This post explains what an enterprise information security architecture framework is, and summarizes some of the existing ones.
List of Enterprise IT Security Architecture Frameworks
What is an Information Security Architecture Framework?
Enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of organizations.
Enterprise information security architecture (EISA) is the subset of enterprise architecture that focuses on information security.
A framework is a basic structure underlying a system, concept, or text.
An architecture framework is a foundational structure that can be used for developing a broad range of different architectures.
Thus, an information security architecture framework is an architecture framework specific to information security.
The architecture is the specific solution, while the architecture framework is the set of references used to design that solution.
What is the difference between an IS architecture framework and a cybersecurity framework?
I have never seen this question answered before, so I will try to explain what my conclusions are about the difference, in plain words.
The word framework denotes a reference, not a final solution.
An information security framework would be a reference for how to implement information security, in its broadest sense.
Cybersecurity frameworks would be specific to cybersecurity instead of information security. Remember that the difference between information security and cybersecurity is that the first is a broader term covering all types of information (written, digital, etc.), while the second is specific to digital information.
The concepts of enterprise architecture were explained in the previous section.
In conclusion, information security architecture frameworks are a subset of information security (or cybersecurity) frameworks, specific to architecture.
You can find cybersecurity frameworks that are not considered architecture frameworks on this post. The most popular of them are the ISO 27000 series and the NIST CSF.
List of Enterprise IT Security Architecture Frameworks
The most popular are:
- Zachman Framework
- TOGAF
- COBIT
- SABSA
Alternative architectures are:
- Open Security Architecture (OSA)
- E2AF
- AGATE
- Integrated Architecture Framework of Capgemini
- IDABC
- MIKE2.0 / SAFE
- MDA
- NIH Enterprise Architecture Framework
- OBASHI
- SOMF
- MODAF
- DoDAF
- FEA
Zachman Framework
The Zachman Framework is a framework for enterprise architecture.
TOGAF
TOGAF stands for The Open Group Architecture Framework. It is developed by The Open Group.
The SAP Enterprise Architecture Framework is an extension of TOGAF.
COBIT
COBIT is an acronym for Control Objectives for Information and related Technology. It is developed by ISACA.
COBIT is a framework for IT management and governance. Thus, it is not specific to security, but it includes one process called “Manage Enterprise Architecture” that deals with this topic.
The latest version is COBIT 2019 (released in 2018), but COBIT 5 (released in 2012) is still popular.
SABSA
Sherwood Applied Business Security Architecture (SABSA) is an enterprise security architecture.
It is very theoretical and not used in real industry.
OSA
Open Security Architecture (OSA).
E2AF
E2AF is an acronym for Extended Enterprise Architecture Framework.
E2AF was published in 2006 by the Institute For Enterprise Architecture Developments (IFEAD), whose president was Jaap Schekkerman. The official website of IFEAD is down, but you can access its archive version from this external link.
Considering that the latest version of E2AF is from 2006 and that the IFEAD website is down, I can conclude that this framework is no longer maintained. Still, I have seen it quoted in some sources.
The E2AF Essentials Guide can still be viewed from this external link.
Information Security Architecture
Cybersecurity Mesh, or Cybersecurity Mesh Architecture (CSMA), is a collaborative ecosystem of tools and controls for securing an enterprise.