Adaptive Enterprise Security Architecture
John J. Czaplewski | Director of Professional Services | David Lynas Consulting, Ltd.
David Lynas Consulting Ltd, 21 September 2016

We build, deploy and operate … Complex IT Systems
Supported by … Often Not-So-Engineered Security
Our technical security architectures focus on ...
Confidentiality, Integrity, Availability
and are becoming better and better at adapting to a dynamic threat environment.
But our Enterprises are concerned with much more:
We need: a Framework and Methodology for Developing Adaptive Enterprise Security Architectures
SABSA
An internationally recognized methodology for:
• Developing risk-driven enterprise information security and information assurance architectures
• Delivering security infrastructure solutions that support and adapt to critical business initiatives.
SABSA
• Begins with developing an understanding of key enterprise business requirements
• Transforms them into key business drivers for security
• Engineers the real business attributes that provide the core supporting framework for an adaptive, living enterprise security architecture
• Creates a chain of traceability from “Strategy & Planning” through “Design”, “Implement” and ongoing “Manage and Measure” to ensure that the business mandate is preserved.
An Adaptive Enterprise Security Architecture
Requires a comprehensive set of frameworks, models and methods
An Adaptive Enterprise Security Architecture: Frames and Structures all Aspects of Enterprise Security
An Adaptive Enterprise Security Architecture: Manages all Aspects of Enterprise Security
An Adaptive Enterprise Security Architecture: Requires an Enterprise Security Architecture Governance Model

Accountable Domain Authority (Strategy & Planning Phase):
• Develops Strategy and Plans
• Sets Goals, Objectives & Expectations
• Sets Performance Targets
• Sets Risk Appetite
• Sets Policy to Meet Objectives & Targets

Responsible Entities:
• Design: Design Processes; Design Systems; Design Staffing Model; Design Controls & Enablers
• Implement: Establish Processes; Implement Systems; Appoint & Train People; Establish Controls & Enablers
• Manage & Measure: Manage Processes & Operations; Manage People; Manage Systems; Performance & Risk Monitoring against KPIs and KRIs

Flows in the model: Inform of Responsibility (Domain Authority to Responsible Entities); Report Performance & Compliance With Target (Responsible Entities to Domain Authority); Execute Design, Transition and Through-life Assurance (across the Design, Implement and Manage & Measure phases); Consult & Report Performance (between the Domain Authority and the Higher Domain Authority: Superdomain, Shareholders, Regulators).
An Adaptive Enterprise Security Architecture: Defines Enterprise Security Architecture Capability Maturity Models

Maturity levels: 1 Unreliable, 2 Informal, 3 Defined, 4 Monitored, 5 Optimised
Maturity is rated per layer (Contextual, Conceptual, Logical, Physical, Component, Service Management) for each of the columns Assets, Motivation, Process, People, Location and Time.
[Figure: maturity grid of layer × column cells; the individual cell ratings are not recoverable from the text.]
An Adaptive Enterprise Security Architecture: Models Domain Roles and Responsibilities

Domains in the model: Super Domain; Domain A; Subdomain; External Impacted Domain (customer); Impacted Peer Domain; External Provider Domain (service provider).

Role relationships:
• C: Consult (C) to define policy & target
• I: Inform (I) policy & target to R domains
• R: Responsible domains
• I*: Inform (I*) performance to Super & Impacted domains
An Adaptive Enterprise Security Architecture: Analyses Threats and Opportunities

Risk Context: Assets at Risk

Negative Outcomes: Threats → Loss Event
• Overall likelihood of loss, derived from the likelihood of the threat materialising and the likelihood of the weakness being exploited
• Overall loss value, derived from the asset value and the negative impact value

Positive Outcomes: Opportunities → Beneficial Event
• Overall likelihood of benefit, derived from the likelihood of the opportunity materialising and the likelihood of the strength being exploited
• Overall benefit value, derived from the asset value and the positive impact value
An Adaptive Enterprise Security Architecture: Understands and Communicates Technical Risk in Business Terms
An Adaptive Enterprise Security Architecture: Creates Enterprise Policy Frameworks

• Contextual: Enterprise-wide Business Risk Policy
• Conceptual: Policies for Enterprise-wide Risk & Opportunity Categories (Finance Risk, Operational Risk, Environment Risk, Health & Safety Risk, Information Risk, etc.)
• Logical: Policies for Logical Domains (one per domain)
• Physical: Procedures for Physical Domains (one per domain)
• Component: Standards for Nodes, Addresses, Components
An Adaptive Enterprise Security Architecture: Aligns and Integrates Business Requirements

Point of Primary Integration for any Standard Requiring Measurable Targets:
• Business Legislation
• Business Sector Regulation
• Business Governance Frameworks
• Process Engineering Methods
• Total Quality Framework
An Adaptive Enterprise Security Architecture: Delivers Top-Down, End-to-End Process Security

• Contextual: Meta-Processes
• Conceptual: Strategic View of Process
• Logical: Information Flows & Transformations
• Physical: Data Flows & System Interactions
• Component: Protocols & Step Sequences

Vertical Security Consistency (top-down, across the layers) and Horizontal Security Consistency (end-to-end, along the process)
An Adaptive Enterprise Security Architecture: Derives Business-Linked Security Controls & Enablers
An Adaptive Enterprise Security Architecture: Builds Defence/Strength-in-Depth Control & Enablement Strategies
An Adaptive Enterprise Security Architecture: Integrates Controls Frameworks & Libraries

Technical Controls and Management Controls drawn from frameworks and libraries such as PCI, SOx, HIPAA, NIST, CobiT and ISO 27002.
An Adaptive Enterprise Security Architecture: Develops Re-usable Operational Risk Management Architectures

• Attributes with performance targets & risk appetite thresholds
• Risk Assessment Ratings: Threat / Opportunity; Vulnerability / Strength; - Impact / + Impact
• Integrated Controls & Enablers Library – MTCS Modelled: Service 1, Mechanism 1, Component 1, Activity 1; Service 2, Mechanism 2, Component 2, Activity 2; Service 3, Mechanism 3, Component 3, Activity 3
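The risk context (threat and opportunity sides) and the attribute performance targets and risk appetite thresholds from the slides above, worked as an added Python example that is not part of the original deck: it computes the expected loss and expected benefit of one risk and rates each against a business attribute. The multiplication rule for combining likelihoods and values, the Outcome and Attribute names, and the sample figures are assumptions of this example, not taken from the slides.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Outcome:
    """One branch of the risk context: threat -> loss event, or opportunity -> beneficial event.
    Assumed combination rule (not on the slide): likelihoods multiply, asset value times
    impact fraction gives the overall value, and expected amount = likelihood * value."""
    event_materialising: float  # likelihood of the threat (or opportunity) materialising, 0..1
    exploited: float            # likelihood of the weakness (or strength) being exploited, 0..1
    asset_value: float          # value of the asset at risk, in currency units
    impact: float               # negative (or positive) impact as a fraction of asset value, 0..1

    def __post_init__(self) -> None:
        for p in (self.event_materialising, self.exploited, self.impact):
            if not 0.0 <= p <= 1.0:
                raise ValueError("likelihoods and impact fractions must lie in [0, 1]")

    def overall_likelihood(self) -> float:
        return self.event_materialising * self.exploited

    def overall_value(self) -> float:
        return self.asset_value * self.impact

    def expected(self) -> float:
        return self.overall_likelihood() * self.overall_value()

@dataclass(frozen=True)
class Attribute:
    """A business attribute with its risk-appetite threshold and performance target."""
    name: str
    risk_appetite: float        # maximum expected loss the domain authority tolerates
    performance_target: float   # minimum expected benefit the domain authority wants

def assess(attr: Attribute, threat: Outcome, opportunity: Outcome) -> dict:
    """Rate both sides of the balanced risk against the attribute's appetite and target."""
    loss, benefit = threat.expected(), opportunity.expected()
    return {
        "attribute": attr.name,
        "expected_loss": loss,
        "expected_benefit": benefit,
        "within_risk_appetite": loss <= attr.risk_appetite,
        "meets_performance_target": benefit >= attr.performance_target,
        "net_expected_value": benefit - loss,
    }

# Constructed sample figures: a customer-data asset rated against an "Access-controlled" attribute.
CUSTOMER_DATA = Attribute("Access-controlled", risk_appetite=50_000.0, performance_target=20_000.0)
THREAT = Outcome(event_materialising=0.4, exploited=0.25, asset_value=1_000_000.0, impact=0.6)
OPPORTUNITY = Outcome(event_materialising=0.7, exploited=0.5, asset_value=1_000_000.0, impact=0.1)
REPORT = assess(CUSTOMER_DATA, THREAT, OPPORTUNITY)  # loss 60000 exceeds appetite; benefit 35000 meets target
```

With these figures the loss side breaches the attribute's risk appetite while the benefit side meets its target, which is the kind of balanced reading the dashboards on the following slide are meant to surface.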
An Adaptive Enterprise Security Architecture: Incorporates Business-Linked Risk Monitoring and Reporting Dashboards

Business Requirements → Business Drivers for Security → Business Attributes
Business Attributes shown: Risk Management Attributes and Legal / Regulatory Attributes, e.g. Access-controlled, Accountable, Assurable, Enforceable, Compliant, Admissible.
An Adaptive Enterprise Security Architecture: Ensures the Enterprise Security Architecture Lives
An Adaptive Enterprise Security Architecture:
• Security is about mitigating threats AND enabling opportunities
• Change the security conversation to focus on delivering value to the Enterprise
• Include security at the strategy and planning table
• Develop Enterprise Security Architecture that enables the Enterprise to meet its mission, goals and objectives