Vijay Rachamadugu and David Snyder September 7, 2006

MITRE's 1st Federal Enterprise Architecture (FEA) TEM
Federal Enterprise Architecture Security and Privacy Profile (FEA SPP)

Outline
- Program Background
- FEA SPP Challenges
- Overview of the FEA SPP
- FEA SPP Methodology
- Review of the validation effort
- Questions

FEA SPP Background

Federal CIO Council Architecture and Infrastructure Committee (AIC)
In early 2003 the AIC called for the development of an "Information Security Architecture".

OBJECTIVE:
- Overlay the existing reference models.
- Provide managers and systems architects with guidelines regarding the design and deployment of appropriate measures to ensure protection of information and information resources.
- Develop an Information Security Architecture Profile that will become a part of the FEA.

APPROACH:
- Assemble a suitable set of architectural principles and guidelines, based on existing FEA reference models, legislation, government agencies, and private companies.
- Quickly produce an initial version of an Information Security Architecture Profile that will be available for use by Federal agencies and used to guide future updates to the FEA reference models.

PARTICIPATION:
- Industry Advisory Council (IAC) Security Committee and industry organizations as appropriate.
- Provide information security and privacy architecture experts to review, refine and expand the Phase I product.

RESOURCES:
- Sponsoring government and industry organizations will provide the necessary resources to complete this effort.

From the Federal CIO Council Architecture and Infrastructure Committee Terms of Reference.

Background
- John Gilligan, former Air Force CIO, develops a statement of need for security guidance in the FEA.
- Phase 1 (August – September 2003): A small working group is formed to define the content of an FEA "Security Profile". Output is shared with the Industry Advisory Council and government for review and comment.
- Phase 2 (June – December 2004): The FEA Security Profile is developed based on the ideas and feedback from Phase 1.
- Phase 3 (October 2005 – April 2006): FEA SPP validation and draft.

FEA SPP Timeline

Security Implementation
MITRE R&D results: Roadmap of Information Security Across the Enterprise (RISE)
Figure: RISE roadmap. Labels recoverable from the diagram:
- Life-cycle phases: Mission; Develop/Acquire; Test & Evaluate; Authorize & Deploy
- Layers: Business Strategy; Security Strategy; Security Implementation & Management
- Business Drivers: Legislative; Governance/Standards; Personnel/Training; Operations/Processes; Environment/Infrastructure
- Assess and/or Construct: Enterprise Policies; Capabilities; Assets; Security Risks; Strategy for Addressing
- Target Architecture with Security Integrated Throughout; Gap Analysis; Prioritization; Sequencing Plan; Security Management

RISE Relationship to EA Components
Figure: the RISE roadmap annotated with the corresponding enterprise architecture components. Labels recoverable from the diagram:
- RISE steps: Mission; Assess and/or Construct (Enterprise Policies; Capabilities; Assets; Security Risks; Strategy for Addressing); Target EA with Integrated Architecture; Gap Analysis; Prioritization; Sequencing Plan; Develop/Acquire; Test & Evaluate; Authorize & Deploy
- EA annotations: As-Is EA; Security as Enablers; Target Goals and Requirements; Akin to FIPS 199; Data Architecture; Business Architecture; Infrastructure Architecture; Trade-offs; "SLAs"; Information Security Control Selection; Executive Decisions; Release Planning

FEA SPP Challenges

FEA SPP Challenges
- Address security and privacy at the enterprise level.
- Ensure that security and privacy are considered in the earliest stages of an initiative.
- Support project planning: costing, Exhibit 300 and Exhibit 53 development.
- Integrate security and privacy across the entire EA.
- Address requirements of the FEA Reference Models.
- Develop guidance relevant and applicable to agencies with widely varying levels of EA maturity.
- Integrate planning across cultures and domains: EA folks, financial folks, business domain folks, security folks.
- Integrate best practices and avoid creating new work!

FEA SPP Overview

What is the FEA SPP
- A scalable and repeatable methodology for addressing information security and privacy from a business-centric enterprise perspective.
- Integrates the disparate perspectives of program, security, privacy, and capital planning into a coherent process, using an organization's enterprise architecture efforts.
- Enterprise architecture provides a common language for discussing security and privacy in the context of agencies' business and performance goals, enabling better coordination and integration of efforts and investments across organizational or business-activity stovepipes.

What is the FEA SPP (cont'd)
- Evaluates enterprise-level security and privacy in the context of the Federal Enterprise Architecture (FEA).
- The FEA focuses on analyzing operations from common business, performance, services, technology, and data views.
- EA enables enterprise change management by describing how an organization operates today, how it intends to operate in the future, and how it intends to invest in technology to transition to that future state.

Overview of the Relationship of the FEA SPP to NIST Guidance … the FEA SPP methodology focuses on enterprise-level decisions at the front end of the development life cycle as a program is initiated, providing a bridge to NIST’s system development and risk mitigation guidance.

FEA SPP Value Proposition
- Promotes an understanding of an organization's security and privacy requirements, its capability to meet those requirements, and the risks to its business associated with failures to meet requirements.
- Helps program executives select the best solutions for meeting requirements and improving current capabilities, leveraging standards and services that are common to the enterprise or the Federal government as appropriate.
- Improves agencies' processes for incorporating privacy and security into major investments and selecting solutions most in keeping with enterprise needs.

