Security Architecture
Build security criteria into the design of IT solutions and services — for example, by defining coding protocols, depth of defence, and configuration of security features.
Improvement Planning
Practices-Outcomes-Metrics (POM)
Representative POMs are described for Security Architecture at each level of maturity.
- Level 2: Basic
  - Practice
    - Provide basic security architectural descriptions (e.g. reflecting consideration of depth of defence and localized configuration management), and ensure new solutions and services conform to this architecture.
  - Outcome
    - Policies and procedures can be partially aligned with security architecture recommendations.
  - Metrics
    - % of policies reviewed for compliance with security architecture recommendations.
    - % of relevant IT processes reviewed for security architecture alignment.
    - % of new IT solutions and services that conform to the architecture.
    - % of legacy solutions and services that conform to the architecture.
- Level 3: Intermediate
  - Practice
    - Define a security architecture that reflects specific standard features (e.g. perimeter defences, network, servers, end devices, and BYOD device information security criteria), and use it in procurement, solutions specifications, and any development, integrations, or interoperations work.
  - Outcome
    - The security architecture provides a holistic security view, and most solutions and services conform to this architecture.
  - Metrics
    - % of new IT solutions and services that conform to the architecture.
    - % of legacy solutions and services that conform to the architecture.
- Level 4: Advanced
  - Practice
    - Evolve the security architecture so that it is in line with changes in the enterprise architecture, and use it across the entire solutions and services catalogue.
  - Outcomes
    - Security efforts are deployed consistently, with all solutions and services conforming to the security architecture.
    - The risk from weak links is reduced.
  - Metrics
    - % of new IT solutions and services that conform to the architecture.
    - % of legacy solutions and services that conform to the architecture.
- Level 5: Optimized
  - Practice
    - Continually update the security architecture based on emerging research concepts and recommendations from security agencies and vendors, and use it for all existing and new activities.
  - Outcome
    - The security architecture is always kept effective and relevant.
  - Metrics
    - Frequency of review cycle.
    - % of new IT solutions and services that conform to the architecture.
    - % of legacy solutions and services that conform to the architecture.