Enterprise architecture (EA) and information security must work together seamlessly to ensure security is fully integrated across all organizational initiatives. This piece explores the integration points between information security and EA and details the possible organizational constructs in which the two can function.
EA is responsible for aligning business and enterprise initiatives, serving as an advisor to business management on business and information integration strategies, and auditing compliance with EA standards.
Security architecture, on the other hand, describes an organization's core security principles and the procedures for securing its data, covering not only storage and other systems but also the personnel teams involved and their roles and functions. It is defined in the context of organizational requirements, priorities, risk tolerance and related factors, so that it reflects both current and future business needs. Security architecture is narrower in scope than EA: it focuses on hardware and software security controls and on how to use those components to design, build and evaluate secure systems.
The NIST Risk Management Framework (SP 800-37) and the NIST security and privacy control catalog (SP 800-53) call out security architecture in the configuration management, planning, program management, and system and services acquisition control families (for example, PL-8 Security and Privacy Architectures, PM-7 Enterprise Architecture and SA-17 Developer Security and Privacy Architecture and Design in SP 800-53 Rev. 5). Key responsibilities of security architecture include:
There are two typical ways in which EA and security architecture can align: security architecture sits within EA, or it sits within the information security function.
A good way to get the best of both worlds is to create a dotted-line reporting relationship to the other function. For example, if security architecture is a subcomponent of EA, create a dotted-line relationship between security architecture and information security. However, leadership must be very intentional about this. Multiple reporting relationships, if not aligned properly, can be a significant source of frustration for the individuals involved, and security architects are in high demand.
A general responsible-accountable-consulted-informed (RACI) model is helpful for breaking down the different functions across roles. Figure 1 shows a sample RACI chart that prescribes roles and responsibilities for security initiatives. Treat it as a starting point only, because organizations and their technology deployment practices may differ substantially; you may need to adapt this model to your specific needs (e.g., for DevOps or Agile variants in use within your organization).
It is beneficial to include security architecture from the inception of enterprise architecture work rather than bolting it on later. Defining the framework for it may seem challenging, but to increase your chances of success:
December 6, 2022
By IANS Research