Enterprise Architecture: The Evolution of an Opportunity


Information assurance and enterprise architecture are not new concepts or programs. In fact, for those in the federal government, they are both mandated activities, with requirements and reporting detailed in various policies, regulations, and laws. Increasingly in the corporate world as well, through legislation such as HIPAA in the health services sector, the Sarbanes-Oxley Act for public accounting and audit firms, and the Gramm-Leach-Bliley Act for financial services companies, information assurance programs are becoming a requirement. There are no legal or regulatory mandates for enterprise architecture in the private sector, although many companies choose to adopt some form of it as a best practice.

Why is enterprise architecture used in government? Federal agencies are being called upon to account for their information technology spending, and to demonstrate how their information technology systems support the accomplishment of their mission. Enterprise architecture efforts involve more than just the information technologists of an organization. In fact, the initial government-wide steps taken to define the federal enterprise architecture involve establishing a business reference model, to be followed later by data and technical reference models.

Enterprise architecture programs in both the civilian agencies of the federal government and the Department of Defense provide a variety of perspectives, linking business, operational, and technical views of a mission or process. Just as the home architect provides each specialist with his or her own perspective, the government architectures provide a centrally controlled, related set of views. Managers can see an operational perspective, while information technology specialists can see technical views.

In the past, there has been very little reference to, or integration of, information assurance in enterprise architecture, even in the federal government, where both programs are mandated activities. That is beginning to change as a broader acceptance of the importance of information assurance spreads throughout federal agencies, and references to elements of information assurance are beginning to appear in the latest editions of the federal enterprise architecture framework.

It does not matter whether you take an approach such as the Federal Enterprise Architecture Framework, the DOD Architecture Framework, or any other approach that an organization adopts and maintains and that holistically includes business and operational, as well as technical, elements.

Some may also suggest some modification of the Zachman framework, although both of these approaches are strongly rooted in information technology architecture, and may be somewhat limited when attempting to describe the total context in which information may have to be assured (Zachman, 2001).

A holistic approach is preferred because we want our context to focus on information, and not just information systems or technology. We want ultimately to determine our requirements for information assurance, not IS or IT assurance. It is the loss of information, not of any system or technology, that we are trying to prevent, and assuring information as opposed to systems or technology is an entirely different problem (Von Solms, 2001).




Information Technology Security. Advice from Experts
ISBN: 1591402484
EAN: N/A
Year: 2004
Pages: 113
