Integrating Risk and Security within a TOGAF^® Enterprise Architecture

The Open Group

The Open Group is a global consortium that enables the achievement of business objectives through technology standards. With more than 870 member organizations, we have a diverse membership that spans all sectors of the technology community – customers, systems and solutions suppliers, tool vendors, integrators and consultants, as well as academics and researchers.

The mission of The Open Group is to drive the creation of Boundaryless Information Flow™ achieved by:

• Working with customers to capture, understand, and address current and emerging requirements, establish policies, and share best practices
• Working with suppliers, consortia, and standards bodies to develop consensus and facilitate interoperability, to evolve and integrate specifications and open source technologies
• Offering a comprehensive set of services to enhance the operational efficiency of consortia
• Developing and operating the industry’s premier certification service and encouraging procurement of certified products

Further information on The Open Group is available at www.opengroup.org.

The Open Group publishes a wide range of technical documentation, most of which is focused on development of Standards and Guides, but which also includes white papers, technical studies, certification and testing documentation, and business titles. Full details and a catalog are available at www.opengroup.org/library.

The SABSA^® Institute

The SABSA Institute is the professional member and certification body for Enterprise Security Architects of all specialisms and at all career levels. It governs the ongoing development and management of SABSA intellectual property and the associated certification and education programs worldwide.

The SABSA Institute envisions a global business world of the future, leveraging the power of digital technologies, enabled in the management of information risk, information assurance, and information security through the adoption of SABSA as the framework and methodology of first choice for commercial, industrial, educational, government, military, and charitable enterprises, regardless of industry sector, nationality, size, or socio-economic status, and leading to enhancements in social well-being and economic success.

Further information on The SABSA Institute can be found at www.sabsa.org.

The TOGAF^® Standard, a Standard of The Open Group

The TOGAF Standard is a proven enterprise methodology and framework used by the world’s leading organizations to improve business efficiency.

This Document

This document is a TOGAF^® Series Guide to Integrating Risk and Security within a TOGAF Enterprise Architecture. It provides guidance for security practitioners and Enterprise Architects who need to work with the TOGAF Standard, a standard of The Open Group, to develop an Enterprise Architecture. It has been developed and approved by The Open Group Security Forum.

Integrating security and risk management in Enterprise Architecture strongly supports The Open Group vision of Boundaryless Information Flow™, by informing well-justified design decisions, which maximize business opportunity whilst minimizing business risk.

This document is structured as follows:

• Chapter 1 provides a high-level introduction to this Guide, introducing the topic of Enterprise Security Architecture, how it relates to Enterprise Architecture, and how this Guide supports the TOGAF Standard
• Chapter 2 describes the relationship with other IT security and risk standards
• Chapter 3 describes the concept of Enterprise Security Architecture in detail; it describes Information Security Management (ISM) and Enterprise Risk Management (ERM), two processes used by Security Architects
• Chapter 4 describes Security Architecture, which is a cross-cutting concern, pervasive through the whole Enterprise Architecture
• Chapter 5 explains in detail the core security concepts and how they can be applied for each phase of the TOGAF ADM

The intended audience for this document is as follows:

• Enterprise Architects, Security Architects

More information is available, along with a number of tools, guides, and other resources, at www.opengroup.org/architecture.

About the TOGAF^® Series Guides

The TOGAF^® Series Guides contain guidance on how to use the TOGAF Standard and how to adapt it to fulfill specific needs.

The TOGAF^® Series Guides are expected to be the most rapidly developing part of the TOGAF Standard and are positioned as the guidance part of the standard. While the TOGAF Fundamental Content is expected to be long-lived and stable, guidance on the use of the TOGAF Standard can be industry, architectural style, purpose, and problem-specific. For example, the stakeholders, concerns, views, and supporting models required to support the transformation of an extended enterprise may be significantly different than those used to support the transition of an in-house IT environment to the cloud; both will use the Architecture Development Method (ADM), start with an Architecture Vision, and develop a Target Architecture on the way to an Implementation and Migration Plan. The TOGAF Fundamental Content remains the essential scaffolding across industry, domain, and style.

Trademarks

ArchiMate, DirecNet, Making Standards Work, Open O logo, Open O and Check Certification logo, Platform 3.0, The Open Group, TOGAF, UNIX, UNIXWARE, and the Open Brand X logo are registered trademarks and Boundaryless Information Flow, Build with Integrity Buy with Confidence, Commercial Aviation Reference Architecture, Dependability Through Assuredness, Digital Practitioner Body of Knowledge, DPBoK, EMMM, FACE, the FACE logo, FHIM Profile Builder, the FHIM logo, FPB, Future Airborne Capability Environment, IT4IT, the IT4IT logo, O-AA, O-DEF, O-HERA, O-PAS, Open Agile Architecture, Open FAIR, Open Footprint, Open Process Automation, Open Subsurface Data Universe, Open Trusted Technology Provider, OSDU, Sensor Integration Simplified, SOSA, and the SOSA logo are trademarks of The Open Group.

