Security Architecture
Build security criteria into the design of IT solutions – for example, by defining coding protocols, depth of defence, configuration of security features, and so on.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Architecture at each level of maturity.
- 1 Initial
  - Practice
    - Set minimal security concepts like firewalls and anti-virus in the architecture.
  - Outcome
    - Significant volumes of unwanted external traffic are blocked at the firewall.
  - Metric
    - Number of staff for firewall maintenance
    - Number of open/close requests by port
- 2 Basic
  - Practice
    - Provide basic architectural security descriptions.
  - Outcome
    - Security layers and depth of defence, while considered, may not always be implemented or provisioned in delivered solutions. However, policies and procedures can be partially aligned with security recommendations.
  - Metric
    - % Policies reviewed for security compliance
    - % Relevant IT processes reviewed for security alignment
- 3 Intermediate
  - Practice
    - Develop and document a shared vision for security layers and most security architecture features across IT and some business units.
  - Outcome
    - Concepts such as depth of defence are enabled. Security efforts are aligned and consistent.
  - Metric
    - % Components mapped to security layers
    - % Components reviewed for security compliance
- 4 Advanced
  - Practice
    - Develop, document and implement security architecture layers across the organization.
  - Outcome
    - Security measures are deployed consistently and the risk from weak links is reduced.
  - Metric
    - % Devices compliant with security policy
    - % Sites compliant with security policy
- 5 Optimized
  - Practice
    - Apply the multi-layered security architecture framework across the business ecosystem.
  - Outcome
    - Security is extended beyond the organization. Supplier and customer touch points are reviewed and restricted as appropriate. Externally visible security measures boost consumer and business partnership confidence.
  - Metric
    - % Suppliers reviewed for security
    - % Customers reporting security matters
    - % External facing interfaces reviewed for security features