Sat Jan 10 08:37:00 PST 2015
Control Architecture: Establishment: Is a control architecture formally established?
Option 1: Formally establish a control architecture for the enterprise.
Option 2: Use an informal control architecture for the enterprise.
IF the enterprise is to operate at a maturity of Defined or above, THEN formally establish a control architecture for the enterprise,
OTHERWISE use an informal control architecture for the enterprise.
Formally establish a control architecture for the enterprise.
A formally established control architecture includes establishment and documentation of:
- Control objectives and a model of how to associate and apply those objectives to content.
- An access control model of how to decide on what accesses and actions are permitted.
- Functional units and how they fit together in an architecture.
- Perimeter topology and what perimeters are supposed to do.
- Access methodology and how accesses are supported.
- A trust model and how the model is to be applied.
- Change controls and the methodology to be used to manage changes.
- Other related models as may be appropriate to the enterprise.
Use an informal control architecture for the enterprise.
If no formal model exists that covers the issues identified above,
then an informal model is in use, regardless of whether there is an
awareness of its existence. It is highly likely that this model
differs from person to person and group to group and that the
inconsistencies between them create complexity and vulnerability
as well as a general lack of control.
Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved