Although enterprise risk management and IT security have become mature disciplines, and professional tools exist to detect a wide variety of vulnerabilities in IT systems and infrastructure, their use in the support of management decisions related to security investments is still very limited. This is due to the fact that the findings of these tools are presented in a very technical way, only fully understandable to experts. In most cases, it is unclear how these technical vulnerabilities will impact the business.
By incorporating the findings of so-called penetration tests of computer devices and networks into an Enterprise Architecture model of the organization, it becomes possible to analyze and visualize the impact that the technical risks have on the business processes. An Enterprise Architecture model can also help to focus penetration tests on the IT infrastructure that supports the most critical business processes, thus making the tests more efficient and effective.
This webinar will initially look at the work being carried out in the Architecture and ArchiMate® Forums, both Forums of The Open Group, around risk and security modeling. We will then go on to present a method for business impact analysis of technical risks, which combines the disciplines of technical risk analysis and Enterprise Architecture. Our method is supported by software tooling to (semi-)automatically import results of a penetration test into an Enterprise Architecture model, and to analyze and visualize the business impact of these technical risks. This both enhances the value of penetration testing and increases the return-on-investment of the Enterprise Architecture effort. We will illustrate our method by applying it to a realistic case study and end with an interactive Q&A session.
- Additional Information
  - Reference: D104
  - Author(s): Henk Jonkers (Senior Research Consultant, BiZZdesign), Jim Hietala (VP Security and Healthcare, The Open Group)
  - Published: 21 May 2014
  - Duration: 1 hour 4 minutes
  - Type: Webinars
  - Subject: Security