This university sets the national standards for higher education, with a proud tradition of excellence in learning and teaching. To support a new business strategy, the IT organisation needed to ensure it was able to deliver the transformation required to support its objectives: to simplify and consolidate systems, optimise processes and deliver enhanced business capability. Within this context, the university sought to extend its architectural efforts to the development of an enterprise security architecture spanning the business, information systems and technology portfolios.
The objective of the engagement was to establish an enterprise security architecture practice and to deliver:
- A current state enterprise architecture to define enterprise assets at risk.
- A current state enterprise security architecture across business, application and data architecture domains, defining the security capabilities required to implement the information security requirements and security and IT risk processes.
- An organic target enterprise security architecture and roadmap, and insights to inform the security strategy.
The delivered models informed the establishment of security governance, information security management, IT risk management and security service management capabilities. The models provided views of:
- Security motivation, including security goals, objectives and measures defined to support the IT and business goals.
- Enterprise Security Architecture Service Catalogue.
- Security Capability Model aligned to the business and organisational context.
- Information systems and technology reference models with data and application security classifications mapped to the security objectives regarding auditability, authenticity, access control, confidentiality and integrity, internal compliance and external compliance.
- Enterprise Security Capability Roadmap with the target security capability maturity levels and the required work packages to establish the capabilities.
- Aggregated view of risks across all architecture domains and their impact on business capabilities, security, IT and business objectives.
Post-engagement, the IT group had an enterprise security architecture framework covering information security management, IT policy planning, IT risk management and business continuity planning. The framework allowed the security group to articulate the value of security to the rest of the organisation. It now assists the architecture team in communicating to the university the IT risks emerging out of people, processes and tools, and the enterprise security capabilities required to mitigate risks and better support IT and business at the university.