Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vijay Rachamadugu and David Snyder September 7, 2006

Published byHadian Sugiarto Modified over 5 years ago

Similar presentations

Presentation on theme: "Vijay Rachamadugu and David Snyder September 7, 2006"— Presentation transcript:

1 Vijay Rachamadugu and David Snyder September 7, 2006
MITRE’s 1st Federal Enterprise Architecture (FEA) TEM Federal Enterprise Architecture Security and Privacy Profile (FEA SPP) Vijay Rachamadugu and David Snyder September 7, 2006

2 Outline Program Background FEA SPP Challenges Overview of the FEA SPP FEA SPP Methodology Review of the validation effort Questions

3 FEA SPP Background

4 Federal CIO Council Architecture and Infrastructure Committee (AIC)
Early 2003, called for the development of an “Information Security Architecture” OBJECTIVE: Overlay the existing reference models Provide managers and systems architects with guidelines regarding the design and deployment of appropriate measures to ensure protection of information and information resources. Develop an Information Security Architecture Profile that will become a part of the FEA. APPROACH: Assemble a suitable set of architectural principles and guidelines Based on existing FEA reference models, legislation, government agencies, as well as private companies Quickly produce an initial version of an Information Security Architecture Profile that will be available for use by Federal agencies and used to guide future updates to the FEA reference models.   PARTICIPATION: Industry Advisory Council (IAC) Security Committee and industry organizations as appropriate Provide information security and privacy architecture experts to review, refine and expand the Phase I product. RESOURCES: Sponsoring government and industry organizations will provide the necessary resources to complete this effort. From Federal CIO Council Architecture and Infrastructure Committee Terms of Reference

5 Background John Gilligan, Former Air Force CIO, develops statement of need for security guidance in the FEA Phase 1: (August – September 2003) A small working group is formed to define the content of an FEA “Security Profile” Output shared with the Industry Advisory Council and government for review and comment Phase 2: (June – December 2004) FEA Security Profile under development based on the ideas and feedback from phase 1. Phase 3: (October 2005 – April 2006) FEA SPP Validation & Draft

6 FEA SPP Timeline

7 Security Implementation
MITRE R&D Results: Roadmap of Information Security Across the Enterprise (RISE) Mission Develop/ Acquire Test & Evaluate Authorize & Deploy Business Strategy Security Strategy Security Implementation & Management Business Drivers Legislative Governance / Standards Personnel / Training Operations / Processes Environment / Infrastructure Assess &/or Construct Enterprise Policies Capabilities Assets Security Risks Strategy for Addressing Target Architecture with Integrated Throughout Gap Analysis Prioritization Sequencing Plan Security Management

8 RISE Relationship to EA Components
Mission Assess &/or Construct Enterprise Policies Capabilities Assets Security Risks Strategy for Addressing Target EA with Integrated Architecture Gap Analysis Prioritization Sequencing Plan As-Is EA Security As Enablers Target Goals and Req’ments Akin to FIPS 199 Data Arch Business Arch Infrastructure Arch Trade-offs “SLAs” Information Security Control Selection Executive Decisions Release Planning Develop/ Acquire Test & Evaluate Authorize & Deploy

9 FEA SPP Challenges

10 FEA SPP Challenges Address security and privacy at the enterprise level Ensure that security and privacy are considered in the earliest stages of an initiative Support project planning Costing Exhibit 300 and 53 development Integrate security and privacy across the entire EA Address requirements of the FEA Reference Models Development of guidance relevant and applicable to agencies with widely varying levels of EA maturity Integrate planning across cultures and domains EA folks Financial folks Business domain folks Security folks Integrate best practices and avoid creating new work!

11 FEA SPP Overview

12 What is the FEA SPP A scaleable and repeatable methodology for addressing information security and privacy from a business-centric enterprise perspective. Integrates the disparate perspectives of program, security, privacy, and capital planning into a coherent process, using an organization’s enterprise architecture efforts. Enterprise architecture provides a common language for discussing security and privacy in the context of agencies’ business and performance goals, enabling better coordination and integration of efforts and investments across organizational or business activity stovepipes

13 What is the FEA SPP (cont’d)
Evaluates enterprise-level security and privacy in the context of the Federal Enterprise Architecture (FEA) FEA focused on analyzing operations from common business, performance, services, technologies, and data views. EA enables enterprise change management by describing how an organization operates today, intends to operate in the future, and intends to invest in technology to transition to that future state.

14 Overview of the Relationship of the FEA SPP to NIST Guidance
… the FEA SPP methodology focuses on enterprise-level decisions at the front end of the development life cycle as a program is initiated, providing a bridge to NIST’s system development and risk mitigation guidance.

