The document discusses the need for an adaptive enterprise security architecture. It proposes using SABSA, a risk-driven methodology for developing security architectures that support critical business initiatives. An adaptive enterprise security architecture frames all security aspects, manages security comprehensively, and ensures the architecture remains relevant through governance, maturity models, risk communication and integrated controls.
Adaptive Enterprise Security Architecture
1. Adaptive Enterprise Security Architecture
John J. Czaplewski | Director of Professional Services | David Lynas Consulting, Ltd.
2. We build, deploy and operate …
Complex IT Systems
21 September 2016 David Lynas Consulting Ltd 2
4. Our technical security architectures focus on ...
Confidentiality, Integrity, Availability
and are becoming better and better at adapting to a dynamic threat environment
5. But our Enterprises are concerned with much more:
6. We need:
a Framework and Methodology for Developing Adaptive Enterprise Security Architectures
7. SABSA
An internationally recognized methodology for:
• Developing risk-driven enterprise information security and information assurance architectures
• Delivering security infrastructure solutions that support and adapt to critical business initiatives.
8. SABSA
• Begins with developing an understanding of key enterprise business requirements,
• Transforms them into key business drivers for security,
• Engineers the real business attributes that provide the core supporting framework for an adaptive, living enterprise security architecture,
• Creates a chain of traceability from “Strategy & Planning” through “Design”, “Implement” and ongoing “Manage and Measure” to ensure that the business mandate is preserved.
9. An Adaptive Enterprise Security Architecture
Requires a comprehensive set of frameworks, models and methods
10. An Adaptive Enterprise Security Architecture:
Frames and Structures all Aspects of Enterprise Security
11. An Adaptive Enterprise Security Architecture:
Manages all Aspects of Enterprise Security
12. An Adaptive Enterprise Security Architecture:
Requires an Enterprise Security Architecture Governance Model
Governance model (diagram): an Accountable Domain Authority owns the Strategy & Planning phase and informs Responsible Entities of their responsibility; the Responsible Entities carry out Design, Implement and Manage & Measure and report performance & compliance with target back to the Accountable Domain Authority, which in turn consults and reports performance to a Higher Domain Authority (Superdomain, Shareholders, Regulators).
• Strategy & Planning Phase (Accountable Domain Authority): develops strategy and plans; sets goals, objectives & expectations; sets performance targets; sets risk appetite; sets policy to meet objectives & targets.
• Design (Responsible Entities): design processes; design systems; design staffing model; design controls & enablers. Transition to the next phase by executing the design.
• Implement: establish processes; implement systems; appoint & train people; establish controls & enablers.
• Manage & Measure: manage processes & operations; manage people; manage systems; performance & risk monitoring against KPIs and KRIs, providing through-life assurance.
13. An Adaptive Enterprise Security Architecture:
Defines Enterprise Security Architecture Capability Maturity Models
Capability maturity model (diagram): each SABSA layer (Contextual, Conceptual, Logical, Physical, Component, Service Management) is assessed across the six architecture views (Assets, Motivation, Process, People, Location, Time) against five maturity levels:
Level 1: Unreliable
Level 2: Informal
Level 3: Defined
Level 4: Monitored
Level 5: Optimised
14. An Adaptive Enterprise Security Architecture:
Models Domain Roles and Responsibilities
Domain model (diagram): a Super Domain containing Domain A and its Subdomain, an Impacted Peer Domain C, an External Impacted Domain (customer) and an External Provider Domain (service provider). Relationships between domains:
• Consult (C) to define policy & target
• Inform (I) policy & target to R domains
• Inform (I*) performance to Super & Impacted domains
15. An Adaptive Enterprise Security Architecture:
Analyses Threats and Opportunities
Risk Context (diagram): Assets at Risk sit between Threats, which lead to Negative Outcomes (Loss Event), and Opportunities, which lead to Positive Outcomes (Beneficial Event).
• Overall likelihood of loss: likelihood of threat materialising; likelihood of weakness exploited
• Overall loss value: asset value; negative impact value
• Overall likelihood of benefit: likelihood of opportunity materialising; likelihood of strength exploited
• Overall benefit value: asset value; positive impact value
16. An Adaptive Enterprise Security Architecture:
Understands and Communicates Technical Risk in Business Terms
17. An Adaptive Enterprise Security Architecture:
Creates Enterprise Policy Frameworks
Policy framework by layer (diagram):
• Contextual: Enterprise-wide Business Risk Policy
• Conceptual: Policies for Enterprise-wide Risk & Opportunity Categories (Finance Risk, Operational Risk, Environment Risk, Health & Safety Risk, Information Risk, etc.)
• Logical: Policies for Logical Domains
• Physical: Procedures for Physical Domains
• Component: Standards for Nodes, Addresses, Components
18. An Adaptive Enterprise Security Architecture:
Aligns and Integrates Business Requirements
Point of primary integration for any standard requiring measurable targets (diagram): Business Legislation, Process Engineering Methods, Business Governance Frameworks, Business Sector Regulation, Total Quality Framework.
19. An Adaptive Enterprise Security Architecture:
Delivers Top-Down, End-to-End Process Security
Process security by layer (diagram), with Vertical Security Consistency across the layers and Horizontal Security Consistency end to end:
• Contextual: Meta-Processes
• Conceptual: Strategic View of Process
• Logical: Information Flows & Transformations
• Physical: Data Flows & System Interactions
• Component: Protocols & Step Sequences
20. An Adaptive Enterprise Security Architecture:
Derives Business-Linked Security Controls & Enablers
21. An Adaptive Enterprise Security Architecture:
Builds Defence/Strength-in-Depth Control & Enablement Strategies
22. An Adaptive Enterprise Security Architecture:
Integrates Controls Frameworks & Libraries
Technical Controls and Management Controls drawn from controls frameworks and libraries (diagram): PCI, SOx, HIPAA, NIST, CobiT, ISO 27002.
24. An Adaptive Enterprise Security Architecture:
Incorporates Business-Linked Risk Monitoring and Reporting Dashboards
Dashboard derivation (diagram): Business Requirements lead to Business Drivers for Security, which lead to Business Attributes, including Risk Management Attributes and Legal / Regulatory Attributes (Access-controlled, Accountable, Assurable, Enforceable, Compliant, Admissible).
25. An Adaptive Enterprise Security Architecture:
Ensures the Enterprise Security Architecture Lives
26. An Adaptive Enterprise Security Architecture:
• Security is about mitigating threats AND enabling opportunities
• Change the security conversation to focus on delivering value to the Enterprise
• Include security at the strategy and planning table
• Develop Enterprise Security Architecture that enables the Enterprise to meet its mission, goals and objectives