Enterprise Architecture, Roadmap and Emerging Technology
MOD, HIGH
P1
No
Failing to establish an enterprise information model may result in application development and decision-support activities that are inconsistent with IT plans.
The organization:
a. Develops an information security architecture for the information system that:
1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;
2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and
3. Describes any information security assumptions about, and dependencies on, external services;
b. Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and
c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.
Information security architecture is designed with consideration to the overall information security strategy of the organization.
No statewide control
Obtain policies and procedures addressing information security architecture and ascertain if:
(i) the documentation describes the requirements and approach to protect the confidentiality, integrity, and availability of organizational information;
(ii) the documentation describes the integration with the enterprise architecture;
(iii) the documentation describes assumptions about and dependencies on external services;
(iv) the information security architecture is reviewed and updated at an appropriate frequency to reflect updates to enterprise architecture; and
(v) the changes in information security architecture are reflected in the security plan, CONOPS and organizational procurements/acquisitions.