Enterprise Information Se

The Architectural Model

The security architecture clickable diagram depicts the elements of organizational security architecture and how they interact with each other. The presentation here is slanted toward a corporate view in terms of the usage, but essentially all elements are always present.

[Clickable security architecture diagram. Element labels, grouped as the sections below describe them: Business Model (People, Things, Sales, Workflow, Transforms, Supply, Collections, Services, Shrinkage); Oversight (Laws, Owners, Board, Auditors, CEO; Duty To Protect); Risk Management (What To Protect: Business, People, Systems, Data, Life Cycles; Match Surety to Risk: Threats, Vulnerabilities, Consequences; Accept, Transfer, Avoid, Mitigate; Interdependencies, Defenses); Security Management (How To Protect: Security Policy, Security Standards, Security Processes, Security Documentation, Security Audit, Security Testing, Security Technology, Personnel Security, Incident Handling, Legal Issues, Physical Security, Security Knowledge, Security Awareness, Organizational Issues, Organizational Perspectives, Organizational Governance, Executive Security Management); Control Architecture (Change Control, Authorization, Perimeters, Functional Units, Access Controls; Control Objectives: Integrity, Availability, Confidentiality, Accountability, Use Control); Technical Security Architecture (Protection Mechanisms: Perception, Structure, Content, Behavior; Content and its Business Utility; Defense Process: Deter, Prevent, Detect, React, Adapt; Data State: At Rest, In Use, In Motion; Protection Processes and Context: Time, Location, Purpose, Behavior, Identity, Method).]



At the top is the notion of how the "business" works. At a detailed level this may be codified in process diagrams and associated details such as timeliness requirements, the consequences of failures of different sorts, internal and external interdependencies, and so forth. At a higher level it is divided into common functions, such as sales, marketing, and brand, or into resources that are transformed to produce value. These comprise the basic functions of the organization and the foundation for analyzing the value and importance of each function or utility.

Oversight comes from laws, owners, the board of directors or similar entity, auditors, and the chief executive officer. It produces a set of duties to protect that include legal and regulatory duties, contractual duties, and self-imposed duties. It is also tasked with responsibility for making certain that the duties imposed are carried out.

The business risk management function seeks to transform the duties to protect into a set of identified things to protect, together with surety levels for that protection matched to the risks associated with failures. As a side effect of this process, an understanding of risk is produced: threats, vulnerabilities, and consequences; event sequences that could induce potentially serious negative consequences; decisions about risk acceptance, avoidance, transfer, and mitigation; and notions of acceptable residual risk. This understanding is provided to enterprise security management for their use and to oversight for their approval.

Enterprise security management transforms the duty to protect, what to protect, and the other outcomes of the oversight and risk management processes into the actions the organization takes to implement protection, using power and influence. The Chief Information Security Officer (CISO), or whichever party is responsible for these issues, typically has little budget, but their position and standing provide the influence needed to get the job done if they know how to apply it effectively. Specifically, their positional power grants them access to the information required to get feedback from the organizational processes they influence, and enough influence to adapt those processes to the needs of the organization. If these conditions are not met, the program will fail and the enterprise will suffer the consequences.

The enterprise operates protection through the creation, operation, and adaptation of a control architecture. The control architecture includes the structural mechanisms that achieve security objectives: access control, functional units, change control, and lower-surety non-architectural units.

The technical security architecture implements technical controls by defining two things: protection processes, in the form of defensive processes associated with data states and contexts over the life cycles of systems and data; and protective mechanisms, in the form of perception, structure, content, and behavior, that directly contact the content and assure its business utility.

In summary, content and business utility are protected by mechanisms, processes, and architectures that are structured and managed through the CISO's influence on organizational elements. The CISO acts to meet the duties to protect by determining how to protect the things that need protection and by controlling the organization so as to effect those protections. The risk management process and the feedback mechanisms guide the CISO and act as the means by which oversight is accomplished, with the ultimate objective of assuring that business processes are not interfered with in ways that cause serious negative consequences.

For more details and in-depth coverage of these issues, buy the Governance Guidebook.


This was first published in January 2006
