Adaptive Enterprise Security Architecture

An overview of the SABSA methodology and its uses for Adaptive Enterprise Security Architecture.


  1. Adaptive Enterprise Security Architecture. John J. Czaplewski | Director of Professional Services | David Lynas Consulting, Ltd.
  2. We build, deploy and operate ... complex IT systems. (21 September 2016, David Lynas Consulting Ltd)
  3. Supported by ... often not-so-engineered security.
  4. Our technical security architectures focus on confidentiality, integrity and availability, and are becoming better and better at adapting to a dynamic threat environment.
  5. But our enterprises are concerned with much more.
  6. We need a framework and methodology for developing Adaptive Enterprise Security Architectures.
  7. SABSA: an internationally recognized methodology for:
     • Developing risk-driven enterprise information security and information assurance architectures
     • Delivering security infrastructure solutions that support and adapt to critical business initiatives
  8. SABSA:
     • Begins with developing an understanding of key enterprise business requirements
     • Transforms them into key business drivers for security
     • Engineers the real business attributes that provide the core supporting framework for an adaptive, living enterprise security architecture
     • Creates a chain of traceability from "Strategy & Planning" through "Design", "Implement" and ongoing "Manage & Measure" to ensure that the business mandate is preserved
  9. An Adaptive Enterprise Security Architecture requires a comprehensive set of frameworks, models and methods.
  10. An Adaptive Enterprise Security Architecture frames and structures all aspects of enterprise security.
  11. An Adaptive Enterprise Security Architecture manages all aspects of enterprise security.
  12. An Adaptive Enterprise Security Architecture requires an Enterprise Security Architecture Governance Model. The model on the slide runs through four phases. The Accountable Domain Authority consults and reports performance to a Higher Domain Authority (superdomain, shareholders, regulators); Responsible Entities are informed of their responsibility and report performance and compliance with target back to the Accountable Domain Authority.
      Strategy & Planning (Accountable Domain Authority): develops strategy and plans; sets goals, objectives and expectations; sets performance targets; sets risk appetite; sets policy to meet objectives and targets.
      Design (Responsible Entities): design processes, design systems, design staffing model, design controls and enablers.
      Implement (transition): establish processes, implement systems, appoint and train people, establish controls and enablers.
      Manage & Measure (through-life assurance): manage processes and operations, manage people, manage systems; performance and risk monitoring against KPIs and KRIs.
  13. An Adaptive Enterprise Security Architecture defines Enterprise Security Architecture Capability Maturity Models. [Diagram: a maturity matrix with five levels (1 Unreliable, 2 Informal, 3 Defined, 4 Monitored, 5 Optimised) against the SABSA layers (Contextual, Conceptual, Logical, Physical, Component, Service Management), each layer rated per SABSA column (Assets, Motivation, Process, People, Location, Time); the individual cell ratings are not recoverable from the text.]
  14. An Adaptive Enterprise Security Architecture models domain roles and responsibilities. [Diagram: a Super Domain containing Domain A and its Subdomain, alongside an Impacted Peer Domain, an External Impacted Domain (customer) and an External Provider Domain (service provider). Domain A Consults (C) the impacted and peer domains to define policy and target, Informs (I) policy and target to the Responsible (R) domains, and Informs (I*) performance to the Super and Impacted domains.]
  15. An Adaptive Enterprise Security Architecture analyses threats and opportunities. The slide's risk context is two-sided, with the assets at risk in the centre:
      Negative side: threats lead to a loss event with negative outcomes. Overall likelihood of loss is built from the likelihood of the threat materialising and the likelihood of the weakness being exploited; overall loss value is built from asset value and negative impact value.
      Positive side: opportunities lead to a beneficial event with positive outcomes. Overall likelihood of benefit is built from the likelihood of the opportunity materialising and the likelihood of the strength being exploited; overall benefit value is built from asset value and positive impact value.
  16. An Adaptive Enterprise Security Architecture understands and communicates technical risk in business terms.
  17. An Adaptive Enterprise Security Architecture creates enterprise policy frameworks, layered by the SABSA architecture:
      Contextual: enterprise-wide business risk policy.
      Conceptual: policies for enterprise-wide risk and opportunity categories (finance risk, operational risk, environment risk, health & safety risk, information risk, etc.).
      Logical: policies for logical domains.
      Physical: procedures for physical domains.
      Component: standards for nodes, addresses and components.
  18. An Adaptive Enterprise Security Architecture aligns and integrates business requirements: business legislation, process engineering methods, business governance frameworks, business sector regulation and a total quality framework. It is the point of primary integration for any standard requiring measurable targets.
  19. An Adaptive Enterprise Security Architecture delivers top-down, end-to-end process security, with vertical security consistency across the layers and horizontal security consistency within each layer:
      Contextual: meta-processes.
      Conceptual: strategic view of process.
      Logical: information flows and transformations.
      Physical: data flows and system interactions.
      Component: protocols and step sequences.
  20. An Adaptive Enterprise Security Architecture derives business-linked security controls and enablers.
  21. An Adaptive Enterprise Security Architecture builds defence/strength-in-depth control and enablement strategies.
  22. An Adaptive Enterprise Security Architecture integrates controls frameworks and libraries: technical controls and management controls drawn from PCI, SOX, HIPAA, NIST, COBIT and ISO 27002.
  23. An Adaptive Enterprise Security Architecture develops re-usable operational risk management architectures: attributes with performance targets and risk appetite thresholds; risk assessment ratings for threat, opportunity, vulnerability and strength, with negative (-) and positive (+) impact; and an integrated controls and enablers library, MTCS-modelled, in which each Service is delivered by a Mechanism, realised by a Component and operated through an Activity (Service 1 / Mechanism 1 / Component 1 / Activity 1, and so on).
  24. An Adaptive Enterprise Security Architecture incorporates business-linked risk monitoring and reporting dashboards. Business requirements give business drivers for security, which give business attributes; the slide shows risk management attributes and legal/regulatory attributes such as Access-controlled, Accountable, Assurable, Enforceable, Compliant and Admissible.
  25. An Adaptive Enterprise Security Architecture ensures the enterprise security architecture lives.
  26. An Adaptive Enterprise Security Architecture:
      • Security is about mitigating threats AND enabling opportunities
      • Change the security conversation to focus on delivering value to the enterprise
      • Include security at the strategy and planning table
      • Develop enterprise security architecture that enables the enterprise to meet its mission, goals and objectives