An Overall Security Architecture
OK, so far these have all been stopgap measures, but what’s really needed (in fact required — but more on that later) is an overall security architecture rather than a series of ad-hoc measures. “A high-level security architecture is a set of guiding principals, an orderly arrangement of security components,” says Mark Bouchard, a senior program director at Stamford CT-based Meta Group.
A security architecture should define roles, responsibilities, and a policy framework all the way down to the finest detail in a hierarchy. And the buck must stop with a Head of Information Security, who takes ownership of – and responsibility for – the architecture.
A corporate security architecture will probably include a business process catalogue and a domain structure that divides the organization into manageable – and meaningful – portions with different security requirements. Clearly, valuable R&D data has a different value — and as a result needs a different level of protection — than customer contact details, so these would be in different domains.
Other domains could include an executive domain and a typical user domain. Using a series of tools, models, and templates, appropriate security measures should be defined right down to the level of firewalls and passwords.
The purpose of this division by domains is quite simple — it’s all about risk management. It’s not worth spending $100 on a fence to protect a $10 horse — in other words, the security measures you take should be proportionate to the value of the information you’re protecting.
The purpose of the architecture is to use this process of risk management and codify it into a set of rules with which you can engage business users, who are understandably more interested in doing their jobs than in protecting your company’s assets.
Ultimately, a security architecture is a blueprint for all your security efforts. “Without one to guide you, investments in security will be tactical, reactive. Instead of fixing things, you will probably fix one thing and introduce new vulnerabilities at the same time,” says Bouchard.
There’s one further point in favor of ensuring you have an effective security architecture in place — it’s obligatory. Regulatory and fiduciary responsibilities demand that you take security seriously and address it thoroughly, and the Federal Trade Commission says you need to have a plan. Your security architecture is this plan.