Enterprise architecture (EA) and information security must work together seamlessly to ensure security is fully integrated across all organizational initiatives. This piece explores the integration points between information security and EA and details the possible organizational constructs in which the two can function.
EA is responsible for aligning business and enterprise initiatives, serving as an advisor to business management on business and information integration strategies, and auditing compliance with EA standards.
Security architecture, on the other hand, describes an organization’s core security principles and procedures for securing data—covering not only data in storage and other systems, but also the personnel teams and their roles and functions. This information is provided in the context of organizational requirements, priorities, risk tolerance and related factors to help ensure security architecture reflects both current and future business needs. Security architecture is narrower than EA and focuses on hardware and software security controls and how to use those components to design, architect and evaluate secure computer systems.
The NIST SP 800-37 Risk Management Framework and SP 800-53 Privacy Framework call out security architecture in the configuration management, planning, program management, and system and services acquisition security and privacy control families. Key responsibilities of security architecture include:
There are two typical ways in which EA and security architecture can align:
A good way to get the best of both worlds is to create a dotted-line reporting relationship to the other function. For example, if security architecture is a subcomponent of EA, create a dotted-line relationship between security architecture and information security. However, leadership must be very intentional about this. Multiple reporting relationships, if not aligned properly, can be a significant source of frustration for the affected individuals—and security architects are in high demand.
A general responsible-accountable-consulted-informed (RACI) model is helpful for breaking down the different functions across roles.
Figure 1 shows a sample RACI chart that prescribes the roles and responsibilities for security initiatives. Treat this as a starting point only, because organizations and their technology deployment practices may differ substantially. You may need to adapt this model to your specific needs (e.g., for DevOps or Agile variants in use within your organization).
It’s beneficial to consider and include security architecture at the inception of enterprise architecture. Defining the framework for it may seem challenging, but to increase your chances of success:
September 21, 2023
By IANS Faculty