Fri Apr 8 06:51:39 PDT 2016

Control Architecture: When is a systematic security architecture created and updated?


Options:

Option 1: Never create a security architecture.
Option 2: Create or update security architecture as part of enterprise information infrastructure design or redesign.
Option 3: Create or update security architecture based on changing operational modes.
Option 4: Periodically revisit security architecture as technology and systems change.
Option 5: Continuously update security architecture.
Option 6: Create a security architecture.

Decision:

IF risks are low, THEN Never create a security architecture.
OTHERWISE IF large-scale information infrastructure changes are being made, THEN Create or update security architecture as part of enterprise information infrastructure design or redesign.
OTHERWISE IF the business moves over a size threshold (typically small to medium, medium to large, and at or around $1B), THEN Create or update security architecture based on changing operational modes.
OTHERWISE IF a security architecture is already in place, THEN Periodically revisit security architecture as technology and systems change.
OTHERWISE IF risks are high, THEN Continuously update security architecture.
OTHERWISE Create a security architecture.

Basis:

Never create a security architecture.
A substantial amount of time and effort as well as other resources are required to create a security architecture. Unless risks justify getting systematic, the benefits don't warrant the costs.

Create or update security architecture as part of enterprise information infrastructure design or redesign.
Whenever a major redesign is undertaken, it is an ideal time to architect security along with the new infrastructure. Doing so integrates protection issues into the enterprise infrastructure design, saves the time and money that retrofits would otherwise cost, and avoids unnecessarily weak protection. The added cost will be small compared to the cost of the rest of the effort, and the benefits will likely be large.

Create or update security architecture based on changing operational modes.
As businesses change the manner in which they operate, which most often happens when they pass particular thresholds of size, or when they go public, it becomes important to re-evaluate issues related to information protection to meet the substantial changes in the way management and operations function.

Periodically revisit security architecture as technology and systems change.
At least once a year, the existing security architecture should be reviewed for needed changes. In addition, for enterprises at the Defined maturity level or higher, the enterprise inventory and risk control processes should define workflows that trigger an architectural review whenever the risks associated with a change justify such a revisitation.

Continuously update security architecture.
For high-risk situations, the security architecture should be intimately tied to every element of design and operation, and minor adaptations to each should be made in concert with the others over time. However, these changes should be made at the design level whenever possible; even if the architecture is revisited often, architectural changes should only be made when justified.

Create a security architecture.
All other things being equal, if no security architecture is in place, and if none of the other conditions hold, a security architecture should be put in place.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved