FAQ for Security Architecture Program, last presented in Dallas, 2006

Contact Esther 

Abstract: Security Architecture Simplified

How to design a security process that integrates information asset protection with business requirements


The goal of a security architecture is to offer a blueprint for managing security that’s proactive, ahead of the curve.  Implemented properly, an organization no longer needs to fear the next threat, including whether they are compliant with new legislation.  We’ll review the essential elements of a security architecture with an emphasis on the “must haves”.  We’ll discuss how and why these fundamental elements get complicated and how to overcome the complexities and integrate these elements successfully in an existing organization.

This FAQ

Dallas, 2006, was the first presentation of this program and the materials in it.  I encouraged people to comment and follow up with questions; I’ll update this FAQ based on comments and questions received.  I also promised to post some references that may be otherwise difficult to find.  Please let me know what you think!


Security and Executive Ownership

The need to place responsibility at the ownership level of the company is a major theme in this presentation.  In addition to mentioning some of the classic regulations that require strong management and Board of Directors involvement, I mentioned an article on “Convergence of Enterprise Security Organizations” that offers strong support for this position.  This 16-page paper was funded by an international alliance that includes ASIS, ISACA and ISSA. 

Metrics

One need for metrics related to security is their use in quantitative risk analysis, primarily to determine the likelihood or probability of an adverse event.  In Dallas I mentioned a possible reference from the ASIS/ISACA/ISSA document on Convergence (see above), but the source didn’t prove to be useful for this purpose.  The resource, for what it’s worth, is FEMA’s National Incident Management System (NIMS). 


Another need for metrics arises from improving security practices over time and aligning them more tightly to business goals: to do that, it’s important to measure and evaluate current protections.  These metrics can be difficult to develop, and examples are hard to find. 


The Corporate Information Security Working Group (CISWG) offers a rare example in its “Report of the Best Practices and Metrics Teams”, from a Subcommittee of the Government Reform Committee, United States House of Representatives.  It defines best practices and gives example measurements for Boards of Directors, management and technical staff.

Abstract and links to document on AICPA site

Abstract and links to documents on educause web site 


NIST Special Publication 800-55 (about 100 pages) discusses security metrics, and a program for implementing them, in great detail.  Sample metrics are included.
