1 / 52

Vijay Rachamadugu and David Snyder September 7, 2006

MITRE ’ s 1 st Federal Enterprise Architecture (FEA) TEM Federal Enterprise Architecture Security and Privacy Profile (FEA SPP). Vijay Rachamadugu and David Snyder September 7, 2006. Outline. Program Background FEA SPP Challenges Overview of the FEA SPP FEA SPP Methodology

jswenson
Download Presentation

Vijay Rachamadugu and David Snyder September 7, 2006

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. MITRE’s 1st Federal EnterpriseArchitecture (FEA) TEMFederal Enterprise Architecture Security and Privacy Profile (FEA SPP) Vijay Rachamadugu and David Snyder September 7, 2006

  2. Outline • Program Background • FEA SPP Challenges • Overview of the FEA SPP • FEA SPP Methodology • Review of the validation effort • Questions

  3. FEA SPP Background

  4. Federal CIO Council Architecture and Infrastructure Committee (AIC) • Early 2003, called for the development of an “Information Security Architecture” • OBJECTIVE: • Overlay the existing reference models • Provide managers and systems architects with guidelines regarding the design and deployment of appropriate measures to ensure protection of information and information resources. • Develop an Information Security Architecture Profile that will become a part of the FEA. • APPROACH: • Assemble a suitable set of architectural principles and guidelines • Based on existing FEA reference models, legislation, government agencies, as well as private companies • Quickly produce an initial version of an Information Security Architecture Profile that will be available for use by Federal agencies and used to guide future updates to the FEA reference models.   • PARTICIPATION: • Industry Advisory Council (IAC) Security Committee and industry organizations as appropriate • Provide information security and privacy architecture experts to review, refine and expand the Phase I product. • RESOURCES: • Sponsoring government and industry organizations will provide the necessary resources to complete this effort. From Federal CIO Council Architecture and Infrastructure Committee Terms of Reference

  5. Background • John Gilligan, Former Air Force CIO, develops statement of need for security guidance in the FEA • Phase 1: (August – September 2003) • A small working group is formed to define the content of an FEA “Security Profile” • Output shared with the Industry Advisory Council and government for review and comment • Phase 2: (June – December 2004) • FEA Security Profile under development based on the ideas and feedback from phase 1. • Phase 3: (October 2005 – April 2006) • FEA SPP Validation & Draft

  6. FEA SPP Timeline

  7. Mission Business Drivers Operations / Processes Environment / Infrastructure Assess Mission Capabilities Develop/ Acquire Test & Evaluate Authorize & Deploy Gap Analysis Prioritization Sequencing Plan Assess &/or Construct Enterprise Policies Construct Target Architecture with Security Integrated Throughout Strategy for Addressing Policies Assess Security Risks Assess Mission Assets Governance / Standards Personnel / Training Legislative Drivers Security Management Security Implementation & Management Security Strategy Business Strategy MITRE R&D Results:Roadmap of Information Security Across the Enterprise (RISE)

  8. Mission Assess Mission Capabilities Assess &/or Construct Enterprise Policies Construct Target EA with Integrated Security Architecture Strategy for Addressing Policies Assess Security Risks Assess Mission Assets Develop/ Acquire Test & Evaluate Authorize & Deploy Gap Analysis Prioritization Sequencing Plan Business Arch Business Arch Policies Trade-offs Data Arch Data Arch Information Security Control Selection Goals and Req’ments “SLAs” Infrastructure Arch Infrastructure Arch Akin to FIPS 199 As-Is EA Target EA Executive Decisions Release Planning Security As Enablers RISE Relationship to EA Components

  9. FEA SPP Challenges

  10. FEA SPP Challenges • Address security and privacy at the enterprise level • Ensure that security and privacy are considered in the earliest stages of an initiative • Support project planning • Costing • Exhibit 300 and 53 development • Integrate security and privacy across the entire EA • Address requirements of the FEA Reference Models • Development of guidance relevant and applicable to agencies with widely varying levels of EA maturity • Integrate planning across cultures and domains • EA folks • Financial folks • Business domain folks • Security folks • Integrate best practices and avoid creating new work!

  11. FEA SPP Overview

  12. What is the FEA SPP • A scaleable and repeatable methodology for addressing information security and privacy from a business-centric enterprise perspective. • Integrates the disparate perspectives of program, security, privacy, and capital planning into a coherent process, using an organization’s enterprise architecture efforts. • Enterprise architecture provides a common language for discussing security and privacy in the context of agencies’ business and performance goals, enabling better coordination and integration of efforts and investments across organizational or business activity stovepipes

  13. What is the FEA SPP (cont’d) • Evaluates enterprise-level security and privacy in the context of the Federal Enterprise Architecture (FEA) • FEA focused on analyzing operations from common business, performance, services, technologies, and data views. • EA enables enterprise change management by describing how an organization operates today, intends to operate in the future, and intends to invest in technology to transition to that future state.

  14. Overview of the Relationship of the FEA SPP to NIST Guidance • … the FEA SPP methodology focuses on enterprise-level decisions at the front end of the development life cycle as a program is initiated, providing a bridge to NIST’s system development and risk mitigation guidance.

