Enterprise Architecture and Information Security
•Descargar como PPTX, PDF•
6 recomendaciones•2,439 vistas
A thinking tool to ask and describe the alignment requirements of business, information, technology and security to improve and secure the management of process, data, application and infrastructure of performance.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (20)
Similar a Enterprise Architecture and Information Security
Similar a Enterprise Architecture and Information Security (20)
Más de John Macasio
Más de John Macasio (20)
Último
Último (20)
Enterprise Architecture and Information Security
- 1. Information Security & Enterprise Architecture
- 2. Is information security built-in or add-on in the plan, design and execution of information and communication systems?
- 3. Information Security Requirements INFORMATION MANAGEMENT INFORMATION SECURITY Confidentiality Integrity Availability 1. Create 2. Store 3. Utilize 4. Share 5. Dispose
- 4. ENTERPRISE ARCHITECTURE INFORMATION SECURITY ENTERPRISE ARCHITECTURE INFORMATION SECURITY PRINCIPLES LEGAL TECHNICAL GOVERNANCE PROCESS DATA APPLICATION TECHNOLOGY
- 5. ENTERPRISE • "Enterprise" is an entity defined and organized to create value • The value creation is structured to be composed of product, services, people, location, performance, function, process, data, application, technology, infrastructure and providers. johnmacasio@gmail.com
- 6. ARCHITECTURE • Speaks of drawn model to describe the holistic and particular view of the system in actualizing the “value” defined for the organization. • Blueprint which define the baseline of common and differentiated information on how the system is organized and expected to behave to actualize the mandate, mission, principles, vision, goals, objectives and performance. johnmacasio@gmail.com
- 7. Need for Enterprise Architecture johnmacasio@gmail.com
- 8. Need for Enterprise Architecture johnmacasio@gmail.com
- 9. Need for Enterprise Architecture johnmacasio@gmail.com
- 10. Need for Enterprise Architecture johnmacasio@gmail.com
- 11. Need for Enterprise Architecture johnmacasio@gmail.com
- 12. Need for Enterprise Architecture johnmacasio@gmail.com
- 13. Need for Enterprise Architecture johnmacasio@gmail.com
- 14. Need for Enterprise Architecture johnmacasio@gmail.com
- 15. Need for Enterprise Architecture johnmacasio@gmail.com
- 16. VALUE OF ENTERPRISE ARCHITECTURE “You are going to do architecture, because without architecture, you cannot do any of these things: • Alignment • Integration • Change • Reduced Time-to-Market -John Zachman Enterprise Architecture Framework johnmacasio@gmail.com
- 17. VALUE OF ENTERPRISE ARCHITECTURE ALIGNMENT • Enterprise architecture provides the framework to enable better alignment of business and information technology objectives. The architecture used can also serve as a communication tool.
- 18. VALUE OF ENTERPRISE ARCHITECTURE INTEGRATION • Enterprise architecture establishes the infrastructure that enables business rules to be consistently applied across the organization, documents data flows, uses and interfaces.
- 19. VALUE OF ENTERPRISE ARCHITECTURE VALUE CREATION • Enterprise architecture provides better measurement of information technology economic value in an environment where there is a higher potential for reusable hardware and software assets
- 20. VALUE OF ENTERPRISE ARCHITECTURE CHANGE MANAGEMENT • Enterprise architecture establishes consistent infrastructure and formalizing the management of the infrastructure and information assets better enables an organization-wide change management process to be established to handle information technology changes
- 21. VALUE OF ENTERPRISE ARCHITECTURE COMPLIANCE • Enterprise architecture provides the artifacts necessary to ensure legal and regulatory compliance for the technical infrastructure and environment. - Schekkerman, J. (2005). Trends in Enterprise Architecture, Institute for Enterprise ArchitectureDevelopment
- 22. ENTERPRISE ARCHITECTURE DOMAIN TECHNOLOGY INFRASTRUCTURE INFORMATION DATA & APPLICATION BUSINESS FUNCTIONS PROCESS & POLICIES ORGANIZATION & STAKEHOLDERS MANDATE VISION GOALS PROGRAMS 1. Intention 2. Business 3. Information 4. Technology johnmacasio@gmail.com
- 23. ARCHITECTURE DOMAINS 1. BUSINESS ARCHITECTURE Definition of the business strategy, governance, organization, and key business processes of the enterprise 2. APPLICATION ARCHITECTURE Provision of functional blueprint for the individual application system to be deployed, the interaction between application system, and their relationship to the core business processes of the enterprise johnmacasio@gmail.com
- 24. ARCHITECTURE DOMAINS 3. DATA ARCHITECTURE Structural definition of the logical and physical data assets of the enterprise, and the associate data management resources. 4. TECHNOLOGY ARCHITECTURE Definition of the hardware, software and network infrastructure to support the deployment of core and mission-critical applications. It includes description of technology standards and methodology. johnmacasio@gmail.com
