2 Relationship to Other IT Security and Risk Standards

This chapter documents relationships among selected standards in this subject area.

2.1 ISO/IEC 27001:2013: Information Security Management

ISO/IEC 27001:2013 is a standard that “specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system within the context of the organization. This International Standard also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.” [4]

The core concepts of ISO/IEC 27001:2013 are taken as a basis for the ISM process in this Guide. That standard describes a sound security management process and helps readers understand the logic behind the specific risk concepts that are needed in the TOGAF framework. However, no fixed mapping has been made to that standard; it is regarded as a good reference that is very useful for this work.

2.2 ISO 31000:2009: Risk Management – Principles and Guidelines

ISO 31000:2009 [6] sets out principles, a framework, and a process for the management of risk that are applicable to any type of organization in the public or private sector. It does not mandate a “one size fits all” approach, but rather emphasizes the fact that the management of risk must be tailored to the specific needs and structure of the particular organization. It has a related standard IEC 31010:2009 [7] that describes examples of qualitative risk assessment methods.

The core concepts of ISO 31000:2009 are taken as a basis for the ERM process in this Guide. Just as with ISO/IEC 27001:2013, no fixed mapping has been made to that standard, but it is regarded as a good reference that is very useful for this work.

2.3 National Cybersecurity Frameworks

Internationally there are many country-specific cybersecurity standards. A leading example is the NIST Cybersecurity Framework, introduced in 2014. This framework aims to help organizations in critical infrastructure sectors to reduce risk and protect their critical infrastructure. The NIST Cybersecurity Framework groups security functions into five areas: Identify, Protect, Detect, Respond, and Recover. Many of the security and risk concepts introduced in this Guide and in future work (including the Security Services Catalog) will be highly useful to Security Architects in critical infrastructure areas seeking to integrate security and risk into their TOGAF Standard practices and into their Enterprise Architectures.

2.4 COBIT®

“COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT. Simply stated, it helps enterprises create optimal value from Information Technology (IT) by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 for Information Security builds on the COBIT 5 framework in that it focuses on information security and provides more detailed and more practical guidance for information security professionals and other interested parties at all levels of the enterprise.” [10]

COBIT 5 for Information Security is regarded as a relevant framework for security governance. However, in this Guide the structure of ISO/IEC 27001:2013 is used because that is a broader recognized definition of a security management system.

2.5 O-ESA

The Open Enterprise Security Architecture (O-ESA) standard [14], published by The Open Group in 2011, is a reference Security Architecture and a guide to building a security program. It contains useful information on information security governance, security principles, and the technology components and services needed in Security Architectures, and this reference architecture can also be applied to support the implementation of security and risk in Enterprise Architectures using the TOGAF Standard.

2.6 O-ISM3

The Open Information Security Management Maturity Model (O-ISM3) standard [9], published by The Open Group in 2011, describes a process-based approach towards building and operating an Information Security Management System (ISMS). Successful operation of the ISMS is generally a prerequisite for Enterprise Architectures to meet the security objectives established by an organization. A chapter of the Security Architecture Practitioners Guide will be devoted to the relationship between Enterprise Architecture, the TOGAF Standard, and ISMSs. The O-ISM3 standard defines security services as strategic, tactical, or operational processes, and provides a metrics-based approach to continuous improvement of the processes. Many of the services or processes described in the O-ISM3 standard are expected to be referenced in the Security Services Catalog Project as well.

2.7 Open FAIR

The Open FAIR Body of Knowledge comprises the Risk Taxonomy (O-RT) Standard [15] and the Risk Analysis (O-RA) Standard [16]. These standards help organizations to better measure their information security and operational risks. The Open FAIR quantitative risk analysis approach is highly useful during threat assessments and helps to understand the impact of threat mitigation options during the ADM cycle. Open FAIR can be thought of as a tool or technique in analyzing risk throughout the TOGAF ADM.

2.8 SABSA®

SABSA is a methodology for developing risk-driven enterprise information security and information assurance architectures and for delivering security infrastructure solutions that support critical business initiatives. It is an open standard, comprising a number of frameworks, models, methods, and processes. As an Enterprise Security Architecture framework, it allows for the usage of existing standards and practices (such as ISO/IEC 27001:2013, COBIT, and ISO 31000:2009) within the Security Architecture. SABSA is free for use by all, with no licensing required for end-user organizations that make use of the standard in developing and implementing architectures and solutions.

SABSA is well described in the SABSA® Blue Book [2]. In addition, new SABSA thinking is published at www.sabsa.org [3]. The fundamental idea behind SABSA is that the Security Architecture is there to facilitate the business. This is in line with TOGAF concepts.
