Lecture 9 The Role of Security and Privacy in EA.ppt

Full Transcript

CHAPTER 11

The Role of Security and
Privacy in EA

LEARNING OUTCOMES
• Understand the role of information security in the
EA program
• Understand the four basic elements of security
and privacy
• Understand the parts of an Security and Privacy
Plan

9-2

Introduction
• Security is one of the vertical “threads” that has an impact
at all levels of the EA framework. The role of security and
privacy within the EA program is best described as an all
encompassing security solution. The desired image is that
of a vertical thread that weaves through all levels of the EA3
Framework.

1-3

This image was chosen (as opposed to a separate dedicated level) because
security and privacy is most effective: when it is integral to the enterprise’s
strategic initiatives, business services, information flows, applications, and
technology infrastructure.

Security and Privacy Plan
1. Introduction
Purpose of the Security and Privacy Program / Plan
Principles of Security and Privacy
Critical Success Factors
Intended Outcomes
Performance Measures
2. Policy
Executive Guidance
Technical Guidance
Applicable Law and Regulations
Standards
3. Reporting Requirements
Security and Privacy Program Roles and Responsibilities
Security and Privacy Program Schedule and Milestones
Security and Privacy Incident Reporting

Security and Privacy Plan
4. Concept of Operations
Security and Privacy Threat Summary
Security and Privacy Risk Mitigation
Integration with Enterprise Architecture
Component/System Security Plans
5. Security Program Elements
Information Security
Personnel Security
Operational Security
Physical Security
6. Standard Operating Procedures
Test and Evaluation
Risk Assessment
Certification and Accreditation
Disaster Recovery/Continuity of Operations
Records Protection and Archiving
Data Privacy
Security and Privacy Training and Awareness

Importance of The Security and Privacy
Program
 The Security and Privacy Program is intended to provide expertise,
processes, and solutions for the protection of IT resources active in the
business and technology operating environment.
 It supports the EA program by providing requirements for standards
and procedures that are used in the planning and implementation of EA
components and artifacts.

Importance of The Security and
Privacy Program (Cont.)
 It looks at all possible sources of threat, including threats to the
source and validity of information, control of access to the
information, and threats to the physical environment where IT
resources are located.
 It also provides Standard Operating Procedures (SOPs) that help to
organize and improve the development and certification of new
systems, the operation of legacy systems, and the response to
security incidents.

Drivers and Threats of Security
program
•

Drivers for managing risk: come primarily from an enterprise’s need to
integrate processes/systems and share information, with a concurrent need to
protect those resources from unauthorized access and use. Finding the right
balance point in each area of an enterprise is the purpose of the Risk
Management Strategy.

•

Threats to the security: of an enterprise’s business and technology operating
environment come in many forms. This includes fires, floods, earthquakes,
accidents, terrorism, hackers, disgruntled employees, runaway technologies,
and unintentional mistakes. Without an awareness of a threat, or an appreciation
of its relevance, enterprises will not invest in an Security and Privacy Program.

•

One fundamental aspect of IT security: is the realization that there isn’t a
100% proof solution for any enterprise. This means that an security and privacy
solution is selected based on several considerations, including the cost, the level
of protection needed, the effect on end-users and system administrators, and the
effectiveness of available technologies.

The best way to address security
and privacy solutions throughout
the enterprise
• To set controls/solutions within and around key business and
technology resources and services. Using a “defense in depth”
approach, these controls provide an integrated set of risk-adjusted
security solutions in response to physical, personnel, and
operational threats to the proper functioning of EA components.

Four Key Elements of Security & Privacy
Program
There are four key elements of the Security and Privacy Program:
information security, personnel, operations, and physical protection.


Program Key Element #1: Information Security
In the area of information security, the Security and Privacy Program
should promote security-conscious designs, information content
assurance, source authentication, and data access control.

1-11

Program Key Element #1: Information Security

•

Design. These are the physical and logical systems analysis and design
activities that look at data structure, relationships, and flows.
– Whether traditional structured methods are used or the newer object-oriented
methods are used, Security and Privacy should be one of the requirements that
must be met for the design to be approved.
– Security and Privacy issues in this area mainly affect the Business Process and
the Information Flow levels of the EA3 framework.

•

Assurance: This is the protection of information content from being altered
unintentionally or by an unauthorized source.
– Controlling the access to information significantly contributes to assuring the
integrity of that information.
– Security and privacy issues in this area mainly affect the Business Process and
the Information Flow levels of the EA3 framework.

Program Key Element #1: Information
Security (Cont.)
•

Authentication: This refers to being able to verify the source of information.
Some enterprises are using digital signatures and a Public Key Infrastructure
(PKI) to be able to authenticate someone’s handling of information (e.g., banking
transactions, e-commerce, and executive correspondence). Security and privacy
issues in this area affect all levels of the EA3 framework.

•

Access: This focuses on who can access information within the enterprise and
how that access is managed.
The system administrator level of access often enables unrestricted use of a
system, application, or database and as such, has a high level of security
interest and should be monitored closely. IT security issues in this area mainly
affect the Information Flow, Systems/Services, and Technology Infrastructure
levels of the EA3 framework.

1-13

Four Key Elements of Security & Privacy
Program (cont)
.
 Program
Key Element #2: Personnel
In the area of personnel security, the Security and Privacy Program should
promote user authentication, security awareness and training as follows:
•

User Authentication: The verification of the identity of end-users and system
administrators before they gain access to an EA component. Technologies
that can help in this area include personal passwords, smart cards, identification
badges, and biometrics. IT security issues in this area mainly affect the
Systems/Services and Technology Infrastructure levels of the EA3 framework.

•

Awareness Training: Security awareness training should be provided to all of
the enterprise’s end-users and system administrators. It includes having all endusers and administrators read and sign an IT Awareness Agreement before
they have access to any EA component, which acknowledge that the enterprise
owns these resources and hosted information. IT awareness training should be
repeated annually to reinforce compliance. IT security issues in this area affect
all levels of the EA3 framework.
1-14

Program Key Element #2: Personnel
•

Procedures Training: Security procedures training should be provided to
end-users and system administrators to build proficiency in avoiding security
breaches, recognizing threats, and reacting to IT security incidents.
IT security procedures training should be repeated annually or as follow-up to
significant security upgrade actions or incidents. IT security issues in this area
mainly affect the Systems/Services and Technology Infrastructure levels of
the EA3 framework.

1-15

Four Key Elements of Security & Privacy
Program (cont)


Program Key Element #3: Operations
In the area of operational security, the Security and Privacy Program
should promote the development of SOPs for extreme events such as
recovery from major outages or natural disasters, and enabling the
continuity of operations if all or part of the enterprise becomes disabled.
Additional information on this area is as follows:

•

Risk Assessment: An overall evaluation of IT security risk at all levels of
the EA3 Framework. EA components at different levels of the EA
framework have different security risks;
Strategic risks, Business process risks , Information risks & Support
application and IT infrastructure risks.

•

Component Security Testing and Evaluation: This is the testing of EA
components or integrated groups of EA components in order to identify IT
security vulnerabilities. Testing is performed on the hardware, software, and
procedures of each EA component as well as auditing security-related
documentation (system and firewall logs, administrator files, reports, etc.).
1-16

Four Key Elements of Security & Privacy
Program (cont)
• Vulnerability Remediation: This is the act of correcting any IT security
vulnerabilities found during EA component Testing and Evaluation. This
involves the selection of a security solution based on the determination of an
acceptable level of risk. Higher levels of security protection often cost more
and have a more intrusive affect on business services. IT security issues in
this area affect all levels of the EA3 Framework.
•

Component Certification and Accreditation: This is the certification that all
remediation actions have been properly implemented for an EA component or
integrated group of EA components. IT security issues in this area affect all
levels of the EA3 Framework.

•

Standard Operating Procedures: The documentation of IT security SOPs is
important to ensuring that timely and effective action is taken by end-users
and system administrators when faced with an IT security incident.

Four Key Elements of Security & Privacy
Program (cont)
•

Disaster Recovery: The assessment and recovery procedures for
responding to a man-made or natural event that significantly disrupts or
eliminates IT operations, yet does not threaten the existence of the
enterprise. This includes sabotage, theft or corruption of resources,
successful large scale hacker/virus attacks, building damage, fire, flood, and
electrical outages. IT security issues in this area affect all levels of the EA3
Framework.

•

Continuity of Operations: This refers to procedures that are invoked if all or
part of the enterprise are unexpectedly destroyed or forced to disband. In this
scenario, the enterprise is unable to conduct any business or IT operations
for a period of time. The recovery response is scripted in a Continuity of
Operations Plan (COOP) that identifies where, how, and when business and
IT functions would be restored. IT security issues in this area affect all levels
of the EA3 Framework.

1-18

Four Key Elements of Security & Privacy
Program (cont)
 Program Key Element #4: Physical Protection
• The aspects of physical protection that should be captured in the EA include
controls for the facilities that support IT processing, control of access to
buildings, equipment, networks, and telecommunications rooms, as well as fire
protection, media storage, and disaster recovery systems.
•

Building Security: This focuses on the control of personnel access to the
enterprise’s buildings where IT resources are used. Depending on the level of
building security that is desired, a perimeter around the building can be
established with barriers and/or monitoring. IT security issues in this area
mainly affect the Business Process and the Technology Infrastructure levels of
the EA3 framework.

1-19

Four Key Elements of Security & Privacy
Program (cont)
•

Network Operation Centers, Server Rooms, and Wiring Closets: This refers
to the control of personnel access to those places where EA components are
physically located. This includes network operation centers, remote server
rooms, and wiring closets where voice, data, and video cables and patch panels
are located. IT security issues in this area mainly affect the Business Process
and the Technology Infrastructure levels of the EA3 framework.

•

Cable Plants: This refers to the control of personnel access to the various
types of fiber and copper cable that connect the technology infrastructure
together. Unauthorized tapping is possible, so some level of protection is
recommended. IT security issues in this area mainly affect the Business
Process level and the Technology Infrastructure level of the EA3 Framework.

1-20

Summary & Reference
•

IT security should be an integral part of the planning, design,
implementation, testing, and operation of every EA component. In this way,
an effective security solution is created that encompasses the entire
architecture and that penetrates each level of the EA3 Framework.

•

Finally, there should be awareness that absolute security is not possible
because EA components are designed and managed by humans, and
“insider” access is the ultimate threat which cannot completely be
overcome. Therefore, effective risk-adjusted solutions throughout the EA3
Framework are the goal of the Security and Privacy Program.

•

Refer to : Chapter 11: The Role of Security and Privacy