Enterprise Architecture and Information Security

Page 1: Enterprise Architecture and Information Security

Information Security & Enterprise Architecture

Page 2: Enterprise Architecture and Information Security

Is information security built-in or add-on in the plan, design and execution of information and communication systems?

Page 3: Enterprise Architecture and Information Security

Information Security Requirements

INFORMATION MANAGEMENT (information lifecycle):

1. Create
2. Store
3. Utilize
4. Share
5. Dispose

INFORMATION SECURITY: Confidentiality, Integrity, Availability

Page 4: Enterprise Architecture and Information Security

ENTERPRISE ARCHITECTURE and INFORMATION SECURITY (diagram)

Enterprise architecture layers: PROCESS, DATA, APPLICATION, TECHNOLOGY

Information security dimensions: PRINCIPLES, LEGAL, TECHNICAL, GOVERNANCE

Page 5: Enterprise Architecture and Information Security

ENTERPRISE

• "Enterprise" is an entity defined and organized to create value

• The value creation is structured to be composed of product, services, people, location, performance, function, process, data, application, technology, infrastructure and providers.

[email protected]

Page 6: Enterprise Architecture and Information Security

ARCHITECTURE

• A drawn model that describes the holistic and particular views of the system in actualizing the "value" defined for the organization.

• A blueprint that defines the baseline of common and differentiated information on how the system is organized and expected to behave, so as to actualize the mandate, mission, principles, vision, goals, objectives and performance.

Pages 7-15: Enterprise Architecture and Information Security

Need for Enterprise Architecture (diagram slides)

Page 16: Enterprise Architecture and Information Security

VALUE OF ENTERPRISE ARCHITECTURE

“You are going to do architecture, because without architecture, you cannot do any of these things:

• Alignment
• Integration
• Change
• Reduced Time-to-Market”

- John Zachman, Enterprise Architecture Framework

Page 17: Enterprise Architecture and Information Security

VALUE OF ENTERPRISE ARCHITECTURE

ALIGNMENT

• Enterprise architecture provides the framework to enable better alignment of business and information technology objectives. The architecture can also serve as a communication tool.

Page 18: Enterprise Architecture and Information Security

VALUE OF ENTERPRISE ARCHITECTURE

INTEGRATION

• Enterprise architecture establishes the infrastructure that enables business rules to be applied consistently across the organization, and documents data flows, uses and interfaces.

Page 19: Enterprise Architecture and Information Security

VALUE OF ENTERPRISE ARCHITECTURE

VALUE CREATION

• Enterprise architecture provides better measurement of the economic value of information technology in an environment with a higher potential for reusable hardware and software assets.

Page 20: Enterprise Architecture and Information Security

VALUE OF ENTERPRISE ARCHITECTURE

CHANGE MANAGEMENT

• Enterprise architecture establishes consistent infrastructure; formalizing the management of infrastructure and information assets better enables an organization-wide change management process for handling information technology changes.

Page 21: Enterprise Architecture and Information Security

VALUE OF ENTERPRISE ARCHITECTURE

COMPLIANCE

• Enterprise architecture provides the artifacts necessary to ensure legal and regulatory compliance for the technical infrastructure and environment.

- Schekkerman, J. (2005). Trends in Enterprise Architecture. Institute for Enterprise Architecture Development.

Page 22: Enterprise Architecture and Information Security

ENTERPRISE ARCHITECTURE DOMAIN (diagram)

1. Intention: MANDATE, VISION, GOALS; ORGANIZATION & STAKEHOLDERS; PROGRAMS
2. Business: BUSINESS FUNCTIONS, PROCESS & POLICIES
3. Information: INFORMATION, DATA & APPLICATION
4. Technology: TECHNOLOGY INFRASTRUCTURE

Page 23: Enterprise Architecture and Information Security

ARCHITECTURE DOMAINS

1. BUSINESS ARCHITECTURE
Definition of the business strategy, governance, organization, and key business processes of the enterprise.

2. APPLICATION ARCHITECTURE
Provision of a functional blueprint for the individual application systems to be deployed, the interactions between application systems, and their relationship to the core business processes of the enterprise.

Page 24: Enterprise Architecture and Information Security

ARCHITECTURE DOMAINS

3. DATA ARCHITECTURE
Structural definition of the logical and physical data assets of the enterprise, and the associated data management resources.

4. TECHNOLOGY ARCHITECTURE
Definition of the hardware, software and network infrastructure that supports the deployment of core and mission-critical applications. It includes a description of technology standards and methodology.

Page 25: Enterprise Architecture and Information Security

ENTERPRISE ARCHITECTURE COMPONENTS IN ICT SERVICES (diagram)

Use case / users access: CUSTOMER CLIENTS, PROVIDERS SUPPLIERS
Business processes: MEMBERSHIP, COLLECTION, BENEFITS, ACCREDITATION
Application system: APPLICATION SERVICES
Data services: DATA ELEMENTS, DATABASE SYSTEM
Connectivity services: NETWORK INFRASTRUCTURE, POINT OF PRESENCE
PERFORMANCE METRICS; QUALITY OF SERVICE

Page 26: Enterprise Architecture and Information Security

CASE: BUSINESS INFORMATION SYSTEM INTEGRATION VIEW (diagram)

CUSTOMER RELATIONSHIP MANAGEMENT: Membership, Collection, Benefits, Accreditation
ENTERPRISE RESOURCE PLANNING: Finance, Human Resource, Assets, Facilities, Technology
ENTERPRISE PERFORMANCE MANAGEMENT: Planning, Audit, Risks, Legal/Policy

Layers: BUSINESS PROCESS; DATA & APPLICATION; TECHNOLOGY INFRASTRUCTURE, cross-cut by INFORMATION SECURITY and ENTERPRISE ARCHITECTURE

Page 27: Enterprise Architecture and Information Security

SUCCESS COMPONENTS OF INFORMATION SYSTEM (diagram)

DeLone and McLean Model, shown from the Agency and the Citizen perspectives

Page 28: Enterprise Architecture and Information Security

Enterprise Architecture and Information Security (diagram)

ENTERPRISE INFORMATION SECURITY spans: BUSINESS FUNCTION / PROCESS; BUSINESS DATA & APPLICATION; BUSINESS TECHNOLOGY INFRASTRUCTURE; NETWORKED INFORMATION SUPPLIER & CUSTOMER

Information security questions, principles, risks, methodology and governance

Page 29: Enterprise Architecture and Information Security

Information Security Means…

Confidentiality: Secrecy, Privacy and Authority
Integrity: Accurate, Complete and Reliable
Availability: Accessible, Immediate and Uptime

Page 30: Enterprise Architecture and Information Security

Information Insecurity Means…

Information is not secure when something is: Stolen, Misrepresented, Breached, Misused, Incomplete, Unauthorized, Compromised, Denied

Page 31: Enterprise Architecture and Information Security

CASE: HEALTH INSURANCE INFORMATION SECURITY

MEMBERSHIP MANAGEMENT (identification), COLLECTION MANAGEMENT (payment), BENEFITS MANAGEMENT (claims), ACCREDITATION MANAGEMENT (certification)

Each assessed for confidentiality, integrity and availability

Page 32: Enterprise Architecture and Information Security

CASE: HEALTH INSURANCE INFORMATION SECURITY

FINANCIAL MANAGEMENT, PERSONNEL MANAGEMENT, ASSET MANAGEMENT, LEGAL MANAGEMENT

Each assessed for confidentiality, integrity and availability

Page 33: Enterprise Architecture and Information Security

CASE: HEALTH INSURANCE INFORMATION SECURITY

AUDIT MANAGEMENT, STRATEGY MANAGEMENT, RISK MANAGEMENT, PROJECT MANAGEMENT

Each assessed for confidentiality, integrity and availability

Page 34: Enterprise Architecture and Information Security

CASE: HEALTH INSURANCE INFORMATION SECURITY

INFRASTRUCTURE MANAGEMENT, NETWORK MANAGEMENT, APPLICATION MANAGEMENT, DATA MANAGEMENT

Each assessed for confidentiality, integrity and availability

Page 35: Enterprise Architecture and Information Security

Mitigating Information Security Risk

Information Security Risk Mitigation: Assessment, Policy, Governance, Technology (answering Why, Who, What and How)

Page 36: Enterprise Architecture and Information Security

Security Policy Requirements

Governance
•Functional Organization
•Roles and Responsibilities
(artifact: Governance Guidance and Implementation)

Competency
•Knowledge, Skills and Attitudes Requirements
•Training Program and Certification
(artifact: Competency Reference and Assessment)

Process
•Business Workflow, Procedures and Rules
•Risk Audit and Control Procedures
(artifact: Functions, Process Models and Control Guidance)

Data
•Acceptable Use
•Data Management
•Risk Audit and Control Procedures
(artifact: Data and Application Security Models and Acceptable Use)

Infrastructure
•Infrastructure Management
•Sourcing & Procurement
•Risk Audit and Control
(artifact: Physical Configuration, Network Models, Service Sourcing, Trusted Technology, Acceptable Use)

No Need to Reinvent the Wheel

1. Recognize security needs and questions
2. Find the fitting practitioner standards
3. Apply the standards to real-life conditions
4. Assess and improve the practice

Page 37: Enterprise Architecture and Information Security

Information Security Risk Assessment

1. Information Asset Inventory (Information Systems)
2. Vulnerability Identification
3. Threat Source
4. Impact Rating of Vulnerability
5. Risk Mitigation, Treatment and Prevention

Assessed across: 1. Organization 2. Process 3. Data 4. Application 5. Infrastructure
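A worked version of the assessment flow above (asset inventory, vulnerability identification, threat source, impact rating, treatment decision), applied to the health-insurance case of the preceding slides. This is an added example, not code from the deck; the asset names, CIA ratings, findings, the 1-3 scales, the impact x likelihood score and the treatment thresholds are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# The five assessment layers named on the slide, and the three properties.
LAYERS = ("organization", "process", "data", "application", "infrastructure")
PROPERTIES = ("C", "I", "A")


@dataclass(frozen=True)
class Asset:
    """One inventory entry: which EA layer it lives in, which business
    function it serves, and the impact (1 low .. 3 high) of losing each
    security property. Scale is an assumption for this example."""
    name: str
    layer: str
    function: str
    c: int
    i: int
    a: int

    def __post_init__(self):
        if self.layer not in LAYERS:
            raise ValueError(f"unknown layer {self.layer!r}")
        if any(v not in (1, 2, 3) for v in (self.c, self.i, self.a)):
            raise ValueError("CIA impact ratings must be 1, 2 or 3")


@dataclass(frozen=True)
class Finding:
    """A vulnerability, the threat source that could exploit it, the
    property (C/I/A) the exploit would violate, and likelihood 1..3."""
    asset: str
    vulnerability: str
    threat_source: str
    prop: str
    likelihood: int

    def __post_init__(self):
        if self.prop not in PROPERTIES:
            raise ValueError(f"property must be one of {PROPERTIES}")
        if self.likelihood not in (1, 2, 3):
            raise ValueError("likelihood must be 1, 2 or 3")


def impact(asset: Asset, prop: str) -> int:
    """Impact rating of the asset for the property the finding threatens."""
    return {"C": asset.c, "I": asset.i, "A": asset.a}[prop]


def risk_score(asset: Asset, finding: Finding) -> int:
    """Impact x likelihood, giving a 1..9 score."""
    return impact(asset, finding.prop) * finding.likelihood


def treatment(score: int) -> str:
    """Treatment decision per score band (thresholds are an assumption)."""
    if score >= 6:
        return "mitigate now"
    if score >= 3:
        return "mitigate (planned)"
    return "accept"


def assess(assets, findings):
    """Join inventory and findings into a risk register, highest risk first.
    A finding that names an asset missing from the inventory is an error:
    the inventory step must be complete before rating impact."""
    by_name = {a.name: a for a in assets}
    register = []
    for f in findings:
        if f.asset not in by_name:
            raise ValueError(f"finding references unknown asset {f.asset!r}")
        asset = by_name[f.asset]
        score = risk_score(asset, f)
        register.append({
            "asset": asset.name, "layer": asset.layer, "function": asset.function,
            "property": f.prop, "vulnerability": f.vulnerability,
            "threat_source": f.threat_source, "score": score,
            "treatment": treatment(score),
        })
    return sorted(register, key=lambda r: (-r["score"], r["asset"]))


def layer_summary(register):
    """Worst score per EA layer, so the architecture view can be annotated."""
    worst = {}
    for r in register:
        worst[r["layer"]] = max(worst.get(r["layer"], 0), r["score"])
    return worst


# Constructed sample inventory and findings modelled on the case slides.
ASSETS = [
    Asset("member-registry-db", "data", "membership", c=3, i=3, a=2),
    Asset("claims-adjudication-app", "application", "benefits", c=2, i=3, a=3),
    Asset("premium-collection-gateway", "application", "collection", c=2, i=3, a=3),
    Asset("provider-accreditation-records", "data", "accreditation", c=1, i=3, a=1),
    Asset("core-network", "infrastructure", "all", c=2, i=2, a=3),
    Asset("claims-approval-workflow", "process", "benefits", c=1, i=3, a=2),
]
FINDINGS = [
    Finding("member-registry-db", "backups stored unencrypted", "external attacker", "C", 2),
    Finding("claims-adjudication-app", "no four-eyes check on high-value claims", "insider", "I", 3),
    Finding("premium-collection-gateway", "single node, no failover", "hardware failure", "A", 2),
    Finding("provider-accreditation-records", "shared write credential", "insider", "I", 1),
    Finding("core-network", "flat network, no segmentation", "malware", "A", 2),
    Finding("claims-approval-workflow", "approver can approve own claim", "insider", "I", 2),
]

if __name__ == "__main__":
    register = assess(ASSETS, FINDINGS)
    for r in register:
        print(f'{r["score"]:>2}  {r["treatment"]:<18} {r["layer"]:<14} {r["asset"]}: {r["vulnerability"]}')
    print(layer_summary(register))
```

The register ranks the benefits-adjudication integrity gap first (impact 3, likelihood 3), and the per-layer summary is what gets written back onto the architecture diagram: the application layer carries the worst open risk, which is the point of tying the assessment to the EA layers rather than to a flat list of systems.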

Page 38: Enterprise Architecture and Information Security

What it means to secure information…

1. Establish the governance and management organization of information security so that it complies with best-practice standards.

Page 39: Enterprise Architecture and Information Security

What it means to secure information…

2. Identify the information assets, and perform the assessment of vulnerabilities and threats that surround the creation, storage, use and sharing of information.


Page 40: Enterprise Architecture and Information Security

What it means to secure information…

3. Develop, document and implement policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability in the person, process, data, application and infrastructure of information.


Page 41: Enterprise Architecture and Information Security

What it means to secure information…

4. Evaluate, acquire and use security management tools to classify data and risk, to audit information systems, to assess and analyze risks in solution development and infrastructure, to monitor and control areas of vulnerability, and to implement security controls and appropriate reactive responses to threats.

Page 42: Enterprise Architecture and Information Security

Basic Security Steps

Information Systems Security, built from:
• Authorized Access
• Device Integrity
• Data Exchange Protocol
• Monitoring & Audit
• Network Hardening
• Service Agreements
• Standards
• Risk Assessment & Policies
• Security Services
• User Training

Page 43: Enterprise Architecture and Information Security

CHANGE…

1. We can only evaluate that which is measurable

2. We can only test that which is agreed.

3. We can only improve that which is actualized.

4. We can only change that which is established.
