Enterprise%20 security%20architecture%20 %20business%20driven%20security
1 like101 views
This document outlines an enterprise security architecture seminar. It introduces security architecture and the SABSA framework. SABSA is a step-by-step approach that involves identifying business drivers, attributes, threats, control objectives, and security services. A worked example is provided that protects customer information. The seminar covers developing a contextual and conceptual security understanding, logical security architecture components, and deliverables including control frameworks.
Enterprise%20 security%20architecture%20 %20business%20driven%20security
- 1. Enterprise Security Architecture Business-driven security April 2012
- 2. Page 2 Agenda ► Facilities and safety information ► Introduction ► Overview of the problem ► Introducing security architecture ► The SABSA approach ► A worked example ► Security architecture components ► Facilitated discussion 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 3. The Problem: Information Security The business perspective Page 3 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 4. The problem: answering the difficult questions How do we ensure security supports the business? How do we demonstrate alignment with the business risks? Are we spending too much or on the right things? How do we keep business and security aligned? How do we minimise security gaps and remediation costs How do we embed security in the wider business? Page 4 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 5. Introducing security architecture? Traditional architecture vs. security architecture ► Designing a secure business information system could take a number of directions, but there is considerable potential for the security and business requirements to clash and neither party is satisfied with the end result. ► The answers to these questions provide the architect with the business requirements which can then be fed into the design process. ► What type of structure do I want? ► Why do I want this structure? ► How will it be used? ► Who will be the users of the structure? ► Where should the structure be located? ► When will it be used? Building a physical structure ► What type of information system is being considered and what will it do? ► Why is it needed? ► How will it be used? ► Who will use it? ► Where will it be used? ► When will it be used? Protecting business information Page 5 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 6. How do I solve this problem What is business security architecture? ► The challenge in developing the architecture is to balance between risk, cost and usability ► Security architecture controls are composed of people, process and technology controls An organisation needs security controls that are: ► Driven by business requirements rather than technical considerations ► Directly traceable to business objectives ► Designed from the outset to be cost-effective, avoiding remediation effort ► Meet legal, regulatory and policy compliance requirements by design ► Are appropriate to both the business risks and organisation’s risk appetite Risk Usability Cost Page 6 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 7. Why do this? Benefits of the security architecture approach Customised information security control framework ► Driven by the organisation’s business requirements ► Meeting compliance ► Alignment with the business’ risk appetite Reduces information security, IT and security audit costs ► Eliminates redundant controls ► Reduces ad hoc security implementation ► Provides detailed agreed security requirements Informs executive management about security risk ► Articulates impact of information security risk in business terms ► Provides structured control framework to evaluate compliance ► Creates foundation for quantitative assessment of security ROI Page 7 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 8. The SABSA approach Step by step Business attributes Threat analysis Impact analysis Control objectives Security services Business Driver ► Identify the business drivers/ objectives. ► Prioritise drivers. Business Attributes ► Translate drivers into business security attributes. ► Security attributes are provided by SABSA framework. Threat analysis ► Perform threat analysis. ► Identify actual threats to business attributes/ business drivers. Impact analysis ► Use qualitative or quantitative methods to define impact of the realisation of the threat on the identified business objectives. Control Objectives ► Define control objectives to mitigate the identified threats to acceptable levels. Security services ► Identify security services to provide the required controls objectives. Business driver Page 8 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 9. The SABSA approach An architect’s perspective – Here comes the science! Assets (What) Process (How) Location (Where) People (Who) Time (When) Motivation (Why) Contextual The Business Business Process Model Business Geography Business Organization and Relationships Business Time Dependencies Business Risk Model Conceptual Business Attributes Profile Security Strategies and Architectural Layering Security Domain Model Security Entity Model and Trust Framework Security-Related Lifetimes and Deadlines Control Objectives Logical Security Services Security Domain Definitions and Associations Entity Schema and Privilege Profiles Security Processing Cycle Business Information Model Security Policies Physical Platform and Network Infrastructure Users, Applications and the User Interface Control Structure Execution Business Data Model Security Mechanisms Security Rules, Practices and Procedures Component Processes, Nodes, Addresses and Protocols Identities, Functions, Actions and ACLs Security Step Timing and Sequencing Detailed Data Structures Security Products and Tools Security Standards Operational Assurance of Operational Continuity Security Service Management and Support Security of Sites, Networks and Platforms Application and User Management and Support Security Operations Schedule Operational Risk Management Design Build Business Architect Designer Builder Tradesman Facilities Manager 26 April 2012 ISACA Seminar– Enterprise Security ArchitecturePage 9
