@ISACA Volume 15, 25 July 2018

Implementing Enterprise Architecture


Almost all global best practices for information security, governance of IT and risk management recommend that organizations implement an information systems enterprise architecture (EA). Many frameworks are available for EA, such as the PRISM architecture framework, the US National Institute of Standards and Technology (NIST) architecture framework, The Open Group Architecture Framework (TOGAF), and the Zachman Framework. Most of these frameworks describe different models; however, their common focus has been on business and data, and on applications and technology. Marrying business and data is not easy, and the variety of EA models adds to that difficulty. EA teams adapting a model to their business and data often become confused, resulting in misconceptions about what EA should and should not be.

A formal definition of EA from the Federation of Enterprise Architecture Professional Organizations states:

Enterprise Architecture is a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a holistic approach at all times, for the successful development and execution of strategy. Enterprise Architecture applies architecture principles and practices to guide organizations through the business, information, process, and technology changes necessary to execute their strategies. These practices utilize the various aspects of an enterprise to identify, motivate, and achieve these changes.

COBIT 5 has a process, Align, Plan and Organize 03 (APO03), for managing enterprise architecture, which has been mapped with TOGAF’s methods. According to the COBIT 5 framework, the enterprise architecture should follow certain principles:

  • Adopt good practices.
  • Use common components to gain reuse, scalability and agility.
  • Design EA as simply as possible.

The work of effective EA teams generally includes:

  • Deriving guidance for developing the EA from the business strategy
  • Providing advice to the IT strategic planning efforts along with the chief technology officer (CTO), senior IT staff, business leaders and users
  • Participating in performance management efforts relating to critical business processes
  • Deciding, not dictating, implementation details

Despite the benefits of the EA approach, EA implementation presents multiple challenges, and success is limited. Several experts have offered various reasons for this limited success, but the major reasons are:

  • Frequently, the EA framework follows best practices rather than a tailored approach to meet an organization’s requirements.
  • Accountability for implementing an EA framework is not always clearly identified. This might happen when an EA team does not consider operational challenges while designing the architecture.

To create value from implementing an EA framework, the following should be considered:

  • Instead of adopting a global EA framework, adapt the framework considering the organization’s people, process and technological needs.
  • Map these needs against the global frameworks and select the aspects most suitable to the organization.
  • Involve business and operational professionals along with IT in designing an EA framework, including a strategy and a roadmap. This will help ensure that everyone’s requirements are met.
  • Outcomes of an EA framework must provide guidance to users that can be translated into actions.

Following these tips will help you and your organization set up a successful EA for your enterprise. This will help you not only follow global best practices for information security, governance of IT and risk management, but also tailor the EA to your greatest business needs.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


How to Apply the Cybersecurity Kill Chain



The Cyber Kill Chain was created by Lockheed Martin’s Computer Incident Response Team and is based on military doctrine. This intelligence-driven defense process allows cybersecurity professionals to proactively remediate and mitigate advanced cyberthreats. In a world where the advanced persistent threat (APT) is ever present, professionals must learn to defend like an attacker. Applying the Cyber Kill Chain helps combat well-resourced and trained adversaries who conduct multiyear intrusion campaigns targeting highly sensitive economic, proprietary or national security information.

To learn more about applying the Cyber Kill Chain to mitigate threats, ISACA presents the “Cybersecurity Kill Chain” webinar. This webinar takes place on 26 July at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

William (Bill) Crowe, CISA, CRISC, CISM, CSXF, CRMA, NCA, is the Citizens Property Insurance Corporation’s IT security manager. Crowe will draw on his 20 years of experience in cybersecurity, information security, risk and controls and IT audit to help you incorporate the Cyber Kill Chain into your enterprise’s defense plan.

To learn more about this webinar or to register for it, visit the Cybersecurity Kill Chain page of the ISACA website.


The Deep Web Gets Deeper: The Darknet


The Internet is more than a single, homogeneous entity. It is made up of different types of content that can be accessed via differing methods with varying degrees of risk and legality. Some of this content is, at best, unsettling and, at worst, criminal.

The most commonly known Internet is the surface web, i.e., the publicly available web that is familiar to you, your browser and your search engine. It is used for communication, retail, advertising and news dissemination. The other Internet is the deep web. The deep web is only accessible to users who know how to get there. ISACA’s The Darknet tech brief explains an even deeper layer of the deep web—the darknet.

This complimentary tech brief explains to the layperson the world of content that exists on overlay networks (such as Tor) whose uniform resource locator (URL) addresses are hidden. Darknet sites use the .onion domain, and their URLs are random and hard to remember because they consist of nonsensical strings of numbers and letters and can change every few hours. Accessing the darknet requires special software that routes traffic over a randomized path to its destination, obscuring users’ locations and identities and protecting their anonymity.

The Darknet tech brief, like other tech briefs in the series, is intended to offer a quick overview of a topic at a nontechnical level. Tech briefs are a great resource for IT professionals to use when educating their business partners on the basics of a technology that might hold potential in their industry.

To learn more and download this tech brief, visit The Darknet page of the ISACA website.


Read the 2018 North America CACS and EuroCACS Conference Highlights Now


Cyberrisk is ever present, and boards of directors are interested in what they need to know to stay abreast of risk. If you were unable to attend North America CACS or EuroCACS, the CACS conference report is now available. In one of its highlights of North America CACS, Rob Clyde, CISM, ISACA 2018-19 Board Chair, provides guidelines for how to successfully update your board on current cyberrisk:

  1. Give a summary of good and bad news up-front. (Do not hold the punchline.) If you have an ask, mention it at the beginning of your presentation, not the end.
  2. Be clear and concise, both in your discussion and in the advance materials for the board packet.
  3. Be transparent and honest. Do not give unfounded assurances.
  4. If you do not know something, say so and promise to get back to them.
  5. Avoid tech speak and acronyms.
  6. Use analogies to aid understanding for non-cyber experts.
  7. Articulate business impact, risk, mitigations and plans.
  8. Clearly identify anything that requires board action or consideration.
  9. Do not surprise your chief executive officer—brief her or him in advance.

And remember: Competitive risk may be bigger than cyberrisk, so explore new technologies and their potential impact. Avoid becoming a roadblock that slows growth and progress, and enable the safe adoption of new technologies and processes.

Read other highlights like Clyde’s in the CACS 2018 Conference Report.


2019 ISACA Awards: Call for Nominations


Do you know of outstanding colleagues who have dedicated themselves to advancing ISACA’s core areas of audit, information security, risk and IT governance? Have you worked with an outstanding volunteer within your chapter or through an international role who has contributed to ISACA’s success? Now is the time to recognize those individuals. You are invited to nominate colleagues and peers who have made exceptional contributions to ISACA for the 2019 ISACA Awards. Nominations are due 15 August 2018.

If you are interested in learning more about previous award recipients, you can view the 2018 ISACA Global Achievement Award recipients, recognized at EuroCACS by 2017-18 ISACA Board Chair Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, on the Past ISACA Awards Recipients page. You can also check out this video from the ISACA Board of Directors highlighting the importance of recognizing excellence and inspiring future generations. There are awards honoring the best book/author, meritorious performance by key volunteers in leadership positions, the best speaker, contributions to the common body of knowledge used by the ISACA community, outstanding achievement, and exceptional impact on ISACA or the industry.

2018 ISACA Global Achievement Award recipients with 2017-18 Board Chair Theresa Grafenstine.

Learn more about the ISACA Global Achievement Awards and Chapter Awards and submit a nomination on the new ISACA Awards Portal.