The Role of Security and Privacy

Course Overview
This course covers the role of security and privacy as part of an EA program and
architecture. Security is one of the vertical "threads" that has an
impact at all levels of the EA framework. The enterprise's Security
and Privacy Program is described in four basic parts: information
security, personnel security, operational security, and physical
security.
Course Objective
• Understand the role of security and privacy in the EA program
• Understand the role of security and privacy in managing risk
• Understand the balance between information sharing and protection
• Understand the eight basic elements of a security framework
• Understand the parts of an example Security and Privacy Plan
Course Contents
• Introduction
• Risk Management and Security/Privacy
• Drivers and Threats
• Creating an Integrated Set of Controls
• The Security and Privacy Program/Plan
• Key Elements of the Security and Privacy Program
• Summary
Introduction … (1)
• The role of security and privacy within an EA program is best
described as a comprehensive set of controls that pervade all
architectural domains and are a key part of an organization’s risk
management strategy
• One can think of this as a vertical thread that weaves through all
levels of the architecture
• The thread metaphor is used because security and privacy are
most effective when they are integral to the enterprise’s strategic
initiatives, business services, information flows, applications, and
technology infrastructure.
Risk Management &
Security/Privacy … (1)
• Effective security and privacy controls should operate
throughout the architecture and reflect a comprehensive
and integrated risk management solution for the
enterprise.
• This is implemented through a Security and Privacy
Program comprising eight areas that are implemented
and maintained in the context of an enterprise-wide EA
and risk management strategy: Governance,
Operations, Personnel, Workflow, Information,
Applications, Infrastructure, and Physical.
Risk Management &
Security/Privacy … (2)
Drivers and Threats
• Drivers for managing risk come primarily from an enterprise’s
need to integrate processes/systems and share information.
• Purpose of the Risk Management Strategy: finding the right
balance point in each area of an enterprise
• Threats to security: fires, floods, earthquakes, accidents,
terrorism, hackers, disgruntled employees, runaway technologies,
and unintentional mistakes
• The best way to address security and privacy is to build a set of
controls/solutions within and around key business and
technology resources and services.
• These controls provide an integrated set of risk-adjusted security
solutions in response to physical, personnel, and operational
threats to the proper functioning of EA components
Creating an Integrated Set of
Controls
• Created by including security considerations in the planning,
design, implementation, and operation of all EA components and
artifacts.
• Security and privacy controls should also be a consideration in
business process reengineering and improvement activities, and
should be a requirement for the design of information flows
• Security and privacy should also be key checklist items when
making acquisition decisions for systems, hardware, software, and
support services at the Systems/Services level and the Technology
Infrastructure level of an architecture.
• Security and privacy controls should function to reduce or
eliminate external and internal threats.
The Security and Privacy
Program/Plan … (1)
• Intended to provide expertise, processes, and solutions for the
protection of IT resources active in the business and technology
operating environment.
• Supports the EA by providing requirements for standards and
procedures that are used in the planning and implementation of EA
components and artifacts.
• Looks at all possible sources of threat, including threats to the
source and validity of information, control of access to the
information, and threats to the physical environment where IT
resources are located.
• Also provides Standard Operating Procedures (SOPs) that help to
organize and improve the development and certification of new
systems, the operation of legacy systems, and the response to
security incidents.
The Security and Privacy
Program/Plan … (2)
• Should be managed by a specialist in this field, and increasingly
enterprises are establishing positions for an Information Systems
Security Manager (ISSM).
• The ISSM should have business and IT operating experience in addition
to training in the various elements of IT security.
• The ISSM should report to the CIO and work collaboratively with the
Chief Architect to ensure that EA component and artifact design,
implementation, and operational activities have effective security as a
requirement.
• The ISSM should also be responsible for the development,
implementation, and maintenance of the enterprise's Security and
Privacy Plan, in alignment with the Risk Management Plan and the EA.
• The Security and Privacy Plan should provide the security-related
policies and procedures for the documentation, testing, certification,
accreditation, operation, and disposal of EA components and artifacts at
all levels of the EA framework.
Example Security and Privacy Plan
Format
Key Elements of the Security and
Privacy Program
• Information Security
• Personnel
• Operations
• Physical Protection
Program #1: Information Security
• In the area of information security, the Security and
Privacy Program should promote:
• Security and privacy-conscious designs
• Information content assurance
• Source authentication
• Data access control
Information Security: Design
• These are the physical and logical systems analysis and
design activities that look at data structure, relationships,
and flows
• Security and privacy issues in this area affect the Business
Process and the Information Flow levels of the
architecture
Information Security: Assurance
• This is the protection of information content from being
altered unintentionally or by an unauthorized source
• Controlling the access to information significantly
contributes to assuring the integrity of that information.
• Security and privacy issues in this area mainly affect the
Business Process and the Information Flow levels of the
architecture
Information Security: Authentication
• This refers to being able to verify the source of
information.
• It is often important to know, without a doubt,
who it was that created or manipulated
information.
• Some enterprises are using digital signatures and
a Public Key Infrastructure (PKI) to be able to
authenticate someone’s handling of information
• Security and privacy issues in this area affect all
levels of the architecture
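The Assurance and Authentication slides above ask for two checks on a piece of information: that its content has not been altered, and that its claimed source really produced it. A digital signature answers both at once. The following is an added example, not code from the course or the textbook it is based on; it uses Go's standard-library Ed25519 implementation and assumes a hypothetical Author type whose public key the verifier already trusts (the certificate and PKI distribution side is not modelled here).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Author is a hypothetical information producer holding a PKI-style key pair.
// Only the public key is handed to verifiers; in a real deployment it would be
// distributed and trusted through the enterprise's PKI (certificates), which
// this example does not model.
type Author struct {
	Name    string
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewAuthor generates a fresh Ed25519 key pair for the named author.
func NewAuthor(name string) (*Author, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Author{Name: name, Public: pub, private: priv}, nil
}

// Sign produces a detached signature over the information content.
func (a *Author) Sign(content []byte) []byte {
	return ed25519.Sign(a.private, content)
}

// Verify checks a record against the public key of its claimed author. A true
// result establishes both properties the slides ask for: the content was not
// altered since signing (assurance) and it was signed by the holder of the
// claimed key (source authentication). A false result means one or both
// failed; the verifier cannot tell which, so the record is simply rejected.
func Verify(claimed ed25519.PublicKey, content, sig []byte) bool {
	if len(claimed) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false // malformed input is a failed check, not a panic
	}
	return ed25519.Verify(claimed, content, sig)
}

// Demo signs a constructed purchase-order record and then runs three checks:
// the genuine record, a copy whose quantity was edited after signing, and the
// same record signed by a different key but presented as the original author's.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	alice, err := NewAuthor("alice")
	if err != nil {
		return false, false, false, err
	}
	mallory, err := NewAuthor("mallory")
	if err != nil {
		return false, false, false, err
	}

	record := []byte("PO-1001: ship 250 units to warehouse B") // constructed sample
	sig := alice.Sign(record)

	genuine = Verify(alice.Public, record, sig)

	altered := []byte("PO-1001: ship 2500 units to warehouse B") // one digit changed
	tampered = Verify(alice.Public, altered, sig)

	forged := mallory.Sign(record) // right content, wrong signer
	wrongKey = Verify(alice.Public, record, forged)

	return genuine, tampered, wrongKey, nil
}

func main() {
	g, t, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```

Only the genuine record verifies; the edited copy and the record signed by a different key are both rejected. Which key the verifier is handed is the whole point of the PKI: if an attacker can substitute their own public key for the claimed author's, the signature check proves nothing, which is why key distribution and certificate validation belong in the same program area as the signatures themselves.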
Information Security: Access
• This focuses on who can access information within the enterprise
and how that access is managed
• Some applications use what is called “user rights and permissions”
to limit the extent of access that a particular user has.
• There are often several levels of rights and permissions, including:
normal user; super user; and system administrator.
• The system administrator level of access often enables unrestricted
use of a system, application, or database; as such, it has a high
level of security interest and should be monitored closely.
• Security and privacy issues in this area mainly affect the
Information Flow, Systems/Services, and Technology Infrastructure
levels of the architecture.
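The slide above describes tiered "user rights and permissions" and says administrator-level use should be monitored closely. The following is an added example, not code from the course or the textbook it is based on, of how an application can enforce those tiers and produce the audit trail that monitoring needs. The operation names, the permission table and the three sample accounts are constructed for the example; the design decisions are that unknown users and operations fail closed, and that every denial and every administrator-level action is recorded.

```go
package main

import (
	"fmt"
	"time"
)

// Level models the rights-and-permissions tiers the slide names; a higher
// value carries strictly more rights.
type Level int

const (
	NormalUser Level = iota
	SuperUser
	SystemAdministrator
)

// requiredLevel is a hypothetical permission table for a records application:
// each operation maps to the minimum level allowed to perform it.
var requiredLevel = map[string]Level{
	"read_record":   NormalUser,
	"update_record": SuperUser,
	"export_all":    SystemAdministrator,
	"drop_table":    SystemAdministrator,
}

// AuditEntry is one monitored access decision.
type AuditEntry struct {
	When    time.Time
	User    string
	Level   Level
	Op      string
	Allowed bool
}

// AccessController holds the user-to-level assignments and the audit trail.
type AccessController struct {
	users map[string]Level
	audit []AuditEntry
}

func NewAccessController(users map[string]Level) *AccessController {
	return &AccessController{users: users}
}

// Authorize decides whether user may perform op. Unknown users and unknown
// operations fail closed. Two kinds of decision are written to the audit
// trail: every denial, and every action taken at system-administrator level,
// since the slide singles out that level as needing close monitoring.
func (ac *AccessController) Authorize(user, op string) (bool, error) {
	lvl, ok := ac.users[user]
	if !ok {
		return false, fmt.Errorf("unknown user %q", user)
	}
	need, ok := requiredLevel[op]
	if !ok {
		ac.record(user, lvl, op, false)
		return false, fmt.Errorf("unknown operation %q", op)
	}
	allowed := lvl >= need
	if !allowed || lvl == SystemAdministrator {
		ac.record(user, lvl, op, allowed)
	}
	return allowed, nil
}

func (ac *AccessController) record(user string, lvl Level, op string, allowed bool) {
	ac.audit = append(ac.audit, AuditEntry{time.Now(), user, lvl, op, allowed})
}

// Audit returns a copy of the full audit trail (denials plus admin actions).
func (ac *AccessController) Audit() []AuditEntry {
	return append([]AuditEntry(nil), ac.audit...)
}

// AdminActions filters the trail down to what a monitoring review reads
// first: everything done under a system-administrator account.
func (ac *AccessController) AdminActions() []AuditEntry {
	var out []AuditEntry
	for _, e := range ac.audit {
		if e.Level == SystemAdministrator {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	// Constructed sample accounts, one per tier.
	ac := NewAccessController(map[string]Level{"bob": NormalUser, "carol": SuperUser, "root": SystemAdministrator})
	for _, r := range [][2]string{{"bob", "read_record"}, {"bob", "drop_table"}, {"carol", "update_record"}, {"root", "export_all"}} {
		ok, err := ac.Authorize(r[0], r[1])
		fmt.Printf("%s %s -> allowed=%v err=%v\n", r[0], r[1], ok, err)
	}
	for _, e := range ac.AdminActions() {
		fmt.Printf("ADMIN AUDIT %s %s by %s\n", e.When.Format(time.RFC3339), e.Op, e.User)
	}
}
```

Routine normal- and super-user successes are deliberately not logged, so the trail stays small enough that the administrator entries and the denials stand out when reviewed; an enterprise that wants a complete record would log every decision and filter at review time instead.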
Program #2: Personnel
• In the area of personnel security, the Security and Privacy
Program should promote:
• User Authentication
• Awareness Training
• Procedures Training
Personnel: User Authentication
• The verification of the identity of employees, contractors, and
others who use the enterprise's facilities, systems, and other
resources.
• Technologies that can help in this area include personal passwords,
smart cards, identification badges, and biometrics.
• Security and privacy issues in this area mainly affect the Systems
/Services and Technology Infrastructure levels of the architecture
Personnel: Awareness Training
• Security and privacy awareness training should be provided to all
of the enterprise's end-users and system administrators
• IT awareness training should be repeated annually to reinforce
compliance
• Security and privacy issues in this area affect all levels of the
architecture.
Personnel: Procedures Training
• Security and privacy procedures training should be provided to
end-users and system administrators to build proficiency in
avoiding security breaches, recognizing threats, and reacting to
security incidents
• Procedures training should be repeated annually or as follow-up
to significant security upgrade actions or incidents.
• Security and privacy issues in this area mainly affect the
Systems/Services and Technology Infrastructure levels of the
architecture.
Program #3: Operations
• In the area of operations security, the Security and
Privacy Program should promote:
• Risk assessment
• Testing and evaluation
• Vulnerability remediation
• Certification and accreditation
• Standard Operating Procedures (SOPs)
• Disaster recovery
• Continuity of Operations
Operations: Risk Assessment
• EA components at different levels of the architecture have different
security risks.
• Strategic risks include not promoting IT security if the enterprise is
information-centric, not identifying desired outcomes and enabling
initiatives, and not providing sufficient resources for the IT Security
Program.
• Business process risks include activities that expose information,
applications, and/or the technology infrastructure to unauthorized
access and manipulation
• Information risks center on the protection of the source and
integrity of data.
• Support application and infrastructure risks include corruption
and/or disablement.
• Security and privacy issues in this area affect all levels of the
architecture
Operations: Testing & Evaluation
• This is the testing of EA components or integrated groups of EA
components in order to identify security or privacy vulnerabilities
• Testing is performed on the hardware, software, and procedures
of each EA component as well as auditing security-related
documentation
• Security and privacy issues in this area affect all levels of the
architecture
Operations: Vulnerability Remediation
• This is the act of correcting any security or privacy vulnerabilities
found during EA component Testing and Evaluation.
• Remediation actions are based on an evaluation of the effect of the
vulnerability if it is left uncorrected
• This involves the selection of a security or privacy solution based on
the determination of an acceptable level of risk.
• Level of risk determinations take into consideration various
alternatives for corrective action and the cost and operational effect
of each alternative.
• Higher levels of protection often cost more and have a more intrusive
effect on business services.
• Security and privacy issues in this area affect all levels of the
architecture
Operations: Certification and
Accreditation
• This is the certification that all remediation actions have been
properly implemented for an EA component or integrated group
of EA components.
• Accreditation is the acceptance of component certification actions
by the appropriate executive (usually the CIO or ISSM) and the
issuance of a formal letter to operate that EA component in the
configuration in which it was tested and evaluated
• Security and privacy issues in this area affect all levels of the
architecture.
Operations: Standard Operating
Procedures
• The documentation of security and privacy SOPs is important to
ensuring that timely and effective action is taken by end-users and
system administrators when faced with an IT security incident
• SOPs also help in the training of new personnel
• Security and privacy issues in this area affect all levels of the
architecture
Operations: Disaster Recovery
• The assessment and recovery procedures for responding to
a man-made or natural event that significantly disrupts or
eliminates business and technology operations, yet does not
threaten the existence of the enterprise
• This includes sabotage, theft or corruption of resources,
successful large-scale hacker/virus attacks, building
damage, fire, flood, and electrical outages
• Two time-related aspects of disaster recovery need to be
immediately and continually evaluated: (1) the method for
recovery, and (2) the effect on mission accomplishment
• Security and privacy issues in this area affect all levels of
the architecture.
Operations: Continuity of Operations
• In this scenario, the enterprise is unable to conduct any
business or IT operations for a period of time.
• The recovery response is scripted in a Continuity of
Operations Plan (COOP) that identifies where, how, and
when business and IT functions would be restored.
• Security and privacy issues in this area affect all levels of
the architecture.
Program #4: Physical Protection
• In the area of physical protection, the Security and
Privacy Program should promote:
• Building security
• Network Operation Centers, Server Rooms, and Wiring Closets
• Cable Plants
Physical Protection: Building
Security
• This focuses on the control of personnel access to the
enterprise’s buildings where IT resources are used.
• Depending on the level of building security that is desired,
a perimeter around the building can be established with
barriers and/or monitoring
• Security and privacy issues in this area mainly affect the
Business Process and the Technology Infrastructure levels
of the architecture
Physical Protection: Network Operation
Centers, Server Rooms, and Wiring Closets
• This refers to the control of personnel access to those places
where EA components are physically located.
• This includes network operation centers, remote server
rooms, and wiring closets where voice, data, and video
cables and patch panels are located
• Access to the power and air-conditioning units that support
these rooms should also be controlled and monitored
• Security and privacy issues in this area mainly affect the
Business Process and the Technology Infrastructure levels of
the architecture
Physical Protection: Cable Plants
• This refers to the control of logical, physical, and personnel access
to the various types of fiber and copper cable that connect the
technology infrastructure together
• Unauthorized tapping is possible, so some level of protection is
recommended
• Security and privacy issues in this area mainly affect the Business
Process level and the Technology Infrastructure level of the
architecture
Summary
• This chapter provided an overview of the relationship of
security and privacy considerations to the EA program and
the documentation of EA components.
• The chapter also described the four key areas that should
be included in a Security and Privacy Program and Plan
that articulates and guides the design, implementation, and
use of protective controls for every EA component.
• In this way, an effective, risk-appropriate set of security and
privacy controls is created that encompasses the entire
architecture and penetrates each level of the
architecture.
Questions & Answers