Security architectures must focus on business threats, operational continuity, and recovery activities. In many cases, they begin to implement or expand the overall themes described in the governance planning activities detailed in the previous section. In addition to defining and engineering system redundancy, operational flexibility and a strong infrastructure to build upon, security architectures focus on the business requirements that must be supported.
Weaving together multiple threads of process, resources and technology, security planners bridge the "what if" world and the "how" world within the confines of budget, schedule and technical capability. Given the uncertainty about the types of threats, where they might come from, and what impact they might cause, some might say the planning challenge is overwhelming. In some cases it is, which requires a return to the underlying assumptions and objectives to revalidate them. In other cases, significant thought and cross-organizational planning become the only way to successfully overcome the challenges.
Best Practice | Criticality | Frequency | Participants | Activity Results |
---|---|---|---|---|
Review and verify the current threat matrix against current assumptions | High | Six months | Management, security | Current and accurate threat matrix to proactively plan responses against |
Verify all architectures are aligned against current SLAs | Medium | Six months | Management, security, IT operations, finance | Maximum leverage of IT resources and operations |
Review current security barriers to ensure they provide reasonable protection against newly defined risks | High | Quarterly | Management, security, IT operations | Defensible security practices and procedures against current risks |
Review all processes concerning the protection of IT resources from internal attack or loss | High | Quarterly | Management, security, IT operations | Reduced risk or loss from internal attack |
Review and verify all disaster recovery plans are current and deployable | High | Six months | Management, security, IT operations, finance | Achievable and deployable disaster recovery plan that reduces impact to employees, customers, shareholders and management |