Information systems security architecture is based on two components: information security architecture as a whole and the structure of the organization. It has specific features associated with the threat model developed for the organization. It takes into account the risks of virus threats and hacker attacks, leakage of personal data and confidential information, as well as disruption of the operation of the entire system or its elements. Important information is also contained in video conferencing and video sessions, voice applications, and IP telephony (Ingeno, 2018). The architecture should take these risks into account and provide protection against insider actions, unintentional errors by users or system administrators, and external risks.
The architect should begin a security analysis after receiving the data, collecting requirements, and finishing elicitation. First of all, a vulnerability analysis should be performed to determine the extent of risk. Building an information security system for a company should start with a comprehensive diagnostic survey of the main business processes and information systems. The analysis of the existing information security system makes it possible to establish whether the security level of the company’s information technology resources meets the requirements (Ingeno, 2018). During the complex analysis, a risk assessment must be carried out. Penetration testing is useful for checking the ability of an information system to resist unauthorized access and information tampering.
Each stage of work allows the architect to ensure effective control of the project throughout its entire duration. During the information security analysis, the architect identifies the owners of information technology resources, including automated systems and corporate data, and those who are responsible for the integrity of these resources. Requirements are established for the system of separation of access rights, including all rules for access to the company’s information system (Ingeno, 2018). All security procedures are checked, including the support of the information security system, the process of investigating information security violations, the organization of the backup system, the differentiation of user rights, and others. The persons responsible for the development and support of the information security system are determined.
When assessing security architecture risks, the architects should model possible scenarios of attacks on the information security system. In this process, they need to apply their knowledge and use a set of different analytical methods (Rerup & Aslaner, 2018). This improves the accuracy of the security architecture risk assessment. Information security analysis requires adaptive and dynamic architectural approaches. Experts must build a comprehensive solution that enables enterprises to identify and eliminate threats. Security architects also help the enterprise to improve risk management in borderless networks so that the employees can access the corporate network from any device and use the applications and information they need.
Possible consequences of non-compliance of the information security system with the company’s security policy must be determined. If the analysis is carried out by a third-party organization, it is necessary to involve the customer’s personnel in the work at all stages of the project (Rerup & Aslaner, 2018). This ensures that the basic requirements, specifics, and interests of the company are taken into account. A significant advantage of engaging an external contractor in the analysis is the ability to use the experience accumulated by the architect in analyzing each component of the information security system for a specific industry (Rerup & Aslaner, 2018). As a result, the company receives a detailed report with recommendations for changing or supplementing the existing infrastructure of the information security system. A list of necessary measures is compiled following the requirements of international or national standards, technical requirements of providers of information security solutions, and recommendations of the National Security Agency.
When analyzing information systems security, the architects must be acquainted with domestic and foreign standards, formal methods and approaches to software verification, as well as methods of analysis and testing of protocols. They must know the methods of protecting systems against reverse engineering and debugging, features of file formats of modern operating systems, algorithms for disassembling programs, modern debugging tools, and emulation of program code. They should be able to formalize the tasks of security analysis, determine the scope of necessary tests and control experiments, develop threat models for information systems, and highlight subsystems containing critical information. They create formal descriptions of protocols, disassemble and debug programs, identify an attack in the system's logs, and describe the nature of the attack, its signs, and detection methods. The architects must have knowledge of methods and tools for software security analysis, searching for vulnerabilities, analyzing and verifying protocols, debugging and testing a program, as well as modern security risk assessment methods.
During the analysis and risk assessment, the security architect identifies situations that can lead to disruption of the normal course of business processes. The accuracy and reliability of assessments make it possible to recognize threats and vulnerabilities in the information security system and analyze the basic parameters of the existing architecture. It is also important to take corrective measures aimed at improving the system security processes. The architect should develop a strategy of actions, which will contribute to an increase in the information security level.
Ingeno, J. (2018). Software architect’s handbook: Become a successful software architect by implementing effective architecture concepts. Packt Publishing Ltd.
Rerup, N., & Aslaner, M. (2018). Hands-on cybersecurity for architects: Plan and design robust security architectures. Packt Publishing Ltd.