FEA SPP Methodology

FEA SPP Methodology Overview
Consists of 3 stages:
- Stage 1: Identification
- Stage 2: Analysis
- Stage 3: Selection
Each stage consists of a set of standard questions.

FEA SPP Methodology Overview (cont'd)
Outcomes of each stage:

Stage 1 (Identification):
- Fully identify program and enterprise-level security and privacy requirements, including previously unknown requirements.
- Fully identify program and enterprise-level security and privacy capabilities, including current and planned future capabilities.
- Document requirements and capabilities in an agency's enterprise architecture using a nomenclature that is common across the Federal government.

Stage 2 (Analysis):
- Identify gaps between requirements and current or planned capabilities.
- Identify opportunities to increase interoperability between, or reduce the costs of, current or planned capabilities.
- Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives.

Stage 3 (Selection):
- Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II.
- Selection of individual proposals that best support the business, security, and privacy needs of the organization.
- Documentation of the updated to-be architecture and sharing of reusable components.

Stage 1 - Identification
Outcomes of Stage:
- Fully identify program and enterprise-level security and privacy requirements, including previously unknown requirements.
- Fully identify program and enterprise-level security and privacy capabilities, including current and planned future capabilities.
- Document requirements and capabilities in an agency's enterprise architecture using a nomenclature that is common across the Federal government.

Stage 1 - Identification

Stage 1 – Identification Objectives
- Identify and understand security and privacy drivers, and ensure that they are documented in the agency EA. Drivers include legal requirements, business requirements, and organizational commitments.
- Identify currently deployed security- and privacy-supportive processes and technologies (components), and ensure that they are documented in the agency EA.
- Match drivers to components, and ensure that the connections are documented in the agency EA.
- Assess the risks associated with unmatched drivers to determine which drivers will require a component in the next zero to five years.

Stage 2 – Analysis Overview
Outcomes of Stage:
- Identify gaps between requirements and current or planned capabilities.
- Identify opportunities to increase interoperability between, or reduce the costs of, current or planned capabilities.
- Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives.

Stage 2 – Analysis Overview

Stage 2 – Analysis Overview (cont’d)

Stage 2 – Analysis Objectives
- Identify gaps between requirements and current or planned capabilities.
- Identify opportunities to increase interoperability between, or reduce the costs of, current or planned capabilities.
- Propose solutions to address gaps or improve capabilities based on an informed trade-off analysis of alternatives.

Stage 3 – Selection Overview
Outcomes of Stage:
- Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II.
- Selection of individual proposals that best support the business, security, and privacy needs of the organization.
- Documentation of the updated to-be architecture and sharing of reusable components.

Stage 3 – Selection Overview
…an enterprise evaluation of the solutions proposed in Stage II and the selection of major investments. In Stage III the FEA SPP implementation team works with the CFO and the IT Investment Review Board (ITIRB) to integrate the outputs from the previous stages into the agency-wide Capital Planning and Investment Control (CPIC) process.

Stage 3 – Selection Objectives
- Evaluation of individual proposals so that each fully reflects the outputs of Stages I and II.
- Selection of individual proposals that best support the business, security, and privacy needs of the organization.
- Documentation of the updated to-be architecture and sharing of reusable components.

FEA SPP Validation Effort

Review of the Validation Effort
Validation exercises were conducted at the Department of Housing and Urban Development (HUD) (11/05) and the Department of Justice (DOJ) (1/06).

The assumptions for each validation effort were:
- An enterprise architecture compliant with, or with mappings to, the FEA.
- A governance process that requires the use of the EA in the IT investment review process.
- An existing security program that has responded to FISMA reporting requirements, and a designated CISO (or equivalent).
- An existing privacy program and a designated Chief Privacy Officer (or equivalent).
- Willingness of the agency to share security and privacy policies, risk assessments, plans, controls, and budget information.

Agencies gained increased awareness of their security and privacy risks and support infrastructure. This will support improved processes for managing security and privacy risks, and improved investment processes.

Validation staff observed validation activities to gather frank and constructive feedback on the utility and adequacy of the FEA SPP methodology.

In June 2006, FEA SPP Version 2.0 was approved by the CIO Council and released to the public.

FEA SPP Questions

FEA SPP Backup Slides

Steps Applied During Stage 1 – Identification

Steps Applied During Stage 1 – Identification (cont’d)

Steps Applied During Stage 1 – Identification (cont’d)

Steps Applied During Stage 1 – Identification (cont’d)

Steps Applied During Stage 2 – Analysis

Steps Applied During Stage 2 – Analysis (cont’d)

Steps Applied During Stage 2 – Analysis (cont’d)

Steps Applied During Stage 2 – Analysis (cont’d)

Steps Applied During Stage 2 – Analysis (cont’d)

Steps Applied During Stage 2 – Analysis (cont’d)

Steps Applied During Stage 2 – Analysis (cont’d)

Exhibit 300 Business Case Evaluation Criteria as Supported by the FEA SPP

Exhibit 300 Business Case Evaluation Criteria as Supported by the FEA SPP (cont'd)

Exhibit 300 Business Case Evaluation Criteria as Supported by the FEA SPP (cont'd)

Steps Applied During Stage 3 – Selection

Steps Applied During Stage 3 – Selection (cont’d)

Steps Applied During Stage 3 – Selection (cont’d)

Steps Applied During Stage 3 – Selection (cont’d)

Steps Applied During Stage 3 – Selection (cont’d)

Steps Applied During Stage 3 – Selection (cont’d)