Opinion: Enterprise Security Architecture as a discipline – the three viewpoints.

Enterprise Security Architecture, as a discipline, is required to outline an enterprise-wide, risk-driven approach to information security and to deliver infrastructure solutions in response to the organisation's threat profile. It is also required to drive and support the standardisation and management of the organisation's information security discipline.

Enterprise Security Architecture is a term used loosely by organisations today. Depending on the maturity of the discipline, it may be limited to a technology-only function that addresses the organisation's security concerns through technical solutions providing point-in-time protection, without an appreciation of a broader strategy encompassing the ever-important people and process domains.

As an example, for a web-based business the focus is availability and continuous uptime. The Enterprise Security Architecture for such an organisation will, at a minimum, focus on the protection of its web servers, ensuring that the associated web applications are secured and not susceptible to man-in-the-middle or SQL injection attacks. Further, this organisation would ensure that technology controls are in place to withstand a Distributed Denial of Service (DDoS) attack.

Alternatively, if an organisation's core business is manufacturing and distribution, the core focus will be on the protection of core systems, the unavailability of which will have an impact on its manufacturing cycles and in turn adversely affect the distribution of its products. The protection of these systems may be a mixture of network, hosting and endpoint technologies, with potentially minimal appreciation of supporting people and process controls. The protection mechanisms and the corresponding security architecture for these two organisations will differ from the security architecture at a financial services organisation, which is required to address security concerns and manage threat vectors across the people, process and technology domains.

In my view a comprehensive Enterprise Security Architecture should focus across the people, process and technology domains, but additionally have three distinct views that explain information security from multiple aspects, including but not limited to a 'Business Viewpoint', a 'Technology Management Viewpoint' and a 'Security Practitioner's Viewpoint', each addressing the requirements across the people, process and technology domains.

The Business Viewpoint of an Enterprise Security Architecture should provide an understanding of the Governance, Risk and Compliance (GRC) posture of information security at an executive level, followed through by an appreciation of the People and Identity factors that influence information security. In addition, the Business Viewpoint should highlight the organisation's Information Assets and the threat posture of its IT infrastructure, including but not limited to network components, server instances and endpoints.

The Technology Management and Security Practitioner viewpoints should build on the Business Viewpoint and explain in detail the requirements and principles for information security management, supported by the organisation's security policy and standards, which include identity and access management, threat and vulnerability management operating procedures, and a framework for security reporting.

The Security Practitioner viewpoint will specifically focus on, and provide details of, the security capability and associated infrastructure components required to support the management view and the business view, detailing, in no particular order, the:

  •  System security policy management and compliance reporting system,
  •  Security information and event management systems,
  •  Network security including network intrusion detection/prevention systems,
  •  Data leakage prevention systems,
  •  Host and end point security systems,
  •  Data storage security,
  •  Security operations reporting and metrics system,
  •  Application and business system security etc.

The Enterprise Security Architecture within an organisation should ensure that the above viewpoints are understood and that the discipline is not limited to a technology-only function. A successful Enterprise Security Architecture should provide guidance across the three domains of people, process and technology to ensure that the organisation continues to operate anytime and anywhere in a secure manner, whilst maintaining a competitive compliance posture.

About CSO Opinion writer Puneet Kukreja

Puneet Kukreja is the Managing Director of Affirm Risk Pty Ltd, a boutique information security and risk advisory firm. He has demonstrated experience in successfully delivering enterprise security programs and establishing integrated security delivery functions within complex multi-vendor and multi-stakeholder environments. He is an experienced information security and systems auditor with in-depth controls advisory experience. He holds the following certifications: CRISC, CISM, MSP, CEA, ITIL ICT (M), MCSE (Security), CCNA, CCSP, Security+.
