Monday, June 29, 2020

What to include in information security architecture?

Architecture, according to the ancient Greek architect Vitruvius, rests on three main principles: strength, usefulness and beauty. In the 15th century, Alberti added a fourth: expediency. For hundreds of years these principles have not changed. An architecture should consist of interconnected components combined into a single whole (strength). It should follow the principle that "everything ingenious is simple" and avoid complex and, as a result, ugly solutions and approaches (beauty). And it should be not only beautiful, but also aimed at achieving goals that have value to its owners (usefulness and expediency).

The content of an information security architecture is usually divided into five logical parts:

Information. In this section we define the classification of information from the information security point of view, describe the forms in which it is presented, and so on. This keeps us from forgetting that information exists not only as files or e-mails, but also as a telephone conversation, a video session, a paper document and even spoken words (for example, at a meeting of the board of directors).

Infrastructure. This section helps us understand where the information to be protected circulates. This includes not only computers, telecommunications equipment and system software, but also office equipment, archives, offices and any other places where the protected information is created, processed, stored, transmitted or handed over.

Information systems. This section shows in which application systems the data the business needs is processed, analyzed and consolidated. These can be ERP, CRM, SCM and SCADA systems, billing and many other types of application software. If the company has adopted a service management methodology (for example, ITIL), this section also covers the services that the various departments (IT, marketing, etc.) provide to the business.

Information security. This section defines how information security will achieve its goals. No technical details are required here; rather, it describes the key areas of activity and the principles by which information security is ensured. In particular: what is the policy on security tools, are they developed in-house or purchased as ready-made solutions? How will the tasks be carried out, by the company's own staff or with outsourcing? Will a service level agreement be used? And so on.

Information security department. This section describes the goals of the information security department, its tasks, structure, personnel management methods and other similar issues.
When developing the architecture, an analysis of the current state of information security at the enterprise should be carried out. Answering the question "as is" helps pave the way to answering the question "how it should be" (see Fig. 3); therefore, each of the logical sections of the architecture described above contains two subsections, "as is" and "to be".

It is worth restating business goals in this architecture only if the company has no documented business strategy. In that case the key points should be reflected in the information security architecture, so that the source data from which we build is clear.
