PL-08-727 Information Security Architecture

Information Security Architecture

Information Security Architecture
Enterprise Architecture, Roadmap and Emerging Technology
The lack of establishing an enterprise information model may result in application development and decision-supporting activities that are inconsistent with IT plans.
The organization: a. Develops an information security architecture for the information system that: 1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; 2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and 3. Describes any information security assumptions about, and dependencies on, external services; b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
Information security architecture is designed with consideration to the overall information security strategy of the organization.
No statewide control
Obtain policies and procedures addressing information security architecture and ascertain if: (i) the documentation describes the requirements and approach to protect confidentiality, integrity and availability of organizational information; (ii) the documentation describes the integration with the enterprise architecture; (iii) the documentation describes assumptions about and dependencies on external services; (iv) the information security architecture is reviewed and updated at an appropriate frequency to reflect updates to enterprise architecture; and (v) the changes in information security architecture are reflected in the security plan, CONOPS and organizational procurements/acquisitions.