Enterprise information security architecture
Enterprise information security architecture (EISA) is a part of enterprise architecture focusing on information security throughout the enterprise. The name implies a difference that may not exist between small/medium-sized businesses and larger organizations.
Overview
Enterprise information security architecture (EISA) is the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel, and organizational sub-units so that they align with the organization's core goals and strategic direction. Although often associated strictly with information security technology, it relates more broadly to the security practice of business optimization in that it addresses business security architecture, performance management, and security process architecture as well.
Enterprise information security architecture is becoming a common practice within financial institutions around the globe. The primary purpose of creating an enterprise information security architecture is to ensure that business strategy and IT security are aligned.[1] As such, enterprise information security architecture allows traceability from the business strategy down to the underlying technology.
Enterprise information security architecture topics
Positioning

Enterprise information security architecture was first formally positioned by Gartner in their whitepaper called “Incorporating Security into the Enterprise Architecture Process”.[2] This was published on 24 January 2006. Since this publication, security architecture has moved from being a silo-based architecture to an enterprise-focused solution that incorporates business, information and technology. The picture below represents a one-dimensional view of enterprise architecture as a service-oriented architecture. It also reflects the new addition to the enterprise architecture family called “Security”. Business architecture, information architecture and technology architecture used to be called BIT for short. Now with security as part of the architecture family, it has become BITS.
Methodology
The practice of enterprise information security architecture involves developing an architecture security framework to describe a series of "current", "intermediate" and "target" reference architectures and applying them to align programs of change. These frameworks detail the organizations, roles, entities and relationships that exist or should exist to perform a set of business processes. This framework will provide a rigorous taxonomy and ontology that clearly identifies what processes a business performs and detailed information about how those processes are executed and secured. The end product is a set of artifacts that describe in varying degrees of detail exactly what and how a business operates and what security controls are required. These artifacts are often graphical.
Given these descriptions, whose levels of detail will vary according to affordability and other practical considerations, decision-makers are provided the means to make informed decisions about where to invest resources, where to realign organizational goals and processes, and what policies and procedures will support core missions or business functions.
Implementing enterprise information security architecture generally starts with documenting the organization's strategy and other necessary details such as where and how it operates. The process then cascades down to documenting discrete core competencies, business processes, and how the organization interacts with itself and with external parties such as customers, suppliers, and government entities.
The enterprise information security architecture will document the current state of the technical security components listed above, as well as an ideal-world desired future state (Reference Architecture) and finally a "Target" future state which is the result of engineering tradeoffs and compromises vs. the ideal. Essentially the result is a nested and interrelated set of models, usually managed and maintained with specialised software available on the market.
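The traceability from business strategy down to technology, and the comparison of a "current" state against a "target" reference architecture, can be made concrete by keeping the architecture artifacts as machine-checkable data rather than only as diagrams. The following is an added illustration, not code from the article or from any of the frameworks it lists; the goals, requirements, controls and component names are constructed sample data, and the chain goal -> requirement -> control -> component is one simple way of modelling traceability, not a standard the page prescribes.

```python
"""Toy traceability and gap-analysis model for a security architecture.

Added illustration, not from the article. Business goals trace to security
requirements, requirements to controls, and controls to the technology
components that implement them. Each control is tagged with the state(s) in
which it exists so the "current" and "target" architectures can be compared.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    id: str
    name: str
    requirement: str        # id of the security requirement this control satisfies
    components: frozenset   # technology components implementing the control
    states: frozenset       # subset of {"current", "target"}


# Constructed sample architecture (hypothetical values, not from the page)
GOALS = {
    "G1": "Protect customer financial data",
    "G2": "Meet regulatory audit-retention obligations",
}
REQUIREMENTS = {  # requirement id -> (description, business goal id)
    "R1": ("Encrypt customer data at rest", "G1"),
    "R2": ("Strong authentication for administrators", "G1"),
    "R3": ("Retain audit logs for seven years", "G2"),
}
CONTROLS = [
    Control("C1", "Database encryption at rest", "R1",
            frozenset({"db-cluster"}), frozenset({"current", "target"})),
    Control("C2", "Administrator MFA", "R2",
            frozenset({"idp", "bastion"}), frozenset({"target"})),
    Control("C3", "Central log archive", "R3",
            frozenset({"siem", "archive-bucket"}), frozenset({"current", "target"})),
    # R9 does not exist: this control cannot be traced to any business goal
    Control("C4", "Legacy file-transfer gateway", "R9",
            frozenset({"ftp-gw"}), frozenset({"current"})),
]


def trace_to_goal(control):
    """Return the business goal id a control ultimately serves, or None if the chain is broken."""
    req = REQUIREMENTS.get(control.requirement)
    if req is None:
        return None
    goal_id = req[1]
    return goal_id if goal_id in GOALS else None


def gap_analysis(controls):
    """Compare current and target states.

    to_build  : controls in the target architecture that do not exist yet
    to_retire : controls present today that the target architecture drops
    orphans   : controls that cannot be traced back to any business goal
    """
    to_build = sorted(c.id for c in controls
                      if "target" in c.states and "current" not in c.states)
    to_retire = sorted(c.id for c in controls
                       if "current" in c.states and "target" not in c.states)
    orphans = sorted(c.id for c in controls if trace_to_goal(c) is None)
    return {"to_build": to_build, "to_retire": to_retire, "orphans": orphans}


def goal_coverage(controls, state):
    """Map each business goal to whether at least one control serves it in the given state."""
    covered = set()
    for c in controls:
        if state in c.states:
            goal = trace_to_goal(c)
            if goal is not None:
                covered.add(goal)
    return {g: (g in covered) for g in GOALS}


if __name__ == "__main__":
    print("gap analysis:", gap_analysis(CONTROLS))
    for state in ("current", "target"):
        print(f"{state} goal coverage:", goal_coverage(CONTROLS, state))
```

The orphan check is the useful part in practice: a control that cannot be traced to a requirement and a goal is either undocumented (the model is incomplete) or unjustified (a candidate for retirement), and either way it is exactly the kind of drift the section describes as hard to keep accurate.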
Such exhaustive mapping of IT dependencies has notable overlaps with both metadata in the general IT sense, and with the ITIL concept of the configuration management database. Maintaining the accuracy of such data can be a significant challenge.
Along with the models and diagrams goes a set of best practices aimed at securing adaptability, scalability, manageability etc. These systems engineering best practices are not unique to enterprise information security architecture but are essential to its success nonetheless. They involve such things as componentization, asynchronous communication between major components, standardization of key identifiers and so on.
Successful application of enterprise information security architecture requires appropriate positioning in the organization. The analogy of city planning is often invoked in this connection and is instructive.
An intermediate outcome of an architecture process is a comprehensive inventory of business security strategy, business security processes, organizational charts, technical security inventories, system and interface diagrams, and network topologies, and the explicit relationships between them. The inventories and diagrams are merely tools that support decision-making; they are not sufficient on their own, and the architecture must be maintained as a living process.
High-level security architecture framework

Enterprise information security architecture frameworks are only a subset of enterprise architecture frameworks. If we had to simplify the conceptual abstraction of enterprise information security architecture within a generic framework, the picture on the right would be acceptable as a high-level conceptual security architecture framework.
Other open enterprise architecture frameworks are:
- SABSA framework and methodology
- The U.S. Department of Defense (DoD) Architecture Framework (DoDAF)
- Extended Enterprise Architecture Framework (E2AF) from the Institute For Enterprise Architecture Developments.
- Federal Enterprise Architecture of the United States Government (FEA)
- Capgemini's Integrated Architecture Framework[3]
- The UK Ministry of Defence (MOD) Architecture Framework (MODAF)
- NIH Enterprise Architecture Framework[4]
- Open Security Architecture[5]
- Information Assurance Enterprise Architectural Framework (IAEAF)
- Service-Oriented Modeling Framework (SOMF)
- The Open Group Architecture Framework (TOGAF)
- Zachman Framework
- Enterprise Cybersecurity (Book)
References
- ^ "21 principles of enterprise architecture for the financial sector". developer.ibm.com. Retrieved 2022-09-28.
- ^ "Incorporating Security Into the Enterprise Architecture Process". www.gartner.com. Archived from the original on June 6, 2010. Retrieved 30 August 2015.
- ^ Capgemini's Integrated Architecture Framework Archived June 23, 2006, at the Wayback Machine
- ^ "Enterprise Architecture". enterprisearchitecture.nih.gov. Archived from the original on 19 June 2013. Retrieved 30 August 2015.
- ^ "Open Security Architecture". www.opensecurityarchitecture.org. Retrieved 30 August 2015.
Further reading
- Carbone, J. A. (2004). IT architecture toolkit. Enterprise computing series. Upper Saddle River, NJ, Prentice Hall PTR.
- Cook, M. A. (1996). Building enterprise information architectures: reengineering information systems. Hewlett-Packard professional books. Upper Saddle River, NJ, Prentice Hall.
- Fowler, M. (2003). Patterns of enterprise application architecture. The Addison-Wesley signature series. Boston, Addison-Wesley.
- SABSA integration with TOGAF.
- Groot, R., M. Smits and H. Kuipers (2005). "A Method to Redesign the IS Portfolios in Large Organisations", Proceedings of the 38th Annual Hawaii International Conference on System Sciences (HICSS'05). Track 8, p. 223a. IEEE.
- Steven Spewak and S. C. Hill (1993). Enterprise architecture planning: developing a blueprint for data, applications, and technology. Boston, QED Pub. Group.
- Woody, Aaron (2013). Enterprise Security: A Data-Centric Approach to Securing the Enterprise. Birmingham, UK. Packt Publishing Ltd.