- 25. ENTERPRISE ARCHITECTURE COMPONENTS IN ICT SERVICES USE CASE APPLICATION SYSTEM DATA SERVICES APPLICATION SERVICES CONNECTIVITY SERVICES USERS ACCESS BUSINESS PROCESSES MEMBERSHIP COLLECTION BENEFITS ACCREDITATION DATA ELEMENTS DATABASE SYSTEM NETWORK INFRASTRUCTURE POINT OF PRESENCE CUSTOMER CLIENTS PROVIDERS SUPPLIERS johnmacasio@gmail.com
- 26. E Membership Collection Benefits Accreditation CUSTOMER RELATIONSHIP MANAGEMENT ENTERPRISE RESOURCE PLANNING Planning Audit Risks Legal/Policy ENTERPRISE PERFORMANCE MANAGEMENT Finance Human Resource Assets Facilities Technology DATA APPLICATION BUSINESS PROCESS TECHNOLOGY INFRASTRUCTURE CASE: BUSINESS INFORMATION SYSTEM INTEGRATION VIEW INFORMATION SECURITY E N T E R P R I S E A R C H I T E C T U R E johnmacasio@gmail.com
- 27. SUCCESS COMPONENTS OF INFORMATION SYSTEM Agency Citizen DeLone and McLean Model johnmacasio@gmail.com
- 28. Enterprise Architecture Information Security Questions Information Security Principles Information Security Risks Information Security Methodology BUSINESS FUNCTION PROCESS BUSINESS DATA & APPLICATION BUSINESS TECHNOLOGY INFRASTRUCTURE ENTERPRISE INFORMATION SECURITY johnmacasio@gmail.com Information Security Governance NETWORKED INFORMATION SUPPLIER & CUSTOMER
- 29. Information Security Means… Information Security Confidentiality Availability Integrity Secrecy, Privacy and Authority Accurate, Complete and Reliable Accessible, Immediate and Uptime johnmacasio@gmail.com
- 30. johnmacasio@gmail.com Information Insecurity Means… StolenMisrepresented Breached Information is not secure when something is Misused IncompleteUnauthorized Compromised Denied
- 31. CASE: HEALTH INSURANCE INFORMATION SECURITY MEMBERSHIP MANAGEMENT COLLECTION MANAGEMENT BENEFITS MANAGEMENT ACCREDITATION MANAGEMENT payment identification claims certification johnmacasio@gmail.com
- 32. CASE: HEALTH INSURANCE INFORMATION SECURITY FINANCIAL MANAGEMENT PERSONNEL MANAGEMENT ASSET MANAGEMENT LEGAL MANAGEMENT johnmacasio@gmail.com
- 33. CASE: HEALTH INSURANCE INFORMATION SECURITY AUDIT MANAGEMENT STRATEGY MANAGEMENT RISK MANAGEMENT PROJECT MANAGEMENT johnmacasio@gmail.com
- 34. CASE: HEALTH INSURANCE INFORMATION SECURITY INFRASTRUCTURE MANAGEMENT NETWORK MANAGEMENT APPLICATION MANAGEMENT DATA MANAGEMENT johnmacasio@gmail.com
- 35. Mitigating Information Security Risk Information Security Risk Mitigation Assessment Policy Governance Technology johnmacasio@gmail.com Why Who What How
- 36. Security Policy Requirement Governance •Functional Organization •Roles and Responsibilities Competencies •Knowledge, Skills and Attitudes Requirements •Training Program and Certification Process •Business Workflow, Procedures and Rules •Risk Audit and Control Procedures Data Infrastructure •Acceptable Use •Data Management •Risk Audit and Control Procedures •Infrastructure Management •Sourcing & Procurement •Risk Audit and Control Governance Guidance and Implementation Competency Reference and Assessment Functions Process Models and Control Guidance Data and Application Security Models and Acceptable Use Physical Configuration Network Models Service Sourcing Trusted Technology Acceptable Use No Need to Reinvent the Wheel 1. Recognize security needs & question 2. Find the fitted practitioner standards 3. Apply standards to real life condition 4. Assess and improve the practice johnmacasio@gmail.com Governance Competency Process Data Infrastructure
- 37. Information Security Risk Assessment Information Asset Inventory (Information Systems) Risk Mitigation Treatment Prevention Impact Rating of Vulnerability Identification Vulnerability Threat Source johnmacasio@gmail.com 1. Organization 2. Process 3. Data 4. Application 5. Infrastructure
- 38. What it means to secure information… 1. Establish the governance and management organization of information security that comply to best practice standards. johnmacasio@gmail.com
- 39. What it means to secure information… 2. Identify the information assets, and perform the assessment of vulnerabilities and threats that surround the creation, storage, use and sharing of information. johnmacasio@gmail.com
- 40. What it means to secure information… 3. Develop, document and implement policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability in the person, process, data, application and infrastructure of information. johnmacasio@gmail.com
- 41. What it means to secure information… 4. Evaluate, acquire and use security management tools to classify data and risk, to audit information system, to assess and analyze risks in the solution development and infrastructure, to monitor and control areas of vulnerabilities. and implement security controls and appropriate reactive responses to threats. johnmacasio@gmail.com
