Enterprise Architecture Body of Knowledge
Organizational Scope and Structure of EA

Security and Risk Management

Authors: Leila Halawi, DBA and Saurabh Mittal, PhD

Enterprise architecture (EA) is widely accepted as an essential mechanism for ensuring agility and consistency, compliance and efficiency. It helps organizations manage change and improve accountability. EA integrates multiple models and pieces such as information architecture, process architecture, business architecture, systems architecture and technology architecture.

Security failures are costly to businesses. There is no general consensus on what a security architecture is or why an organization needs one, and little appreciation of what a security architecture comprises and how central it can be to defining and implementing a security strategy. Most security concerns are handled by the organization's cybersecurity function, but anecdotal evidence suggests that many organizations do not have a well-defined cybersecurity posture. Nonetheless, the key goal of security is clear: reduce adverse impacts on the organization to an acceptable level. Security is one component of enterprise risk management, so the techniques, methods and metrics used to define security risks should be viewed within the larger context of risk management.

Security is another domain that must be considered in an enterprise architecture; federal EA frameworks such as the Federal Enterprise Architecture Framework (FEAF) have explicit domains in their metamodels (FEAF's Security Reference Model) to describe the security concerns of an enterprise architecture. Any enterprise security architecture should focus on supporting business objectives while offering a functional and balanced approach to risk management. There is no single blueprint for a security architecture; nonetheless, there are common elements of security and risk management architecture that organizations should consider when developing their plans.

Risk management is the ultimate objective of all information security activities and indeed of all organizational assurance efforts. A successful risk management program is one that efficiently, effectively and consistently meets expectations and attains its defined objectives. Risk identification consists of identifying vulnerabilities and the threats that exploit them. The as-is EA enumerates the various types of IT assets the organization has, and this inventory helps determine which vulnerabilities exist in the face of current threats; an asset that appears in a risk assessment but not in the as-is EA is itself a finding, because an unknown asset cannot be protected or assessed. Through the EA and a security implementation strategy, the impact of assets being compromised can be mitigated and, in well-managed EA efforts, controlled. The risk management aspect of EA brings together the cybersecurity concerns, the relevant security standards and their alignment with business operations so that impact assessment and resiliency can be planned in advance. For example, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) view of enterprise risk management is that every constituent asset of the EA brings value to the larger EA and faces uncertainty at many levels. The challenge continues to be developing EA management practices that maximize the value of the constituent assets for the interested stakeholders.
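The identification-to-mitigation chain above (assets from the as-is EA, vulnerabilities, the threats that exploit them, the impact of compromise, and the controls that reduce it) is what a risk register records. The following is an added illustration, not code from the EABOK text or its references: it joins a constructed asset inventory, threat catalog, vulnerability list and control list into a register, scores inherent and residual risk on 1 to 5 qualitative consequence and likelihood scales of the kind ISO/IEC 31010 describes (the scales, the multiplicative scoring, the risk appetite threshold and all asset, threat and control names are assumptions chosen for the example), and reports any vulnerability that references an asset missing from the as-is inventory as an inventory gap rather than silently dropping it.

```python
"""Risk register built from an as-is EA asset inventory.

Added example for illustration only; every asset, threat, vulnerability,
control and scale value below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    domain: str          # EA domain the asset belongs to (information, application, technology)
    business_value: int  # consequence if compromised: 1 (negligible) to 5 (severe)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int      # likelihood before any controls: 1 (rare) to 5 (almost certain)


@dataclass(frozen=True)
class Vulnerability:
    asset: str           # asset that carries the weakness
    threat: str          # threat that exploits it
    description: str


@dataclass(frozen=True)
class Control:
    asset: str
    threat: str
    likelihood_reduction: int = 0  # how many scale steps the control lowers likelihood
    impact_reduction: int = 0      # how many scale steps the control lowers consequence


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    inherent: int        # consequence x likelihood with no controls applied
    residual: int        # the same score after controls
    within_appetite: bool


def clamp(value: int, lo: int = 1, hi: int = 5) -> int:
    # A control never takes a score below 1: some residual risk always remains.
    return max(lo, min(hi, value))


def build_risk_register(assets, threats, vulns, controls, appetite: int = 6):
    """Return (register sorted by descending residual risk, list of inventory gaps)."""
    asset_by = {a.name: a for a in assets}
    threat_by = {t.name: t for t in threats}
    ctrl_by = {}
    for c in controls:
        ctrl_by.setdefault((c.asset, c.threat), []).append(c)

    register, gaps = [], []
    for v in vulns:
        if v.asset not in asset_by:
            # The as-is EA does not know this asset: record it as a gap, do not score it.
            gaps.append(f"asset '{v.asset}' referenced by a vulnerability is missing from the as-is EA")
            continue
        if v.threat not in threat_by:
            gaps.append(f"threat '{v.threat}' referenced by a vulnerability is not in the threat catalog")
            continue
        a, t = asset_by[v.asset], threat_by[v.threat]
        applied = ctrl_by.get((v.asset, v.threat), [])
        like_cut = sum(c.likelihood_reduction for c in applied)
        imp_cut = sum(c.impact_reduction for c in applied)
        inherent = a.business_value * t.likelihood
        residual = clamp(t.likelihood - like_cut) * clamp(a.business_value - imp_cut)
        register.append(RiskEntry(a.name, t.name, v.description, inherent, residual,
                                  residual <= appetite))
    register.sort(key=lambda r: (-r.residual, -r.inherent, r.asset))
    return register, gaps


# Constructed sample data (assumed names and scores, not from any real inventory).
ASSETS = [
    Asset("customer-db", "information", 5),
    Asset("hr-portal", "application", 3),
    Asset("edge-router", "technology", 4),
]
THREATS = [Threat("ransomware", 4), Threat("credential-stuffing", 3), Threat("ddos", 2)]
VULNERABILITIES = [
    Vulnerability("customer-db", "ransomware", "backups reachable from the same network segment"),
    Vulnerability("hr-portal", "credential-stuffing", "no MFA on the external login"),
    Vulnerability("edge-router", "ddos", "no upstream traffic scrubbing"),
    Vulnerability("legacy-fileserver", "ransomware", "unsupported operating system"),  # not in as-is EA
]
CONTROLS = [
    Control("customer-db", "ransomware", likelihood_reduction=1),   # endpoint detection and response
    Control("customer-db", "ransomware", impact_reduction=2),       # offline, tested backups
    Control("hr-portal", "credential-stuffing", likelihood_reduction=2),  # MFA enforced
]

if __name__ == "__main__":
    entries, inventory_gaps = build_risk_register(ASSETS, THREATS, VULNERABILITIES, CONTROLS)
    for e in entries:
        flag = "ok" if e.within_appetite else "ABOVE APPETITE"
        print(f"{e.asset:12} {e.threat:20} inherent={e.inherent:2} residual={e.residual:2} {flag}")
    for g in inventory_gaps:
        print("GAP:", g)
```

With the sample data the customer database remains above the assumed appetite of 6 even after its controls (residual 9 from an inherent 20), the unprotected edge router sits at 8, the portal drops to 3 once MFA is credited, and the legacy file server surfaces as an inventory gap because it has a known weakness but no entry in the as-is EA.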

References

  1. Barateiro, J., Antunes, G., Borbinha, J. (2012) Manage Risks through the Enterprise Architecture. In: Proceedings of the 45th Hawaii International Conference on System Sciences (HICSS).
  2. Frigo, M. L. and Anderson, R. J. (2009) A Strategic Framework for Governance, Risk, and Compliance. Strategic Finance 90(8), February 2009.
  3. International Organization for Standardization (2009) Risk management – Risk assessment techniques (ISO/IEC 31010:2009).