The EA Domain Team for Security is built upon five EA Conceptual Principles and four EA Principles for Security:
- Standardize the Security Infrastructure
- Educate the Enterprise
- Coordinate Enterprise Security
- Protect Enterprise IT Assets
1. Standardize the Security Infrastructure
All authentication, authorization, and auditing be consistent across the enterprise.
Benefits:
- Elimination of multiple sign-on administration and risk factors
- Elimination of multiple sign-on help desk support
- User service level is improved
- Reduced risk of confidential breeches
- Better handling of termination issues
- Transparency to user of application security functions between multiple hosts
Implications:
- Use of common authentication processes (traditionally driven by operating system and applications)
- Implies ability to authenticate against a common directory
- Cost of supporting a common directory needs to be addressed at an enterprise level
- Initial migration will require up-front investments
- All agencies must participate
- All vendor solutions/proposals will need to address the security requirements of the enterprise
- Development projects need to include/address security issues in the early stages/design function
Counterarguments:
- Reduces flexibility of agency specific solutions
- Potential increased cost of supporting an enterprise-wide solution
- Risk of greater exposure to enterprise through a single sign-on
2. Educate the Enterprise
Inform all stakeholders of information security policies, standards, guidelines & procedures.
Benefits:
- Everyone knows what to expect
- Everyone knows what is expected of them
- Consistency across the enterprise
- Reduced duplication of effort
Implications:
- Coordinated formal training program will be created
- Mandatory agency participation
Counterarguments:
- Formal training provided may not meet agency needs (timeframe, content)
- No perceived benefit to agency
3. Coordinate Enterprise Security
Implement coordinated and consistent incident prevention/response through proactive communication.
Benefits:
- Consistent method of communication
- Timely and appropriate incident response
- Consistent expectations
- Education
- Reduce total cost of ownership
- Reduce vulnerabilities
Implications:
- Centralized repository of logs
- Testing of process
- Formal Enterprise SIRT ‘Security Incident Response Team'
- Requires additional education
- Agency designated security officer
- Incident response tracking database
Counterarguments:
- Process may place too much burden on individual agencies This includes cost, human resource, complexity and overhead
- Not broken why fix it?
4. Protect Enterprise IT Assets
Apply and maintain best practices for protection of enterprise technology and information assets.
Benefits:
- Improved availability
- Improved system integrity
- Improved data integrity
- Improved data confidentiality
- Decreased exposure to risks
- Improved reaction to disaster/business continuity issues
Implications:
- Software patches need to be kept current
- Unnecessary services/ports need to be disabled
- Virus protection must be current
- Strong passwords enforced
- Regular review of user authentication and asset authorization
- Increased usage of physical access restrictions
- Increased usage of data encryption, in transmission and at rest
- Backups kept current and offsite
- Redundancy of critical IT assets
- Expanded utilization of dmz's and firewalls
- Implement anti-spam philosophy
- Coordinated and documented research
- Non-enterprise personnel must adhere to all enterprise policies when using enterprise assets
Counterarguments:
- Barriers to information assets
- Protection requirements can best be solved at an agency level
North Dakota Information Technology Department (ITD)
The ITD team did a excellent job...thank you so much.