Page 1: SABSA and TOGAF Enterprise Security Architecture at Eskomopengroup.co.za/sites/default/files/presentations/Enterprise... · SABSA and TOGAF – Enterprise Security Architecture at

SABSA and TOGAF – Enterprise Security Architecture at Eskom

March 2015

Maganathin Marcus Veeraragaloo: Chief Advisor Information Security

"What we think, or what we know, or what we believe is, in the end, of little consequence. The only consequence is what we do." -- John Ruskin

Page 2

Agenda

• The role of IT in Eskom

• SABSA Overview

• TOGAF at Eskom

• Enterprise Security Architecture at Eskom

Building High Performance Group IT

Page 3

The role of IT in Eskom


Page 4

The role of IT in Eskom


• SAP PM
• GPSS
• THEMSE
• CSS
• COLLOPS
• MDMS
• FLIP
• SCADA
• MAXIMO/ TERTIARY WIRES
• GTX
• CS-ONLINE
• AVAYA
• VAT – MOBILITY
• SMALLWORLD
• FMS
• ENS
• PRIMAVERA
• SPF
• PRISM
• SMALLWORLD & ENS
• ACNAC
• SMARTPLANT
• ENGINEERING SYSTEMS
• CIBOODLE
• MV90
• ROUTEMASTER
• AMI
• ALFS
• KSACS MDMS
• CNL
• CS-ONLINE

(Diagram: the application systems above are shown with INTEGRATION labels between the system groups.)

Page 5

Sherwood Applied Business Security Architecture (SABSA) Overview


Page 6

SABSA Introduction

• Business Driven Architecture

• Being business-driven means never losing sight of the organisation’s goals, objectives, success factors and targets, and ensuring that the security strategy demonstrably supports, enhances and protects them.

• SABSA has a layered mapping approach for traceability


Page 7

SABSA Meta Model


Page 8

SABSA Matrix


Page 9

Alignment, Integration & Compliance Strategy

Diagram elements:
• Strategy & Planning Phase Alignment
• Risk Management Method Alignment
• Performance & Reporting Methods
• Control Objectives Libraries & Standards

Page 10

Controls Frameworks & Libraries


Page 11

Application of Multi-tiered Control Strategy


Page 12

TOGAF at Eskom


Page 13

Eskom Extensions to the TOGAF Reference Model


Legend: Eskom Extension / TOGAF Core / TOGAF Extension

Page 14

Eskom Group IT Project Life Cycle Management


Life cycle phases shown in the diagram:
• Statement of Architecture Work
• Conceptual Architecture Definition (Preferred Solution) – Update Statement of Architecture Work
• Logical Architecture Definition – Update Statement of Architecture Work
• Physical Design – Update Statement of Architecture Work
• Physical Config and Implementation design
• Testing
• Pre-transfer

Diagram annotations: Modelled in ARIS; Partial Physical Architecture only; Not in ARIS

Page 15

Salient Facts – Managed in the EA repository


• Eskom business processes modeled to logical level throughout the enterprise
• 710 Application objects with life cycle management
• 446 Application interfaces
• 298 Software Technology Components
• 228 Logical Data Entities
• Integration between IT and OT artefacts
• And many more

Page 16

Enterprise Security Architecture at Eskom


Page 17

SABSA overlay on TOGAF Crop Circle – Guide


Page 18

Preliminary – Enterprise Security Architecture


Page 19

Preliminary – Enterprise Security Architecture

Our purpose: To provide sustainable electricity solutions to grow the economy and improve the quality of the life of people in South Africa and in the region

Each numbered item pairs an Eskom business objective with the corresponding Group IT response:
1. Leading and partnering to keep the lights on – Providing high availability, reliable IT infrastructure
2. Reducing our carbon footprint and pursuing low carbon growth opportunities – Introducing green-IT infrastructure
3. Securing future resource requirements, mandate and the required enabling environment – Centers of excellence developing talent
4. Implementing coal haulage and the road-to-rail migration plan – World class PMO to deliver on-time and on-budget
5. Pursuing private sector participation – Tools to support the integration of IPPs

Business Drivers – Group IT

Page 20

Preliminary – Enterprise Security Architecture

Security Principles:
• Information Security Policy
• Security Built-in
• Define Security Boundaries
• Security Risk Mitigation
• Unique Security Architectures
• Security Architecture Capability

Page 21

Preliminary – Enterprise Security Architecture

Key Risk Areas

Departmental Risks
• All group IT departments
• Operations and service delivery

Project Risks
• Top 10 projects (PLCM)
• BAU Projects (<R10 mil)

Compliance Risks
• Compliance to IT regulation

Page 22

Preliminary – Enterprise Security Architecture

Risk Appetite

Page 23

Preliminary – Enterprise Security Architecture

Security Categories: Enterprise Security Management; Identity and Access Management; Infrastructure Security; Information and Application Security

Standard Delivery Elements

Security Topics

Security Resource Plan

Page 24

Requirements Management – Enterprise Security Architecture


Page 25

Requirements Management – Enterprise Security Architecture


Business Attributes (SABSA taxonomy): User Attributes; Management Attributes; Risk Management Attributes; Legal/Regulatory Attributes; Technical Strategy Attributes; Operational Attributes; Business Strategy Attributes

