Architecture: Federal Enterprise Architecture (FEA)
Design: ISO/IEC 27002
Develop: SEI-CMMI, FIPS 140-2
Test: NIST SP 800-42, ISO 9000, Common Criteria (for product categorization)
Implement: NIST SP 800-53
Train: NIST SP 800-50
O&M: ISO TR 13335, NIST SP 800-18, NIST SP 800-34, Control Objectives for Information and Related Technology (COBIT)
Retire: NIST SP 800-4A, ISO 9001
NIST SP 800-64 directly addresses security within the SDLC, and verification standards exist for each SDLC phase. These include formal methods to assess architecture (e.g., the OMB Enterprise Architecture Assessment Framework and the Government Accountability Office (GAO) EA Management Maturity Framework). There are also formal methods for certification and accreditation (C&A) applied post-implementation (e.g., NIST SP 800-37). Standards must also apply to retiring technology products and media. Personal privacy mandates (e.g., the HIPAA Privacy Rule) and individual awareness of personal privacy exposure (e.g., tax records and other personal data) mean that policies and standards are needed to govern the disposition of donated or discarded PCs, floppies, CDs, and hard drives.
The above is a technical focus; additionally, there are business-focused standards that include enterprise life cycle management (ELCM), earned value (EV), risk management, contingency planning, and more. Chapter 8 contains additional details on standards and policy.
The IA² Framework permits the use of a variety of security standards depending on the situation at hand: ISO/IEC 27002 and ISO/IEC 27001 for the application of best practices; ISO TR 13335 for managing, planning, and mapping safeguards to threats; SEI-CMMI for software quality assurance; SSE-CMM for security engineering; and Common Criteria, an internationally accepted standard for product security. The examples do not advocate any standard over another; the point is that the flexibility of IA² accommodates any security standard.
The IA² Framework and IA² Process are themselves standards for IA architecture and provide a common lexicon, taxonomies, and an IA architecture development methodology. An IA architecture developed using IA² implies at least a minimal level of consistency and quality. Applied IA² ensures a consistent, security-aware, business-driven approach to the selection and implementation of IA mechanisms and products. The rest of the chapter looks at some of these mechanisms in detail.