In many respects, the information security architecture is analogous to the architecture associated with buildings. It begins as a concept, a set of design objectives that must be met (e.g., the function the building will serve: whether it will be a hospital, a school, etc.). It then progresses to a model, a rough approximation of the vision forged from raw materials (read: services). This is followed by the preparation of detailed blueprints, the tools that will be used to transform the vision/model into a real and finished product. Finally, there is the building itself, the realization, or output, of the prior stages. The important points of this analogy are twofold. First, the architecture is more than a mere blueprint; it also includes both the vision/concepts that led to it and all that is derived from it. The caution here is to keep detailed information (such as corporate standards for products and their configuration) separate from the blueprint, perhaps in the form of references or appendices. This will enable the high-level architecture to remain visible and manageable, which is critical to the second point. Specifically, the architecture should not be viewed as static and immutable; rather, it should be revisited periodically to ensure continued alignment with changing corporate objectives (just as a building may be modified over time).
It is also important to understand the relationship between the information security architecture and other enterprise security and architecture initiatives. Establishing the framework of the security architecture should be among the first steps in developing a security program, with subsequent steps yielding the next-level details (e.g., trust modeling tools, policy and process definitions, mechanisms for technology, and product selection). As such, the information security architecture is essentially a product of the overall security program. From an enterprise architecture perspective, information security would typically be treated as a domain within the enterprise technical architecture. A loose mapping of these components would have the domain constructs of design principles and technologies correlating to "mechanisms" in the security architecture, and standards, products, and configurations correlating to "as-built."
Information Security Architecture
Copyright © 2002 CNET Networks, Inc. All rights reserved. ZDNet is a registered service mark of CNET Networks, Inc. ZDNet Logo is a service mark of CNET Networks, Inc.