[Slide 1]
Information Security & Enterprise Architecture
[Slide 2]
Is information security built-in or add-on in the plan, design and execution of information and communication systems?
[Slide 3]
Information Security Requirements
(Diagram: the information management lifecycle set against the three information security requirements.)
INFORMATION MANAGEMENT: 1. Create 2. Store 3. Utilize 4. Share 5. Dispose
INFORMATION SECURITY: Confidentiality, Integrity, Availability
[Slide 4]
ENTERPRISE ARCHITECTURE / INFORMATION SECURITY
(Diagram: the enterprise architecture layers crossed with the information security dimensions.)
ENTERPRISE ARCHITECTURE: Process, Data, Application, Technology
INFORMATION SECURITY: Principles, Legal, Technical, Governance
[Slide 5]
ENTERPRISE
• "Enterprise" is an entity defined and organized to create value.
• The value creation is composed of product, services, people, location, performance, function, process, data, application, technology, infrastructure and providers.
[Slide 6]
ARCHITECTURE
• A drawn model that describes the holistic and particular views of the system in actualizing the "value" defined for the organization.
• A blueprint that defines the baseline of common and differentiated information on how the system is organized and expected to behave in order to actualize the mandate, mission, principles, vision, goals, objectives and performance.
[Slide 16]
VALUE OF ENTERPRISE ARCHITECTURE
"You are going to do architecture, because without architecture, you cannot do any of these things:
• Alignment
• Integration
• Change
• Reduced Time-to-Market"
- John Zachman, Enterprise Architecture Framework
[Slide 17]
VALUE OF ENTERPRISE ARCHITECTURE
ALIGNMENT
• Enterprise architecture provides the framework to enable better alignment of business and information technology objectives. The architecture used can also serve as a communication tool.
[Slide 18]
VALUE OF ENTERPRISE ARCHITECTURE
INTEGRATION
• Enterprise architecture establishes the infrastructure that enables business rules to be consistently applied across the organization, and documents data flows, uses and interfaces.
[Slide 19]
VALUE OF ENTERPRISE ARCHITECTURE
VALUE CREATION
• Enterprise architecture provides better measurement of information technology economic value in an environment where there is a higher potential for reusable hardware and software assets.
[Slide 20]
VALUE OF ENTERPRISE ARCHITECTURE
CHANGE MANAGEMENT
• Enterprise architecture establishes consistent infrastructure and formalizes the management of the infrastructure and information assets, which better enables an organization-wide change management process to be established to handle information technology changes.
[Slide 21]
VALUE OF ENTERPRISE ARCHITECTURE
COMPLIANCE
• Enterprise architecture provides the artifacts necessary to ensure legal and regulatory compliance for the technical infrastructure and environment.
- Schekkerman, J. (2005). Trends in Enterprise Architecture. Institute for Enterprise Architecture Development.
[Slide 22]
ENTERPRISE ARCHITECTURE DOMAIN
(Diagram: four stacked domains.)
1. Intention: Mandate, Vision, Goals; Programs; Organization & Stakeholders
2. Business: Functions, Process & Policies
3. Information: Data & Application
4. Technology: Infrastructure
[Slide 23]
ARCHITECTURE DOMAINS
1. BUSINESS ARCHITECTURE
Definition of the business strategy, governance, organization, and key business processes of the enterprise.
2. APPLICATION ARCHITECTURE
Provision of a functional blueprint for the individual application systems to be deployed, the interactions between application systems, and their relationship to the core business processes of the enterprise.
[Slide 24]
ARCHITECTURE DOMAINS
3. DATA ARCHITECTURE
Structural definition of the logical and physical data assets of the enterprise, and the associated data management resources.
4. TECHNOLOGY ARCHITECTURE
Definition of the hardware, software and network infrastructure to support the deployment of core and mission-critical applications. It includes descriptions of technology standards and methodology.
[Slide 25]
ENTERPRISE ARCHITECTURE COMPONENTS IN ICT SERVICES
(Diagram: component labels.)
• Use Case
• Business Processes: Membership, Collection, Benefits, Accreditation
• Users / Access
• Customers / Clients
• Providers / Suppliers
• Application System
• Application Services
• Data Services
• Data Elements
• Database System
• Connectivity Services
• Network Infrastructure
• Point of Presence
• Performance Metrics
• Quality of Service
[Slide 26]
CASE: BUSINESS INFORMATION SYSTEM INTEGRATION VIEW
(Diagram: business systems laid over the business process, data/application and technology infrastructure layers, framed by enterprise architecture and information security.)
• Core business: Membership, Collection, Benefits, Accreditation
• Business systems: Customer Relationship Management; Enterprise Resource Planning; Enterprise Performance Management
• Support functions: Planning, Audit, Risks, Legal/Policy; Finance, Human Resource; Assets, Facilities, Technology
• Layers: Business Process; Data / Application; Technology Infrastructure
• Cross-cutting: Information Security; Enterprise Architecture
[Slide 28]
Enterprise Architecture / Information Security
(Diagram: the information security views arranged around the enterprise architecture layers.)
• Information security views: Questions, Principles, Risks, Methodology, Governance
• Enterprise architecture layers: Business Function / Process; Business Data & Application; Business Technology Infrastructure
• Enterprise Information Security
• Networked information supplier & customer
[Slide 29]
Information Security Means…
• Confidentiality: Secrecy, Privacy and Authority
• Integrity: Accurate, Complete and Reliable
• Availability: Accessible, Immediate and Uptime
[Slide 30]
Information Insecurity Means…
Information is not secure when something is:
• Stolen
• Misrepresented
• Breached
• Misused
• Incomplete
• Unauthorized
• Compromised
• Denied
[Slide 31]
CASE: HEALTH INSURANCE INFORMATION SECURITY
(Diagram: each business function assessed against confidentiality, integrity and availability.)
• Membership Management (identification)
• Collection Management (payment)
• Benefits Management (claims)
• Accreditation Management (certification)
Assessed for: confidentiality, integrity, availability
[Slide 32]
CASE: HEALTH INSURANCE INFORMATION SECURITY
(Diagram: each management function assessed against confidentiality, integrity and availability.)
• Financial Management
• Personnel Management
• Asset Management
• Legal Management
Assessed for: confidentiality, integrity, availability
[Slide 33]
CASE: HEALTH INSURANCE INFORMATION SECURITY
(Diagram: each management function assessed against confidentiality, integrity and availability.)
• Audit Management
• Strategy Management
• Risk Management
• Project Management
Assessed for: confidentiality, integrity, availability
[Slide 34]
CASE: HEALTH INSURANCE INFORMATION SECURITY
(Diagram: each technology management function assessed against confidentiality, integrity and availability.)
• Infrastructure Management
• Network Management
• Application Management
• Data Management
Assessed for: confidentiality, integrity, availability
[Slide 35]
Mitigating Information Security Risk
(Diagram: information security risk mitigation rests on four pillars, answering the why, who, what and how.)
• Assessment
• Policy
• Governance
• Technology
[Slide 36]
Security Policy Requirements
Governance
• Functional Organization
• Roles and Responsibilities
Competencies
• Knowledge, Skills and Attitudes Requirements
• Training Program and Certification
Process
• Business Workflow, Procedures and Rules
• Risk Audit and Control Procedures
Data
• Acceptable Use
• Data Management
• Risk Audit and Control Procedures
Infrastructure
• Infrastructure Management
• Sourcing & Procurement
• Risk Audit and Control
Reference material for each area:
• Governance: Guidance and Implementation
• Competency: Reference and Assessment
• Functions / Process: Models and Control Guidance
• Data and Application: Security Models and Acceptable Use
• Infrastructure: Physical Configuration, Network Models, Service Sourcing, Trusted Technology, Acceptable Use
No Need to Reinvent the Wheel
1. Recognize security needs and questions
2. Find the fitted practitioner standards
3. Apply the standards to real-life conditions
4. Assess and improve the practice
[Slide 37]
Information Security Risk Assessment
(Diagram: the assessment flow over the asset inventory.)
Information Asset Inventory (Information Systems): 1. Organization 2. Process 3. Data 4. Application 5. Infrastructure
• Vulnerability Identification
• Threat Source
• Impact Rating of Vulnerability
• Risk Mitigation: Treatment, Prevention
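As an added worked example (not part of the deck, and not code from any project it describes), the assessment flow on this slide expressed as a small risk register in Python: an inventory across the five layers, a vulnerability with its threat source, an impact rating taken from the asset's confidentiality, integrity and availability ratings, and a treatment decision. The 1 to 5 scales, the likelihood times impact score, the treatment thresholds and the sample health-insurance assets are all assumptions chosen for the illustration. It also handles the failure mode the inventory step exists to catch: a vulnerability reported against a system nobody has inventoried is rejected as a finding in its own right.

```python
"""Added example: a risk register following the slide's assessment flow
(inventory -> vulnerability -> threat source -> impact rating -> treatment).
Scales, thresholds and the sample data are assumptions, not the deck's."""
from dataclasses import dataclass

# The five inventory layers named on the slide.
LAYERS = ("Organization", "Process", "Data", "Application", "Infrastructure")


@dataclass(frozen=True)
class Asset:
    name: str
    layer: str
    confidentiality: int  # assumed 1..5: harm if this requirement is lost
    integrity: int
    availability: int


@dataclass(frozen=True)
class Vulnerability:
    asset: str          # must name an inventoried asset
    weakness: str
    threat_source: str  # who or what could exploit the weakness
    likelihood: int     # assumed 1..5


def validate_inventory(assets):
    """Reject assets outside the five layers, duplicates, or out-of-range ratings."""
    inventory = {}
    for a in assets:
        if a.layer not in LAYERS:
            raise ValueError(f"{a.name}: unknown layer {a.layer!r}")
        for rating in (a.confidentiality, a.integrity, a.availability):
            if not 1 <= rating <= 5:
                raise ValueError(f"{a.name}: rating {rating} outside 1..5")
        if a.name in inventory:
            raise ValueError(f"duplicate asset {a.name!r}")
        inventory[a.name] = a
    return inventory


def impact_rating(asset):
    """Impact of a weakness in this asset: the worst of its C, I and A ratings."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def risk_score(asset, vuln):
    """Assumed scoring: likelihood times impact, a 1..25 scale."""
    return vuln.likelihood * impact_rating(asset)


def treatment_for(score):
    """Assumed thresholds mapping a score to a treatment tier."""
    if score >= 15:
        return "prevent"  # remove the exposure before the system goes live
    if score >= 8:
        return "treat"    # apply a control and schedule verification
    return "monitor"      # accept for now, revisit at the next assessment


def assess(assets, vulns):
    """Build the register, highest risk first (ties broken by asset name)."""
    inventory = validate_inventory(assets)
    register = []
    for v in vulns:
        if v.asset not in inventory:
            # A weakness in an uninventoried system is itself a finding:
            # the inventory step has failed for that system.
            raise KeyError(f"{v.asset!r} is not in the asset inventory")
        a = inventory[v.asset]
        score = risk_score(a, v)
        register.append({
            "asset": a.name, "layer": a.layer, "weakness": v.weakness,
            "threat_source": v.threat_source, "impact": impact_rating(a),
            "likelihood": v.likelihood, "score": score,
            "treatment": treatment_for(score),
        })
    return sorted(register, key=lambda r: (-r["score"], r["asset"]))


# Constructed sample inventory for a health-insurance style system, one asset per layer.
SAMPLE_ASSETS = [
    Asset("Member registry", "Data", 5, 5, 3),
    Asset("Claims portal", "Application", 4, 4, 4),
    Asset("Core network", "Infrastructure", 3, 3, 5),
    Asset("Claims approval workflow", "Process", 2, 5, 2),
    Asset("Security steering committee", "Organization", 1, 2, 2),
]

# Constructed findings against those assets.
SAMPLE_VULNS = [
    Vulnerability("Member registry", "backups stored unencrypted", "lost or stolen media", 3),
    Vulnerability("Claims portal", "no login throttling", "credential abuse from the internet", 4),
    Vulnerability("Core network", "single upstream link", "link failure", 2),
    Vulnerability("Claims approval workflow", "no four-eyes check on payouts", "insider", 2),
    Vulnerability("Security steering committee", "no named owner for policy review", "policy drift", 4),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_ASSETS, SAMPLE_VULNS):
        print(f"{r['score']:>2} {r['treatment']:<8} {r['layer']:<15} {r['asset']}: {r['weakness']}")
```

Running the file prints the register with the claims portal (score 16) and the member registry (score 15) in the "prevent" tier and the remaining findings in "treat". The impact is deliberately the worst of the three CIA ratings rather than their sum, so an asset that is critical on only one requirement (the approval workflow on integrity, the core network on availability) is not diluted by low ratings on the others.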
[Slide 38]
What it means to secure information…
1. Establish the governance and management organization of information security that complies with best-practice standards.
[Slide 39]
What it means to secure information…
2. Identify the information assets, and perform the assessment of vulnerabilities and threats that surround the creation, storage, use and sharing of information.
[Slide 40]
What it means to secure information…
3. Develop, document and implement policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability in the person, process, data, application and infrastructure of information.
[Slide 41]
What it means to secure information…
4. Evaluate, acquire and use security management tools to classify data and risk, to audit information systems, to assess and analyze risks in solution development and infrastructure, to monitor and control areas of vulnerability, and to implement security controls and appropriate reactive responses to threats.
[Slide 42]
Basic Security Steps
• Authorized Access
• Device Integrity
• Data Exchange Protocol
• Monitoring & Audit
• Network Hardening
• Service Agreements
• Information Systems Security Standards
• Risk Assessment & Policies
• Security Services
• User Training
[Slide 43]
CHANGE…
1. We can only evaluate that which is measurable.
2. We can only test that which is agreed.
3. We can only improve that which is actualized.
4. We can only change that which is established.