
UNIVERSITI TEKNOLOGI MALAYSIA

FINAL EXAMINATION SEMESTER II, 2012/13

SUBJECT CODE : MCS 2453
SUBJECT NAME : SECURITY ARCHITECTURE & MODEL
COURSE : MC
DURATION : Take Home Exam
DATE : June 1*+,, 2013
VENUE : SEMINAR HALL, LVL 1 Block N2/"
FULL MARK : 20 marks

INSTRUCTION:
1. Plan your answers properly.

This examination paper consists of 2 printed pages INCLUDING this page

GOOD LUCK

Part III - Case Study Questions

INSTRUCTION: Answer all questions:

You are given an article that explains security planning using the Zachman framework for the enterprise before the final exam. You have already studied the detailed description of the security perspective of all the players of an enterprise, or the individual rows of the Zachman Framework. You should also be able to analyze the relationship of the rows, which represent the perspectives of different players in the process, with the columns, which represent aspects of the process, from the given framework. Referring to the given article titled "The Zachman Framework, the Owner's Perspective & Security", you need to analyse the Zachman Framework for Healthcare Informatics Standards given and propose a simple document for the CEO of the related Healthcare Organization that discusses the details of the owner's perspective and the security & owner perspective point of view. (20 marks)

Introduction
Frameworks help people organize integrated models of their enterprises. Several popular frameworks have been used to architect enterprises, such as the Department of Defense Architecture Framework (DoDAF) and the Federal Enterprise Architecture Framework (FEAF). The Zachman framework is an Enterprise Architecture framework; it is a unique approach to providing a logical understanding of the ever-increasing size and complexity of information systems. In the given article, the Zachman Framework "Enterprise Architecture" is described in general as a whole. The authors discuss the rows and columns that map the perspectives and aspects of an Enterprise respectively. They then focus on the 2nd Row, which discusses the Owner's Perspective. According to Zachman (2003), the owners of the system are the recipients (customers, users) of the end product (Enterprise, house, software). The authors consider the owners to be the business people who run the organization. The article discusses the Rules of the framework and how it is possible to accept security as part of the framework without contradicting Rule #1, which says "Do Not Add Rows or Columns to the Framework". They made no change to the nature of the framework itself. They kept it at 6 Rows x 6 Columns and emphasized the need for the security requirement for business. In fact, in today's world security must not be underestimated. However, the only way that someone can make security part of the "Enterprise Architecture" is by making security a supplement to the framework, which does not contradict any rule.

Zachman Framework, the Owner's Perspective

The second row, "Row 2", in the Zachman framework depicts the Owner's perspective. The owners of the business are those who run it. The Owner's perspective represents the viewpoint of the owners of the system. Usually, they provide more details about business-specific things. Like each perspective of the Zachman Framework, the Owner's perspective has 6 different aspects. According to Zachman, "WHY", "WHEN", "WHO", "WHAT", "HOW", and "WHERE" provide a complete understanding of the subject.

Applying the Zachman Framework to a Healthcare Organization, each aspect is described as below:

In the first column, "WHY", the Owner identifies and describes the means to quantify individual healthfulness and the business objectives of a health care delivery organization. The Owner also defines enterprise-wide standards in order to have full control over the quality of Healthcare services. The Owner provides a standard method for quantifying the value of individual healthfulness and its contribution to organizations.

In the second column, "WHEN", the Owner determines the order and timing for the processes of fundamental health care services in a care delivery organization. Typically this is the place where the Owner defines "what activities could occur in what sequence". It is called the 'Organization Calendar'. Here the Owner may provide a standardized process modeling methodology or a conceptual process model which could be a standard for a group of similarly functioning care delivery organizations.

In the third column, "WHO", the Owner identifies and defines the roles of individuals participating in health care delivery in an organization. Here clear distinctions between working units are materialized into various departments. Basically, this aspect addresses the human resources within the enterprise by creating an organization chart. This chart provides a standardized workflow modeling method, or a specification which could be a standard for similarly operating care delivery organizations.

In the fourth column, "WHAT", the Owner defines and describes the essential types of information required for operation of a care delivery organization. The comprehensive list of these data points provides a standard method for semantic description, and a narrative or conceptual data model usable for health care delivery.

In the fifth column, "HOW", the Owner identifies and describes the fundamental health care, management and support activities in a care delivery organization. Essentially, this is where the Owner defines the Healthcare delivery process. The Owner may provide a standardized activity modeling methodology or a conceptual activity model standardized for organizations which operate in an essentially identical manner.

In the last column, "WHERE", the Owner specifies and describes the layout of health care facilities and their interconnection. This leads to the most critical "communication" part of the business. The Owner must consider various scenarios before defining the layout for the health care facilities and their interconnection.

Zachman Framework, the Owner's Perspective & Security


Now that the Healthcare Enterprise Architecture has been discussed from the Owner's Perspective, we would like to discuss the same perspective with security as a supplementary part of it. Each aspect of the Owner's perspective will be presented again, but this time with security embedded within it.

WHY
In this column the Owner identifies and describes the means to quantify individual healthfulness and the business objectives of a health care delivery organization. This defines a logical reasoning for business decisions. The security here should be able to validate these decisions and should properly quantify individual healthfulness. It should also be able to mitigate in case of failures.

WHEN
In this aspect the Owner determines the order and timing for the processes for fundamental health care services in a care delivery organization. This timing is called the 'Company Calendar'. The security here is to make sure the Healthcare services are delivered with tolerable time delay. In some cases there may be no tolerable time delay. However, this level of assurance should be able to assess the risk associated with each time line and mitigate those risks in worst cases.

WHO
In this aspect the Owner identifies and defines the roles of individuals participating in health care delivery in an organization. Here clear distinctions between working units are materialized into various departments. Thus, the security here is that every department in the Healthcare Organization should have a distinct level of access to data. However, a Healthcare Organization is only as strong as its structure. Therefore, this affects the access control and the authorization of "WHAT", the robustness of "HOW", and the logistics between Healthcare departments in the "WHERE" column.

WHAT
This aspect should classify the Healthcare data in three levels: Highly Sensitive, Sensitive, and Public. Highly Sensitive data is only available to a few people. For example, in the Healthcare Organization, Highly Sensitive data, such as laboratory tests, is only available to the patient's doctors. The doctors need to know these details about their patient in order to provide proper treatment. On the other hand, a nurse or a doctor's secretary does not need to know the data at this level. The nurse, for instance, can be classified as Sensitive and can therefore view Sensitive data. A secretary may only view the personal info of the patient and his appointments with the doctor; hence this data can be classified as Public. However, based on these categories there should be an approach or mechanism to impose these classifications. Therefore, various security services were introduced. These services include, but are not limited to: authorization, access control, non-repudiation, confidentiality, integrity, and availability.

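The three-level classification described under WHAT, enforced in code as an added example (not part of the exam paper or the referenced article). The field names, user ids, the `medications` field labelled Sensitive, and the deny-by-default handling of unknown roles and unlabelled fields are assumptions for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 1
    SENSITIVE = 2
    HIGHLY_SENSITIVE = 3

# Role clearances as described in the WHAT aspect.
ROLE_CLEARANCE = {"secretary": Level.PUBLIC, "nurse": Level.SENSITIVE,
                  "doctor": Level.HIGHLY_SENSITIVE}

# Field labels. "medications" as Sensitive is an assumption; the page names no Sensitive field.
FIELD_LEVEL = {"personal_info": Level.PUBLIC, "appointments": Level.PUBLIC,
               "medications": Level.SENSITIVE, "lab_results": Level.HIGHLY_SENSITIVE}

def visible_fields(user, record):
    """Return (view, denied): fields the user may read and the names withheld."""
    clearance = ROLE_CLEARANCE.get(user["role"])   # unknown role -> None -> sees nothing
    treating = user["id"] in record["care_team"]
    view, denied = {}, []
    for name, value in record["data"].items():
        level = FIELD_LEVEL.get(name)              # unlabelled field -> None -> denied
        allowed = (
            clearance is not None
            and level is not None
            and level <= clearance
            # Highly Sensitive data goes only to the patient's own doctors.
            and (level < Level.HIGHLY_SENSITIVE or treating)
        )
        if allowed:
            view[name] = value
        else:
            denied.append(name)
    return view, sorted(denied)

# Constructed sample record and users (not real data).
RECORD = {
    "care_team": {"dr_lim"},
    "data": {"personal_info": "Patient A", "appointments": ["2013-06-20"],
             "medications": ["metformin"], "lab_results": {"HbA1c": 7.1},
             "imported_note": "unlabelled field"},
}

if __name__ == "__main__":
    for uid, role in [("dr_lim", "doctor"), ("dr_tan", "doctor"), ("n1", "nurse"), ("s1", "secretary")]:
        print(uid, role, visible_fields({"id": uid, "role": role}, RECORD))
```

The returned `denied` list is what an audit trail would record, which supports the non-repudiation and confidentiality services named above.
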
HOW
In this aspect the Owner identifies and describes the fundamental health care, management and support activities in a care delivery organization. Essentially, this is where the Owner defines the Healthcare delivery process. Thus, securing the Healthcare delivery process will guarantee the strength of the process and will provide fail-safe measures. An example is the validation of the process of entering the health records of a patient. If the input is faulty, that is to say the health record for patient A was mistakenly entered for patient B, it is hard to validate the output from a process. Therefore, to handle such scenarios, defining access control and authorization on the process could help to modify the process, or the sequence of the process, securely and appropriately.

WHERE
In this aspect the Owner specifies and describes the layout of health care facilities and their interconnection. This leads to the most critical "communication" part of the business. This includes communication channels and logistics. The security here would mean there is no disconnection among Healthcare Organization layouts. It also implies physical security of Healthcare delivery locations and buildings under any conditions. For example, preventing facilities from being caught in a fire, and providing a sufficient source of oxygen to ensure that those in a critical situation are able to survive.

Reference
Zachman, J. (2003). The Zachman framework for enterprise architecture: Primer for enterprise engineering and manufacturing. John A. Zachman.
