Developing a Semantic Mapping Between TOGAF and BSI-IT-Grundschutz

Background

Enterprise Architecture (EA) “is a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a holistic approach at all times, for the successful development and execution of strategy” [3]. It uses the architecture principles and practices to help the organizations to adapt to business, information, process, and technology changes needed to implement their strategies [3]. Enterprise Architecture Management (EAM) “is a management practice that establishes, maintains and uses a coherent set of guidelines, architecture principles and governance regimes that provide direction and practical help in the design and development of an enterprise’s architecture to achieve its vision and strategy” [7]. An EAM Framework consists of a conceptual structure containing a set of models, principles, approaches, standards and visualizations which is required for the development and employment of an EA [5]. Since the introduction of the first EAM Framework by Zachman in 1987, many other EAM Frameworks were introduced including TOGAF, DoDAF, FEA and so on [6]. A few years after the introduction of the EAM Framework, Information Security was incorporated into the EAM Framework as Enterprise Information Security Architecture (EISA) as a result of the increasing prevalence of Information Technology in enterprises. EISA is a best practice approach based on security standards such as the ISO27000 series and is used to describe the security processes of an organization and check if these processes align with the organization’s standards and policies [4].

Motivation

The goal of this thesis is to perform a mapping between the processes of ITERGO’s EAM Framework (TOGAF) and an ISM security standard which is the BSI IT-Gruntschutz. BSI ITGruntschutz is a security standard which offers a simple method for protecting the information of an organization [1]. Although, many best practices are being followed to implement the security measures defined by various standards like ISO27000 series, this has been found to fall short as it is generally difficult to audit best practices. Auditing is important to make sure that the security measures undertaken are in line with the organization’s standards and policies. Therefore, mapping ITERGO’s EAM framework to the ISM standard BSI IT-Grundschutz will not just make it auditable but also protects information of all kinds within an organization. BSI ITGrundschutz makes sure that approximately 80 percent of all known attacks are prevented with the implementation of the standard protection safeguards within its framework [1]. We choose BSI IT-Grundschutz over the widely followed information security standards such as ISO27000, ISO27001 and ISO27002 as the former has additionally audited technical aspects which makes it more informative and is also more descriptive than pure ISO certification. Additionally, an official ISO certification is always encompassed in the BSI certification which is in accordance with ISO27001 [2].

Approach

The current idea is to carry out the mapping manually as there exists no specific tool to perform this particular mapping and the related tools available are too complicated and time consuming. The approach starts by identifying the key components such as the inputs, outputs and mechanisms involved in each processes in the TOGAF framework and map it to the BSI ITGrundschutz components. This is done by looking into the IT-Grundschutz catalogue and identifying the sub-module that is equivalent or similar to the TOGAF component. Once the submodule is identified, the corresponding threats along with the safeguards to be implemented to evade these threats can be found out.

Figure 1: Mapping of TOGAF Process Model to BSI-IT Grundschutz

References

[1]. IT-Grundschutz-Catalogues. 13th Version. 2013.

[2]. BSI-Standard 100-1. Version 1.5. 2008.

[3]. Federation of EA Professional Organizations. Common Perspectives on Enterprise Architecture. Architecture and Governance Magazine. November 2013.

[4]. S. Michelle Oda, Huirong Fu, Ye Zhu. Enterprise Information Security Architecture. A Review of Frameworks, Methodology, and Case Studies. IEEE 2009.

[5]. J. A. Zachman. A framework for information systems architecture. IBM Syst. J., vol. 26, no. 3, pp. 276–292, 1987.

[6]. U. Franke, D. Höök, J. König, R. Lagerstrom, P. Narman, J. Ullberg, P. Gustafsson, and M. Ekstedt. EAF2 – A Framework for Categorizing Enterprise Architecture Frameworks. Industrial Information and Control Systems Royal Institute of Technology. 100 44 Stockholm, 2009, Sweden.

[7]. F. Ahlemann et al. (eds.). Strategic Enterprise Architecture Management: Challenges, Best Practices, and Future Developments. Springer-Verlag Berlin Heidelberg, 2012.

Resources

• Slides Proposalpresentation
• Slides Endpresentation