  15. FEA SPP Value Proposition • Promotes an understanding of an organization’s security and privacy requirements, its capability to meet those requirements, and the risks to its business associated with failures to meet requirements. • Helps program executives select the best solutions for meeting requirements and improving current capabilities, leveraging standards and services that are common to the enterprise or the Federal government as appropriate. • Improves agencies’ processes for incorporating privacy and security into major investments and selecting solutions most in keeping with enterprise needs.

  16. FEA SPP Methodology

  17. FEA SPP Methodology Overview • Consists of 3 stages • Stage 1: Identification • Stage 2: Analysis • Stage 3: Selection • Each stage consists of a set of standard questions

  18. FEA SPP Methodology Overview (cont’d) Outcomes of Stage Fully identify program and enterprise-level security and privacy requirements, including previously unknown requirements. • Fully identify program and enterprise-level security and privacy capabilities, including current and planned future requirements. Document requirements and capabilities in an agency’s enterprise architecture using a nomenclature that is common across the Federal government. • Identify gaps between requirements and current or planned capabilities. • Identify opportunities to increase interoperability between or reduce costs of current or planned capabilities. • Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives. • Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II. • Selection of individual proposals that best support the business, security, and privacy needs of the organization. • Documentation of the updated to-be architecture and sharing of reusable components.

  19. Stage 1 - Identification Outcomes of Stage Fully identify program and enterprise-level security and privacy requirements, including previously unknown requirements. • Fully identify program and enterprise-level security and privacy capabilities, including current and planned future requirements. Document requirements and capabilities in an agency’s enterprise architecture using a nomenclature that is common across the Federal government.

  20. Stage 1 - Identification

  21. Stage 1 – IdentificationObjectives • Identify and understand security and privacy drivers, and ensure that they are documented in the agency EA. Drivers include: • Legal requirements • Business requirements • Organizational commitments • Identify currently deployed security and privacy-supportive processes and technologies (components), and ensure that they are documented in the agency EA. • Match drivers to components, and ensure that the connections are documented in the agency EA. • Assess risks associated with unmatched drivers to determine which driver will require a component in the next zero to five years.

  22. Stage 2 – AnalysisOverview Outcomes of Stage • Identify gaps between requirements and current or planned capabilities. • Identify opportunities to increase interoperability between or reduce costs of current or planned capabilities. • Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives.

  23. Stage 2 – AnalysisOverview

  24. Stage 2 – AnalysisOverview (cont’d)

  25. Stage 2 – AnalysisObjectives • Identify gaps between requirements and current or planned capabilities • Identify opportunities to increase interoperability between or reduce costs of current or planned capabilities • Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives

  26. Stage 3 – SelectionOverview Outcomes of Stage • Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II. • Selection of individual proposals that best support the business, security, and privacy needs of the organization. • Documentation of the updated to-be architecture and sharing of reusable components.

  27. Stage 3 – SelectionOverview • …an enterprise evaluation of the solutions proposed in Stage II and the selection of major investments. In Stage III the FEA SPP implementation team works with the CFO and ITIRB to integrate outputs from previous stages into the agency wide CPIC process.

  28. Stage 3 – SelectionObjectives • Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II. • Selection of individual proposals that best support the business, security, and privacy needs of the organization. • Documentation of the updated to-be architecture and sharing of reusable components.

  29. FEA SPP Validation Effort

  30. Review of the Validation Effort • Validation exercises were conducted at the Department of Housing and Urban Development (HUD)(11/05), and the Department of Justice (DOJ) (1/06). The assumptions for each validation effort were: • An enterprise architecture compliant with or with mappings to the FEA. • A governance process that requires the use of the EA in the IT Investment Review process. • An existing security program that has responded to FISMA reporting requirements and a designated CISO (or equivalent). • An existing privacy program and a designated Chief Privacy Officer (or equivalent). • Willingness of the agency to share security and privacy policies, risk assessments, plans, controls, and budget information. • Agenciesgained increased awareness of their security and privacy risks and support infrastructure. This will support improved processes for managing security and privacy risks, and investment processes. • Validation staff observed validation activities to gather frank and constructive feedback on the utility and adequacy of the FEA SPP methodology. • June 2006, FEA Version 2.0 was approved by the CIO Council and released to the public.

  31. FEA SPP Questions

  32. FEA SPP Backup Slides

  33. Steps Applied During Stage 1 – Identification

  34. Steps Applied During Stage 1 – Identification (cont’d)

  35. Steps Applied During Stage 1 – Identification (cont’d)

  36. Steps Applied During Stage 1 – Identification (cont’d)

  37. Steps Applied During Stage 2 – Analysis

  38. Steps Applied During Stage 2 – Analysis (cont’d)

  39. Steps Applied During Stage 2 – Analysis (cont’d)

  40. Steps Applied During Stage 2 – Analysis (cont’d)

  41. Steps Applied During Stage 2 – Analysis (cont’d)

  42. Steps Applied During Stage 2 – Analysis (cont’d)

  43. Steps Applied During Stage 2 – Analysis (cont’d)

  44. Exhibition 300 Business Case Evaluation Criteria as Supported by the FEA SPP

  45. Exhibition 300 Business Case Evaluation Criteria as Supported by the FEA SPP

  46. Exhibition 300 Business Case Evaluation Criteria as Supported by the FEA SPP

  47. Steps Applied During Stage 3 – Selection

  48. Steps Applied During Stage 3 – Selection (cont’d)

  49. Steps Applied During Stage 3 – Selection (cont’d)

  50. Steps Applied During Stage 3 – Selection (cont’d)

More Related