Enterprise Information Security Architecture
Definition: Enterprise Information Security Architecture (EISA) is the process of
instituting a complete information security solution to the architecture of an enterprise,
ensuring the security of business information at every point in the architecture.
The security of commercial data has always been a primary concern in business. Both for
ensuring the safety and integrity of customer data and protecting the competitive advantage
that comes with superior
business intelligence, information security is vital.
While security has always been a concern, it has become even more so since the introduction
of the Internet. Whereas in the past enterprises needed only to protect the flow of information
within the business, today they must consider the threat from outside – from attacks on the
security of the corporate Intranet, for instance, or electronic data interchange (EDI) between
the enterprise, clients and suppliers.
EISA is not, however, simply a matter of building a wall between the IT systems of an
enterprise and the outside world. Instead, the security architecture must align with the strategies
and objectives of the enterprise, taking into consideration the importance of the free flow of
information within an enterprise - and with partners, customers and suppliers.
Aspects of EISA
The goal of the Information Security Architecture
(developed by Gartner) is to align security strategies between three functional areas of an organization:
Above all else, the security architecture must be aligned with the goals and objectives of the
enterprise. Without proper alignment there will be an inevitable disconnect between business
strategy and security.
To enable this alignment it is vital to accurately outline the business architecture in place to
achieve the objectives of the organization by asking several questions:
What does the enterprise do?
Who does it?
What information do they use to achieve their goals?
Where do they do it?
By answering these questions it becomes possible for the security architecture framers to develop a
comprehensive map of the strategies of the enterprise, along with a range of organizational charts
and business process maps.
Using these plans, security architecture framers can understand the optimal flow of information within the
enterprise. What applications are used to achieve the objectives of the business? What data do these applications
require in order to achieve those objectives, and what integration methods are in place to enable the sharing of that information?
Only by understanding these technologies and processes can it be possible for the framers to develop a strategy
for ensuring the security of this data while allowing vital business processes to progress unimpeded.
Finally, it is necessary to study the technology architecture in place to support these applications and
processes. The technology architecture of most enterprises is highly complex, involving a range of different
technologies running on different platforms, each relying on a range of heterogeneous legacy systems.
Ensuring the security of these technologies while allowing business processes sufficient access to
information can be a daunting task.
In order to ensure the
security of data within this architecture it is necessary to build a map of
every piece of that architecture, and to understand how information moves between its components.
Primarily, it is vital to understand the hardware that supports business processes – the location and
purpose of servers, for instance, and the way in which computers access the information held on those servers.
Perhaps most importantly in the modern day is the need to build an Internet connectivity diagram for
the enterprise. Only by understanding the various connections between the information architecture and
the outside world is it possible to protect those connections.
In a Nutshell
Clearly, the process of developing a functional information security architecture is more complex than it may seem. Not only must the framers of such an architecture be aware of every piece of technology that exists within the business architecture, but they must also understand how and why all of these technologies interact with each other to achieve the objectives of the enterprise. Only once they have this understanding can they set about the task of developing best practices to ensure the security of information passing along these connections while optimizing the passage of information to protect the interests of the enterprise.