Enterprise Security Architecture - Security Controls Matrix.
This piece of intellectual capital I have developed over the last 15 years adding to it as the Security Landscape has changed. I have used it on many engagements adapting it to suit the given environment and task.
Is it complete - no, it can't be. Security professionals and the control sets they work with change with the threat landscape and so this view needs to continually evolve.
Version 2.5 is a major update where I have re-engineered the structure underneath using layers to better structure the document and make it easier to update in the future. I have also revamped and modified a number of controls. Still more to do…
What is it? It is a generic control set which can be used to pick and choose the controls you need in a given situation. I use it for the following purposes
1. Gap Analysis. When auditing or reviewing an architecture I use this model as reference to ensure I have covered all the bases.
2. Requirements Definition and Control Selection. I use the model to make sure I don't miss any inputs when defining the requirements for security and make sure I have considered all the different control groups when deciding which controls are most suitable for a given set of threats within the constraints of the environment I am working in.
3. Capability Reviews or Definition. I use this model in the development of Capability Views (another product I generate which describes how the people, process and control sets work together to deliver the capability). These Capability views are used when describing or analysing the operation effectiveness of a capability. For example a lot of organisations will build something like a Certificate Management or SIEM solution without fully capitalising on the investment by making sure the operational processes are complete and effective, and that the right information is going to the correct stakeholders. The PDCA cycle can't operate effectively if you can't close the loop.
It can be put to other uses but these are the main use cases I use it for.
I have shared this as it is something I use regularly with great effect and hope others might find it useful. It is my intellectual capital but anyone is free to use it if they find it useful. I am also open to suggestions as to how it might be made better so feel free to contact me if you want to discuss.
Contact me on esa@assuredcontrol.com or via linkedin
For downloadable versions look at the useful tools page
For my Architecture Models look at the Archi Page
Is it complete - no, it can't be. Security professionals and the control sets they work with change with the threat landscape and so this view needs to continually evolve.
Version 2.5 is a major update where I have re-engineered the structure underneath using layers to better structure the document and make it easier to update in the future. I have also revamped and modified a number of controls. Still more to do…
What is it? It is a generic control set which can be used to pick and choose the controls you need in a given situation. I use it for the following purposes
1. Gap Analysis. When auditing or reviewing an architecture I use this model as reference to ensure I have covered all the bases.
2. Requirements Definition and Control Selection. I use the model to make sure I don't miss any inputs when defining the requirements for security and make sure I have considered all the different control groups when deciding which controls are most suitable for a given set of threats within the constraints of the environment I am working in.
3. Capability Reviews or Definition. I use this model in the development of Capability Views (another product I generate which describes how the people, process and control sets work together to deliver the capability). These Capability views are used when describing or analysing the operation effectiveness of a capability. For example a lot of organisations will build something like a Certificate Management or SIEM solution without fully capitalising on the investment by making sure the operational processes are complete and effective, and that the right information is going to the correct stakeholders. The PDCA cycle can't operate effectively if you can't close the loop.
It can be put to other uses but these are the main use cases I use it for.
I have shared this as it is something I use regularly with great effect and hope others might find it useful. It is my intellectual capital but anyone is free to use it if they find it useful. I am also open to suggestions as to how it might be made better so feel free to contact me if you want to discuss.
Contact me on esa@assuredcontrol.com or via linkedin
For downloadable versions look at the useful tools page
For my Architecture Models look at the Archi Page