approach to design; SE is an engineering discipline imposed on the design process.
Therefore, design uses the discipline of SE to devise the specifics of the solution.
IA design addresses the risks inherent in the services and mechanisms that
comprise the solution. Additionally, IA design attempts to integrate IA design
specifics into those services and mechanisms.
2.11.7 IA Services
IA services include business processes, functions, workflow, and tasks that provide
IA to the organization. IA services include compliance management; IA policy,
standards, and procedures development, dissemination, and management; IA
education, training, and awareness; security management; privacy management;
computer security incident response; vulnerability assessments and other assessments
surrounding compliance, risk, business impact, as well as audits; business
continuity; and digital forensics. IA services may use IA mechanisms.
2.11.8 IA Mechanisms
IA mechanisms are the technologies of IA. IA policy provides insight into strategic
objectives for IA. IA standards specify what to use to implement and enforce policy.
IA procedures specify how to implement and enforce policy. Therefore, standards
may specify IA mechanisms. Standards complement enterprise systems engineering
that looks at the enterprise implications of technology standards, services, and
mechanisms, including those for IA. IA mechanisms include anti-malware,
firewalls, intrusion detection systems (IDSs), honeypots, content filters, identity and
privilege management (e.g., public key infrastructure [PKI]), and secure operating
systems and configurations.
2.11.9 Vendor Selection
When systems engineering and design specify capabilities in terms of IA services
and IA mechanisms, there are no vendors or products selected. Architecture,
enterprise systems engineering, and design are vendor and product agnostic.
The point is to architect, engineer, and design to capabilities and business
objectives, not to products.
With a clear idea of the desired capabilities, the IA architect reviews vendor and
product options and proceeds to select the most qualified. There may be constraints
on the selection process. The IA standards may specify a particular vendor and
multiple products to choose from that vendor. The IA standards may specify a
capability and the vendor selection is open as long as the vendors provide the capabilities
specified in the standards. IA standards may provide a list of vendors and the proj-