SABSA and TOGAF – Enterprise Security Architecture at Eskom
March 2015
Maganathin Marcus Veeraragaloo: Chief Advisor Information Security
"What we think, or what we know, or what we believe is, in the end, of little consequence. The only consequence is what we do." -- John Ruskin
Agenda
• The role of IT in Eskom
• SABSA Overview
• TOGAF at Eskom
• Enterprise Security Architecture at Eskom
Building High Performance Group IT
The role of IT in Eskom
• SAP PM
• GPSS
• THEMSE
• CSS
• COLLOPS
• MDMS
• FLIP
• SCADA
• MAXIMO/ TERTIARY WIRES
• GTX
• CS-ONLINE
• AVAYA
• VAT – MOBILITY
• SMALLWORLD
• FMS
• ENS
• PRIMAVERA
• SPF
• PRISM
• SMALLWORLD & ENS
• ACNAC
• SMARTPLANT
• ENGINEERING SYSTEMS
• CIBOODLE
• MV90
• ROUTEMASTER
• AMI
• ALFS
• KSACS MDMS
• CNL
• CS-ONLINE
INTEGRATION
Sherwood Applied Business Security Architecture (SABSA) Overview
SABSA Introduction
• Business Driven Architecture
• Being business-driven means never losing sight of the organisation’s goals, objectives, success factors and targets, and ensuring that the security strategy demonstrably supports, enhances and protects them.
• SABSA has a layered mapping approach for traceability
SABSA Meta Model
SABSA Matrix
Alignment, Integration & Compliance Strategy
• Strategy & Planning Phase Alignment
• Risk Management Method Alignment
• Performance & Reporting Methods
• Control Objectives Libraries & Standards
• Controls Frameworks & Libraries
Application of Multi-tiered Control Strategy
TOGAF at Eskom
Eskom Extensions to the TOGAF Reference Model
Legend: Eskom Extension; TOGAF Core; TOGAF Extension
Eskom Group IT Project Life Cycle Management
[Diagram labels: Statement of Architecture Work; Conceptual Architecture Definition (Preferred Solution); Logical Architecture Definition; Physical Design; Update Statement of Architecture Work (shown three times); Testing Pre-transfer; Modelled in ARIS; Partial Physical Architecture only; Not in ARIS; Physical Config and Implementation design]
Salient Facts – Managed in the EA repository
• Eskom business processes modeled to logical level throughout the enterprise
• 710 Application objects with life cycle management
• 446 Application interfaces
• 298 Software Technology Components
• 228 Logical Data Entities
• Integration between IT and OT artefacts
• AND MANY MORE
Enterprise Security Architecture at Eskom
SABSA overlay on TOGAF Crop Circle – Guide
Preliminary – Enterprise Security Architecture
Our purpose: To provide sustainable electricity solutions to grow the economy and improve the quality of the life of people in South Africa and in the region
1. Leading and partnering to keep the lights on
• Providing high availability reliable IT infrastructure
2. Reducing our carbon footprint and pursuing low carbon growth opportunities
• Introducing green-IT infrastructure
3. Securing future resource, requirements, mandate and the required enabling environment
• Centers of excellence developing talent
4. Implementing coal haulage and the road-to-rail migration plan
• World class PMO to deliver on-time and on-budget
5. Pursuing private sector participation
• Tools to support the integration of IPPs
Business Drivers – Group IT
Preliminary – Enterprise Security Architecture
• Information Security Policy
• Security Principles
• Security Built-in
• Define Security Boundaries
• Security Risk Mitigation
• Unique Security Architectures
• Security Architecture Capability
Security Principles
Preliminary – Enterprise Security Architecture
Key Risk Areas
Departmental Risks
• All group IT departments
• Operations and service delivery
Project Risks
• Top 10 projects (PLCM)
• BAU Projects (<R10 mil)
Compliance Risks
• Compliance to IT regulation
Preliminary – Enterprise Security Architecture
Risk Appetite
Preliminary – Enterprise Security Architecture
Enterprise Security Management
Identity and Access Management
Infrastructure Security
Information and Application Security
Security Categories
Standard Delivery Elements
Security Topics
Security Resource Plan
Requirements Management – Enterprise Security Architecture
Business Attributes
• User Attributes
• Management Attributes
• Risk Management Attributes
• Legal/Regulatory Attributes
• Technical Strategy Attributes
• Operational Attributes
• Business Strategy Attributes
| Business Attribute | Business Attribute Definition | Suggested Measurement Approach | Metric Type |
|---|---|---|---|
| User Attributes | | | |
| Accessible | Information to which the user is entitled to gain access should be easily found and accessed by that user. | Search tree depth necessary to find the information | Soft |
