Fri Apr 8 06:47:17 PDT 2016
Control Architecture: When is a systematic security architecture created and updated?
Option 1: Never create a security architecture.
Option 2: Create or update security architecture as part of enterprise information infrastructure design or redesign.
Option 3: Create or update security architecture based on changing operational modes.
Option 4: Periodically revisit security architecture as technology and systems change.
Option 5: Continuously update security architecture.
Option 6: Create a security architecture.
Never create a security architecture.
A substantial amount of time and effort as well as other
resources are required to create a security architecture. Unless risks
justify getting systematic, the benefits don't warrant the costs.
Create or update security architecture as part of enterprise information infrastructure design or redesign.
Whenever a major redesign is undertaken, it is an ideal time to
architect security along with the new infrastructure. This will help
to integrate protection issues into enterprise infrastructure design,
save time and money in retrofits, and avoid unnecessarily weak
protection. Costs will be small compared to the costs of the rest
of the effort, and benefits will likely be large.
Create or update security architecture based on changing operational modes.
As businesses change the manner in which they operate, which most
often happens when they pass particular thresholds of size, or when
they go public, it becomes important to re-evaluate issues related to
information protection to meet the substantial changes in the way
management and operations function.
Periodically revisit security architecture as technology and systems change.
At least once a year, existing security architecture should be
reviewed for changes. In addition, for enterprises at Defined or
higher maturity levels, enterprise inventory and risk control
processes should define work flows that cause architectural reviews
when risks associated with changes justify such a revisitation.
Continuously update security architecture.
For high risk situations, security architecture should
be intimately tied to every element of design and operation, and minor
adaptations to each should be made in concert with each other over
time. However, these changes should be at the design level whenever
possible and architectural changes should only be made when justified,
even if the architecture is revisited often.
Create a security architecture.
All other things being equal, if no security architecture is in
place, and if none of the other conditions hold, a security
architecture should be put in place.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved