method (ADM).
Ref: TOGAF – Essential Security and Risk Concepts and their position in the TOGAF ADM
Risk Management in the TOGAF Standard
Risk Management in the TOGAF Standard primarily focuses on one type of risk: Architecture Project Risk. In contrast, ERM focuses on all aspects of operational risk, the risks that a business faces in day-to-day operations and that arise from the operational capabilities produced as the result of Enterprise Architecture work. The intent is that by paying more attention to operational risk downstream of the delivery of Enterprise Architecture work products, the utility, quality and effectiveness of those work products will be improved.
With the TOGAF Standard, integrating security is not a matter of selecting controls from a checklist. Instead, a holistic approach is recommended, with tight cooperation between the ADM and the processes for ISM and ERM. Designing operational security is part of the architecture:
- Security controls are bundled into security services
- A security service can be seen as an Architecture Building Block (ABB), which in the TOGAF Standard is the direct guide for Solution Building Blocks (SBBs)
- This can apply to all four of the TOGAF domain architectures: Business, Data, Application, and Technology.
Examples of Security Services:
1. Identity and Access Management
2. Continuity Management
3. Security Intelligence
4. Digital Forensics
5. Network Monitoring
6. Compliance Management
7. Training and Awareness Programs
IT Security and Risk Standards:
Some standards to consider for IT Security and Risk Management.
· ISO 27001 – Information Security Management
· ISO 31000 – Risk Management
· NIST Cybersecurity Framework
· COBIT 5 Framework
· The Open Group – Open FAIR (risk analysis)
· SABSA Framework and Methodology
Enterprise Security Architecture
Enterprise Security Architecture (ESA) seeks business alignment of the security measures with the business objectives:
1. By defining relationships between the components on the different architecture layers, thus providing traceability and justification
2. By using ISM and ERM processes to develop the deliverables and to interact with stakeholders.
Enterprise Risk Management (ERM): Risk is the central concept of ERM, and managing it means anticipating future events rather than reacting to them. Risk can be seen at any level in the business stack.
Identifying and assessing factors like opportunities, threats, likelihood and possible outcomes is called “risk assessment” or “risk analysis”.
Scope of ERM
- Includes business, system, information, project, privacy, compliance and organizational change risk, and so on
- Focuses on all aspects of operational risk
Enterprise Risk Management strikes a balance between positive and negative outcomes resulting from the realization of either opportunities or threats in order to maximize business value and minimize business loss.
The risk management process aids decision-making by taking account of uncertainty and the possibility of future events or circumstances and their effects on agreed objectives.
Ref: ISO 31000:2009 – Model for Risk Management
The core concepts of ERM:
- Key Risk Areas
- Business Impact Analysis
- Risk Assessment
- Business Risk Model/Risk Register
- Risk Appetite
- Risk Mitigation Plan
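The six ERM concepts above are usually tied together in a risk register: each entry sits in a key risk area, carries a likelihood and an impact (the impact coming from the Business Impact Analysis), is scored by the risk assessment, compared against the risk appetite, and, where it exceeds the appetite, gets a treatment in the mitigation plan. The script below is an added illustration of that flow and is not taken from the TOGAF Standard or ISO 31000. The 1..5 likelihood and impact scales, the product scoring, the appetite threshold of 8, and the sample register entries are all constructed for the example; a real register would use the organization's own scales and appetite statement.

```python
"""Evaluate a risk register against a risk appetite and derive a mitigation plan.

Added example: scales, threshold and register entries are constructed,
not taken from any standard.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    risk_id: str
    key_risk_area: str        # the Key Risk Area the entry belongs to
    description: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe), from the BIA
    treatment: str = ""       # planned control from the mitigation plan, if any
    residual_likelihood: int = 0   # expected value after treatment (0 = unchanged)
    residual_impact: int = 0       # expected value after treatment (0 = unchanged)

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: scores must be in 1..5")
        for value in (self.residual_likelihood, self.residual_impact):
            if not 0 <= value <= 5:
                raise ValueError(f"{self.risk_id}: residual scores must be in 0..5")


# Hypothetical appetite: a risk scoring 8 or less may be accepted as-is.
RISK_APPETITE = 8


def inherent_score(risk: Risk) -> int:
    """Risk assessment: likelihood x impact before any treatment."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> int:
    """Score after the planned treatment; unchanged factors fall back to inherent."""
    likelihood = risk.residual_likelihood or risk.likelihood
    impact = risk.residual_impact or risk.impact
    return likelihood * impact


def build_mitigation_plan(register: List[Risk],
                          appetite: int = RISK_APPETITE) -> Tuple[List[str], List[str], List[str]]:
    """Split the register into (accepted, treated, still_open) risk ids.

    accepted:   inherent score within appetite, no treatment needed
    treated:    above appetite, but the planned treatment brings the residual within appetite
    still_open: above appetite with no treatment, or a treatment that is not enough
    Each list is ordered by inherent score, highest first.
    """
    accepted, treated, still_open = [], [], []
    for risk in sorted(register, key=inherent_score, reverse=True):
        if inherent_score(risk) <= appetite:
            accepted.append(risk.risk_id)
        elif risk.treatment and residual_score(risk) <= appetite:
            treated.append(risk.risk_id)
        else:
            still_open.append(risk.risk_id)
    return accepted, treated, still_open


# Constructed sample register; the entries are illustrative only.
SAMPLE_REGISTER = [
    Risk("R1", "Identity and Access Management", "Shared admin accounts without MFA",
         likelihood=4, impact=5,
         treatment="Individual admin accounts with MFA", residual_likelihood=1),
    Risk("R2", "Continuity Management", "Backups never restore-tested",
         likelihood=3, impact=4,
         treatment="Quarterly restore tests", residual_impact=2),
    Risk("R3", "Network Monitoring", "No egress logging from server segment",
         likelihood=3, impact=3),
    Risk("R4", "Training and Awareness", "Phishing awareness content is a year old",
         likelihood=2, impact=2),
    Risk("R5", "Compliance Management", "Privacy impact assessment overdue",
         likelihood=5, impact=2,
         treatment="Schedule assessment next quarter", residual_likelihood=5),
]


if __name__ == "__main__":
    accepted, treated, still_open = build_mitigation_plan(SAMPLE_REGISTER)
    print("accepted (within appetite):", accepted)
    print("treated (residual within appetite):", treated)
    print("still open (needs a decision or a stronger treatment):", still_open)
```

R5 is the instructive case: a treatment is recorded, but it changes neither likelihood nor impact, so the residual score stays above the appetite and the entry remains open. That check, residual rather than inherent score against the appetite, is what keeps a mitigation plan honest.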
Information Security Management (ISM) is a process that defines the security objectives, assigns ownership, and includes risk assessment and incident handling. It is based on the CIA triad (confidentiality, integrity, availability).
Generally accepted areas of concern in ISM are
- Asset Protection
- Risk Assessment
- Access Control
According to ISO 27001:2013, the information security management system (ISMS):
1. Preserves the security aspects of information by applying a risk management process
2. Gives confidence to interested parties that risks are adequately managed
3. Is part of and is integrated with the organization’s processes and overall management structure.