Enterprise Information Security Architecture (EISA) is a part of Enterprise Architecture focusing on information security throughout the enterprise.
Definition:
Enterprise Information Security Architecture (EISA) is the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel and organizational sub-units, so that they align with the organization's core goals and strategic direction. Although often associated strictly with information security technology, it relates more broadly to the security practice of business optimization in that it addresses business security architecture, performance management and security process architecture as well.
Enterprise Information Security Architecture is becoming a common practice within financial institutions around the globe. The primary purpose of creating an enterprise information security architecture is to ensure that business strategy and IT security are aligned. As such, enterprise information security architecture allows traceability from the business strategy down to the underlying technology.
Positioning EISA
Enterprise information security architecture was first formally positioned by Gartner in their whitepaper called "Incorporating Security into the Enterprise Architecture Framework", published on 25 January 2006. Since this publication, security architecture has moved from being a silo-based architecture to an enterprise-focused solution that incorporates business, information and technology. The picture below represents a one-dimensional view of Enterprise Architecture as a service-oriented architecture. It also reflects the new addition to the enterprise architecture family called "Security". Business Architecture, Information Architecture and Technology Architecture used to be called BIT for short. Now, with security as part of the architecture family, it has become BITS.
Security architectural change imperatives now include things like:
Goal of EISA
- Provide structure, coherence and cohesiveness.
- Must enable business-to-security alignment.
- Defined top-down, beginning with business strategy.
- Ensure that all models and implementations can be traced back to the business strategy, specific business requirements and key principles.
- Provide abstraction so that complicating factors, such as geography and technology religion, can be removed and reinstated at different levels of detail only when required.
- Establish a common "language" for information security within the organization.
Enterprise information security architecture methodology:
The practice of Enterprise Information Security Architecture involves developing an architecture security framework to describe a series of "current", "intermediate" and "target" reference architectures and applying them to align programs of change. These frameworks detail the organizations, roles, entities and relationships that exist or should exist to perform a set of business processes. This framework will provide a rigorous taxonomy and ontology that clearly identifies what processes a business performs and detailed information about how those processes are executed and secured. The end product is a set of artifacts that describe in varying degrees of detail exactly what and how a business operates and what security controls are required. These artifacts are often graphical. Given these descriptions, whose levels of detail will vary according to affordability and other practical considerations, decision makers are provided the means to make informed decisions about where to invest resources, where to realign organizational goals and processes, and what policies and procedures will support core missions or business functions.
A strong Enterprise Information Security Architecture process helps to answer basic questions like:
- Is the current architecture supporting and adding value to the security of the organization?
- How might a security architecture be modified so that it adds more value to the organization?
- Based on what we know about what the organization wants to accomplish in the future, will the current security architecture support or hinder that?
Implementing enterprise information security architecture generally starts with documenting the organization's strategy and other necessary details such as where and how it operates. The process then cascades down to documenting discrete core competencies, business processes, and how the organization interacts with itself and with external parties such as customers, suppliers, and government entities.
Having documented the organization's strategy and structure, the architecture process then flows down into the discrete information technology components such as:
- Organization charts, activities, and process flows of how the IT Organization operates
- Organization cycles, periods and timing
- Suppliers of technology hardware, software, and services
- Applications and software inventories and diagrams
- Interfaces between applications - that is: events, messages and data flows
- Intranet, Extranet, Internet, eCommerce, EDI links with parties within and outside of the organization
- Data classifications, Databases and supporting data models
- Hardware, platforms, hosting: servers, network components and security devices and where they are kept
- Local and wide area networks, Internet connectivity diagrams
Wherever possible, all of the above should be related explicitly to the organization's strategy, goals, and operations. The Enterprise Information Security Architecture will document the current state of the technical security components listed above, as well as an ideal-world desired future state (Reference Architecture) and finally a "Target" future state which is the result of engineering tradeoffs and compromises vs. the ideal. Essentially the result is a nested and interrelated set of models, usually managed and maintained with specialised software available on the market.
Such exhaustive mapping of IT dependencies has notable overlaps with both Metadata in the general IT sense, and with the ITIL concept of the Configuration Management Database. Maintaining the accuracy of such data can be a significant challenge. Along with the models and diagrams goes a set of best practices aimed at securing adaptability, scalability, manageability etc. These systems engineering best practices are not unique to Enterprise Information Security Architecture but are essential to its success nonetheless. They involve such things as componentization, asynchronous communication between major components, standardization of key identifiers and so on.
Successful application of Enterprise Information Security Architecture requires appropriate positioning in the organization. The analogy of city-planning is often invoked in this connection, and is instructive. An intermediate outcome of an architecture process is a comprehensive inventory of business security strategy, business security processes, organizational charts, technical security inventories, system and interface diagrams, and network topologies, and the explicit relationships between them. The inventories and diagrams are merely tools that support decision making. But this is not sufficient. It must be a living process.
The organization must design and implement a process that ensures continual movement from the current state to the future state. The future state will generally be a combination of one or more of:
- Closing gaps that are present between the current organization strategy and the ability of the IT security dimensions to support it
- Closing gaps that are present between the desired future organization strategy and the ability of the security dimensions to support it
- Necessary upgrades and replacements that must be made to the IT security architecture based on supplier viability, age and performance of hardware and software, capacity issues, known or anticipated regulatory requirements, and other issues not driven explicitly by the organization's functional management.
On a regular basis, the current state and future state are redefined to account for evolution of the architecture, changes in organizational strategy, and purely external factors such as changes in technology and customer/vendor/government requirements.
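As an added illustration (not part of the original article) of the traceability goal stated earlier and of the gap-closing described in this section, the following Python sketch models a current and a target state as inventories of controls, each traced to business requirement ids, and derives the orphan controls, the uncovered requirements and the transition plan. All control names and requirement ids are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """A security control in one architecture state (hypothetical model)."""
    name: str
    supports: frozenset  # ids of the business requirements this control traces to


@dataclass
class ArchitectureState:
    """Inventory of controls for the 'current' or 'target' state."""
    label: str
    controls: dict = field(default_factory=dict)  # control name -> Control

    def add(self, name, *requirement_ids):
        self.controls[name] = Control(name, frozenset(requirement_ids))
        return self


def orphan_controls(state):
    """Controls that trace to no business requirement: technology kept for its own sake."""
    return sorted(c.name for c in state.controls.values() if not c.supports)


def uncovered_requirements(state, requirements):
    """Requirement ids that no control in this state supports: the gaps to close."""
    covered = set().union(*(c.supports for c in state.controls.values()))
    return sorted(set(requirements) - covered)


def transition_plan(current, target):
    """Controls to add, retire or keep when moving from the current to the target state."""
    cur, tgt = set(current.controls), set(target.controls)
    return {"add": sorted(tgt - cur), "retire": sorted(cur - tgt), "keep": sorted(cur & tgt)}


# Constructed sample data: requirement ids and control names are made up for this example.
REQUIREMENTS = {"BR1": "online customer onboarding",
                "BR2": "regulatory reporting",
                "BR3": "third-party supplier access"}

CURRENT = (ArchitectureState("current")
           .add("perimeter firewall", "BR3")
           .add("legacy token server")            # traces to nothing
           .add("central log store", "BR2"))

TARGET = (ArchitectureState("target")
          .add("perimeter firewall", "BR3")
          .add("central log store", "BR2")
          .add("customer identity service", "BR1")
          .add("supplier access gateway", "BR3"))

if __name__ == "__main__":
    print("orphans in current:", orphan_controls(CURRENT))
    print("gaps in current:", uncovered_requirements(CURRENT, REQUIREMENTS))
    print("gaps in target:", uncovered_requirements(TARGET, REQUIREMENTS))
    print("plan:", transition_plan(CURRENT, TARGET))
```

Running the script lists the control with no business justification, the requirement the current state leaves unsupported, and the add/retire/keep sets that make up the programme of change.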
Relationship to other IT disciplines:
Enterprise Information Security Architecture is a key component of the Information Security technology governance process at any organization of significant size. More and more companies are implementing a formal enterprise security architecture process to support the governance and management of IT. However, as noted in the opening paragraph of this article, it ideally relates more broadly to the practice of business optimization in that it addresses business security architecture, performance management and process security architecture as well. Enterprise Information Security Architecture is also related to IT security portfolio management and Metadata in the enterprise IT sense.
Enterprise information security architecture frameworks are only a subset of Enterprise Architecture frameworks:
If we had to simplify the conceptual abstraction of Enterprise Information Security Architecture within a generic framework, the following picture would be acceptable as a high-level conceptual security architecture framework.
References
- Gartner (2006). "Incorporating Security into the Enterprise Architecture Framework". Whitepaper, 25 January 2006.
- Carbone, J. A. (2004). IT Architecture Toolkit. Enterprise Computing Series. Upper Saddle River, NJ: Prentice Hall PTR.
- Cook, M. A. (1996). Building Enterprise Information Architectures: Reengineering Information Systems. Hewlett-Packard Professional Books. Upper Saddle River, NJ: Prentice Hall.
- Fowler, M. (2003). Patterns of Enterprise Application Architecture. The Addison-Wesley Signature Series. Boston: Addison-Wesley.
- Groot, R., Smits, M. and Kuipers, H. (2005). "A Method to Redesign the IS Portfolios in Large Organisations". Proceedings of the 38th Annual Hawaii International Conference on System Sciences (HICSS'05), Track 8, p. 223a. IEEE.
- Spewak, S. H. and Hill, S. C. (1993). Enterprise Architecture Planning: Developing a Blueprint for Data, Applications, and Technology. Boston: QED Pub. Group.
More information:
- Direct reference to Wikipedia's Enterprise Architecture article