Information Security Requires Continual Improvement
These principles have been developed in line with global and national information security best practice and have been thoroughly reviewed and endorsed by the Australian IT Security Experts Advisory Group (ITSEAG*). They are intended to allow organisations to better meet their obligations in achieving corporate governance requirements for information security, including legal and regulatory compliance.
1 AusCERT, Computer Crime and Security Survey, 2006, http://www.auscert.org.au/images/ACCSS2006.pdf
2 Computer Security Institute, CSI/FBI Computer Crime and Security Survey, 2006, http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf
3 S Grose, ‘Federal Government to Toughen Information Security’, ZDNet Australia, 2006, http://www.zdnet.com.au/news/security/soa/Federal-government-to-toughen-information-security/0,130061744,139249593,00.htm
4 G Wang, ‘Strategies and Influence for Information Security’, Information Systems Control Journal, vol 1, 2005, Information Systems Audit and Control Association
The principles of secure enterprise strategy and architecture are essential across all industries for effective design, development, and maintenance. By implementing these principles organisation-wide, management can confidently take responsibility for safeguarding information assets in a rapidly evolving environment, which is a crucial goal of information security governance. Furthermore, grasping these principles and integrating them throughout the system lifecycle is a critical component of a comprehensive information security management framework.
Integrating security principles into daily activities fosters a 'culture of security' within the organization, enhancing the integrity of information assets and ensuring compliance with legal and regulatory obligations.
Organisations today must navigate continuous and significant changes driven by market dynamics, competition, technological advancements, and rising customer expectations. Additionally, global factors such as corporate governance reforms, security threats from terrorism, and escalating malicious online activities demand that organisations cultivate resilience to thrive amid competition and uncertainty.
In order to adapt to this environment, organisational design needs to be reconsidered.
Enterprise Architecture, which serves as a formal description and comprehensive plan for an organisation, must possess the flexibility to adapt to changing needs. Many organisations face the challenge of developing a user-centric architecture while simultaneously fostering a strong culture of security.
5 ITSEAG (Trusted Information Sharing Network), Leading Practices and Guidelines for Enterprise Security Governance, 2006, http://www.dcita.gov.au/ data/assets/pdf_file/41308/IT_Security and Governance.pdf
6 L Friedman & H Gyr, ‘Business Strategy Tools for OD Practitioners: Creating the Dynamic Enterprise’, Vision/Action Journal of the Bay Area OD Network, 1998
A particular challenge for Enterprise Architecture today is convergence: the integration of elements and functionalities within the Enterprise Architecture, including:
• An increasing interconnectedness of organisations through shared networks;
• Deployment of service oriented architectures (SOA);
• Simplification of applications through the use of ubiquitous web interfaces;
• Integration of voice and data networks on single infrastructures; and
• Wide deployment of multifunctional handheld and network devices.
Convergence offers organisations numerous advantages such as enhanced operational efficiency, faster market delivery, improved customer service, and quicker returns on investment. However, the elimination of security barriers from traditionally defined and segregated organisational structures introduces substantial challenges, including:
• Potential degradation in quality of service over shared infrastructure;
• Issues associated with distribution of and added complexity to authentication and authorisation mechanisms;
• Increased points through which systems and organisations can be attacked;
• Increased confusion about where and to whom responsibility and accountability apply; and
• Incident detection and response issues in interconnected environments with many external parties.
Critical business information is increasingly stored on devices like laptops, PDAs, USB keys, and portable hard drives, which often fall outside the traditional secure perimeter of an organisation. This perimeter is evolving to encompass customers, suppliers, business partners, and a mobile workforce, redefining today's security boundary as a ‘mobile perimeter’ that increases enterprise risk. In order to manage the secure evolution of this perimeter, the adoption of an enterprise-wide, strategic approach to information security is critical.
Relationship between Principles of Information Security, Enterprise Architecture and Convergence
In today's landscape, safeguarding enterprise information—both physical and electronic—from leakage, accidental or malicious destruction, and unauthorised alteration is increasingly challenging. Establishing a robust governance framework is essential for effectively managing security risks and ensuring clear distribution of responsibilities.
In meeting these contemporary challenges, the IT Security Expert Advisory Group* of the Trusted Information Sharing Network† has developed this resource, which includes:
• Seven key information security principles (as noted above and illustrated in the outer ring in the image above) for developing an enterprise strategy for information security;
• Approaches for linking these seven key information security principles to your enterprise architecture (as shown by the inner ring in the image above);
• Recommendations for information security to ensure the integration of security controls throughout the categories of ‘people, process and technology’; and
• A self-assessment checklist for validating an enterprise strategy for information security.
To ensure that information security is effectively integrated within an organization, it is essential to adhere to key principles that address security considerations in the context of Enterprise Architecture.
Each principle is accompanied by a series of recommendations designed for implementation across an organisation. Practical case studies demonstrate how these recommendations can be effectively applied in real-world situations pertinent to critical infrastructure organisations.
This article explores the application of key principles in the realm of Enterprise Architecture, specifically focusing on Security Architecture Development. It systematically follows a well-known Enterprise Architecture development process, examining each phase in detail. Throughout the discussion, it highlights important considerations related to information security principles, supplemented by practical examples that illustrate their implementation.
Technical case studies on convergence demonstrate the practical application of architectural principles through modern examples of design evolution, highlighting various components of architecture.
• Information Systems Architecture (Data and Application Architecture);
• Technology Architecture (Technical Architecture); and
Convergence is reshaping the information landscape for critical infrastructure organisations, yet the fundamental principles for securing this information remain consistent. As the impacts of convergence become increasingly evident, applying ‘first principles’ can ensure that security architecture remains enforceable, measurable, and effective in safeguarding the organisation.
This paper outlines the business and technology context essential for developing an enterprise strategy for information security. The subsequent sections can be examined separately for a focused understanding.
The section titled ‘Principles of Information Security’ outlines key principles accompanied by best-practice recommendations for effective implementation across the organisation. Each recommendation includes specific action items that demonstrate practical steps for execution.
Figure 1: Principles of information security structure
This section includes various case studies that illustrate the practical application of the principles discussed, highlighting how these principles can help prevent issues in real-life scenarios.
The second section, entitled ‘Security Architecture Development’, applies the information security principles within the context of Enterprise Architecture development.