MCS 1103- Enterprise Security Architecture Design & Management (Touhid and Sami sir)

What is Enterprise Security Architecture?

Enterprise Security Architecture is the process of translating business security vision and strategy
into effective enterprise change by creating, communicating and improving the key security
requirements, principles and models that describe the enterprise’s future security state and enable
its evolution.
Why is it important?
Enterprise Security Architecture is not about developing for a prediction. it is about ensuring that
we develop in a way that allows us to maintain and sustain our agility to change. We don’t know
where we are going or how we are going to get there but we need to be ready.

Framework
The Zachman Framework is an enterprise architecture framework which provides a formal and
highly structured way of viewing and defining an enterprise. It consists of a two dimensional
classification matrix based on the intersection of six communication questions (What, Where,
When, Why, Who and How) with five levels of reification, successively transforming the most
abstract ideas (on the Scope level) into more concrete ideas (at the Operations level).
The Open Group Architecture Framework (TOGAF) is a framework for enterprise
architecture which provides a comprehensive approach for designing, planning, implementing,
and governing an enterprise information architecture. TOGAF is a high level and holistic
approach to design, which is typically modeled at four levels: Business, Application, Data, and
Technology. It tries to give a well-tested overall starting model to information architects, which
can then be built upon. It relies heavily on modularization, standardization, and already existing,
proven technologies and products.
SABSA (Sherwood Applied Business Security Architecture) is a framework and methodology
for Enterprise Security Architecture and Service Management. It was developed independently
from the Zachman Framework, but has a similar structure. SABSA is a model and a
methodology for developing risk-driven enterprise information security architectures and for
delivering security infrastructure solutions that support critical business initiatives.
The Zachman and TOGAF are true Enterprise Architecture frameworks however SABSA is the
main framework for Enterprise Security Architecture. More importantly The SABSA framework
is most effective when integrated or linked with one of these more robust Enterprise Architecture
frameworks. Today we will be talking about the integration to the Zachman and TOGAF
frameworks.

While Zachman and TOGAF are comprehensive frameworks for enterprise architecture as a
whole, SABSA specializes in enterprise security architecture. Integrating SABSA with Zachman
1|Page
or TOGAF can provide a more holistic approach to enterprise architecture that incorporates both
general enterprise concerns and specific security considerations.
By integrating SABSA with Zachman, organizations can ensure that security requirements and
considerations are effectively integrated into the broader enterprise architecture framework. This
integration helps align security initiatives with business objectives and provides a structured
approach to addressing security concerns at every level of the enterprise.
Similarly, integrating SABSA with TOGAF enables organizations to develop security
architectures that are closely aligned with their overall enterprise architecture. This integration
ensures that security measures are integrated into the planning, design, and implementation of
enterprise solutions, helping to mitigate risks and protect critical assets.
Overall, integrating SABSA with Zachman or TOGAF allows organizations to develop robust
and comprehensive enterprise architectures that address both general enterprise concerns and
specific security requirements, resulting in a more secure and resilient business environment.

Matrix

Business Wisdom
Context
Business Decision Making

The “Big Picture”

Concept
Business Attributes, Risk Objectives

Information, Services
Logical
Processes, Applications

Data, Mechanisms
Physical
Infrastructure, Platforms

Products, Tools
Component Specific Standards, Technologies

2|Page
Describe the Life Cycle of Enterprise Security Architecture.

 Architecture Vision
 Business Architecture
 Information Systems Architecture
 Technology Architecture
 Opportunity and Solutions
 Migration Planning
 Implementation governance
 Architecture Change Management
The life cycle of Enterprise Security Architecture typically follows a structured process to ensure that
security considerations are integrated into every stage of the architecture development and
implementation. Here's an overview of the key phases:
Architecture Vision: This phase involves defining the high-level goals, objectives, and scope of the
enterprise security architecture. It establishes the strategic direction for security initiatives and aligns
them with business objectives.
Business Architecture: In this phase, the focus is on understanding the organization's business
processes, goals, and requirements related to security. It involves analyzing business drivers,
identifying security requirements, and defining security-related business processes and capabilities.
Information Systems Architecture: This phase entails designing the information systems and data
architecture to support the security requirements identified in the previous phase. It involves defining