15 FEA SPP Value Proposition
Promotes an understanding of an organization’s security and privacy requirements, its capability to meet those requirements, and the risks to its business associated with failures to meet requirements. Helps program executives select the best solutions for meeting requirements and improving current capabilities, leveraging standards and services that are common to the enterprise or the Federal government as appropriate. Improves agencies’ processes for incorporating privacy and security into major investments and selecting solutions most in keeping with enterprise needs.

16 FEA SPP Methodology

17 FEA SPP Methodology Overview
Consists of 3 stages Stage 1: Identification Stage 2: Analysis Stage 3: Selection Each stage consists of a set of standard questions

18 FEA SPP Methodology Overview (cont’d)
Outcomes of Stage Fully identify program and enterprise-level security and privacy requirements, including previously unknown requirements. Fully identify program and enterprise-level security and privacy capabilities, including current and planned future requirements. Document requirements and capabilities in an agency’s enterprise architecture using a nomenclature that is common across the Federal government. Identify gaps between requirements and current or planned capabilities. Identify opportunities to increase interoperability between or reduce costs of current or planned capabilities. Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives. Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II. Selection of individual proposals that best support the business, security, and privacy needs of the organization. Documentation of the updated to-be architecture and sharing of reusable components.

19 Stage 1 - Identification
Outcomes of Stage Fully identify program and enterprise-level security and privacy requirements, including previously unknown requirements. Fully identify program and enterprise-level security and privacy capabilities, including current and planned future requirements. Document requirements and capabilities in an agency’s enterprise architecture using a nomenclature that is common across the Federal government.

20 Stage 1 - Identification

21 Stage 1 – Identification Objectives
Identify and understand security and privacy drivers, and ensure that they are documented in the agency EA. Drivers include: Legal requirements Business requirements Organizational commitments Identify currently deployed security and privacy-supportive processes and technologies (components), and ensure that they are documented in the agency EA. Match drivers to components, and ensure that the connections are documented in the agency EA. Assess risks associated with unmatched drivers to determine which driver will require a component in the next zero to five years.

22 Stage 2 – Analysis Overview
Outcomes of Stage Identify gaps between requirements and current or planned capabilities. Identify opportunities to increase interoperability between or reduce costs of current or planned capabilities. Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives.

23 Stage 2 – Analysis Overview

24 Stage 2 – Analysis Overview (cont’d)

25 Stage 2 – Analysis Objectives
Identify gaps between requirements and current or planned capabilities Identify opportunities to increase interoperability between or reduce costs of current or planned capabilities Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives

26 Stage 3 – Selection Overview
Outcomes of Stage Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II. Selection of individual proposals that best support the business, security, and privacy needs of the organization. Documentation of the updated to-be architecture and sharing of reusable components.

27 Stage 3 – Selection Overview
…an enterprise evaluation of the solutions proposed in Stage II and the selection of major investments. In Stage III the FEA SPP implementation team works with the CFO and ITIRB to integrate outputs from previous stages into the agency wide CPIC process.

28 Stage 3 – Selection Objectives
Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II. Selection of individual proposals that best support the business, security, and privacy needs of the organization. Documentation of the updated to-be architecture and sharing of reusable components.

29 FEA SPP Validation Effort

30 Review of the Validation Effort
Validation exercises were conducted at the Department of Housing and Urban Development (HUD)(11/05), and the Department of Justice (DOJ) (1/06). The assumptions for each validation effort were: An enterprise architecture compliant with or with mappings to the FEA. A governance process that requires the use of the EA in the IT Investment Review process. An existing security program that has responded to FISMA reporting requirements and a designated CISO (or equivalent). An existing privacy program and a designated Chief Privacy Officer (or equivalent). Willingness of the agency to share security and privacy policies, risk assessments, plans, controls, and budget information. Agencies gained increased awareness of their security and privacy risks and support infrastructure. This will support improved processes for managing security and privacy risks, and investment processes. Validation staff observed validation activities to gather frank and constructive feedback on the utility and adequacy of the FEA SPP methodology. June 2006, FEA Version 2.0 was approved by the CIO Council and released to the public.

