IT Security and EA3 Framework Quiz

Questions and Answers

What is the best way to describe the role of security and privacy within the EA program?

An all-encompassing security solution integral to strategic initiatives, business services, information flows, applications, and technology infrastructure

What are the four basic elements of the Security and Privacy Plan?

Introduction, Policy, Reporting Requirements, Concept of Operations

Why is security depicted as a vertical thread in the EA framework rather than a separate dedicated level?

Because it is most effective when integral to the enterprise’s strategic initiatives, business services, information flows, applications, and technology infrastructure

What are the intended outcomes of the Security and Privacy Program/Plan?

To ensure security and privacy are integral to the enterprise’s strategic initiatives, business services, information flows, applications, and technology infrastructure

What should be the frequency of security procedures training for end-users and system administrators?

Annually, and again after significant security upgrades or security incidents

What does operational security aim to promote?

Development of recovery procedures for major outages

What does risk assessment evaluate within the EA3 Framework?

IT security risk at all levels

What does vulnerability remediation involve?

Correcting IT security vulnerabilities found during testing and evaluation

What does disaster recovery involve?

Assessment and recovery procedures for responding to significant disruptions

What does continuity of operations refer to?

Procedures invoked if all or part of the enterprise is unexpectedly destroyed

What does physical protection in IT security include?

Controls for facilities supporting IT processing

What does building security in IT security focus on?

Controlling personnel access to the enterprise’s buildings where IT resources are used

What do the security controls for network operation centers, server rooms, and wiring closets govern?

Personnel access to the places where EA components are physically located

What do cable plant controls govern personnel access to?

The fiber and copper cabling that connects the technology infrastructure

What are the key drivers for managing risk in the Security and Privacy Program?

Integrating processes/systems and sharing information while protecting resources from unauthorized access

What is the focus of personnel security in the Security and Privacy Program?

User authentication and security awareness training

What does operational security provide in the Security and Privacy Program?

Standard Operating Procedures (SOPs) for system development, certification, operation, and security incident response

What does physical security involve in the Security and Privacy Program?

Protecting the physical environment where IT resources are located

What is the best approach to security and privacy solutions throughout the enterprise?

Setting controls around key business and technology resources and services using a 'defense in depth' approach

What are the four key elements of the Security and Privacy Program?

Information security, personnel security, operational security, and physical security

What does information security involve in the Security and Privacy Program?

Promoting security-conscious designs, information content assurance, source authentication, and data access control

What is the selection criteria for IT security solutions in the Security and Privacy Program?

Cost, level of protection needed, impact on end-users and system administrators, and the effectiveness of available technologies

What does the Risk Management Strategy aim to achieve in the Security and Privacy Program?

Find the right balance point in each area of an enterprise

What are the various forms of threats to security mentioned in the Security and Privacy Program?

Natural disasters, terrorism, hackers, and unintentional mistakes

What is the acknowledgment requirement for all end-users and administrators in the Security and Privacy Program?

Acknowledging an IT Awareness Agreement

What is the purpose of the Security and Privacy Program/Plan?

To establish principles, critical success factors, and performance measures

Study Notes

IT Security Issues and the EA3 Framework

  • Security procedures training should be provided to end-users and system administrators annually or after significant security upgrade actions or incidents.
  • Operational security should promote the development of SOPs for recovery from major outages or natural disasters and continuity of operations.
  • Risk assessment should evaluate IT security risk at all levels of the EA3 Framework, including strategic, business process, information, and support application and IT infrastructure risks.
  • Component security testing and evaluation involves identifying IT security vulnerabilities in hardware, software, and procedures, as well as auditing security-related documentation.
  • Vulnerability remediation involves correcting IT security vulnerabilities found during testing and evaluation, with the selection of a security solution based on an acceptable level of risk.
  • Component certification and accreditation certify that all remediation actions have been properly implemented for an EA component or integrated group of EA components.
  • Disaster recovery involves assessment and recovery procedures for responding to significant disruptions or eliminations of IT operations, affecting all levels of the EA3 Framework.
  • Continuity of operations refers to procedures invoked if all or part of the enterprise is unexpectedly destroyed or forced to disband, with scripted recovery responses in a Continuity of Operations Plan (COOP).
  • Physical protection includes controls for facilities supporting IT processing, access control, fire protection, media storage, and disaster recovery systems.
  • Building security focuses on controlling personnel access to the enterprise’s buildings where IT resources are used, affecting Business Process and Technology Infrastructure levels of the EA3 framework.
  • Controls for network operation centers, server rooms, and wiring closets govern personnel access to the places where EA components are physically located, mainly affecting the Business Process and Technology Infrastructure levels of the EA3 framework.
  • Cable plant controls govern personnel access to the fiber and copper cabling that connects the technology infrastructure, mainly affecting the Business Process and Technology Infrastructure levels of the EA3 Framework.

Enterprise Security and Privacy Program Overview

  • The Security and Privacy Program aims to protect IT resources in the business and technology operating environment and supports the Enterprise Architecture (EA) program by providing requirements for standards and procedures.
  • It addresses threats to information source and validity, access control, and physical environment of IT resources, and provides Standard Operating Procedures for system development, certification, operation, and security incident response.
  • Key drivers for managing risk include the need to integrate processes/systems and share information while protecting resources from unauthorized access, and the Risk Management Strategy aims to find the right balance point in each area of an enterprise.
  • Threats to security come in various forms including natural disasters, terrorism, hackers, and unintentional mistakes, which underscore the importance of investing in a Security and Privacy Program.
  • IT security solutions are selected based on cost, level of protection needed, impact on end-users and system administrators, and the effectiveness of available technologies, acknowledging that no solution is 100% effective for any enterprise.
  • The best approach to security and privacy solutions throughout the enterprise is to set controls around key business and technology resources and services, using a "defense in depth" approach to address physical, personnel, and operational threats.
  • The four key elements of the Security and Privacy Program are information security, personnel security, operational security, and physical security.
  • Information security involves promoting security-conscious designs, information content assurance, source authentication, and data access control, affecting the Business Process and Information Flow levels of the EA3 framework.
  • Personnel security focuses on user authentication and security awareness training, utilizing technologies like passwords, smart cards, identification badges, and biometrics, and ensuring that all end-users and administrators acknowledge an IT Awareness Agreement.
  • Operational security provides Standard Operating Procedures (SOPs) to organize and improve system development, certification, operation, and security incident response.
  • Physical security involves protecting the physical environment where IT resources are located, including measures against threats such as fires, floods, earthquakes, and accidents.
  • The Security and Privacy Program is crucial for safeguarding IT resources and ensuring the proper functioning of EA components, addressing various threats and promoting a risk-adjusted security approach.
