Designing secure organizations. Risk management, Enterprise security management and ArchiMate.

<p>No one is allowed to enter the building without proper authorization; all incoming e-mail messages are filtered; personal computers that are used to store sensitive data do not have a direct connection to the internet, and therefore cannot be accessed remotely. With these <strong>enterprise security</strong> rules, we have ensured that our private information is safe, right? Wrong!</p>
<p>Cyber-attacks are getting increasingly sophisticated, using a combination of digital, physical and social engineering techniques. A typical example is the so-called “road apple attack”. A would-be intruder “accidentally” leaves a USB flash drive – with company logo – in a public spot such as the company car park. An employee picks it up, and chances are that he will not be able to suppress his curiosity and will plug it into his PC. Surprise: the drive is infected with malware which, unless proper measures have been taken, will infect the PC and send sensitive information to the intruder.</p>
<p><img class="left" src="http://www.bizzdesign.com/assets/BlogDocuments-2/_resampled/resizedimage600395-Risk-Management.png" width="600" height="395" alt="" title=""/></p>
<p>Of course, there are several ways to prevent this from happening. The system administrator may decide to disable the use of USB drives altogether, but perhaps this is too restrictive and will cause employees to find ways to circumvent it. Or perhaps a policy against the use of unverified storage devices suffices, if people are disciplined enough to comply with it… There is no easy way to determine how much security is enough, and how much is too much. In other words, how do we find the optimal position in the trade-off between security, usability and costs?</p>
<p>Most present-day security and <strong><a title="risk management, security measures" href="http://www.bizzdesign.com/consultancy/governance-risk-and-compliance/">risk management</a></strong> approaches are based on checklists, heuristics and best practices. Security measures are applied in a bottom-up way, often neglecting the social aspects. This may lead to an overkill of preventive security measures, even in cases where cheaper (and less intrusive) curative measures would suffice. On the other hand, less obvious threats or vulnerabilities in the organization may easily be overlooked.</p>
<div class="captionImage left" style="width: 424px;"><img class="left" src="http://www.bizzdesign.com/assets/BlogDocuments-2/Enterprise-security-management-ArchiMate.png" alt="Enterprise Security Management" title="enterprise security management, model-based approach" width="424" height="458"/><p class="caption">Enterprise security management, ArchiMate core</p></div>
<p>To avoid this, we advocate a model-based approach to <strong>enterprise security management</strong>, in which security aspects are fully integrated in the design chain: from strategy and business model, through enterprise architecture, to the design and implementation of the organization and its IT support. For this purpose, risk-related concepts are included in existing architecture and design languages. At the <strong><a title="enterprise architecture, ArchiMate" href="http://www.bizzdesign.com/consultancy/enterprise-architecture-management/">enterprise architecture</a></strong> level, <strong><a title="ArchiMate open standard" href="http://www.bizzdesign.com/consultancy/enterprise-architecture-management/archimate/">ArchiMate</a></strong>, as a broadly accepted open standard (with available tool support) that is suitable for describing business and IT aspects in an integrated way, is an obvious choice. Architectures described in <strong><a title="ArchiMate goals, principles and requirements" href="http://www.bizzdesign.com/consultancy/enterprise-architecture-management/archimate/">ArchiMate</a></strong> can be linked to goals, principles and requirements, and to detailed design models expressed in languages such as BPMN or UML. The resulting models provide the input for risk and vulnerability analysis, highlighting the areas in the architecture that are most susceptible to attack. In addition, they guide the design of effective and efficient security measures.</p>
<p>With this approach, <strong><a title="BiZZdesign the Netherlands Contact" href="http://www.bizzdesign.com/contact/netherlands/">BiZZdesign</a></strong> can help you to design a secure organization – without unduly restricting your people in their daily work.</p>
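As an added example (not BiZZdesign's code or tooling), the Python sketch below shows what "using the architecture model as input for risk analysis" can look like for the road-apple scenario above: a small ArchiMate-like graph of the affected elements, a reachability check for the attack path from the USB drive to the sensitive data and out to the internet, and a comparison of the preventive and curative measures mentioned in the post on residual risk, cost and usability. All element names, measures and figures are constructed assumptions, not values from the post.

```python
from collections import deque
from itertools import combinations

# Constructed ArchiMate-like model: each element maps to where a payload or data can go next.
MODEL = {
    "usb_drive": {"employee_pc"},
    "employee_pc": {"file_share", "office_network"},
    "file_share": {"sensitive_data"},
    "sensitive_data": {"employee_pc"},  # data is read back onto the infected PC
    "office_network": {"internet"},
}
ENTRY, ASSET, EXIT = "usb_drive", "sensitive_data", "internet"
LIKELIHOOD, IMPACT = 0.4, 100.0  # constructed: chance per year, loss in k EUR

# Constructed measures: (kind, parameter, yearly cost, usability penalty). Preventive
# measures cut a flow; the policy only helps when staff comply; the curative one limits loss.
MEASURES = {
    "disable_usb": ("cut", ("usb_drive", "employee_pc"), 2.0, 10.0),
    "storage_policy": ("comply", 0.7, 1.0, 2.0),
    "incident_response": ("limit", 0.3, 4.0, 1.0),
}

def reachable(model, src, dst):
    """Breadth-first search: can a payload or data get from src to dst in the model?"""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in model.get(node, set()) - seen:
            seen.add(nxt)
            queue.append(nxt)
    return False

def evaluate(chosen):
    """Return (residual risk, cost, usability penalty) for a set of measure names."""
    model = {k: set(v) for k, v in MODEL.items()}
    likelihood, impact, cost, usability = LIKELIHOOD, IMPACT, 0.0, 0.0
    for name in chosen:
        kind, param, c, u = MEASURES[name]
        cost, usability = cost + c, usability + u
        if kind == "cut":
            model[param[0]].discard(param[1])
        elif kind == "comply":
            likelihood *= 1 - param  # only non-compliant staff plug the drive in
        else:
            impact *= param  # damage is contained rather than prevented
    attack_path = reachable(model, ENTRY, ASSET) and reachable(model, ASSET, EXIT)
    return (likelihood * impact if attack_path else 0.0), cost, usability

def best_measure_set(max_size=2):
    """Measure combination minimising residual risk + cost + usability penalty."""
    options = [()] + [c for n in range(1, max_size + 1)
                      for c in combinations(sorted(MEASURES), n)]
    return min(options, key=lambda s: sum(evaluate(s)))
```

With these constructed figures the cheaper policy-plus-curative combination scores better than disabling USB outright, which is the kind of trade-off the model-based analysis is meant to make visible.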