As a fresh Security Architect you may wonder: What is information security architecture all about?
Enterprise information security architecture (EISA) is about using a methodology to create or modify an organization’s security processes and information security systems. The objective is to fulfill the requirements for information security in your organization as well as the business goals and strategic direction.
The security architecture ensures that services are properly managed, delivered and supported in addition to meeting the needs of the business.
Frameworks, standards and methodologies
There are many tools for you to use in your day-to-day work as a security architect. The trick is to choose what suits your situation best and combine methodologies and frameworks in a way that meets your needs but won’t make the process more complex than necessary.
SABSA is a popular methodology for developing business-driven, risk and opportunity focused security architectures at the enterprise level. It can be adapted for use in projects but also for use with cloud architecture.
SABSA ensures that the needs of your Enterprise are met completely and that security services are designed delivered and supported as an integral part of your business and IT management infrastructure. Although copyright protected, SABSA is an open-use methodology, not a commercial product.
SABSA is comprised of a series of integrated frameworks, models, methods and processes, used independently or as an holistic integrated enterprise solution, including:
- Business Requirements Engineering Framework (known as Attributes Profiling)
- Risk and Opportunity Management Framework
- Policy Architecture Framework
- Security Services-Oriented Architecture Framework
- Governance Framework
- Security Domain Framework
- Through-life Security Service Management & Performance Management Framework
SABSA does not replace ITIL or ISO 27001 or NIST, but rather incorporates them into a holistic vew of the enterprise architecture.
NIST has a comprehensive cybersecurity framework consisting of three main components: Core, Implementation Tiers and Profiles. The Framework Core provides a set of activities using common language that is easy to understand. The Core guides organizations in managing their cybersecurity risks in a way that complements an organization’s existing risk management processes.
The Framework Implementation Tiers provides context on how an organization views cybersecurity risk management. The Tiers guide organizations in building their cybersecurity programs and are often used as a communication tool to discuss risk appetite, mission priority, and budget.
Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.
The NIST CSF framework can successfully be used for cloud security architecture. See the introductory video to find out how.
ISO/IEC 27001 is widely known, providing requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
Cloud Security Alliance (CSA) CCM
The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing, composed of 197 control objectives. These are organized in 17 domains covering all aspects of the cloud technology. It can be used as an assessment tool for a cloud implementation, and provides information about which security controls should be implemented by the cloud customer or provider. The controls in the CCM are mapped against industry-accepted security standards, regulations, and control frameworks including but not limited to: ISO 27001/27002/27017/27018, NIST SP 800-53,
All these frameworks can be combined and used together in a structured way. By using SABSA as the main methodology, you can incorporate NIST CSF, ISO 27001 and CSA CCM into your architecture artifacts for different architectural layers. However, is important that your tailor the methodology to your own organizations use and incorporate the framework your consider most appropriate for your business needs.
I hope you have gotten at least a few answers to the question: What is information security architecture? Follow the links in the article to read more about the frameworks and mehtodology. Feel free to post a comment or question below.
Are you interested in learning more about cloud security architecture? Please consider taking the comprehensive course.