January 7, 2001, The new millennium

Welcome to the latest issue of the Enterprise-Wide IT Architecture Newsletter!

Supporting the Enterprise-Wide IT Architecture (EWITA) web site at http://www.ewita.com/

Editorial - Keeping it (EWITA) going

New Millennium

Well, congratulations, you made it to the new millennium! I wasn't so sure I was going to make it as I watched the Rose Parade in a hotel room, ice bag to the head, nursing a cup of "coffee", looking forward to a New Years Brunch with the family! My wife and I went out to one of those all nighters with three bands and a lot repeat a LOT of booze.

Looking at the statistics for the site, I see where the accesses for December (a notorious slow time) went up almost a 75% over the prior year. Looks like we are growing.

And some more good news, the site has been upgraded from a three star rating to a fourstar rating by the itmWEB™ Resources for IT Professionals web site at

Over the last year, I have gotten a lot of complements on the site, I think one of the best came in last week from the former CIO of North Carolina. She said "It contains so much useful information. I vote it as "best architecture reference" web site." Quite a compliment, obviously, grit for the KUDOS mill. BTW, check out the KUDOS area (click on KUDOS off the main menu area) of the site to see what some of the comments others have about the site.

Well, I have decided to try to keep the newsletter going myself, Steve Rodgers my associate will be putting articles in intermittently. It was necessary for him to give more attention to his new job and his family.

If you have read the newsletters before, you know I am working at a new career as a consultant's consultant at ACCENTURE, the company formerly know as Andersen Consulting. It has been very interesting watching them rebrand themselves. From the little I saw previously when I established the EWITA site, I knew it would be a problem, but theirs is overwhelming, and it has been very well done. I will keep the newsletter going best I can, but even working part time for them is taking up most of my free time after the "Honey do's" that I seem to have gotten involved in since my "retirement" from the State of California.

To keep the newsletter going, there will be some changes. The changes are:

There he goes again will be titled Editorial.

Site Spotlight will occur only when I find a new site that I feel will be of interest, you of course could recommend a site to look at.

Vendor Spotlight will occur only when I am contacted by a vendor to spotlight their site.

EWITA Web Site Changes will be deleted, you can find all changes to the site in the area called NEW on the main menu or in the administration area.

Hammering away in the garage will continue

Feedback will continue to reflect email and verbal comments received the prior month

Newsletters will be generated only in HTML, Word copies will not be generated

If you have articles, white papers, sites of interest, let us publish them to this exclusive list of IT architectural interested people. Forward articles, white papers and interesting sites to mailto:ewita@ewita.com.


Table of Contents

  1. Editorial
  2. Keeping it (EWITA) going

  3. Hammering away in the garage
  4. Architecting Security

  5. Site Spotlight
  6. None this issue - Recommend a site to be reviewed.

  7. Vendor Spotlight
  8. None this issue - Vendors, here is a chance to reach a selected audience of technical architects, send information to EWITA.

  9. Feedback

Responses to your comments and questions


Hammering away in the garage

Architecting Security

One of the most ignored, or at least downplayed, areas of IT is the matter of security.

This article is an attempt to address that area.

I have worked in shops where security was a matter of obfuscation. Just because we had a weird (technical term) file design we felt, that if anyone accessed the files, the data would remain secure. This was in the old days when everyone did not have a computer. It was a hobby of mine to figure out how I could make a million dollars from those files. Obviously I never did!

Most attention in the security area is concentrated on hackers, though most security breaches are by staff. In the State of California - Employment Development Department Business Driven Architecture (BDA), we created an Architecture Domain for security based on the British Standard (BS) 7799 addressing the following areas.

We used the British standard as we had an IBM guru in doing an audit that showed many of our weak points and he stated the standard was being considered by the IEEE organization. The standard was widely circulated in the organization because of that audit.

Since that attempt at codifying the security architecture, I have spent some time with other experts and a lot of time reading and analyzing the BS7799. I have developed the following table of Best Practices from that standard and my own experience.



Best Practice

Information security policy

Provide management direction and support for information security

  • Management sets a clear policy direction and demonstrates support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

Information security infrastructure

Manage information security within the organization.

  • A management framework is established to initiate and control the implementation of information security within the organization.
  • A suitable management forum with management leadership is established to approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization
  • A source of specialist information security advice is established and made available within the organization
  • Contacts with external security specialists is developed to keep up with industrial trends, monitor standards and assessment methods and provide suitable liaison points when dealing with security incidents
  • A multi-disciplinary approach to information security is encouraged, e.g. involving the co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance and risk management.

