Integrating Risk and Security within a TOGAF® Enterprise Architecture
- Product Review (submitted on 16 December 2019):
The content is very conventional. I think that, even without the content of this text, architects could also think that security is a transverse concern, starting from the Preliminary Phase until Requirements Management. This is hopefully not new.
This paper considers security just like purchasing or any other function that may be embedded within the enterprise, with its own specific vocabulary.
1- If we consider that the Enterprise is composed of multiple functions, with some overlapping activities that inter-operate to create value, then some emerging threats and behaviors are to be expected. The Enterprise's attack surface may not be identifiable from a top-down description approach.
2- Unfortunately, this paper fails to treat security as a system-of-systems resilience problem. Especially for corporates, APTs cannot be addressed effectively with these traditional risk management practices. See NIST SP 800-160 (Nov 2019) or CERT-RMM.
3- Perhaps less important, but it is sad that the supply chain is not mentioned, not even once, in this paper. We all know that the supply chain is a core area of any Enterprise of the 21st century. Thus, it is a core security concern area.