Security Governance Flashcards
What are the goals of ISO/IEC 27000?
- Outlines how an information security management system (ISMS) should be built and maintained
- Goal: give organizations guidance on how to design, implement and maintain the policies, processes and technologies used to manage risks to sensitive information assets
- The standard was needed to centrally manage the various security controls deployed throughout an organization; with this standard, controls should no longer be managed in an ad hoc way
What are the components of Enterprise Architecture Development?
- A model for developing an enterprise architecture
- An organization has choices in how it attempts to secure its environment:
- Ad hoc approach: constantly putting out fires
- Managed approach: take the time to understand the environment and lay out the security requirements of the business environment
- Lets you understand the organization from different views and see how changes at one level affect the other levels
- Lets you understand everything that will need to change to support a new business function
- The architecture lets you view the organization as a complete organism and illustrates how a change to one internal component can directly affect another
What are the purposes of developing an Enterprise Security Architecture?
It guides the implementation of solutions to:
1. ensure business needs are met
2. provide standard protection across the environment
3. reduce the number of security surprises in the organization
Implementing an ESA is not the final solution to all security problems, but it reduces chaos and puts the organization in a proactive instead of reactive stance
What are the basics of Enterprise Architecture?
- Encompasses the essential and unifying components of an organization: it expresses the enterprise's structure (form) and behavior (function), and embodies the enterprise's components, their relationships to each other and their relationships to the environment
- Use a framework as a guideline for building the architecture that best fits the organization's needs; each organization starts from the same blueprint/framework/guideline and customizes it for its business
What steps are involved in developing an Enterprise Architecture?
- Identify stakeholders: the people who will look at and use the architecture
- Develop views: how the information most important to the different stakeholders will be illustrated in a useful manner
According to NIST, companies have several viewpoints:
- executives need to understand the company from a business point of view
- business process developers need to understand what types of information need to be collected to support business activities
- application developers need to know the structure of the data
All groups are looking at an architecture of the same organization; it is just presented from different perspectives
What is SMART?
S - Specific, M - Measurable, A - Actionable, R - Realistic, T - Timed
What is the Zachman Architecture Framework?
- Generic enterprise architecture model and framework; it is not security-specific, but it is commonly used as a template in information security
- Two-dimensional model built on the six basic communication interrogatives: who, what, where, how, when, why
- Based on the principles of classical business architecture, which contain rules that govern an ordered set of relationships
- Goal is to be able to look at the same organization from different perspectives: IT, executives, business, operations
- Different groups within a company need the same information, but presented in ways that directly relate to their responsibilities
What is TOGAF?
The Open Group Architecture Framework
- provides an approach to design, implement and govern an enterprise information architecture
- TOGAF can be used to develop the following architecture types:
1. Business architecture
2. Data architecture
3. Application architecture
4. Technology architecture
What are the characteristics of TOGAF?
TOGAF:
- creates the individual architecture types through its Architecture Development Method (ADM)
- ADM: an iterative method that allows requirements to be continuously reviewed and the individual architectures updated as required. The different architectures let a technology engineer understand the environment from four perspectives (business, application, data and technology), so that teams develop technology that works within the environment and all the components that make up that environment, and that meets business requirements
What are the military-oriented architecture frameworks?
DoDAF (Department of Defense Architecture Framework)
- enterprise architecture documentation required for US military procurement; MODAF, the British equivalent, is based on it
- the documentation illustrates how a proposed system will properly integrate into the current infrastructure
- the focus of DoDAF is on command, control, communications, computers, intelligence, surveillance and reconnaissance (C4ISR) systems and processes
- it is important that different devices communicate using the same protocols, use interoperable software components and use the same data definitions
What is MODAF?
Ministry of Defence Architecture Framework (British). Based on DoDAF; its goal is to get data in the right format to the right people at the right time
How do you determine which Enterprise Architecture framework is correct for your organization?
