Documenting an As-Is Security Architecture, part two

This is a continuation from part one.

Documenting current environments

This activity is focused on identifying the physical and logical environments in scope for the business architecture.

A logical and physical model will be created to hold entities describing the physical facilities, wide area networks and systems that store, process or transmit information assets within the scope of the business architecture. Gaps are likely to be identified, and these will need to be investigated with stakeholders and partners. The model will evolve, gaining detail as projects move into delivery, suppliers are contracted and systems are implemented. Once the first cut of the list has been generated, attributes for each of these environments will be gathered, including:

  • Owner
  • Responsible security governance group
  • Type (System, Network, Facility)
  • The level to which the environment is risk managed and/or assured
  • Onward connections to other similar environments
  • Hosting relationships with other environments

Tasks:

  • Review any existing Security Diagrams
  • Contact stakeholders to fill any identified gaps
  • Create Physical and Logical Security Model
  • Contact environment owners to capture environment attributes
  • Create a project management touch-point to ensure updates from projects over time

The output will be a diagrammatic physical and logical security model.

Identifying current security controls

This activity is to identify existing security controls deployed within and between environments within the scope of the business architecture.

The owners of environments identified in the physical and logical security model will be contacted for details of the security controls they have deployed. Where existing controls successfully manage risks from the threats, they will be identified as possible sources of good practice to re-use elsewhere in the business architecture security view.

The output will be a textual description of the identified security controls and a diagrammatic overlay of those controls on the physical and logical environments model.

Creating the security view

This activity will consolidate the knowledge gathered in the preceding activities into a single view.

A security view will be created to include the environments in scope, the location of threats, the assets in scope (both at rest and in transit) and the identified controls in and between the environments. The output will be a dedicated security view in the business architecture.

Tasks:

  • Create security view
  • Identify gaps in the security view
  • Perform a risk assessment on the scope of the business architecture
  • Identify and document any unmanaged risks in the security view

The output will be a dedicated security view in the business architecture and a security risk register.
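
One way to hold the environment attributes and identified controls from the activities above in a checkable form, and to list the gaps to take back to environment owners. This is an added example, not part of the original article; the class, field and function names and the sample environments are constructed, and treating a control as covering one direction of a connection is an assumption.

```python
from dataclasses import dataclass, field

REQUIRED = ("owner", "governance_group", "env_type", "assurance_level")
TYPES = {"System", "Network", "Facility"}  # the three types named in the attribute list

@dataclass
class Environment:
    name: str
    owner: str = ""
    governance_group: str = ""   # responsible security governance group
    env_type: str = ""
    assurance_level: str = ""    # level to which it is risk managed and/or assured
    connects_to: list = field(default_factory=list)  # onward connections
    hosted_by: str = ""          # hosting relationship with another environment

def find_gaps(envs, controls):
    """Return sorted (environment, gap) pairs to raise with owners.
    controls: set of (source, destination) pairs that have an identified
    control between them (direction-specific, an assumption of this example)."""
    known = {e.name for e in envs}
    gaps = []
    for e in envs:
        for attr in REQUIRED:
            if not getattr(e, attr):
                gaps.append((e.name, f"missing {attr}"))
        if e.env_type and e.env_type not in TYPES:
            gaps.append((e.name, f"unknown type {e.env_type}"))
        if e.hosted_by and e.hosted_by not in known:
            gaps.append((e.name, f"host {e.hosted_by} not in model"))
        for dest in e.connects_to:
            if dest not in known:
                gaps.append((e.name, f"connection to {dest} not in model"))
            elif (e.name, dest) not in controls:
                gaps.append((e.name, f"no identified control on connection to {dest}"))
    return sorted(gaps)

# Constructed sample model: one facility, one network, one system.
SAMPLE_ENVS = [
    Environment("HQ Data Centre", "Facilities", "Security Board", "Facility", "Assured"),
    Environment("Corporate WAN", "Network Ops", "Security Board", "Network", "Risk managed",
                connects_to=["HR System", "Partner Network"]),
    Environment("HR System", "HR Director", "", "System", "Risk managed",
                connects_to=["Corporate WAN"], hosted_by="HQ Data Centre"),
]
SAMPLE_CONTROLS = {("Corporate WAN", "HR System")}

if __name__ == "__main__":
    for env, gap in find_gaps(SAMPLE_ENVS, SAMPLE_CONTROLS):
        print(f"{env}: {gap}")
```

Each reported pair is either a question for an environment owner or a candidate entry for the security risk register.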

List of As-Is outputs

The following should be produced at a variety of levels of detail for each epoch of the Business Architecture:

  1. A scope statement for the security view
  2. A diagrammatic representation of the governance structure
  3. An updated information model
  4. An information asset list
  5. An architecture threat model
  6. A physical and logical security model
  7. A description of the identified security controls
  8. A comprehensive security view
  9. A security risk register