Security and Privacy Plan

EA3 artifact SP-2: Security Plan

The Security Plan provides both high-level and detailed descriptions of the security program that is in effect throughout the enterprise.  This includes physical, data, personnel, and operational security elements and procedures.

Chapter 11 in Bernard’s book provides additional detail on Security Plans.

  1. Introduction
    • Purpose of the IT Security Program
    • Principles of IT Security
    • Critical Success Factors
    • Intended Outcomes
    • Performance Measures
  2. Policy
    • Executive Guidance
    • Technical Guidance
    • Applicable Law and Regulations
    • Standards
  3. Reporting Requirements
    • IT Security Program Roles and Responsibilities
    • IT Security Program Schedule and Milestones
    • IT Security Incident Reporting
  4. Concept of Operations
    • IT Security Threat Summary
    • IT Security Risk Mitigation
    • Integration with Enterprise Architecture
    • Component/System Security Plans
  5. Security Program Elements
    • Information Security
    • Personnel Security
    • Operational Security
    • Physical Security
  6. Standard Operating Procedures
    • Test and Evaluation
    • Risk Assessment
    • Certification and Accreditation
    • Disaster Recovery/Continuity of Operations
    • Records Protection and Archiving
    • Data Privacy

Security Controls Catalog

EA3 artifact SP-1: Security Controls Catalog and Solutions Description

The Security Controls Catalog is

The Security Solutions Description provides a high-level view of how security is provided for selected resources throughout the enterprise. The solutions cover four dimensions of security (physical, data, personnel, and operations) and may include diagrams or matrices.

Operational Security

In the area of operational security, the Security Program should promote the development of standard operating procedures (SOPs) for all EA components that support line of business operations. SOPs should also be developed for recovery from major outages or natural disasters, and for enabling the continuity of operations if all or part of the enterprise becomes disabled.

Data Security

In the area of information security, the Security Program should promote security-conscious designs, information content assurance, source authentication, and data access control. The types of data being handled should also be assessed for privacy protection concerns (e.g., customer credit data or employee SSNs).

Personnel Security

In the area of personnel security, the Security Program should promote user authentication, IT security awareness, and new user/recurring training. Badges, biometrics, card swipe units, cipher locks, and other methods of combining personnel and physical security solutions should be implemented.

Physical Security

The elements of physical security that should be captured in the EA include protection for the facilities that support IT processing, control of access to IT equipment, networks, and telecommunications rooms, as well as fire protection, media storage, and disaster recovery systems.

 

Facility Blueprints

EA3 artifact I-12: Facility Blueprints

This artifact is a full set of electronic blueprints for all of the physical buildings and rooms throughout the enterprise.  The blueprints aid in planning and decision-making regarding the placement of workspaces, production facilities, warehouses, networks and other business functions.

Asset Inventory

EA3 artifact I-11: Asset Inventory

The Asset Inventory lists all of the hardware and software on the enterprise’s voice, data, and video networks. The list may include bar code numbers or other unique identifiers.


Capital Equipment Inventory

The Capital Equipment Inventory lists all of the non-information technology capital (depreciable) equipment in each line of business throughout the enterprise.  The list may include bar code numbers or other unique identifiers.


Point of Presence Diagram

EA3 artifact I-10: Point of Presence Diagram

On the Internet, a point-of-presence (POP) is an access point from one place to the rest of the Internet. A POP necessarily has a unique Internet Protocol (IP) address. A POP usually includes routers, digital/analog call aggregators, servers, and frequently frame relays or ATM switches.


Wiring Closet Diagram

EA3 artifact I-9: Wiring Closet Diagram

The wiring closet is an equipment room or server room that contains hubs, switches, and other network components. It is often connected through a vertical backbone cable to the main equipment room, which is usually in the basement of the building (in a multifloor building).


Data Center/Server Room Diagram

EA3 artifact I-8: Data Center/Server Room Diagram

This artifact is an overhead diagram of the information technology network center.  This diagram can be part of the set of blueprints, and is maintained electronically to support the numerous changes to network center(s) and server rooms that can be expected over a number of years.


Rack Elevation Diagrams

EA3 artifact I-7: Rack Elevation Diagram

This diagram provides a front and rear view of each of the information technology equipment racks that go into a network center, server room, and/or wiring closet. This diagram supports the NI-5 and NI-6 diagrams and is maintained electronically to support the numerous changes that can be expected over a number of years.


Wireless Connectivity Diagram

EA3 artifact I-6: Wireless Connectivity Diagram

The use of wireless networks gives possibilities for new forms of connectivity inside and outside the enterprise network.


Cable Plant Diagram

EA3 artifact I-5: Cable Plant Diagram

The Cable Plant Diagram shows physical connectivity between voice/data/video networks throughout the enterprise and to global suppliers.  The diagram should show the types of cable (fiber, CAT-6, etc.) and the bandwidth (T-1, OC-3, etc.) of each cable run between network centers, server rooms, wiring closets, and external connections.
