Related links:

IFEAD
FEAF

 

Enterprise Information Security Architecture (EISA) is the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization's security processes, information security systems, personnel and organizational sub-units...more

Enterprise Information Security Architecture
 


Definition: Enterprise Information Security Architecture (EISA) is the process of instituting a complete information security solution to the architecture of an enterprise, ensuring the security of business information at every point in the architecture.

The security of commercial data has always been a primary concern in business. Both for ensuring the safety and integrity of customer data and protecting the competitive advantage that comes with superior business intelligence, information security is vital.

While security has always been a concern, it has become even more so since the introduction of the Internet. Whereas in the past enterprises needed only to protect the flow of information Enterprise Information Security Architecturewithin the business, today they must consider the threat from outside – from attacks on the security of the corporate Intranet, for instance, or electronic data interchange (EDI) between the enterprise, clients and suppliers.

EISA is not, however, simply a matter of building a wall between the IT systems of an enterprise and the outside world. Instead, the security architecture must align with the strategies and objectives of the enterprise, taking into consideration the importance of the free flow of information within an enterprise - and with partners, customers and suppliers.

Aspects of EISA

The goal of the Information Security Architecture (developed by Gartner) is to align security strategies between three functional areas of an organization:

Business Architecture

Above all else, the security architecture must be aligned with the goals and objectives of the enterprise. Without proper alignment there will be an inevitable disconnect between business strategy and security.

To enable this alignment it is vital to accurately outline the business architecture in place to achieve the objectives of the organization by asking several questions:

What does the enterprise do?

Who does it?

What information do they use to achieve their goals?

Where do they do it?

By answering these questions it becomes possible for the security architecture framers to develop a comprehensive map of the strategies of the enterprise, along with a range of organizational charts and business process maps.

Information Architecture

Using these plans, security architecture framers can understand the optimal flow of information within the enterprise. What applications are used to achieve the objectives of the business? What data do these applications require in order to achieve those objectives, and what integration methods are in place to enable the sharing of that information?

Only by understanding these technologies and processes can it be possible for the framers to develop a strategy for ensuring the security of this data while allowing vital business processes to progress unimpeded.

Technology Architecture

Finally, it is necessary to study the technology architecture inEISA place to support these applications and processes. The technology architecture of most enterprises is highly complex, involving a range of different technologies running on different platforms, each relying on a range of heterogeneous legacy systems. Ensuring the security of these technologies while allowing business processes sufficient access to information can be a daunting task.

In order to ensure the security of data within this architecture it is necessary to build a map of every piece of that architecture, and to understand how information moves between its components.

Primarily, it is vital to understand the hardware that supports business processes – the location and purpose of servers, for instance, and the way in which computers access the information held on those servers.

Perhaps most importantly in the modern day is the need to build an Internet connectivity diagram for the enterprise. Only by understanding the various connections between the information architecture and the outside world is it possible to protect those connections.

In a Nutshell

Clearly, the process of developing a functional information security architecture is more complex than it may seem. Not only must the framers of such an architecture be aware of every piece of technology that exists within the business architecture, but they must also understand how and why all of these technologies interact with each other to achieve the objectives of the enterprise. Only once they have this understanding can they set about the task of developing best practices to ensure the security of information passing along these connections while optimizing the passage of information to protect the interests of the enterprise.