3|Page
data classification, access controls, encryption, and other security measures to protect sensitive
information.
Technology Architecture: Here, the focus is on selecting and designing the technology solutions and
infrastructure required to implement the security architecture. It involves evaluating and selecting
security products, platforms, and technologies that align with the security requirements and business
goals.
Opportunity and Solutions: This phase involves identifying opportunities for enhancing security and
developing solutions to address security gaps and vulnerabilities. It may include implementing security
controls, processes, and technologies to mitigate risks and improve security posture.
Migration Planning: In this phase, the focus is on planning the implementation and migration of
security solutions into the existing environment. It involves developing a roadmap for deploying
security controls, integrating security solutions with existing systems, and managing the transition
process.
Implementation Governance: This phase involves overseeing the implementation of security solutions
to ensure that they are deployed according to the architecture vision and meet the security requirements.
It involves establishing governance processes, controls, and metrics to monitor and manage the
implementation progress.
Architecture Change Management: Here, the focus is on managing changes to the security architecture
over time. It involves assessing the impact of changes, evaluating alternative solutions, and
implementing updates to the architecture to address evolving security threats and business needs.
Throughout the life cycle, there is continuous communication, collaboration, and feedback loops
between stakeholders, architects, and security professionals to ensure that security considerations are
integrated effectively into the enterprise architecture and aligned with business objectives.

Requirements management plays a central role in architecture work. This is recognized in both
TOGAF and SABSA. The TOGAF method validates and updates business requirements in every
stage of an architecture development project. However, TOGAF does not provide a concrete
technique for describing or documenting requirements. In contrast, SABSA presents its unique
Business Attribute Profiling technique as a means to effectively describe requirements. This
section describes the use of Business Attribute Profiling with respect to security requirements
management, along with the added value this technique offers for requirements management in
general. Together, the TOGAF concept of validating architecture and validating and updating
requirements based upon information uncovered during the development of the architecture and
SABSA’s Business Attribute Profiling improve requirements management, traceability, and
architecture development. Architecturein general should provide continuous alignment of
capabilities with business goals and support achieving these goals in an effective and efficient
manner, even when the environment or business goals change. This alignment is in many cases
the major rationale for using methodologies such as TOGAF and SABSA and therefore both
frameworks define a requirements management process to ensure this continuous alignment.

4|Page
Preliminary
To build the security context, the following security artifacts need to be determined during this
phase. These artifacts can be integrated into existing architecture documentation, but it is
important that they be properly identified and that they convey the necessary information to
make quality decisions:
Business Drivers for Security – the subset of TOGAF business drivers impacting security,
presented as an integral part of the overall architecture business drivers artifact or deliverable.
Security Principles – the subset of Business Principles addressing security architecture. This is
presented as an integral part of the overall Architecture Principles artifact or deliverable. Security
principles like other architecture principles will provide valuable guidance to making business
decisions to comply with the enterprise’s risk appetite.
Key Risk Areas – the list of the key risk areas within the architecture scope. The key risk areas
should be related to the business opportunities which the security architecture enables using the
risk appetite artifact which informs the balance of risk versus opportunity. The key risk area
should be included in the overall architecture risk management deliverable produced during the
Preliminary Phase.
Risk Appetite – describes the enterprise’s attitude towards risk and provides decision- making
guidance to the organization to balance the amount of risk taken to achieve an expected outcome.
The risk appetite could be expressed as, for example, a boundary on a risk/business impact and
likelihood grid, profit, and loss measures or qualitative measures (zero tolerance for loss of life
or regulatory compliance breaches). Risk appetite can also be represented by suitably worded
security principles or produced as a stand-alone deliverable if a key stakeholder exists who needs
to specifically approve it. It defines the level of risk (damage) that the organization is willing to
accept and what their strategy is in defining this level. For risks above this acceptable level, it
defines the strategy used for mitigation (transference, avoidance).
Security Resource Plan – based on the content of the artifacts and the characteristics of the
planned architecture project, it must be decided during the Preliminary Phase which security
resources are required to deliver the security elements. Finding answers to the following
questions through sufficient stakeholder analysis in the Preliminary Phase can help determine the
security-related effort required.

Why is Information Governance important?

 Architecture will define the way.
 Governance will keep you on the path.
What does Information Governance mean?
(Through Simple, Organized, Consistent, Reliable, Educated and Measured.)

5|Page
Information Governance, when viewed through the lens of simplicity, organization, consistency,
reliability, education, and measurement, can be described as follows:

Simple: Policies and procedures are straightforward and easy to understand, making it clear how
information should be managed and accessed.

 Policy
 Standards
 Procedures

 Guidelines

Organized: Information is structured and categorized in a logical manner, making it easy to find
and use when needed.

