Tutorials


In order to determine that OSA has the correct topic coverage we need to define the landscape for security architecture. That way we can identify topics that have poor coverage, determine priorities for new patterns, and help the community co-ordinate their activities.

In a perfect world there would be an existing classification for security architecture that we could adopt, but we do not know of one that slices the field effectively (do you?), and while standards such as NIST, ISO and ISF divide their materials into chapters, these do not translate into a security architecture landscape very well.

Therefore the two authors of this article dare to propose a landscape here, which we hope can be refined over time with the help of the community (that is YOU :-)) to give a useful reference for OSA as well as the wider world.

Security Architecture Landscape

 

[Figure: OSA security architecture landscape components]

 

The items in this landscape represent the major infrastructure and application architecture topics that keep IT departments busy.

V10: Updated landscape to include additional elements for greater coverage: Legal & Reg, Backup, Change Mgmt, Config and Asset Mgmt, extended Service Operations block, reorganised central security services.

The OSA community has not yet decided on the primary reference model in terms of SDLC (Solution/System/Software Development Life Cycle).

The main requirements that influence the choice of the SDLC reference model are:

  • The model must have (or at least have an extension that offers) adequate coverage of security controls
  • The model must be publicly available (without costly corporate membership rates)
  • The model must be used across several industries/countries
  • The model must NOT be driven/owned by a single company (e.g. vendor)

The currently considered models are:

  • ISO/IEC 15288, System Life Cycle Processes
  • IEEE STD 1220, Application and Management of the Systems Engineering Process
  • ISO/IEC 21827, Systems Security Engineering Capability Maturity Model (SSE-CMM)
  • ITIL
  • COBIT

The models listed above represent a very wide range of model types, and hence it may be difficult to compare them against each other.

Please contribute your experience via email.

The definition of the term SDLC framework (also listed on the glossary page) is: An SDLC framework defines, at a high level of abstraction, which processes are needed to achieve a given set of system qualities. It hence also defines the actors and puts the SDLC processes into the context of related processes (such as project management, architectural governance, etc.).