31 FEA SPP Questions

32 FEA SPP Backup Slides

33 Steps Applied During Stage 1 – Identification

34 Steps Applied During Stage 1 – Identification (cont’d)

35 Steps Applied During Stage 1 – Identification (cont’d)

36 Steps Applied During Stage 1 – Identification (cont’d)

37 Steps Applied During Stage 2 – Analysis

38 Steps Applied During Stage 2 – Analysis (cont’d)

39 Steps Applied During Stage 2 – Analysis (cont’d)

40 Steps Applied During Stage 2 – Analysis (cont’d)

41 Steps Applied During Stage 2 – Analysis (cont’d)

42 Steps Applied During Stage 2 – Analysis (cont’d)

43 Steps Applied During Stage 2 – Analysis (cont’d)

44 Exhibition 300 Business Case Evaluation Criteria as Supported by the FEA SPP

45 Exhibition 300 Business Case Evaluation Criteria as Supported by the FEA SPP

46 Exhibition 300 Business Case Evaluation Criteria as Supported by the FEA SPP

47 Steps Applied During Stage 3 – Selection

48 Steps Applied During Stage 3 – Selection (cont’d)

49 Steps Applied During Stage 3 – Selection (cont’d)

50 Steps Applied During Stage 3 – Selection (cont’d)

51 Steps Applied During Stage 3 – Selection (cont’d)

52 Steps Applied During Stage 3 – Selection (cont’d)

Download ppt "Vijay Rachamadugu and David Snyder September 7, 2006"

Similar presentations

INTOSAI IT Audit IT Methods Awareness

INTOSAI IT Audit IT Methods Awareness
What is Business Architecture?. Overview Agility matters today more than yesterday Previous methods for managing change were designed for the needs of.

What is Business Architecture?. Overview Agility matters today more than yesterday Previous methods for managing change were designed for the needs of.
An Overview of the Federal Segment Architecture Methodology

An Overview of the Federal Segment Architecture Methodology
Gaining Senior Leadership Support for Continuity of Operations

Gaining Senior Leadership Support for Continuity of Operations
AASHTO Internal Audit Conference 2012 – Phoenix Daniel Fodera, CMQ/OE Program Management Improvement Team Federal Highway Administration.

AASHTO Internal Audit Conference 2012 – Phoenix Daniel Fodera, CMQ/OE Program Management Improvement Team Federal Highway Administration.
State of Indiana Business One Stop (BOS) Program Roadmap Updated June 6, 2013 RFI ATTACHMENT D.

State of Indiana Business One Stop (BOS) Program Roadmap Updated June 6, 2013 RFI ATTACHMENT D.
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
© 2009 The MITRE Corporation. All rights Reserved. Evolutionary Strategies for the Development of a SOA-Enabled USMC Enterprise Mohamed Hussein, Ph.D.

© 2009 The MITRE Corporation. All rights Reserved. Evolutionary Strategies for the Development of a SOA-Enabled USMC Enterprise Mohamed Hussein, Ph.D.
<<Date>><<SDLC Phase>>

<<Date>><<SDLC Phase>>
Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.

Enterprise Security A Framework For Tomorrow Christopher P. Buse, CPA, CISA, CISSP Chief Information Security Officer State of Minnesota.
Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.

Presented By: Thelma Ameyaw Security Management TEL2813 4/18/2008Thelma Ameyaw TEL2813.
Enterprise Architecture. 2 Agenda What is Enterprise Architecture (EA)? Roles in EA? Why is EA Important? Tangible Benefits from EA? What Do We Need to.

Enterprise Architecture. 2 Agenda What is Enterprise Architecture (EA)? Roles in EA? Why is EA Important? Tangible Benefits from EA? What Do We Need to.
Office of the Chief Information Officer EFCOG Annual Meeting Fred Catoe (IM-32) U.S. Department of Energy.

Office of the Chief Information Officer EFCOG Annual Meeting Fred Catoe (IM-32) U.S. Department of Energy.
Overarching Roles of Critical Partners In A Project 9:30 – 10:00 Rob Curlee, FMO Joseph Dominque, OCISO Mike Perry, EA.

Overarching Roles of Critical Partners In A Project 9:30 – 10:00 Rob Curlee, FMO Joseph Dominque, OCISO Mike Perry, EA.
IT Governance and Management

IT Governance and Management
The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.

The Software Product Life Cycle. Views of the Software Product Life Cycle  Management  Software engineering  Engineering design  Architectural design.
Doug Nebert FGDC Secretariat June 2006

Doug Nebert FGDC Secretariat June 2006
The topics addressed in this briefing include:

The topics addressed in this briefing include:
Vers. national spatial data infrastructure training program Geospatial Business Planning Introduction to FGDC Initiatives Related to Geospatial Business.

Vers. national spatial data infrastructure training program Geospatial Business Planning Introduction to FGDC Initiatives Related to Geospatial Business.

Similar presentations

Ads by Google