COBIT is a registered trademark of ISACA, registered in the United States and other countries.

SABSA is a registered trademark of The SABSA Institute.

All other brands, company, and product names are used for identification purposes only and may be trademarks that are the sole property of their respective owners.

Acknowledgements

(Please note affiliations were current at the time of approval.)

The Open Group gratefully acknowledges the contribution of the following people in the development of this Guide (in alphabetical order):

• Geoff Besko, Seccuris: Co-lead
• Randy Caraway, HP
• Piotr Ciepiela, Ernst & Young
• Pascal de Koning, i-to-i: Co-lead
• Thorbjørn Ellefsen, DIFI
• Brian Golumbeck, HP
• Kirk Hansen, Kirk Hansen Consulting
• Jim Hietala, The Open Group: VP, Business Development and Security
• David Hornford, Conexiam
• Andrew Josey, The Open Group: VP, Standards and Certification
• Christian Mark, IBM Security: Co-lead
• Robert Martin, MITRE
• Martin W. Murhammer, IBM
• Matthew Olsen, Ernst & Young
• Miroslaw Ryba, Ernst & Young
• John Sherwood, Founder, The SABSA Institute: Lead SABSA Contributor
• John Sluiter, PricewaterhouseCoopers (PwC)
• Eric Stephens, Oracle
• Tony Yin, HP

Where appropriate, this Guide includes excerpts from the SABSA^® Blue Book [2] and the TOGAF^® and SABSA^® Integration White Paper [13], with the full approval and permission of The SABSA Institute.

Referenced Documents

The following documents are referenced in this TOGAF^® Series Guide:

(Please note that the links below are good at the time of writing but cannot be guaranteed for the future.)

[1] The TOGAF^® Standard, 10^th Edition, a standard of The Open Group (C220), published by The Open Group, April 2022; refer to: www.opengroup.org/library/c220.

[2] SABSA^® Blue Book: Enterprise Security Architecture: A Business-Driven Approach, by John Sherwood, Andy Clark, David Lynas, 2005.

[3] The SABSA^® Institute: www.sabsa.org.

[4] ISO/IEC 27001:2013: Information Security Management; refer to: www.iso.org/iso/home/standards/management-standards/iso27001.htm.

[5] ISO/IEC 27002:2013: Information Technology – Security Techniques – Code of Practice for Information Security Controls; refer to: www.iso.org/iso/catalogue_detail?csnumber=54533.

[6] ISO 31000:2009: Risk Management – Principles and Guidelines; refer to: www.iso.org/iso/home/standards/iso31000.htm.

[7] IEC 31010:2009: Risk Management – Risk Assessment Techniques; refer to: www.iso.org/iso/catalogue_detail?csnumber=51073.

[8] ArchiMate^® 3.1 Specification, a standard of The Open Group (C197), published by The Open Group, November 2019; refer to: www.opengroup.org/library/c197

[9] Open Information Security Management Maturity Model (O-ISM3), a standard of The Open Group (C102), published by The Open Group, February 2011; refer to: www.opengroup.org/library/c102.

[10] Control Objectives for Information and Related Technology (COBIT^®), Version 5.0, IT Governance Institute, 2012.

[11] An Enterprise Architecture and Data Quality Framework, Jerome Capirossi, NATEA Consulting and Pascal Rabier, La Mutuelle Generale, 2007; accessed at: http://innovation-regulation2.telecom-paristech.fr/wp-content/uploads/2007/05/DEDM13_An-Enterprise-Architecture-and-Data-quality-framework.pdf.

[12] Modeling Enterprise Risk Management and Security with the ArchiMate^® Language, White Paper (W150), published by The Open Group, January 2015; refer to: www.opengroup.org/library/w150.

[13] TOGAF^® and SABSA^® Integration: How SABSA and TOGAF complement each other to create better architectures, White Paper (W117), published by The Open Group, October 2011; refer to: www.opengroup.org/library/w117.

[14] Open Enterprise Security Architecture (O-ESA): A Framework and Template for Policy-Driven Security, The Open Group Guide (G112), published by Van Haren Publishing, April 2011; refer to: www.opengroup.org/library/g112.

[15] Risk Taxonomy (O-RT) Version 2.0, a standard of The Open Group (C13K), published by The Open Group, October 2013; refer to: www.opengroup.org/library/c13k.

[16] Risk Analysis (O-RA), a standard of The Open Group (C13G), published by The Open Group, October 2013; refer to: www.opengroup.org/library/c13g.