Enterprise security refers to the part of enterprise security architecture focused on information security throughout the enterprise. It is the practice of applying a comprehensive and rigorous method for describing the structure and behavior of an organization's security processes, information security systems, personnel and organizational sub-units, so that they align with the organization's core goals and strategic direction. Enterprise security architecture is becoming a common practice within the financial institutions industry. The primary purpose of creating an enterprise information security architecture is to ensure that business strategy and IT security are aligned. In essence, enterprise security architecture provides traceability from the business strategy down to the underlying technology.
A strong enterprise security architecture process helps to answer the following basic questions:
- What is the information security risk exposure of the organization?
- Is the current architecture supporting and adding value to the security of the organization?
- How could the security architecture be modified so that it adds more value to the organization?
- Based on what we know about what the organization wants to accomplish in the future, will the current security architecture support or hinder that?
Implementing enterprise security architecture usually starts with documenting the organization's strategy and where and how it operates. The process then documents discrete core competencies, business processes, and how the organization interacts with itself and with external parties such as customers, suppliers, and government entities. After the organization's strategy, structure, and architecture process are documented, the discrete information technology components are documented next, such as:
- Organization charts, activities, and process flows of how the IT organization operates
- Organization cycles, periods and timing
- Suppliers of technology hardware, software, and services
- Applications and software inventories and diagrams
- Interfaces between applications – that is: events, messages and data flows
- Intranet, Extranet, Internet, eCommerce, EDI links with parties within and outside of the organization
- Data classifications, databases and supporting data models
- Hardware, platforms, and hosting: servers, network components and security devices, and where they are kept
- Local and wide area networks, Internet connectivity diagrams