Compliance-driven security programmes aim at satisfying the compliance itch and hope that an effective security posture will fall out of compliance with the ever-changing collection of compliance requirements. It’s possible, but many organisations end up hoping to pull a security rabbit out of the compliance hat.
Compliance with well-recognised, seemingly comprehensive, security standards is not, in and of itself, enough. Implementing a compliance-based security programme can be a recipe for a false sense of security. “Best Practices” may work for some organisations but break others in short order. Reference Architectures and standard security patterns, in the wrong hands, can become the wrong tools addressing the wrong scenarios. While security standards are useful and, when incorporated into regulations, necessary, more is required to ensure they enable enterprises to reach their business goals and objectives. A rational, repeatable process for tailoring and using standards, guidelines, and “Best Practices” is required. The answer is to architect enterprise security to meet organisations’ unique and changing business requirements.
Architected security is business-driven, aligned, integrated, monitored, and continuously improved to enable the enterprise to pursue its goals and objectives reliably. The SABSA Enterprise Security Architecture (ESA) Framework and Methodology delivers mature, vital, business-enabling ESA. SABSA provides the guidebook for the ESA journey that begins with real business requirements and traverses a complex landscape of shifting threats and opportunities. ESA’s destination is living, adaptive, continuously improving and up-to-date enterprise security. SABSA’s four-phase life cycle begins with Strategy & Planning, moves through Design, Implementation, and Manage & Measure, and then iterates through the life cycle again as the organisation evolves. Let’s start with a look at ESA Strategy & Planning.
ESA Strategy & Planning Phase
The Strategy & Planning Phase often begins with an ESA Maturity Assessment. The Maturity Assessment focusses on current security programme processes and the artefacts produced and used. ESAs vary considerably in scope and maturity. ESA scope may include the enterprise as a whole, business units, lines-of-business, infrastructure, an application, or other elements requiring security. ESA maturity is positioned somewhere along a continuum running from barely existing to continuously improved.
ESA Maturity Assessment
The Maturity Assessment considers enterprise security from an architectural perspective, based on the SABSA ESA methodology. It develops a clear understanding of the current state of the organisation’s enterprise security programme, the relevant business requirements, and the existing architecture activities. The ESA Maturity Assessment also assesses the results delivered and the architecture’s capability to enable and add value to the enterprise. The SABSA ESA Framework is used to evaluate security programme elements, organise and correlate assessment results, and document the architecture’s current state. The Maturity Assessment provides an understanding of the security programme, its underlying security architecture capabilities, and its ability to support the enterprise’s pursuit of its goals and objectives. The assessment provides critical input for the next step, developing an ESA Strategy & Roadmap.
ESA Strategy & Planning
The ESA Strategy & Plan defines a vision for the future-state ESA that will enable the business to effectively manage its unique, enterprise-relevant risks within defined risk appetites. Risks include business-relevant threats and opportunities. The SABSA Methodology addresses mitigating threats and enabling opportunities in the business context. The ESA Strategy articulates a vision for planning, designing, implementing, and managing the security and security architecture activities and artefacts required by the business. An ESA Roadmap is the next step, charting a high-level course for designing and implementing the business-aligned ESA.
ESA Roadmap
The ESA Roadmap maps alignment of ESA resources and capabilities to the organisation’s strategic goals, tactical objectives, and supporting IT initiatives. The ESA Roadmap visualises the ESA Strategy across an adjustable timeline aligned to changing planning and budget cycles. It is a powerful communication aid for sharing the ESA Strategy with stakeholders at all levels. The ESA Design Phase follows.
ESA Design Phase
The ESA Design Phase delivers the ESA Design, a comprehensive framework for transforming the ESA Strategy into a functional, business-enabling ESA. The ESA Design identifies and defines the architectural activities and artefacts required to implement the ESA Strategy. While ESA designs will include similar elements and relationships between elements, each is unique to its enterprise. SABSA helps assure that ESA design elements are traceable to the organisation’s unique set of business requirements, and that traceability assures that the implemented ESA will be complete and fully justified. The ESA Design must be implementable in the context of the organisation, which is the concern of the next phase.
ESA Implementation Phase
The Implementation Phase delivers the ESA Implementation Plan for operationalising the ESA Design. The ESA Implementation Plan requires the approval of senior management and alignment to the enterprise budget cycle to assure funding. Adoption of the design is next, followed by alignment to, and integration with, the relevant and impacted organisation elements and stakeholders. The ESA Implementation Plan guides uptake of ESA capabilities into the organisation’s continuing business, IT, and security programmes through carefully identified and prioritised in-flight or planned initiatives. There is a fine art to implementation, driven by risk-prioritised targeting of capabilities. The following ESA Manage & Measure Phase covers the ESA operations that deliver value through security.
ESA Manage & Measure Phase
The Manage & Measure Phase delivers ongoing trusted business operations, enhanced by integrated ESA continuous improvement capabilities. Continuous improvement assures the ESA remains business-driven and fully aligned with evolving business needs. Managing the ESA requires integrated measurement and reporting capabilities. These provide management and leadership with the information they need to manage enterprise risks within the defined risk appetite. Continuous ESA Improvement and ESA Vitality Assurance capabilities work in combination, architected to reinforce each other to deliver cost-effective security.
The ESA Journey
Once begun, the ESA journey never ends. It enables organisations to continuously improve effective management of dynamic threats and exploit opportunities with an agility that provides a competitive advantage. Start the ESA journey to the right security, in the right place, at the right time, for the right cost. The SABSA Framework and Methodology is the guide to delivering business-enabling enterprise security.