Enterprise Cybersecurity Architecture
Holistic
Enterprise Cybersecurity Architecture requires a holistic approach when dealing with complex systems across an organization. This means having a proper understanding of requirements, design philosophy, interoperability, component integration, and how the system will operate. Likewise, holistic is not a checklist-based approach, or other necessary components, either technical or process-oriented, may get missed.
Business-Driven
Risk-Driven
Enterprise Cybersecurity Architecture encompasses many, many other areas.
- Securely Enables Business
- Supports Business Strategy
- Supports Technology Strategy
- Informs Security Strategy
- Informs Capital Planning & Investment Control
- Meets Regulatory Compliance
- Meets Contractual Requirements
- Meets Industry Standards
- Supports Procurement Processes
- Integrates with Portfolio Management
- Integrates with Program Management
- Integrates with Project Management
- Supports Measurement and Metrics
- Supports Security Governance
- Supports Risk Management
- Supports Risk Assessment
- Supports Risk Analysis
- Supports Vendor Risk Management
- Integrates Security Operations
- System Engineering Focus
- Provides Trustworthiness
- Supports Two-Way Traceability of Requirements
- Maintains Continuous Improvement
- Is NOT Checklist Based
- Is NOT Set It and Forget It
- Is Proactive Across Enterprises
Enterprise Cybersecurity Architecture-Reference
SABSA is the copyright and trademark of the SABSA Institute, all rights reserved.
TOGAF is the copyright and trademark of The Open Group, all rights reserved.
Enterprise Cybersecurity Architecture Paradigm-Reference
Be mindful the lifecycle ties into the current state, target state, and transition state architectures. In general terms, this means integration with portfolio management, program management, and project management in terms of cybersecurity mechanism and tooling, strategy, capability development, and architecture deployment, be it architecture capability, business capability, or both.
SABSA is the copyright and trademark of the SABSA Institute, all rights reserved.
Cybersecurity and Technology Operations Paradigm-Reference
It does not make sense to build walls and towers around the castle and then have no sentries to man them or not enough sentries to be effective. In this sense, all architectures need to be right-sized operationally, fit-for-purpose, or they will not be effective regardless of how many tools are thrown at the problem.
Anyone can use this public domain document and modify it to suit their own needs.
Secure Design Principles-Reference
According to the Merriam-Webster dictionary, a principle is:
- a comprehensive and fundamental law, doctrine, or assumption
- a rule or code of conduct
- the laws or facts of nature underlying the working of an artificial device
- an underlying faculty or endowment
Secure Design Principles provides a directive for developing a secure system’s underlying and comprehensive doctrine, assumption, and rule of conduct. Regardless, any system should adhere to secure design principles from design, development, testing, deployment, and during the system’s running lifecycle. In addition, the secure design principles are ever-present but extendable to account for MITRE ATT&CK and D3FEND. Finally, anyone can use this public domain document and modify it to suit their own needs.
Policy and Harmonized Control Framework-Reference
The policy and harmonized control framework-reference architecture presented is a single point of view but provides a reference from left to right for a potential direction. The reference architecture utilizes a core set of influences with the NIST 800-53 Rev. 4 as the base. The perspective presented is not rigid, just a starting point. The NIST 800-53 could easily be swapped out for ISO 27001 or the CIS CSC v8, or the CSA-Matrix as the base. Some organizations might favor a NIST CSF direction. Adopt and adapt as appropriate to the organization.
The main policy architecture viewpoint is based on the policy architecture presented by SABSA in the SABSA Big Blue book (the first book listed on the Library page) and within training from the SABSA Institute. Therefore, it is a good starting point for developing organizational policies as well as application-level policies. Finally, anyone can use this public domain document and modify it to suit their own needs.
SABSA is the copyright and trademark of the SABSA Institute, all rights reserved.
Defeating Chaos
Enterprise cybersecurity architecture is not a silver bullet or one size fits all. Instead, it recognizes a particular fact that standardization, organization, structure, ordering, planning, and many other aspects of enterprise cybersecurity architecture are about controlling the things you can and minimizing the impact from the things you cannot. In addition, the enterprise cybersecurity architecture practice is concerned with continuous improvement while growing overall maturity which also helps reduce chaos.
No environment or business is chaos-free. No environment or business will remain the same forever. However, change can be managed, accounted for, and integrated into daily tasks and efforts.