date of creation, last modification date, classification level, and source of data.
Judgments on the quality and accuracy of the data may come in part from the metadata.
IA² assists in identifying potential risks of metadata corruption (integrity),
metadata disclosure (confidentiality), and loss of access to metadata (availability).
How does one ensure metadata integrity? Confidentiality? One method is to bind
metadata with the data it belongs to and encrypt it (crypto-binding of metadata).
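
An added example, not from the original text: it covers the integrity half of the binding described above by computing one HMAC-SHA256 tag over the metadata and the data together (Python standard library only), so that altering the metadata or moving it onto other data is detected. Confidentiality would additionally require encrypting the sealed record, for example with an AEAD cipher, which is outside this example; the field names, the key, and the function names are assumptions.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo key; a real key would come from a key-management service.
DEMO_KEY = b"constructed-demo-key-not-for-use"

def _bound_message(metadata: dict, data: bytes) -> bytes:
    # Canonical JSON so identical metadata always serializes to identical bytes.
    meta = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    # Length prefixes make the metadata/data boundary unambiguous.
    return struct.pack(">Q", len(meta)) + meta + struct.pack(">Q", len(data)) + data

def seal(key: bytes, metadata: dict, data: bytes) -> dict:
    """Return a record whose tag covers metadata and data as one unit."""
    tag = hmac.new(key, _bound_message(metadata, data), hashlib.sha256).hexdigest()
    return {"metadata": metadata, "data": data, "tag": tag}

def verify(key: bytes, record: dict) -> bool:
    """True only if neither metadata nor data changed since seal()."""
    msg = _bound_message(record["metadata"], record["data"])
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    try:
        presented = bytes.fromhex(record["tag"])
    except (TypeError, ValueError):
        return False  # malformed tag is treated as a failed check
    return hmac.compare_digest(expected, presented)  # constant-time compare

def demo() -> dict:
    # Constructed sample record using the metadata fields named in the text.
    meta = {"created": "2006-06-01", "modified": "2006-06-15",
            "classification": "confidential", "source": "hr-system"}
    rec = seal(DEMO_KEY, meta, b"salary table v3")
    # Metadata corruption: classification level lowered after sealing.
    downgraded = dict(rec, metadata=dict(meta, classification="public"))
    # Metadata (and its tag) moved onto data it does not belong to.
    transplanted = dict(rec, data=b"cafeteria menu")
    return {"original": verify(DEMO_KEY, rec),
            "downgraded": verify(DEMO_KEY, downgraded),
            "transplanted": verify(DEMO_KEY, transplanted),
            "wrong_key": verify(b"some-other-constructed-key", rec)}

if __name__ == "__main__":
    print(demo())
```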
10.3.2.6  IA²  Alignment Deliverables
As you can see, the complexities of FEA begin to emerge. The size and complexity
may vary tremendously with permutations of details among PRM, BRM, SRM,
TRM, and DRM. Moreover, the FEA artifacts (documents and diagrams) may be
very lengthy and complex. IA² deliverables in support of FEA may include:
• A rather long narrative of the FEA IA² Process and findings
• Tables of reference models with IA² components in terms of:
    ◦ Managing business risk, solution risk, project risk
    ◦ CIA—confidentiality-integrity-availability
    ◦ PAU—possession-authenticity-utility
    ◦ PAN—privacy-authorized use-nonrepudiation
• Traceability matrix aligning business drivers to IA services and mechanisms
  via the many FEA RMs
The templates in the appendix provide a starting point. Rather than adding
more documents to the FEA set, insert the IA details into the PRM, BRM,
SRM, TRM, and DRM as appropriate. This provides for IA integration from inception
and carries the IA concepts throughout the inherent alignment of business to
performance, service to business, technical to service and business, and data.
10.3.3  FEA Security and Privacy Profile
FEA Security and Privacy Profile, version 2.0, June 2006 (SPP) is a supplement to
the FEA that addresses information security and privacy from a business enterprise
perspective. The SPP is a methodology that uses the FEA framework; therefore,
it is not a distinct framework for security and privacy separate from the FEA itself.
SPP depends on the FEA reference models for structure and flow. SPP attempts
to align the security controls specified in the NIST standards with the architectural
components of FEA. If you are working on an FEA project, you should produce
results consistent with the form and flow of FEA and the SPP as a supplement to
FEA. The SPP does not have nearly the breadth and depth of IA². IA² may be stand-alone
www.cio.gov/documents/Security_and_Privacy_Profile_v2.pdf.
 