CISSPills #3.03

DOMAIN 3: Information Security Governance and Risk Management

Uploaded by pierluigi-falcone, posted on 21-Jun-2015


DESCRIPTION

CISSPills are short presentations covering topics to study in preparation for the CISSP exam. CISSPills is a digest of my notes; it is not meant to replace a study book, only to be just another companion for self-paced students. Every issue covers different topics of the CISSP CBK, and the goal is to address all 10 domains that compose the CISSP. IN THIS ISSUE: Domain 3: Information Security Governance and Risk Management - Enterprise Architectures - Enterprise Security Architectures - Capability Maturity Model Integration (CMMI)

TRANSCRIPT

Page 1: CISSPills #3.03

DOMAIN 3: Information Security Governance and Risk Management (#3.03)

Page 2: Table of Contents

- Enterprise Architectures
- Enterprise Security Architectures
- Capability Maturity Model Integration (CMMI)

Page 3: Enterprise Architectures

Security can be implemented on an ad hoc basis, or by first trying to understand the environment it will fit into. The second approach makes it possible to build an overarching framework that aligns the Business and Information Security, so that they work together effectively.

It is worth bearing in mind that Information Security needs to uphold and co-operate with the existing processes and procedures of an Organisation; it is therefore important to understand the elements that make up the Company and the relationships among them.

An architecture is a conceptual representation aimed at easing the understanding of a complex entity, such as an Organisation, by splitting it into chunks that are simpler to 'digest'.

Page 4: Enterprise Architectures (cont'd)

An enterprise architecture encompasses the essential and unifying components of an Organisation, outlining their relationships to each other and to the environment.

When developing an architecture, it is important to identify:

- Stakeholders: the people with an interest in looking at the architecture;
- Views: a way of providing stakeholders with the information they need, presented in a fashion they can understand.

By using views, different stakeholders can look at the same organisation from a perspective related to their own tasks.

Architectures allow the company to be understood from different points of view, and they also show how a change at one level could impact the others.

Page 5: Enterprise Architectures (cont'd)

There are several frameworks that can be used to build an enterprise architecture, and none of them is suitable for every situation.

When choosing a framework, it is important to understand who will need to look at the architecture (stakeholders) and what information needs to be shown (views).

The main differences among enterprise architecture frameworks are the type of information they provide and the way it is presented. Examples are:

- Zachman Architecture Framework: a two-dimensional model that uses 6 communication interrogatives (what, how, where, who, when and why), intersected with 6 viewpoints (Planner, Owner, Designer, Builder, Implementer and Worker). It allows the same organisation to be looked at from different views;
- TOGAF (The Open Group Architecture Framework): provides a framework to design, implement and govern an enterprise architecture. It allows 4 different architectures to be developed (Business, Data, Application and Technology), which in turn allow the organisation to be understood from 4 different views.

Page 6: Enterprise Security Architectures

An enterprise security architecture is a subset of an enterprise architecture. It defines how the information security strategy (consisting of solutions, processes and procedures) links together at the strategic (long-term), tactical (short-term) and operational (day-to-day) levels across the Enterprise.

It describes the structure and behaviour of all the components that make up a Security Program, and allows security to align with the Business in a cost-effective way by integrating security processes and controls (administrative, technical and physical) into the IT infrastructure, the business processes and the organisation's culture.

Sherwood Applied Business Security Architecture (SABSA) is an enterprise security architecture framework and methodology. It is a two-dimensional model, like the Zachman framework, where 6 layers (Contextual, Conceptual, Logical, Physical, Component and Operational) intersect 6 questions (Assets (What), Motivation (Why), Process (How), People (Who), Location (Where) and Time (When)). Each layer decreases in abstraction, moving from policy down to practical implementation.

Page 7: Enterprise Security Architectures (cont'd)

To be successful, an enterprise security architecture must provide:

- Strategic alignment: technology is not the Business's mission, but a tool that enables organisations to carry out their own business. It is important that technology supports the Business without being an obstacle; the two need to work together to be effective;
- Business enablement: again, organisations exist to do business, so technology must be beneficial to that process, facilitating and not interfering with the Business;
- Process enhancement: implementing security means taking a closer look at some of the existing processes, and this sometimes allows them to be improved;
- Security effectiveness: applying safeguards and defining processes and policies is not enough. Security needs to be measurable in order to understand whether the controls put in place are effective. Metrics, Service Level Agreements (SLAs) and balanced scorecards are ways to measure how security is performing.

Page 8: Capability Maturity Model Integration (CMMI)

CMMI is a model for defining a pathway aimed at accomplishing structured, incremental improvements.

Security programs involve processes, technologies, people, etc.; simply put, security programs involve the organisation as a whole, so it is not always easy or feasible to implement a mature ISMS (Information Security Management System) from the outset. It is often more feasible to follow an incremental improvement approach, which increases the maturity of the security program over several iterations.

CMMI can be used to define the starting point (where the program is) and the target (where the program needs to be), and then to define a pathway with intermediate stages that allow the security program to evolve from one maturity level to the next.

It is important to understand that security programs have no end date: they are iterative processes that need to be continuously evaluated and improved.

Page 9: That's all Folks!

We are done, thank you for your interest! I hope you have enjoyed these pills as much as I have had fun writing them.

For comments, typos, complaints or whatever you want, drop me an e-mail at:

cisspills <at> gmail <dot> com

More resources:

- Stay tuned for the next issues;
- Join "CISSP Study Group Italia" if you are preparing for your exam.

Brought to you by Pierluigi Falcone. More info about me at