This article examined the field of security architecture from the point of view of security governance. It explains how security architecture governance can be created as a sub-field of security governance and how the principles and structure of the same can be applied to security architecture governance to build an overarching security environment that is easy to understand, change, monitor and maintain. This report was built by Nidhi Agarwal & Arnab Chattopadhyay & was earlier touched upon at SACON ( India's only Security Architecture Conference).
Here is a brief Executive Summary:
Situation:
- Security architecture program tends to focus heavily on technology, often neglecting people, process policies needed to manage the program
- Activities in the program often planned as unrelated parts of specific problems to be delivered in a given time window thereby losing overarching view of the architecture and also losing ability to confidently claim that the security objectives are met.
- Many cases it seems like a daunting task and often pushed backward
Problems:
This leads to several problems
- The security architecture team/security team doesn’t know whether it is supporting business goals.
- The organization lose sense of direction in terms of defining security priorities and initiatives.
- Risk treatment becomes non-definitive.
- To make security architecture development better managed, security architecture governance is ‘must have’.
- The security architecture governance process must be part of and in sync with an overarching security governance program.
- The security architecture governance program must be customised to suit specific organisational needs.
- Begin by defining the organisational pressure that shape and define organisational security posture and use best practice as a guide to determine what the security architecture program must include.The pressure would be referred as ‘security pressure position’ in rest of the document.
- Conduct gap analysis to identify the initiatives needed to reach to the target state of security architecture posture.
- Create an action plan and implement the project using industry best practices, tools, templates and using external expertise where
Comments