The roots of our "security program" came from the United Kingdom in 1995. The British Standard 7799 (BS7799) is the outline we use for our information security management system (ISMS). There was a strong need for centralization because so many different security controls had been developed by different organizations. BS7799 actually has two parts: part one outlines control objectives and how to achieve those objectives, and part two outlines how a security program is set up and maintained. BS7799 covers a wide range of topics, including:
1. Information security policy for the organization
2. Creation of information security infrastructure
3. Asset classification and control
4. Personnel security
5. Physical and environmental security
6. Communication and operations management
7. Access control
8. System development and maintenance
9. Business continuity management
10. Compliance
When organizations around the world needed to develop an internal security program, all they had to go by was BS7799. Therefore, there was a strong need to globally standardize BS7799.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) took on the role of globally standardizing BS7799. ISO is the world's largest developer and publisher of international standards. ISO and IEC went through and modularized the different components of the ISMS and came up with the ISO/IEC 27000 series. ISO follows the Plan-Do-Check-Act (PDCA) cycle, an iterative process that is used in business process quality control programs. Plan establishes objectives and makes plans, Do deals with the implementation of the plan, Check measures results to understand whether objectives are met, and Act guides you on how to improve the plans to better achieve success.
Enterprise Architecture Development:
An enterprise security architecture is the guide used when implementing solutions to ensure that business needs are met. An enterprise security architecture also provides standard protection across the environment and reduces unknown risks. The advantage of having an enterprise architecture is that it allows you not only to understand the company from different views, but also to understand how a change that takes place at one level will affect items at other levels as well.
To develop an architecture, the first step is to identify stakeholders. Stakeholders are the individuals who will be looking at and using the architecture. The next step is to develop the views: how the information important to each group of stakeholders will be illustrated in the most useful manner.
Zachman Architecture Framework:
The Zachman framework is a two-dimensional model that uses six basic communication interrogatives (What, How, Where, Who, When, and Why) intersecting with different viewpoints (Planner, Owner, Designer, Builder, Implementer, and Worker) to give an understanding of the enterprise. This framework was developed in the 1980s on the basis of the principles of classical business architecture, and the goal was to be able to look at the same organization from different views.
You can find more information about the Zachman Architecture Framework at: https://www.zachman.com/.
The Open Group Architecture Framework (TOGAF):
TOGAF has its origins in the U.S. Department of Defense, and it is used to develop architecture types such as Business, Data, Applications, and Technology Architecture.
This method is an iterative and cyclic process that allows requirements to be continuously reviewed and the individual architectures to be updated as needed. Several other architectures discussed in the book include:
- Department of Defense Architecture Framework (DoDAF)
- British Ministry of Defense Architecture Framework (MODAF)
- Enterprise security architecture
- Sherwood Applied Business Security Architecture (SABSA)