- 10. Contextual & conceptual security Understanding the business and its risks ► Business strategy ► Business processes and functions ► Organisational structure – personnel, geographical, partnerships ► Budgets, technical constraints, time dependencies ► Use the business attributes database to describe the business in terms of strategy, related assets, business goals and objectives → business attribute profile ► Perform a threat analysis on the business assets, goals and objectives ► Define the business impact of the realisation of the threats ► Identify technical and procedural vulnerabilities Gather, assess and analyse business requirements Describe the business requirements Analyse the business risks Page 10 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 11. An overview of SABSA attributes database Page 11 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 12. A logical security architecture What does it look like? Business Attributes Profile Control objectives Security strategies Security services Business Attributes Profile ► Select business attributes (mapped to business drivers). ► Define enterprise- specific business attributes, a measurement approach, metrics and targets. Control objectives ► Derive control objectives from the Business Attributes Profile and the Business Risk Model developed at the Conceptual layer. Security strategies ► Define appropriate security strategies based on the business process model, the Business Attributes profile, the control objectives and the assessment of the current state of security Security services ► Layered model of security services, including: ► Prevention ► Containment ► Detection and notification ► Event collection and tracking ► Recovery ► Assurance Page 12 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 13. A worked example Business drivers ► Customer data is disclosed to internal users through inappropriate access controls ► Staff leak customer information to unauthorised third parties ► Customer information is disclosed in transit to third- party processor. ► Sensitive* customer data is disclosed to unauthorised parties Compliant Access-controlled Protected Protect customer information Business driver Business attributes Threats Prioritised Page 13 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 14. A worked example Control objectives Operations, process and procedures ► User access management ► Monitoring user access levels and user activity, particularly third parties ► Incident response for data breach Technology ► Identity management ► Authentication and authorisation ► Database and network encryption to protect personal data in storage and in transit ► Auditing and logging of access to sensitive* personal data People ► Training and awareness for all staff on data protection ► Focussed training for high-risk areas, e.g., call centres Governance ► Nominated Data Protection Officer ► Data protection policies, standards and procedures ► Third party risk management framework ► Data protection assurance Compliant Access- controlled Protected Control Objectives: Protect customer information Business attributes – Compliant, access-controlled and protected Page 14 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 15. A worked example Security services ► Identity management tools ► Authentication ► Access control ► Authorisation ► Auditing ► Storage encryption ► Link encryption ► Breach ► Security management ► Incident management ► Policies, standards, procedures, guidelines ► Training and awareness ► Proactive reviews ► Third party management frameworks Technical security services Technical security services Page 15 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 16. Security architecture deliverables What do you get? Contextual Architecture ► Business Drivers ► Prioritised drivers ► Impact Assessment Conceptual Architecture ► Business Attribute Profile ► Business Risk Model ► Security Domain Model Logical Security Architecture ► Security Domains and associations ► Logical security services framework Physical and Component Architecture ► Detailed infrastructure and component solution design ► Documented controls against control objectives Operational security control framework Page 16 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 17. Portrait of a successful security architect An architect’s skill-set is different from a tradesman Understands the business strategy and objectives ► There are more than just ‘security’ requirements Thinks in business terms at all times ► Why are we doing this? ► What are we trying to do? Has good communication skills ► Bridges the gaps between business and technology Maintains strength of character ► Defends the security architecture ► Meets the constant challenge Page 17 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 18. Optimising your investment in security architecture – measuring success ► Characteristics of a good business security architecture ► Strategic alignment: aligned to the current business strategy ► Agility: designing a security architecture to deal with the changing legal, regulatory and client requirements ► Extensibility: expanding the architecture on a phased based throughout an organisation ► Robustness: demonstrates a thorough development with appropriate input, review and approval and will withstand critical evaluation from detractors ► Pragmatism: reflects the operating environment of the organisation and imposes appropriate security controls for the people and culture. Page 18 Good security controls Driven by business requirements rather than technical considerations Directly traceable to business objectives Designed from the project outset to be cost-effective thereby avoiding remediation effort Meets regulatory, audit and compliance requirements by design Appropriate to both the business risks and organisation’s risk appetite 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 19. Security Architecture Summary Page 19 26 April 2012 ISACA Seminar– Enterprise Security Architecture
- 20. EY Contacts Security architecture experience Hugh Callaghan Director Direct Tel: +353 (0)1 221 2411 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)87 983 8511 E-mail: hugh.callaghan@ie.ey.com Patricia O’Gara Senior Manager Direct Tel: +353 (0)1 221 2008 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)87 235 6023 E-mail: patricia.ogara@ie.ey.com Vasilijs Mihailovs Assistant Direct Tel: +353 (0)1 221 2653 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)86 176 6444 E-mail: vasilijs.mihailovs@ie.ey.com Eoin O’Reilly Senior Manager Direct Tel: +353 (0)1 221 2698 Direct Fax: +353 (0)1 475 0557 Mobile: +353 (0)86 770 9820 E-mail: eoin.oreilly@ie.ey.com 26 April 2012 ISACA Seminar– Enterprise Security ArchitecturePage 20
- 21. Thank you