EA-based IT Governance
Background
5. The International Governance and Compliance Framework
COBIT's success as an increasingly internationally accepted set of guidance materials for IT governance has resulted in the creation of a growing family of publications and products designed to assist in the implementation of effective IT governance throughout an enterprise.
The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company.

Notional Target Architecture Example
The Notional Target Architecture on Enterprise Map.
The Notional Target Architecture analysis
Security Architecture
Enterprise Information Security Architecture
Overview
Enterprise information security architecture (EISA) is the practice of applying a comprehensive and rigorous method for describing the current and/or future structure and behavior of an organization's security processes, information security systems, personnel and organizational sub-units, so that they align with the organization's core goals and strategic direction. Although often associated strictly with information security technology, it relates more broadly to the security practice of business optimization in that it addresses business security architecture, performance management and security process architecture as well.
Enterprise information security architecture is becoming a common practice within financial institutions around the globe. The primary purpose of creating an enterprise information security architecture is to ensure that business strategy and IT security are aligned. As such, enterprise information security architecture allows traceability from the business strategy down to the underlying technology.
EA and service management
The relation between Enterprise Architecture and service management is analogous to the relation between an engine and a transmission: the engine generates the power, and the transmission delivers it as useful motion. Enterprise Architecture enables simple and agile service management, as shown in the following figure. The OCIO Enterprise Architecture is the core that allows the entire organization to take advantage of technology evolution, as shown in the following figure. It establishes the infrastructure foundation that supports business operations and enables agile automation support in time for business need.

1. LEA to enable simple and agile service management
LEA provides a holistic and agile foundation to support best service management practice. The international community has gradually recognized the value of the service management practice represented by ITIL V3 from the UK Office of Government Commerce (OGC). The challenge is how to enable a holistic, agile and flexible service management capability to implement this model. LEA is proposed to serve as the foundation supporting service strategy, service design and service transition so the organization can adapt to change.
ITIL V3
ecio leverages ITIL. The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for managing information technology (IT) infrastructure, development and operations.
ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs. ITIL is published in a series of books, each of which covers an IT management topic. The names ITIL and IT Infrastructure Library are registered trademarks of the United Kingdom's Office of Government Commerce (OGC).
The IT Infrastructure Library originated as a collection of books each covering a specific practice within IT Service Management. After the initial publication, the number of books quickly grew within ITIL v1 to over 30 volumes. In order to make ITIL more accessible (and affordable) to those wishing to explore it, one of the aims of ITIL v2 was to consolidate the publications into logical 'sets' that grouped related process guidelines into the different aspects of IT management, applications and services.
While the Service Management sets (Service Support and Service Delivery) are by far the most widely used, circulated and understood of ITIL publications, ITIL provides a more comprehensive set of practices as a whole. Proponents believe that using the broader library provides a comprehensive set of guidance to link the technical implementation, operations guidelines and requirements with the strategic management, operations management and financial management of a modern business.
Enterprise Architecture in Higher Education – a practical approach is a blog written by Leo de Sousa.

9. ITIL Small-Scale Implementation
Integrated EA governance processes
ITIL v3, published in May 2007, comprises 5 key volumes:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement

