Security and Architecture SUZANNE GRAHAM


Why What How When

Why: Information Security

Information Assurance has been more involved with assessing the overall risk of an organisation's technology and working to mitigate that risk.

Pillars generally considered to be:
- Integrity
- Availability
- Confidentiality
- Non-repudiation
- Authentication

Security has four strands to enable determent:
- Physical
- Personnel
- Procedural
- Technical

Typical examples of the technical strand being:
- Firewall
- Intrusion Detection/Prevention Systems
- (Counter) Hacking
- Penetration testing
- Vulnerability Analysis of systems

Why: Security in architecture (Source: Techopedia)

Security architecture is a unified security design that addresses the necessities and potential risks involved in a certain scenario or environment. It also specifies when and where to apply security controls. The design process is generally reproducible.

In security architecture, the design principles are reported clearly, and in-depth security control specifications are generally documented in independent documents.

System architecture can be considered a design that includes a structure and addresses the connection between the components of that structure.

What: Security Architecture and Design

The design and architecture of security services facilitates the management of business risk exposure objectives.
- Risk management
- Benchmarking and good practice
- Financial
- Legal and regulatory

Security Architecture is the design artefacts that describe how the security controls (= security countermeasures) are positioned and how they relate to the overall systems architecture.

What: Architectural Principles, example set (Source: TOGAF)

Business Principles
- Principle 1: Primacy of Principles
- Principle 2: Maximize Benefit to the Enterprise
- Principle 3: Information Management is Everybody's Business
- Principle 4: Business Continuity
- Principle 5: Common Use Applications
- Principle 6: Compliance with Law
- Principle 7: IT Responsibility
- Principle 8: Protection of Intellectual Property

Application Principles
- Principle 15: Technology Independence
- Principle 16: Ease of Use

Technology Principles
- Principle 17: Requirements-Based Change
- Principle 18: Responsive Change Management
- Principle 19: Control Technical Diversity
- Principle 20: Interoperability

Data Principles
- Principle 9: Data is an Asset
- Principle 10: Data is Shared
- Principle 11: Data is Accessible
- Principle 12: Data Trustee
- Principle 13: Common Vocabulary and Data Definitions
- Principle 14: Data Security

What: Architectural Principles, Data Security (Source: TOGAF)

Principle 14: Data Security

Statement: Data is protected from unauthorized use and disclosure. In addition to the traditional aspects of national security classification, this includes, but is not limited to, protection of pre-decisional, sensitive, source selection-sensitive, and proprietary information.

Rationale: Open sharing of information and the release of information via relevant legislation must be balanced against the need to restrict the availability of classified, proprietary, and sensitive information. Existing laws and regulations require the safeguarding of national security and the privacy of data, while permitting free and open access. Pre-decisional (work-in-progress, not yet authorized for release) information must be protected to avoid unwarranted speculation, misinterpretation, and inappropriate use.

Implications:
- Aggregation of data, both classified and not, will create a large target requiring review and de-classification procedures to maintain appropriate control. Data owners and/or functional users must determine whether the aggregation results in an increased classification level. We will need appropriate policy and procedures to handle this review and de-classification. Access to information based on a need-to-know policy will force regular reviews of the body of information.
- The current practice of having separate systems to contain different classifications needs to be rethought. Is there a software solution to separating classified and unclassified data? The current hardware solution is unwieldy, inefficient, and costly. It is more expensive to manage unclassified data on a classified system. Currently, the only way to combine the two is to place the unclassified data on the classified system, where it must remain.
- In order to adequately provide access to open information while maintaining secure information, security needs must be identified and developed at the data level, not the application level.
- Data security safeguards can be put in place to restrict access to "view only", or "never see". Sensitivity labeling for access to pre-decisional, decisional, classified, sensitive, or proprietary information must be determined.
- Security must be designed into data elements from the beginning; it cannot be added later. Systems, data, and technologies must be protected from unauthorized access and manipulation. Headquarters information must be safeguarded against inadvertent or unauthorized alteration, sabotage, disaster, or disclosure.
- Need new policies on managing duration of protection for pre-decisional information and other works-in-progress, in consideration of content freshness.
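A sketch of what "security at the data level" in Principle 14 can look like in code. This is an added example, not part of the original slides or of TOGAF: the level names, field names, aggregation rule and sample record are all constructed assumptions.

```python
from enum import IntEnum
from types import MappingProxyType

class Level(IntEnum):            # constructed ordering for this example
    OPEN = 0
    SENSITIVE = 1
    PROPRIETARY = 2
    CLASSIFIED = 3

# Labels are attached to data elements, not to the application (hypothetical schema).
FIELD_LABELS = {
    "name": Level.OPEN,
    "office": Level.OPEN,
    "salary": Level.SENSITIVE,
    "draft_decision": Level.SENSITIVE,   # pre-decisional
    "bid_score": Level.PROPRIETARY,      # source selection-sensitive
}

# Data-owner decisions: field combinations whose aggregation raises the label.
AGGREGATION_RULES = [
    (frozenset({"name", "office", "salary"}), Level.PROPRIETARY),
]

def label_of(field):
    """Unlabelled elements fail closed: treated as the highest level."""
    return FIELD_LABELS.get(field, Level.CLASSIFIED)

def aggregate_label(fields):
    """High-water mark of the element labels, raised by any matching owner rule."""
    fields = set(fields)
    label = max((label_of(f) for f in fields), default=Level.OPEN)
    for combo, raised in AGGREGATION_RULES:
        if combo <= fields:
            label = max(label, raised)
    return label

def view(record, clearance, requested):
    """Read-only ("view only") projection; anything above clearance is "never see"."""
    visible = [f for f in requested if f in record and label_of(f) <= clearance]
    # Withhold the most sensitive visible element until the aggregate fits.
    while visible and aggregate_label(visible) > clearance:
        visible.remove(max(visible, key=label_of))
    return MappingProxyType({f: record[f] for f in visible})

# Constructed sample record.
RECORD = {"name": "A. Example", "office": "HQ-2", "salary": 61000,
          "draft_decision": "reject", "bid_score": 87, "notes": "unlabelled"}
```

The check is per request, so a caller who requests `salary` separately from `name` and `office` still receives each part; stopping that needs query history or a coarser label on the elements themselves.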

How: Attributes of Security Architecture

- Relationships and Dependencies: Signifies the relationship between the various components inside IT architecture and the way in which they depend on each other.
- Benefits: The main advantage of security architecture is its standardisation, which makes it affordable. Security architecture is cost-effective due to the re-use of controls described in the architecture.
- Form: Security architecture is associated with IT architecture; however, it may take a variety of forms. It generally includes a number of conventional controls in addition to relationship diagrams, principles, and so on.

There are four approaches.

How: Approach 1, Open Enterprise Security Architecture (O-ESA)

It gives a comprehensive overview of the key security issues, principles, components, and concepts underlying architectural decisions that are involved when designing effective enterprise security architectures. It does not define a specific enterprise security architecture, and neither is it a "how to" guide to design one, although in places it does indicate some of the "how".

How: Approach 2, Secure Collaboration-Oriented Architectures (O-SCOA)

This framework specifies the requirements for secure design of enterprise IT architectures that support de-perimeterized operations. This collates all the Secure COA Requirements Papers, along with the Jericho Forum Commandments (design principles). It specifies all the essential components required for architecting secure systems for deployment in de-perimeterized environments; i.e., without depending on securing the corporate perimeter.

How: Approach 3, SABSA security architecture approach

This White Paper documents an approach to enhance the TOGAF Enterprise Architecture methodology with the SABSA security architecture approach and thus create one holistic architecture methodology. This White Paper is intended to guide enterprise and security architects in fully integrating security and risk management into enterprise-level architectures, to stimulate review comments and inform the global architecture community of proposed new content from the SABSA perspective.

How: Approach 4, Architecture Risk Assessment

Evaluates the business influence of vital business assets, and the odds and effects of vulnerabilities and security threats.

How: To achieve and support secure design

Architects need to:
- Interact with senior stakeholders across departments, reaching and influencing a wide range of people across larger teams and communities
- Research and apply innovative security architecture solutions to new or existing problems
- Develop vision, principles and strategy for security architects for one project or technology
- Work out subtle security needs and understand the impact of decisions, balancing requirements and deciding between approaches
- Produce particular patterns and support quality assurance, acting as the point of escalation for architects below them
- Identify responsibility for leading the technical design of systems and services, and be able to justify and communicate these design decisions
- Recommend security controls and identify solutions that support a business objective
- Provide specialist advice and recommend approaches across teams and various stakeholders
- Communicate widely with other stakeholders
- Advise on key security related technologies and assess the risk associated with proposed changes
- Inspire and influence others to execute security principles

How: Roles & Responsibility of Enterprise Architect

Enterprise Architects maintain the organisational abstract view, with a primary objective to ensure that the technology landscape is aligned to the strategic, operational and tactical goals of the organisation.
- Strategic input into the technology roadmaps of the organisation: shape, form and stabilise.
- Insight: understanding the deficiencies of both products and services deployed in the technology landscape.
- Influence decision makers on technology investment, current and future.
- Provide systems consultancy, guidance and assurance to large programmes.
- Review and assure Solution Designs produced both internally and by 3rd party suppliers.
- Ensure that governance mechanisms such as review boards, principles etc. are maintained and supported.
- Police the standards through Project and Programme engagement.
- Represent the organisation with 3rd parties, for example Systems Integrators and Standards Bodies.
- Understand the impact of the introduction of new technology into the technology landscape of the organisation.

How: An example of Technical Security

The term Public Key Infrastructure (PKI) is used to describe the processes, technologies and practices that are required to provide a secure infrastructure. A PKI could provide the following:
- Authentication: This can be defined as a means of identification. PKI offers this through digital certificates.
- Non-repudiation: The basis of non-repudiation is that the sender cannot disown any information sent at a later time. Non-repudiation ensures that there is a trustworthy means of ensuring ownership of an electronic document. PKI offers non-repudiation through digital signatures.
- Confidentiality: This can be defined as the secure transmission of information over networks, ensuring that it is not accessed by unauthorised individuals. PKI ensures confidentiality through use of encryption algorithms.
- Integrity: The concept of data integrity is that data should not be altered or modified in any way while traversing the network. Integrity of data is ensured by message hashing.
- Access Control: The idea of access control is to ensure that only people with the required security privileges are allowed access to information. PKI ensures access control through public and private key pairs.
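The integrity and non-repudiation items above, worked through as an added example (not from the original slides): a bare hash sent with a message detects change only while the digest itself is trustworthy, whereas a signature over the hash ties the message to the private-key holder. The key pair is textbook RSA without padding over two small Mersenne primes, and the message is constructed; both are assumptions for illustration and unsuitable for production use.

```python
import hashlib

# Toy key pair built from two Mersenne primes: far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (n, e)
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held only by the signer

def digest(message: bytes) -> int:
    """SHA-256 of the message, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def hash_only_check(message: bytes, attached_digest: int) -> bool:
    """Integrity check using a bare hash that travels with the message."""
    return digest(message) == attached_digest

def sign(message: bytes) -> int:
    """Only the private-key holder can compute this value."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Anyone holding the public key (n, e) can check the signature."""
    return pow(signature, E, N) == digest(message)

def demo() -> dict:
    original = b"PO-1001: pay supplier 500 GBP"   # constructed message
    tampered = b"PO-1001: pay supplier 900 GBP"   # altered in transit
    signature = sign(original)
    return {
        # A digest obtained out of band still exposes the change.
        "hash_detects_change": not hash_only_check(tampered, digest(original)),
        # If the digest travels with the message, both can be replaced together.
        "hash_passes_when_digest_replaced": hash_only_check(tampered, digest(tampered)),
        "signature_accepts_original": verify(original, signature),
        # Without the private key no matching signature can be produced.
        "signature_rejects_tampered": not verify(tampered, signature),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```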

When: Architecture and Security

When do you think?
- Initial Concept
- Business Case / Initial Scoping
- Initial Review
- Business Analysis / Detailed Scoping
- Design
- Business Review
- Build
- Benefits Review
- Organisational Review
- Training
- Deployment
- Post Deployment Review