Determine the placement of the system within the enterprise architecture.
Potential Inputs: Security and privacy requirements; organization- and system-level risk assessment results; enterprise architecture information; security architecture information; privacy architecture information; asset information.
Expected Outputs: Updated enterprise architecture; updated security architecture; updated privacy architecture; plans to use cloud-based systems and shared systems, services, or applications.
Primary Responsibility: Mission or Business Owner; Enterprise Architect; Security Architect; Privacy Architect.
Supporting Roles: Chief Information Officer; Authorizing Official or Authorizing Official Designated Representative; Senior Agency Information Security Officer; Senior Agency Official for Privacy; System Owner; Information Owner or Steward.
System Development Life Cycle Phase: New – Initiation (concept/requirements definition). Existing – Operations/Maintenance.
Discussion: Enterprise architecture is a management practice used to maximize the effectiveness of mission/business processes and information resources and to achieve mission and business success. An enterprise architecture can provide greater understanding of information and operational technologies included in the initial design and development of information systems and is a prerequisite for achieving resilience and survivability of those systems in an environment of increasingly sophisticated threats. Enterprise architecture also provides an opportunity for organizations to consolidate, standardize, and optimize information and technology assets. An effectively implemented architecture produces systems that are more transparent and therefore, easier to understand and protect. Enterprise architecture also establishes an unambiguous connection from investments to measurable performance improvements. The placement of a system within the enterprise architecture is important as it provides greater visibility and understanding about the other systems (internal and external) that are connected to the system and can also be used to establish security domains for increased levels of protection for the system.
The security architecture and the privacy architecture are integral parts of the enterprise architecture. These architectures represent the parts of the enterprise architecture related to the implementation of security and privacy requirements. The primary purpose of the security and privacy architectures is to ensure that security and privacy requirements are consistently and cost-effectively met in organizational systems and are aligned with the risk management strategy. The security and privacy architectures provide a roadmap that facilitates traceability from the strategic goals and objectives of organizations, through protection needs and security and privacy requirements, to specific security and privacy solutions provided by people, processes, and technologies.
References: [SP 800-39] (Mission/Business Process Level); [SP 800-64]; [SP 800-160 v1] (System Requirements Definition Process); [NIST CSF] (Core [Identify Function]; Profiles); [OMB FEA].