| Accurate | The information provided to users should be accurate within a range that has been preagreed upon as being applicable to the service being delivered. | Acceptance testing on key data to demonstrate compliance with design rules | Hard |
| Anonymous | For certain specialized types of service, the anonymity of the user should be protected. | Rigorous proof of system functionality; Red team review | Hard; Soft |
| Consistent | The way in which log-in, navigation, and target services are presented to the user should be consistent across different times, locations, and channels of access. | Conformance with design style guides; Red team review | Soft |
| Current | Information provided to users should be current and kept up to date, within a range that has been pre-agreed upon as being applicable for the service being delivered. | Refresh rates at the data source and replication of source and replication of refreshed data to the destination. | Hard |
Business Attribute Profile
Requirements Management – Enterprise Security Architecture
[Diagram labels: Statement of Architecture Work; Conceptual Architecture Definition (Preferred Solution); Logical Architecture Definition; Physical Design; Update Statement of Architecture Work (shown three times); Testing Pre-transfer; Modelled in ARIS; Partial Physical Architecture only; Not in ARIS; Physical Config and Implementation design]
Control Objectives / Architecture Requirements
Architecture Vision – Enterprise Security Architecture
Security Stakeholders
Business Architecture – Enterprise Security Architecture
Departmental Risks
• All group IT departments
• Operations and service delivery
Project Risks
• Top 10 projects (PLCM)
• BAU Projects (<R10 mil)
Compliance Risks
• Compliance to IT regulation
Business Risk Model
Business Architecture – Enterprise Security Architecture
ITIL
ISO 27002
CobiT
CIS
King III
PFMA
Control Frameworks
Information Systems Architecture – Enterprise Security Architecture
Preliminary – Enterprise Security Architecture
Enterprise Security Management
Identity and Access Management
Infrastructure Security
Information and Application Security
Security Categories
Standard Delivery Elements
Security Topics
Security Services Catalog
Classification of Services
Technology Architecture – Enterprise Security Architecture
Change Management & Training
Information security policy
Data Privacy
Logical access Mgt/access control
Information classification
Remote access
Management controls reviews
Procedures
Clauses: and SO requirements
Strategic Alignment
Regulations, legislations & contracts
Security threat environment
• Cryptography: 32-387
• Server room/physical & environmental security: 32-894
• Malicious code: 32-375
• Remote access??
• Wireless: 32-382
• Network security: 240-50201762
• IT service continuity: 240-49448549
• Password standards
• Physical asset classification and control: 32-369
• Removable media: 32-389
• Mobile computing
• Identity management
• Firewall: 32-377
• System Development, Acquisition and Maintenance standard (clause A.14.2.5)
• Security Monitoring
• Open IP and open port: 32-354
• Logical access: 32-351
• System classification: 32-438
• Inventory of assets (clause A.8.1.1)
• Access control (clause A.9.1.1)
• Secure system engineering principles (clause A.14.2.5)
• Access management (clause A.15.1.1)
Standards
• Asset & info. classification: 32-363
• Access control: 32-359
• Open IP & open port: 240-75879464
• Password reset: 32-364
• Remote access: 32-398
• Third party access: 32-359
• Incident management procedure (clause A.16.1.5)
• Server backups (clause A.17.1.2)
Procedure objective
Process for deviations & exceptions
Applicability statement
Clauses RACI
Process for deviations & exceptions
Standards objectives
RACI
Procedure flows & sub-procedures
Clauses Monitoring
RACI
Policy objectives
Process for deviations & exceptions
Management controls
Guidelines
Supplier security
Security Rules, Practices and Procedures
Security Standards
Implementation Governance – Enterprise Security Architecture
1. Security Management
a. Operational Models
2. Security Audit
a. Continuous Audits
b. Test Centre of Excellence (TCoE)
3. Security Awareness
a. Continuous Security Awareness Programmes.
Architecture Change Management –Enterprise Security Architecture
1. Risk Management
a. Business Processes – Process Control Manuals
b. Risk Management Tools
2. Security Architecture Governance
a. Architecture Governance Committees and Forums
i. Architecture Design Review
ii. Enterprise Architecture Body
iii. Enterprise Architecture Review Board
iv. Cyber Security Forum IT/OT