Information Security Architecture

InfoSec Requirements Integration

  • Enterprise Architecture [CNSSI 4009]
    The description of an enterprise’s entire set of information systems: how they are configured, how they are integrated, how they interface to the external environment at the enterprise’s boundary, how they are operated to support the enterprise mission, and how they contribute to the enterprise’s overall security posture.
  • Information Security Architecture
    An embedded, integral part of the enterprise architecture that describes the structure and behavior for an enterprise’s security processes, information security
    systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic
  • Enterprise architecture also promotes the concepts of segmentation, redundancy, and elimination of single points of failure—all concepts that can help organizations more effectively manage risk.
  • The Federal Enterprise Architecture (FEA) defines a collection of interrelated reference models including Performance, Business, Service Component, Data, and Technical as well as more detailed segment and solution architectures that are derived from the enterprise architecture.
    • Organizational assets (including programs, processes, information, applications, technology, investments, personnel, and facilities) are mapped to the enterprise-level reference models to create a segment-oriented view of organizations.
    • Segments are elements of organizations describing mission areas, common/shared business services, and organization-wide services. From an investment perspective, segment architecture drives decisions for a business case or group of business cases supporting specific mission areas or common/shared services. The primary stakeholders for segment architecture are mission/business owners.
    • Following closely from segment architecture, solution architecture defines the information technology assets within organizations used to automate and improve mission/business processes. The scope of solution architecture is typically used to develop and implement all or parts of information systems or business solutions, including information security solutions. The primary stakeholders for solution architectures are information system developers and integrators, information system owners, information system/security engineers, and end users.

Source: NIST SP800-39


Leave a Reply