Security of third party access

Maintain the security of organizational information processing facilities and information assets accessed by third parties.

  • Access to the organization's information processing facilities by third parties is controlled.
  • A risk assessment is carried out to determine security implications and control requirements where there is a business need for third party access
  • Controls are agreed to and defined in contracts with the third party.
  • Allowance for designation of other eligible participants and conditions for access is included in third party contracts that allow access


Maintain the security of information when the responsibility for information processing has been outsourced to another organization.

  • Outsourcing arrangements address the risks, security controls and procedures for information systems, networks and/or desk top environments in the contract between the parties.

Accountability for assets

Maintain appropriate protection of organizational assets.

  • All major information assets are accounted for and have a nominated owner.
  • Ownership is identified for all major assets and the responsibility for the maintenance of appropriate controls is assigned
  • Responsibility for implementing controls may be delegated. Accountability remains with the nominated owner of the asset.

Security in job definition and resources

Reduce the risks of human error, theft, fraud or misuse of facilities.

  • Security responsibilities are addressed recruitment stage, included in contracts, and monitored during an individual's employment.
  • Potential recruits are adequately screened, especially for sensitive jobs.
  • All employees and third party users of information processing facilities sign a confidentiality (non-disclosure) agreement.

User training

Ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work.

  • Users are trained in security procedures and the correct use of information processing facilities to minimize possible security risks.

Responding to security incidents and malfunctions

Minimize the damage from security incidents and malfunctions,


  • Monitor and learn from incidents.
  • Incidents affecting security are reported through appropriate management channels as quickly as possible.
  • All employees and contractors are made aware of the procedures for reporting the different types of incidents (security breach, threat, weakness or malfunction) that might have an impact on the security of organizational assets.
  • The organization has a formal disciplinary process for dealing with employees who commit security breaches.
  • Evidence is collected as soon as possible after the occurrence

Secure areas

Prevent unauthorized access, damage and interference to business premises and information.

  • Critical or sensitive business information processing facilities are:
  1. housed in secure areas, protected by a defined security perimeter, with appropriate security barriers and entry controls.
  2. physically protected from unauthorized access, damage and interference.
  • The protection provided is commensurate with the identified risk.
  • A clear desk and clear screen policy reduces the risk of unauthorized access or damage to papers, media and information processing facilities.

Equipment security

Prevent loss, damage or compromise of assets and interruption to business activities

  • Equipment is physically protected from security threats and environmental hazards.
  • Protection of equipment (including that used off-site) is necessary to reduce the risk of unauthorized access to data and to protect against loss or damage.
  • Protection of equipment should also consider equipment siting and disposal
  • Special controls may be required to protect against hazards or unauthorized access, and to safeguard supporting facilities, such as the electrical supply and cabling infrastructure.

General controls

Prevent compromise or theft of information and information processing facilities.

  • Information and information processing facilities is protected from disclosure to, modification of or theft by unauthorized persons, and controls is in place to minimize loss or drainage.

Operational procedures and responsibilities

Ensure the correct and secure operation of information processing facilities

  • Responsibilities and procedures for the management and operation of all information processing facilities are established.
  • Appropriate operating instructions and incident response procedures exist and are used.
  • Segregation of duties are implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.

System planning and acceptance

Minimize the risk of systems failures

  • Advance planning and preparation is done to ensure the availability of adequate capacity and resources.
  • Projections of future capacity requirements are made, to reduce the risk of system overload.
  • The operational requirements of new systems are established, documented and tested prior to their acceptance and use

Protection against malicious software

Protect the integrity of software and information

  • Precautions are required to prevent and detect the introduction of malicious software.
  • Users are made aware of the dangers of unauthorized or malicious software,
  • Managers introduce special controls to detect or prevent its introduction.
  • Precautions are taken to detect and prevent computer viruses on personal computers.


Maintain the integrity and availability of information processing and communication services.

  • Routine procedures are established for carrying out the agreed back-up strategy taking back-up copies of data and rehearsing their timely restoration, 1ogging events and faults and, where appropriate, monitoring the equipment environment
  • Validation of recoverability is done

Network management

Ensure the safeguarding of information in networks and the protection of the supporting infrastructure.

  • Methods and responsibilities of security management of networks spanning organizational boundaries are developed.
  • Additional controls are provided to protect sensitive data passing over public networks.

Media handling and security

Prevent damage to assets and interruptions to business activities.


  • Media is controlled and physically protected.
  • Appropriate operating procedures are established to protect documents, computer media (tapes, disks, cassettes), input/output data and system documentation from damage, theft and unauthorized access.