 Standards
 Procedures

 Guidelines

Consistent: Standards and guidelines are established and followed consistently across the
organization, ensuring uniformity in how information is managed and maintained.

 Data Type
 Data Storage
 Communication

Reliable: Information is accurate, up-to-date, and trustworthy, allowing stakeholders to rely on it

for decision-making and operations.

 Consistent Performance Metrics

 Reduction in Risks
 Proactive Users

Educated: Employees are educated and trained on information governance policies and practices
to ensure they understand their roles and responsibilities in managing information securely and
compliantly.

 Clear and Concise Definitions

 Effective Communicating
 End User Awareness

Measured: Performance metrics and indicators are used to assess the effectiveness of information
governance practices and identify areas for improvement.

6|Page
In summary, Information Governance ensures that an organization's information is managed
effectively, securely, and in alignment with business goals, while also promoting simplicity,
organization, consistency, reliability, education, and measurement.

What is Enterprise Security Architecture?

The translation of the businesses vision and strategy into effective enterprise change by
creating, communicating and improving the key requirements, principles and models that
describe the enterprise’s future information security state and enable its evolution.
Enterprise Security Architecture refers to the structured approach and framework for designing,
implementing, and managing security solutions within an organization. It involves defining the
principles, standards, processes, and technologies required to protect the organization's
information assets, infrastructure, and systems from security threats and vulnerabilities.
Enterprise Security Architecture aims to align security measures with business objectives,
regulatory requirements, and industry best practices, ensuring that security investments are
effectively prioritized and integrated into the overall enterprise architecture.

What is Information Governance?

The discipline and framework to ensure simplicity, organization, consistency, reliability,
education, and measurements are well-articulated and achievable.
Information Governance, on the other hand, refers to the framework and set of practices for
managing, controlling, and utilizing an organization's information assets effectively and
responsibly. Information Governance involves establishing policies, procedures, and controls to
ensure that information is managed in a consistent, reliable, secure, and compliant manner
throughout its lifecycle. It encompasses various aspects of information management, including
data quality, security, privacy, compliance, and risk management, and aims to optimize the
value of information while minimizing risks and ensuring regulatory compliance.

Enterprise Security Architecture + Information Governance= Successful & Robust

Information Security Management Program

Enterprise Security Architecture Framework

Enterprise Security Architecture Framework from different perspectives within an organization,
highlighting the features, advantages, and views of various stakeholders such as the CEO, CFO,
COO, CRO, CIO, CISO, and CTO/Architect.Here's a summary of each section:
CEO View: Emphasizes the business-driven nature of the framework, its focus on value
assurance, protection of corporate reputation, compliance with governance requirements,

7|Page
scalability, agility, open-source nature, auditability, and transparency in expenditure and value
returned.
CFO View: Focuses on the financial aspects, highlighting the framework's role in ensuring
efficient return on investment, predictability, consistency, scalability in budgeting, agility in
managing costs, cost reduction through open-source standards, minimizing management time in
audits, and enabling full auditability of expenditure.
COO View: Stresses performance management, process improvement, end-to-end process
coverage, agility in integrating legacy and future environments, simplification of recruitment
and training through standardization, minimizing adverse effects of audit findings, and
measuring efficiency and effectiveness of processes and resources.
CRO View: Highlights the flexibility in fitting with industry regulations, support for enterprise
risk and opportunity management, integration into a fully-integrated risk management strategy,
agility in increasing maturity incrementally, global acceptability for auditors and regulators,
managing compliance risk effectively, and demonstrating compliance levels effectively.
CIO View: Focuses on enabling a digital information-age business, identifying information
exploitation opportunities, sustaining through-life information architecture, agility in
technology-neutral information management strategies, providing a future-proof framework,
facilitating smooth audits of systems and processes, and encouraging fully integrated solutions.
CISO View: Emphasizes alignment of security strategy with business goals, prioritization of
security and risk-control solutions, addressing all business security and control concerns, agility
in project-focused security development, sustainability in security integration, supporting
security, risk, and opportunity review processes, and providing traceability of business-aligned
security implementations.
CTO / Architect View: Highlights leveraging the power of information technology, managing
information system risk, applicability at any project size or complexity level, holistic and
integrated architectural approach, avoidance of vendor dependence and lock-in, improving
interactions with auditors and reviewers, and verifying justification and completeness of
technical solutions.
Each perspective underscores the importance of the Enterprise Security Architecture
Framework in addressing key business, financial, operational, risk, technology, and
architectural concerns within the organization.

8|Page