Enterprise security architecture (ESA) is the methodology and process used to develop a risk-driven security framework and business controls. The focus of an enterprise architect should be to align information security controls and processes with business strategy, goals and objectives.
Normally, developing an effective ESA is achieved following these steps:
• Defining the business’s goals and objectives
• Understanding business risk and threats
• Understanding compliance, regulation and legal requirements
• Identifying the appropriate framework and architecture vision
• Identifying the appropriate security controls (gap analysis)
• Managing and implementing the security controls
• Monitoring and evaluating the security controls
• Assessing and identifying gaps before repeating the cycle
The steps above make up ESA life cycle management. It is important to note that ESA is not a one-off task but a continuous process: once the cycle completes, the gaps identified feed the next iteration.
Guidance on How to Choose Architecture Framework and Controls
Consider the following steps when selecting a framework:
• Pick a framework that is relevant to your business and applicable regulations (e.g., US National Institute of Standards and Technology [NIST] Cybersecurity Framework, International Organization for Standardization [ISO]/International Electrotechnical Commission [IEC], COBIT).
• Customize the controls to fit your business’s purpose and align them with goals and objectives. Make sure all business risk and threats are managed with appropriate controls. Tune and finalize the framework and document the requirements.
Guidance on Business Risk Identification
Business risk identification is a fundamental part of setting up an architecture. One way to identify business risk is to look at current threats to your business goals and objectives.
However, I suggest you start your business risk identification with business attribute profiling. Business attribute profiling is a useful concept introduced by the SABSA framework and can be used to identify business risk.
To begin your business attribute profiling, you need to identify all attributes that are important to your business. For example, you may find that industry regulation compliance, assured customer privacy and assured customer satisfaction are important. Once you have established the important attributes for your business, you can identify the risk associated with each attribute (that is, what would prevent the business from achieving it).
Guidance on Gap Analysis
Gap analysis needs to be performed to identify the requirements to progress the current architecture to the desired architecture. Normally, maturity models, like the Capability Maturity Model Integration (CMMI), can be used to identify the current level of maturity for each control and its respective required level of maturity. After this is established, a relevant migration plan can be created and implemented to close the gaps.
Read Rassoul Ghaznavi Zadeh’s recent Journal article:
“Enterprise Security Architecture—A Top-Down Approach,” ISACA Journal, volume 4, 2017.