- start with the stakeholders' requests. The architecture needs to represent the organization and be useful to the people who understand it best
- architects need to design systems that reflect business needs and represent the design from each individual's perspective; if people need to understand the organization from a business, technology or security perspective, the design needs to be presented in those views
- one difference between the various architecture frameworks is what type of information they provide and how they provide it
What is Enterprise Security Architecture?
Enterprise Security Architecture defines the information security strategy, which consists of layers of solutions, processes and procedures and the way they are linked across the organization
- strategically, tactically and proactively
What are the characteristics of Enterprise Security Architecture (ESA)?
- A rigorous and comprehensive method for describing the structure and behavior of all the components that make up a holistic ISMS
- Reasons to develop an ESA:
a. ensure that security efforts align with business practices in a standardized and cost-effective way
b. the architecture works at an abstract level and provides a frame of reference; it also allows organizations to better achieve interoperability, integration, ease of use, standardization and governance
What are the indicators/components of an Enterprise Security Architecture?
- Security is not in silos throughout the organization
- Continuous communication between senior management and security staff
- No redundant products purchased for overlapping security needs
- Security policies are implemented and enforced; user access policy and controls are centralized and monitored
- No "one-off" efforts take place; standard procedures for information security must be followed
- Business managers are aware of their security responsibilities and how those responsibilities map to legal and regulatory requirements
- Sensitive data is defined in policy, protected with controls and monitored; enterprise-wide solutions are implemented
- Security governance is in place and the organization is viewed in a standardized and holistic way
How is an ESA implemented?
- place one person in charge of a team that develops a phased ESA rollout, with goals to integrate technology-oriented and business-centric security processes, link administrative, technical and physical controls to properly manage risks, and integrate these processes into the organization's culture
- organizations often do not implement an ESA because they do not understand it and it seems overwhelming
Define Sherwood Applied Business Security Architecture (SABSA)
SABSA: a layered ESA framework similar to Zachman, with the first layer defining business requirements from a security perspective
- Each layer of the framework decreases in abstraction and increases in detail, so each builds on the one above it and the framework moves from policy to the practical implementation of technical solutions
- Goal is to provide a chain of traceability through the contextual, conceptual, logical, physical, component and operational layers; questions to be answered at each layer:
- what are you trying to do at this layer? the assets to be protected by the security architecture
- why are you doing it? the motivation for wanting to apply security
- how are you trying to do it? the functions needed to achieve security at this layer
- who is involved? the people and organizational aspects
What are SABSA characteristics?
Sherwood Applied Business Security Architecture
more questions:
- where are you doing it? the locations where you are applying security
- when are you doing it? the time-related aspects of security
What is SABSA?
SABSA (Sherwood Applied Business Security Architecture)
- a framework and methodology for enterprise security architecture and service management
- because it is a framework, it provides a structure from which individual architectures are built
- because it is a methodology, it provides the processes to follow to build the architecture
What is the SABSA Lifecycle Model?
SABSA provides a lifecycle model so that the architecture can be constantly monitored and improved over time
What are 4 critical components of SABSA?
Strategic Alignment
Business Enablement
Process Enhancements
Security Effectiveness
What is Strategic Alignment (SABSA component)?
Strategic Alignment: business drivers and regulatory and legal requirements are being met by the enterprise security architecture. Security efforts must provide and support an environment that allows an organization not only to survive but to thrive
Technologies are tools that support the goals; therefore IT security should support the business and its strategic objectives
What is Business Enablement (SABSA component)?
- each organization exists for one or more purposes: a publicly traded company, to increase shareholder value;
a non-profit, to further a specific cause; a government, to provide services to citizens
- companies and organizations do not exist for the sole purpose of being secure, so security cannot stand in the way of business processes
- Business enablement means the core business processes are integrated into the security operating model; they are standards-based and follow risk tolerance criteria
What is Process Enhancement (SABSA component)?
Re-engineering processes
- an organization that is serious about securing its environment will take a close look at the business processes that take place on an ongoing basis: continuous improvement (plan, do, check, act)
- typically business processes are duplicated and manual, but process re-engineering can streamline and automate these processes for increased efficiency and ROI
- process re-engineering should be integrated throughout to allow security to be built into daily operations