How to conduct Security Architecture Reviews?


Arun Pillai

May 31, 2017, 8:05:00 AM
to null
Hi ,

Are there any Security Architecture Review frameworks available which can be leveraged or customized? I found a few (SABSA, TOGAF, etc.) which could be leveraged; however, they need a lot of customization to fit my organization's risk scenarios. Any recommendation if anyone has taken an approach of adopting any of these frameworks, or customized one leveraging other open frameworks like ISO 27001, to build a solution which helps in conducting security architecture reviews?

The major challenge faced when adopting a framework like SABSA or TOGAF is that we tend to miss controls, as it was not built considering various industry-specific risk scenarios. Thus, despite following a modelling approach, it leads to missing controls or ineffective security recommendations from a business risk standpoint.

Reference: http://www.sabsa.org/ 

Thanks & Regards,
Arun Pillai 

Rajesh Deo

Jun 1, 2017, 5:06:16 AM
to null-...@googlegroups.com
It has been our experience that it is better to use these as reference models since they are very generic to the IT process.

SABSA is probably the best approach but you must marry it with OWASP and other guidelines to arrive at your ground truth framework.

A substantial component of threat modelling must also be considered.

The best resources for this seem to be from the CISO Platform group. Please check out their presentations and possibly reach out to them for further recommendations. If I recall, they have built a customised framework for these purposes.


regards,
Rajesh


--
______________________________________________________________________________
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/
---
You received this message because you are subscribed to the Google Groups "null" group.
To unsubscribe from this group and stop receiving emails from it, send an email to null-co-in+unsubscribe@googlegroups.com.
Visit this group at https://groups.google.com/group/null-co-in.
For more options, visit https://groups.google.com/d/optout.

Rishabh Dangwal

Jun 1, 2017, 8:16:57 AM
to null
I generally follow a custom framework based on the NIST cyber security framework, SABSA & industry-specific standards. The only variable that changes is the industry, as we have to adapt accordingly as per the engagement in hand. For example, typically for the banking industry we add SWIFT & PCI controls to our framework; for networks, ISO 27033-x; while for telecommunications, we refer to and add ITU-T standards.

Thanks 
rish

bganeshmail .

Jun 1, 2017, 2:22:25 PM
to null-...@googlegroups.com
ISO 27001 (ISMS) - It covers Governance and RMF for IS.

FEA (Federal Enterprise Architecture) - General Architecture

NIST SP 800-39 - RMF for IS

PCI-DSS - Finance and Banking

As a whole, you can incorporate IS architecture into Enterprise Architecture.

Arun Pillai

Jun 2, 2017, 7:17:17 AM
to null
Hi All,

Is there any framework which could be a very neutral solution for any type of review, right from COTS products to Cloud solutions? All of the recommended ones appear to address specifics of particular pain areas; each talks about how to do it or what to do, but doesn't address the holistic requirement. I was thinking on the ground to take the best from ISO 27001 with SABSA and NIST and build pattern- and component-level mapping.

To segregate all of it, adopt a risk framework which will get inputs from users and then map the inputs with a threat model to rate the risk. After deriving the risk rating, use the patterns to recommend controls. I am not sure; please advise if I am heading in the wrong direction.


Thanks & Regards,
Arun

bganeshmail .

Jun 2, 2017, 12:26:31 PM
to null-...@googlegroups.com
Enterprise Architecture from Cloud Security Alliance.


nandan b

Jun 3, 2017, 1:37:49 PM
to null-...@googlegroups.com
You can make use of Microsoft's DREAD and STRIDE methodologies for architecture reviews.


--
Regards,
Nandan B
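The review flow Arun sketches above (take inputs about the components, map them to a threat model, rate the risk, then recommend controls from patterns), combined with the STRIDE and DREAD methods Nandan mentions, as an added Python example that is not part of this thread. The control-pattern map, the DREAD rating thresholds and the sample components are constructed assumptions for illustration.

```python
"""Added example: a minimal STRIDE + DREAD architecture-review step.
Components are mapped to STRIDE threats, each threat is rated with a
DREAD average, and a control pattern is recommended per STRIDE category.
All mappings and thresholds below are constructed illustrations."""
from dataclasses import dataclass

# STRIDE category -> control pattern to recommend (constructed sample map)
CONTROL_PATTERNS = {
    "Spoofing": "strong authentication (MFA, mutual TLS)",
    "Tampering": "integrity protection (signing, HMAC, input validation)",
    "Repudiation": "tamper-evident audit logging",
    "Information disclosure": "encryption in transit/at rest, least privilege",
    "Denial of service": "rate limiting, quotas, autoscaling",
    "Elevation of privilege": "authorization checks, least privilege, sandboxing",
}

@dataclass
class Threat:
    component: str
    category: str   # one STRIDE category (must be a key of CONTROL_PATTERNS)
    dread: tuple    # (Damage, Reproducibility, Exploitability, Affected users, Discoverability), each 1-10

def dread_score(dread):
    """Average of the five DREAD factors (each 1-10); rejects malformed input."""
    if len(dread) != 5 or any(not 1 <= v <= 10 for v in dread):
        raise ValueError("DREAD needs exactly five factors in the range 1..10")
    return sum(dread) / 5

def rating(score):
    """Bucket a DREAD average into a risk rating (thresholds are a constructed choice)."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"

def review(threats):
    """Rate every threat and attach a control pattern; highest risk first."""
    out = []
    for t in threats:
        s = dread_score(t.dread)
        out.append({"component": t.component, "threat": t.category, "score": s,
                    "rating": rating(s), "control": CONTROL_PATTERNS[t.category]})
    return sorted(out, key=lambda r: r["score"], reverse=True)

# Constructed input: a COTS web application fronting a cloud-hosted database
SAMPLE = [
    Threat("login API", "Spoofing", (8, 9, 7, 9, 8)),
    Threat("admin console", "Elevation of privilege", (9, 5, 4, 6, 3)),
    Threat("report export", "Information disclosure", (3, 4, 3, 2, 2)),
]

if __name__ == "__main__":
    for r in review(SAMPLE):
        print(f'{r["rating"]:6} {r["score"]:.1f} {r["component"]}: {r["threat"]} -> {r["control"]}')
```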