The Architectural Model
The security architecture diagram depicts the elements of an organizational security architecture and how they interact with each other. The presentation here is slanted toward a corporate view in terms of usage, but essentially all of the elements are always present in some form.
At the top is the notion of how the "business" works. At a detailed level this may be codified in process diagrams and associated details such as timeliness requirements, the consequences of failures of different sorts, internal and external interdependencies, and so forth. At a higher level it is divided into common functions, such as sales, marketing, and brand, or into resources that get transformed to produce value. These comprise the basic functions of the organization and the foundation for analyzing the value and importance of its function or utility.
Oversight comes from laws, owners, the board of directors or similar entity, auditors, and the chief executive officer. It produces a set of duties to protect that include legal and regulatory duties, contractual duties, and self-imposed duties. It is also tasked with responsibility for making certain that the duties imposed are carried out.
The business risk management function seeks to transform the duties to protect into a set of identified things to protect, together with surety levels for that protection that are matched to the risks associated with failures. As a side effect of this process, an understanding of risk is produced in the form of threats, vulnerabilities, and consequences; event sequences that could induce potentially serious negative consequences; decisions about risk acceptance, avoidance, transfer, and mitigation; and notions of acceptable residual risk. These are provided to enterprise security management for their use and to oversight for their approval.
Enterprise security management transforms the duty to protect, what to protect, and the other outcomes of oversight and risk management process into the actions taken by the organization to implement protection through the use of power and influence. While the Chief Information Security Officer (CISO) or other responsible party tasked with these issues typically has little budget, their position and standing provide them with the necessary influence to get the job done if they know how to apply that influence effectively. Specifically, they have positional power that grants them access to information required in order to get feedback from the organizational processes they influence and adequate influence to adapt those processes to meet the needs of the organization. If these conditions are not met then the program will fail and the enterprise will suffer the consequences.
The enterprise operates protection through the creation, operation, and adaptation of a control architecture. The control architecture includes structural mechanisms that achieve security objectives through access control, functional units, and change control, as well as lower-surety, non-architectural units.
The technical security architecture implements technical controls. It defines protection processes, in the form of defensive processes associated with data states and contexts over the life cycles of systems and data, and protective mechanisms, in the form of perception, structure, content, and behavior, that directly contact the content and assure its business utility.
In summary, content and business utility are protected by mechanisms, processes, and architectures that are structured through the control architecture and managed via the CISO's influence on organizational elements. The CISO acts to meet the duties to protect by determining how to protect the things that need to be protected and by steering the organization so as to effect those protections. The risk management process and its feedback mechanisms guide the CISO and act as the means by which oversight is accomplished, with the ultimate objective of assuring that business processes are not interfered with in ways that cause serious negative consequences.
For more details and in-depth coverage of these issues, download and read "Enterprise Information Protection".