Business Attribute Profile – User Attributes
(Columns: Business Attribute / Business Attribute Definition / Suggested Measurement Approach / Metric Type)

Accessible
  Definition: Information to which the user is entitled to gain access should be easily found and accessed by that user.
  Suggested Measurement Approach: Search tree depth necessary to find the information
  Metric Type: Soft

Accurate
  Definition: The information provided to users should be accurate within a range that has been pre-agreed upon as being applicable to the service being delivered.
  Suggested Measurement Approach: Acceptance testing on key data to demonstrate compliance with design rules
  Metric Type: Hard

Anonymous
  Definition: For certain specialized types of service, the anonymity of the user should be protected.
  Suggested Measurement Approach: Rigorous proof of system functionality (Hard); Red team review (Soft)
  Metric Type: Hard / Soft

Consistent
  Definition: The way in which log-in, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access.
  Suggested Measurement Approach: Conformance with design style guides; Red team review
  Metric Type: Soft

Current
  Definition: Information provided to users should be current and kept up to date, within a range that has been pre-agreed upon as being applicable for the service being delivered.
  Suggested Measurement Approach: Refresh rates at the data source and replication of refreshed data to the destination.
  Metric Type: Hard

Business Attribute Profile

Page 26

Requirements Management – Enterprise Security Architecture


Life cycle phases shown in the diagram:
• Statement of Architecture Work
• Conceptual Architecture Definition (Preferred Solution) – Update Statement of Architecture Work
• Logical Architecture Definition – Update Statement of Architecture Work
• Physical Design – Update Statement of Architecture Work
• Physical Config and Implementation design
• Testing
• Pre-transfer

Diagram annotations: Modelled in ARIS; Partial Physical Architecture only; Not in ARIS

Control Objectives / Architecture Requirements

Page 27

Architecture Vision – Enterprise Security Architecture


Page 28

Architecture Vision – Enterprise Security Architecture

Security Stakeholders

Page 29

Business Architecture – Enterprise Security Architecture


Page 30

Business Architecture – Enterprise Security Architecture


Departmental Risks
• All group IT departments
• Operations and service delivery

Project Risks
• Top 10 projects (PLCM)
• BAU Projects (<R10 mil)

Compliance Risks
• Compliance to IT regulation

Business Risk Model

Page 31

Business Architecture – Enterprise Security Architecture

Frameworks shown: ITIL; ISO 27002; CobiT; CIS; King III; PFMA

Control Frameworks

Page 32

Information Systems Architecture – Enterprise Security Architecture


Page 33

Preliminary – Enterprise Security Architecture

Security Categories: Enterprise Security Management; Identity and Access Management; Infrastructure Security; Information and Application Security

Standard Delivery Elements

Security Topics

Security Services Catalog

Classification of Services

Page 34

Technology Architecture – Enterprise Security Architecture


Page 35

Technology Architecture – Enterprise Security Architecture

Information security policy (diagram labels)
• Policy topics: Change Management & Training; Data Privacy; Logical access Mgt/access control; Information classification; Remote access; Management controls reviews; Procedures
• Policy inputs: Clauses and SO requirements; Strategic Alignment; Regulations, legislations & contracts; Security threat environment

Security Standards
• Cryptography: 32-387
• Server room/physical & environmental security: 32-894
• Malicious code: 32-375
• Remote access??
• Wireless: 32-382
• Network security: 240-50201762
• IT service continuity: 240-49448549
• Password standards
• Physical asset classification and control: 32-369
• Removable media: 32-389
• Mobile computing
• Identity management
• Firewall: 32-377
• System Development, Acquisition and Maintenance standard (clause A.14.2.5)
• Security Monitoring
• Open IP and open port: 32-354
• Logical access: 32-351
• System classification: 32-438
• Inventory of assets (clause A.8.1.1)
• Access control (clause A.9.1.1)
• Secure system engineering principles (clause A.14.2.5)
• Access management (clause A.15.1.1)

Security Rules, Practices and Procedures
• Asset & info. classification: 32-363
• Access control: 32-359
• Open IP & open port: 240-75879464
• Password reset: 32-364
• Remote access: 32-398
• Third party access: 32-359
• Incident management procedure (clause A.16.1.5)
• Server backups (clause A.17.1.2)

Document structure elements shown for policy, standards and procedures: Policy objectives; Standards objectives; Procedure objective; Clauses; RACI; Applicability statement; Process for deviations & exceptions; Procedure flows & sub-procedures; Monitoring; Management controls; Guidelines; Supplier security

Page 36

Implementation Governance – Enterprise Security Architecture


Page 37

Implementation Governance – Enterprise Security Architecture


1. Security Management
   a. Operational Models
2. Security Audit
   a. Continuous Audits
   b. Test Centre of Excellence (TCoE)
3. Security Awareness
   a. Continuous Security Awareness Programmes

Page 38

Architecture Change Management – Enterprise Security Architecture


Page 39

Architecture Change Management – Enterprise Security Architecture


1. Risk Management
   a. Business Processes – Process Control Manuals
   b. Risk Management Tools
2. Security Architecture Governance
   a. Architecture Governance Committees and Forums
      i. Architecture Design Review
      ii. Enterprise Architecture Body
      iii. Enterprise Architecture Review Board
      iv. Cyber Security Forum IT/OT

Page 40
