A Security Architecture Framework provides a comprehensive view of security in the enterprise. It should be the reference model for the structure of every security architecture artifact delivered, and all designs should be based on it.
The security architecture framework can be grouped into four categories: Core Security Services, Governance, Technology and Process.
Core Security Services is the logical grouping of security areas. It may include, but is not limited to, services related to directory, identity, authentication, access attestation, user provisioning, authorization, firewall, facilities security, digital signature, data masking, data integrity, key management, asymmetric & symmetric encryption, event logging & management, threat & vulnerability management, incident handling & response, business continuity & recovery, intrusion detection & prevention, URL/web content filtering, data leakage prevention and endpoint protection.
At the Governance level, security policies, standards and principles are defined for the Core Security Services above, along with the various roles and responsibilities across the enterprise. Security metrics are collected and the performance of the whole security program is managed at this level, which supports managing risk at the enterprise level. Governance should also drive the security education and awareness program for the enterprise.
The Technology category specifies the reference architecture: the desired technical positions and recommendations for the identified Core Security Services in the enterprise. It should be based on the strategic criteria set by Governance. Technical positions should offer options based on business need and existing industry practice, built on the principle of best-of-need rather than best-of-breed. The structure of the security design document (SDD), which provides the methodology for integrating the reference architecture with the existing corporate system development life cycle (SDLC), should be defined at this level. An SDD should be a deliverable for each and every project implementation in the enterprise, and it includes the threat risk analysis for the project.
The Process domain defines the operational aspects of the Core Security Services. The processes for each service are based on the governance criteria and the architectural constraints set in the Governance and Technology categories.