- 42. Basic Security Steps Authorized Access Device Integrity Data Exchange Protocol Monitoring & Audit Network Hardening Service Agreements Information Systems Security Standards Risk Assessment & Policies Security Services User Training johnmacasio@gmail.com
- 43. CHANGE… 1. We can only evaluate that which is measurable 2. We can only test that which is agreed. 3. We can only improve that which is actualized. 4. We can only change that which is established. johnmacasio@gmail.com
Notas del editor
- Manual re-keying Manual re-keying might not be the biggest cost companies pay from bad architecture, but it’s certainly the most obvious one. Hiring human beings to serve as the interface engine connecting incompatible applications isn’t just expensive; it’s de-humanizing.
- Collection of point solutions Everyone wants their work supported by a “best of breed” solution. Define “their work” too narrowly, though, and everyone has to visit so many applications to get their work done that there isn’t enough time to get their work done. Meanwhile, unless IT spends a lot of time building interfaces to connect all of these point solutions, you’re back to re-keying again.
- Redundant applications Every business application solves business problems. Solving business problems is good, so solving them more than once must be even better, right? Of course not, and yet a lot of companies keep lots of redundant applications around, either because they overlap but still have a few unique areas they support, or because they’ve grown through mergers and acquisitions but aren’t very good at integrating everyone into one business after the papers have been signed. Either way, the money spent to support all of this redundancy is pure waste.
- Redundant data Very often, different applications need the same information to get their jobs done. You have two choices: Point them all to the same underlying database, which isn’t always possible, or synchronize their separate databases, which is often pretty messy. Or there’s always that manual re-keying option....
- Too many interfaces When you have redundant data and you decide to keep it synchronized, you need to build an interface. Even if you don’t, you often have to feed one system with results from a different one. Either way, the more systems and databases you have, the more interfaces you end up building. It’s better than not having them, but as they accumulate, your architecture becomes more and more fragile, and you spend more and more time managing the interfaces instead of building new functionality.
- Faux-elegant integration So you decide to solve your interface dilemma with an elegant enterprise application integration system, or a services bus, or some other form of middleware-plus-metadata that keeps everything clean. And then, your developers figure two things out: (1) what your cool new system does is make solving the easy problems even easier; and (2) it doesn’t solve the hard problems at all. So instead of arguing with you, they rebuild the same old spiderweb of interfaces, but hide it inside the EAI system so you don’t know about it.
- Kludges and workarounds Maybe you were competing with an outside developer who lowballed a project. Maybe the business sponsor insisted on too short a deadline. Or maybe building a solution well would have ruined the business case for the project. Whatever the reason, you wake up one day to discover a lot of your systems are held together with Band-Aids, chewing gum, and duct tape. If you’re lucky, nobody will notice until after you leave or retire.
- Obsolete technology It’s mission-critical! It satisfies the business need perfectly! What do you mean you have to spend money to maintain it? When you’ve built something on a version of Visual Basic that Microsoft hasn’t supported in a decade, that can’t read and write from any version of SQL Server that isn’t at least seven years old, and the only versions of Windows they’ll run on don’t have drivers for any of the printers you have in production -- that’s what you mean. You have to spend money to maintain it.
- White papers You see a bunch of warning signs. You organize an enterprise technical architecture management group. You hire an expert or two. And their productivity is enormous. Enormous, that is, if you measure productivity in terms of the number of white papers they publish. Changing how work gets done in IT? Of course they’ll change it. So long, that is, as everyone reads their white papers, admires their business, and follows their instructions.
- Confidentiality: This means that information is only being seen or used by people who are authorized to access it. Integrity: This means that any changes to the information by an unauthorized user are impossible (or at least detected), and changes by authorized users are tracked. Availability: This means that the information is accessible when authorized users need it.