Enterprise Security Architecture


1

Preface

  • Benefits
  • The Evolution of Information Security
  • Information Security Literature
  • How to Use This Course
  • About the SABSA® Model
  • Relationship to Other Methods, Models and Standards
  • And Finally...
2

The Meaning of Security

  • The Cultural Legacy: Business Prevention
  • Measuring and Prioritising Business Risk
  • Information Security as the Enabler of Business
  • Adding Value to the Core Product
  • Empowering the Customers
  • Protecting Relationships and Leveraging Trust
  • To Summarise: What Does ‘Security’ Mean?
3

The Meaning of Architecture

  • The Origins of Architecture
  • Managing Complexity
  • Information Systems Architecture
  • Enterprise Security Architecture
  • Why Architectures Sometimes Fail to Deliver Benefit – and How to Avoid that Fate
  • Security Architecture Needs a Holistic Approach
  • To Summarise: What Does Architecture Mean?
4

Security Architecture Model

  • The SABSA® Model
  • The Architect’s View
  • The Designer’s View
  • The Builder’s View
  • The Tradesman’s View
  • The Facilities Manager’s View
  • The Inspector’s View
  • The SABSA® Matrix
  • Detailed SABSA® Matrix for the Operational Layer
  • To Summarise: The Security Architecture Model
5

Case Study

  • Intergalactic Banking and Financial Services Inc
  • Interviews at IBFS
  • To Summarise: IBFS Inc
6

A Systems Approach

  • The Role of Systems Engineering
  • Why a Systems Approach?
  • What Does the Systems Approach Make You Do?
  • The Need for Systems Engineering in Security Architectures
  • Some Basic Concepts
  • The Control System Concept
  • Using the Systems Approach in Security Architecture
  • Case Study
  • Advanced Modelling Techniques
  • To Summarise: A Systems Approach
7

Measuring Return on Investment in Security Architecture

  • What Is Meant by ‘Return on Investment’?
  • Why Do You Need Metrics?
  • The Security Management Dashboard
  • The Balanced Scorecard Approach
  • Business Drivers and Traceability
  • Business Attributes and Metrics
  • Setting Up a Metrics Framework
  • Maturity Models Applied to Security Architecture
8

Using This Course as a Practical Guide

  • Using the SABSA® Model to Define a Development Process
  • Strategy and Concept Phase
  • Design Phase
  • Implementation Phase
  • Manage and Measure Phase
  • To Summarise: How to Use This Course as a Practical Guide
9

Managing the Security Architecture Programme

  • Selling the Benefits of Security Architecture
  • Getting Sponsorship and Budget
  • Building the Team
  • Getting Started: Fast Track™ Workshops
  • Programme Planning and Management
  • Collecting the Information You Need
  • Getting Consensus on the Conceptual Architecture
  • Architecture Governance and Compliance
  • Architecture Maintenance
  • Long-Term Confidence of Senior Management
  • To Summarise: Managing the Security Architecture Programme
10

Contextual Security Architecture

  • Business Needs for Information Security
  • Security As a Business Enabler
  • Digital Business
  • Operational Continuity and Stability
  • Safety-Critical Dependencies
  • Business Goals, Success Factors and Operational Risks
  • Operational Risk Assessment
  • Business Processes and Their Need for Security
  • Organisation and Relationships Affecting Business Security-Needs
  • Location Dependence of Business Security Needs
  • Time Dependency of Business Security Needs
  • To Summarise: Contextual Security Architecture
11

Conceptual Security Architecture

  • Conceptual Thinking
  • Business Attributes Profile
  • Control Objectives
  • Security Strategies and Architectural Layering
  • Security Entity Model and Trust Framework
  • Security Domain Model
  • Security Lifetimes and Deadlines
  • Assessing the Current State of your Security Architecture
  • To Summarise: Conceptual Security Architecture
12

Logical Security Architecture

  • Business Information Model
  • Security Policies
  • Security Services
  • Application and System Security Services
  • Security Management Services
  • Entity Schema and Privilege Profiles
  • Security Domain Definitions and Associations
  • Security Processing Cycle
  • Security Improvements Programme
  • To Summarise: Logical Security Architecture
13

Physical Security Architecture

  • Business Data Model
  • Security Rules, Practices and Procedures
  • Security Mechanisms
  • User and Application Security
  • Platform and Network Infrastructure Security
  • Control Structure Execution
  • To Summarise: Physical Security Architecture
14

Component Security Architecture

  • Detailed Data Structures
  • Security Standards
  • Security Products and Tools
  • Identities, Functions, Actions and ACLs
  • Processes, Nodes, Addresses and Protocols
  • Security Step-Timing and Sequencing
  • To Summarise: Component Security Architecture
15

Security Policy Management

  • The Meaning of Security Policy
  • Structuring the Content of a Security Policy
  • Policy Hierarchy and Architecture
  • Corporate Security Policy
  • Policy Principles
  • CA and RA Security Policies
  • Application System Security Policies
  • Platform Security Policies
  • Network Security Policies
  • Other Infrastructure Security Policies
  • Security Organisation and Responsibilities
  • Security Culture Development
  • Outsourcing Strategy and Policy Management
  • To Summarise
16

Operational Risk Management

  • Introduction to Operational Risk Management
  • Regulatory Drivers for Operational Risk Management
  • The Complexity of Operational Risk Management
  • Approaches to Risk Assessment
  • Managing Operational Risk
  • Risk Mitigation
  • Risk-Based Security Reviews
  • Risk Financing
  • The Risk Management Dashboard
  • To Summarise
17

Assurance Management

  • Assurance of Operational Continuity
  • Organisational Security Audits
  • System Security Audits
  • System Assurance Strategy
  • Functional Testing
  • Penetration Testing
  • To Summarise
18

Security Administration and Operations

  • Introduction to Security Management and Administration
  • Managing the People
  • Managing Physical and Environmental Security
  • Managing ICT Operations and Support
  • Access Control Management
  • Compliance Management
  • Security-Specific Operations
  • Managed Security Services
  • Product Evaluation and Selection
  • Business Continuity Management
  • To Summarise
A

Appendix A: List of Acronyms
