This document is The Open Group Guide addressing how to integrate considerations of security and risk into an Enterprise Architecture. It provides guidance for security practitioners and Enterprise Architects who need to work with the TOGAF® standard, a standard of The Open Group, to develop an Enterprise Architecture.
This Guide was revised in March 2019 to update references to the TOGAF Standard, Version 9.2.
- Additional Information
Reference G152 Author(s) The Open Group Security Forum, in collaboration with The SABSA® Institute US ISBN 1-937218-66-9 Published 1 Apr 2019 Pages 42 Type Guides Subject Security
- Standards Information
Standards Information Base
Common Name TOGAF Security & Risk Status Adopted Service Category Software Engineering Services Service Architecture Type The Open Group Guide
Customer Reviews 1 item(s)
- A perfect paper for 20th century enterprise security architects
The content is very conventional. I think without the content of this text, architects could also think that security is a transverse concern starting from the preliminary phase until the requirements management. This is hopefully not new.
This paper is considering security just like purchasing or any other function that may be embedded within the enterprise with a specific vocabulary.
1- If we consider that the Enterprise is comprised of multiple functions with some overlapping activities that inter-operate to create value, then some emerging threats and behaviors are expected. The Enterprise's attack surface may not be identifiable from a top-down description approach.
2- Unfortunately, this paper failed to treat security as a system of systems resilience problem. Especially for Corporates, APTs cannot be addressed with this traditional risk management practices effectively. See NIST SP800-160 Nov19 or CERT-RMM
3- Perhaps less important but it is sad that supply chain is not, not even once, mentioned in this paper. We all know that supply chain is a core area of any Enterprise of the 21st century.Thus, it is a core security concern area.