Exchanges of information and software

Prevent loss, modification or misuse of information exchanged between organizations.

  • Exchanges of information and software between organizations are controlled and is compliant with any relevant legislation
  • Exchanges are carried out on the basis of formal agreements.
  • Procedures and standards to protect information and media in transit is established.
  • The business and security implications associated with electronic data interchange, electronic commerce and electronic mail and the requirements for controls are considered

Business requirement for access control

Control access to information

  • Access to information, and business processes are controlled on the basis of business and security requirements.
  • Policies for information dissemination and authorization must be available.

User access management

Prevent unauthorized access to information systems

  • Formal procedures are in place to control the allocation of access rights to information systems and services.
  • Procedures cover all stages in the life-cycle of user access, from the initial registration of new users to the final de-registration of users who no longer require access to information systems and services.
  • Tightly control the allocation of privileged access rights, which allow users to override system controls

User responsibilities

Prevent unauthorized user access

  • Users are made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords and the security of user equipment.
  • The cooperation of any authorized user is essential for effective security

Network access control

Protect of networked services

  • Access to both internal and external networked services is controlled.
  • Ensure that users who have access to networks and network services do not compromise the security of these network services by establishing:
  1. appropriate interfaces between the organization's network and networks owned by other organizations, or public networks;
  2. appropriate authentication mechanisms for users and equipment;
  3. control of user access to information services.

Operating system access control

Prevent unauthorized computer access

  • Security facilities at the operating system level are used to restrict access to computer resources. These facilities are capable of the following:
  1. identify and verify the identity, terminal and location of each authorized user;
  2. record successful and failed system accesses;
  3. provide appropriate means for authentication; I
  4. password management systems ensure quality passwords];
  5. restrict the connection times of users.
  • Other access control methods, such as challenge-response, are used if justified on the basis of business risk

Application access control

Prevent unauthorized access to information held in information systems. Security facilities is used to restrict access within application systems

  • Logical access to software and information is restricted to authorized users. Application systems will:
  1. control user access to information and application system functions, in accordance with a defined business access control policy;
  2. provide protection from unauthorized access for any utility and operating system software that is capable of overriding system or application controls;
  3. protect the security of other systems with which information resources are shared;
  4. provide access to information to the owner only, other nominated authorized individuals, or defined groups of users.

Monitoring system access and use

Detect unauthorized activities

  • Systems are monitored to detect deviation from access control policy and record monitored events to provide evidence in case of security incidents.
  • System monitoring allows the effectiveness of controls to be checked and if they conformity to access policy modes.

Mobile computing and telecommuting

Ensure information security when using mobile computing and telecommuting facilities.

  • The protection required is commensurate with the risks
  • Address the  risks of working in an unprotected environment
  • Develop appropriate protection for the unprotected environment.
  • Apply protection to the telecommuting site and ensure that suitable arrangements are in place.

Security requirements of systems

Ensure that security is built into information systems

  • Security requirements are identified and agreed and documented prior to the development of information systems.
  • All security requirements, including the need for failback arrangements, are identified at the requirements phase of a project and justified, agreed and documented as part of the overall business case for an information system.

Security in application systems

Prevent loss, modification or misuse of user data in application systems

  • Appropriate controls and audit trails or activity logs are designed into application systems, including user written applications.
  • Appropriate controls will include the validation of input data, internal processing and output data.
  • Additional controls are required for systems that process, or have an impact on, sensitive, valuable or critical organizational assets.
  • Security controls are determined on the basis of security requirements and risk assessment.
  • When systems interface the security controls for the most critical are implemented in the other systems.

Cryptographic controls

Protect the confidentiality, authenticity or integrity of information.

  • Cryptographic systems and techniques are used for the protection of information that is considered at risk and for which other controls do not provide adequate protection

Security in development and support processes

Maintain the security of application system software and information

  • Project and support environments are strictly controlled.
  • Managers responsible for application systems should also be responsible for the security of the project or support environment. Managers will ensure that all proposed system changes are reviewed to check that they do not compromise the security of either the system or the operating environment.

Business continuity management

Counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters

  • Business continuity management processes are implemented to reduce the disruption caused by disasters and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.
  • The consequences of disasters, security failures and loss of service are analyzed, and risk factors developed.
  • Contingency plans are developed and implemented to ensure that business processes can be restored within the required time-scales.
  • Contingency plans are maintained and practiced to become an integral part of all other management processes.
  • Business continuity management includes controls to identity and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations.

