Enterprise information security infrastructure
Here is some information you need to know about enterprise information security architecture and how to start planning it.
A major trend in enterprise security is to create and adopt an enterprise information security architecture. However, most of what is written on this topic is vague, which leaves IT professionals wondering what an enterprise information security architecture even is, let alone how to implement one. This article tries to simplify things to help enterprises understand what an enterprise information security architecture consists of and how to put it into practice.
To understand what an enterprise information security architecture is and why it is useful, it is necessary to take a step back and examine the traditional way of doing IT security in the enterprise. Historically, enterprise security has meant making the organization as secure as the IT budget allows. IT professionals use various policies, procedures and products to harden the organization against perceived threats (or to satisfy regulatory requirements).
The enterprise information security architecture attempts to directly bring the IT department's security methods in line with the business needs of the organization. This approach has two main advantages.
First, implementing the enterprise information security architecture forces the IT department to focus on the security challenges that affect the business most. Instead of pursuing the latest security trend, it focuses on the most important issues of business.
Second, enterprise information security architecture involves more than deciding which security products to buy or which security challenges to focus on. The model is closely tied to the business; it becomes a key part of how the organization does things. This way of thinking makes security a part of the business decision-making process.
There is no universal solution.
Of course, this raises the question of how an organization should go about implementing an enterprise information security architecture. It is important to understand that enterprise information security architecture is a general term: there is no single, fixed process that defines what it means for an organization to implement the model.
So, if there is no clear standard, how does a security-conscious organization implement an enterprise information security architecture? Fortunately, several frameworks are available. Some of the more popular ones include SABSA, COBIT and TOGAF.
To describe these frameworks, it helps to take a brief detour into something seemingly unrelated. If you have worked in IT for some time, you have probably heard of the Open Systems Interconnection (OSI) model. The OSI model defines the layers of the network stack: application, presentation, session, transport, network, data link and physical. Each layer has a specific job to do, and each layer is designed to interface with the layer above it and the layer below it.
Generally speaking, the frameworks mentioned above also use a layered approach to define a security architecture. For example, the SABSA framework includes layers such as the contextual, conceptual, logical, physical and component security architectures. Together these layers make up the overall security framework.
In general, various frameworks provide things like architecture diagrams, flowcharts and documents. These resources can be used to drive the realization of enterprise information security architecture within the organization.
Keep in mind that there is no rule that an organization must strictly follow one of these frameworks. An organization may choose to design its own architecture or combine two or more available frameworks into a mashup.
No matter how the organization chooses to approach its enterprise information security architecture, the goal should always be to link the organization's security work with its key business objectives. For example, if an enterprise wants to declare that its online store must always be available for customers, the next step of the process will be to identify the risks that may affect the availability of the resource.
Some risks have nothing to do with security but still drive IT decisions in other ways. For example, a power failure at the organization's data center may affect the availability of the online store, so the IT department needs to develop a plan to mitigate that risk. Similarly, a denial-of-service attack may prevent customers from reaching the online store. In this case, the denial-of-service attack is a recognized security risk that is directly tied to a key business objective, which gives the IT department a clear reason to focus on defending against denial-of-service attacks.
(source: Computer room 360)