Service Strategy
Service strategy is shown at the core of the ITIL v3 lifecycle but cannot exist in isolation from the other parts of the IT structure. It encompasses a framework to build best practice in developing a long-term service strategy. It covers many topics including: general strategy, competition and market space, service provider types, service management as a strategic asset, organization design and development, key process activities, financial management, service portfolio management, demand management, and key roles and responsibilities of staff engaging in service strategy.
Service Design
The design of IT services conforming to best practice, including design of architecture, processes, policies and documentation, and allowing for future business requirements. This also encompasses topics such as the Service Design Package (SDP), service catalog management, service level management, designing for capacity management, IT service continuity, information security, supplier management, and key roles and responsibilities for staff engaging in service design.
Service Transition
Service transition relates to the delivery of services required by the business into live/operational use, and often encompasses the "project" side of IT rather than "BAU" (Business As Usual). This area also covers managing changes to the "BAU" environment. Topics include Service Asset and Configuration Management, Transition Planning and Support, Release and Deployment Management, Change Management, Knowledge Management, as well as the key roles of staff engaging in Service Transition.
Service Operation
Best practice for achieving the delivery of agreed levels of service both to end-users and to customers (where "customers" refers to those individuals who pay for the service and negotiate the SLAs). Service Operation is the part of the lifecycle where the services and their value are actually delivered. The monitoring of problems and the balance between service reliability and cost are also considered. Topics include balancing conflicting goals (e.g. reliability vs. cost), event management, incident management, problem management, request fulfillment, access management, service desk, technical and application management, as well as key roles and responsibilities for staff engaging in Service Operation.
Continual Service Improvement (CSI)

EA and security
Enterprise information security architecture (EISA), described above under Security Architecture, provides the traceability from business strategy down to the underlying technology. The FEA-SPP is one methodology for building security and privacy into an enterprise architecture in that way.
The FEA-SPP is a scalable, repeatable and risk-based conceptual methodology for addressing information security and privacy requirements within and across architecture segments. It provides a common language for discussing security and privacy in the context of federal agencies’ business and performance goals. The FEA-SPP provides best practices and recommendations that promote the successful incorporation of information security and privacy into an organization’s enterprise architecture. The FEA-SPP:
• Provides a roadmap that assists agencies in integrating IT security and privacy with enterprise architecture;
• Provides a mechanism for identifying and documenting security and privacy requirements;
• Promotes inclusion of security and privacy in business activities and processes;
• Integrates the NIST Risk Management Framework (RMF) and System Development Life Cycle (SDLC) processes to ensure that relevant security and privacy requirements are integrated; and
• Helps program executives understand how the Federal Information Processing Standards (FIPS) 199 security objectives of confidentiality, integrity, and availability and the eight privacy Fair Information Practice Principles (FIPPs) fit within enterprise architecture planning, while leveraging standards and services that are common to the enterprise and the federal government.
Risk management
Implementing Security Controls Across All Levels of the Enterprise
Implementing security and privacy controls within Enterprise-level (Organization), Segment-level (Mission or Business Process), and Solution/System-level architectures is accomplished by applying FEA reference model principles and the RMF methodology. The FEA provides relevant information for the development of the enterprise, segment, and solution architectures. The RMF, on the other hand, provides the required controls needed to ensure that each architecture is compliant with laws, regulations, standards, guidelines, and the organization's risk requirements (see Figure 1).
The Relationship Between the FEA and the RMF
The FEA-SPP provides a risk-based framework to incorporate security and privacy into the enterprise architecture for federal operations. The FEA-SPP, however, acknowledges that security and privacy, while interrelated concepts, are not identical in their methodologies or in the maturity of their existing documentation. The privacy community is continuing to develop best-practice tools to support privacy programs throughout the federal government and will supplement the FEA-SPP with these tools as they are developed.
The FEA-SPP brings together the concepts of the FEA and the RMF (as described in NIST SP 800-39) to derive a security profile at the enterprise, segment and solution (or system) levels of the agency. The FEA-SPP also recognizes the influence of SDLC and maintenance processes in that it provides a sequence of program activities. The FEA-SPP uses this and other agency governance processes to ensure proper compliance with program management best practices and information security regulations regarding the management of information security process, activities and controls. Figure 6 shows the relationship between the FEA and RMF which serve as the foundation for the FEA-SPP:
FEA-SPP methodology
The FEA-SPP methodology is a three-stage, sixteen-activity procedure which documents enterprise-level information security and privacy solutions (see Figure 3 for an overview of the methodology). Each stage has goals, objectives, implementing activities, and output products for formal inclusion in the agency's enterprise architecture and capital planning and investment control (CPIC) process.