Compliance with legal requirements

Avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

  • Advice on specific legal requirements is sought from the organization's legal advisers, or suitably qualified legal practitioners.

Reviews of security policy and technical compliance

Ensure compliance of systems with organizational security policies and standards

  • The security of information systems is regularly reviewed.
  • Such reviews are performed against the appropriate security policies and the technical platforms and information systems are audited for compliance with security implementation standards.

System audit considerations

Maximize the effectiveness of and to minimize interference to/from the system audit process.

  • Controls to safeguard operational systems and audit tools during system audits are established and documented.
  • Safeguard the integrity and prevent misuse of audit tools.


According to Deloitte & Touche "The British Standard for Information Security Management (BS 7799) is a set of non-technical protocols for ensuring the secure transmission of information."

PriceWaterhouseCoopers says "The aim of the BS 7799 is to provide guidance and recommendations on good practices for information security management. The BS 7799 is a compilation of the best information security practices in general use by many international companies."

Additional Security whitepapers and references are available from http://www.pgp.com/products/whitepapers.asp

BTW: A question for those of you that have read to this point. Could a small organization have a architecture using only Best Practices and a Buy List? Or, what kind of architecture could a small organization have at a minimal expense?

Send any question, message, article or white paper to me, directly at dmcafee@ewita.com or the community address of EWIT_Architecture@egroups.com.



Site Spotlight

Got a good site that you would like to have spot lighted?

Send any recommendations to me, directly at dmcafee@ewita.com or the community address of EWIT_Architecture@egroups.com.



Vendor Spotlight

Got a good site that you would like to have spot lighted?

Send any recommendations to me, directly at dmcafee@ewita.com or the community address of EWIT_Architecture@egroups.com.




Request for information:

Comment: I don't know if it happens to others, but I have had a recurring problem when receiving your Newsletter... (has occurred in past editions). Thought I should alert you.
I am getting an overlay of information on the screen that looks something like a double exposure. It looks as if several separate pages are being written on top of each other. Perhaps the file has a carriage return or page break code that is going whacky? I will forward my copy back to you after this msg so that (if possible) you can see what's being generated. BTW-I am using Netscape.
Thanks for your continued collaboration!
Response: Yes, there is a incompatibility between Microsoft and Netscape, I think it is located in the Office 2000 interface for text in outlook. I will try something different this time, hopefully it will work. This is one of the reasons I started putting the newsletter on the site and sending out a message with pointers to it.


Comment: Congratulations!
Your site has been chosen as one of our "Five Star Selections" at the itmWEB Site! This is a real honor as very few sites get to display our award graphic. It will be featured in our Five Star Selections Listing. This Listing is composed of sites which either make an outstanding contribution to the Information Technology profession or which provide an exceptional on-line IT resource.

Response: Thanks, I appreciate that!


Comment: I hadn't spent too much time surfing the web to find architecture examples since we published the NC architecture. Now that I've started this independent contract I found several NC-like architectures. I
really like your web site. It contains so much useful information. I vote it as "best architecture reference" web site

Response: Thanks, again I appreciate that!


Comment: I'm still receiving messages from your Listserv at my office address. It's ok, but I rather not receive them.

Response: Your address has been deleted from the mailing list as requested, however you may be receiving a copy through one of the Federal Listserv that I mail to. These are ARCH-BIZ@listserv.gsa.gov; ARCH-DATA@listserv.gsa.gov; ARCH-INFRA@listserv.gsa.gov; ARCH-SYS@listserv.gsa.gov; and ARCHITECTURES@listserv.gsa.gov


Comment: First - impressive site! As you can tell, I am here on a Sunday afternoon searching the web getting clued into Enterprise Architecture. Your site is proving to ba a very valuable addition to what we have. Our project is new and this leads me to my second question - tools.

I have found several companies that provide tools that capture the architecture, but they all have limitations. Have you ever done research in this area? We are currently looking at PTech (Framework), Blue Ice (ERWin), Viasoft (Rochade), Popkin (Systems Architect 2001), and Microsoft (Visio). Any suggestions...? Thanks in advance.

Response: I haven't done any comparative research and am unaware of anyone that has done any, perhaps other readers of this newsletter could assist in this? We used Visio on the projects I have worked on, but as a simple charting device, not a database. I was impressed at some of the information I have seen from Ptech. Their product seemed that it could be tailored to an enterprise effort.


Feel free to add to any response, just email me the answer, I will include it in the next newsletter and forward directly to the person posing the question.

Readers: To respond, comment or ask questions send your comment to dmcafee@ewita.com


Click Here!