CSA’s Enterprise Architecture: Business Operation Support Services

Written by CSA’s Enterprise Architecture Working Group.

The Enterprise Architecture is both a methodology and a set of tools that enable security architects, enterprise architects, and risk management professionals to leverage a common set of solutions and controls. It can be used to assess opportunities for improvement, create road maps for technology adoption, identify reusable security patterns, and assess various cloud providers and security technology vendors against a common set of capabilities.

This blog describes the first of four domains from CSA’s Enterprise Architecture: Business Operation Support Services (BOSS). Check back for subsequent blogs on the other domains.

Overview

The Business Operation Support Services (BOSS) domain contains the corporate support functions such as Human Resources, Compliance, and Legal that are critical to any security program. It is also the place where the company’s operations and its systems are monitored for any signs of abuse or fraud.

A common concern when organizations decide to integrate services with cloud providers is the level of security the provider will offer, and the amount of exposure when data is hosted on a multi-tenant model. This domain outlines aspects that must be considered besides the technological solutions, such as legal guidance, compliance and auditing activities, human resources, and monitoring capabilities with a focus on fraud prevention.

Example

The security monitoring tool alerts an analyst that a customer withdrawal transaction was initiated from a workstation in the IT department instead of the customer contact center. A special investigation is held with the help of HR and Legal to determine that a disgruntled system administrator has been stealing from the company.

Services Provided

Compliance: The main focus of Compliance capabilities is to track internal, external, third parties (such as customers), audit activities, and related findings. For Compliance, it is necessary to have a common repository that allows the organization to track and remediate the technical or operational gaps outlined by these findings.

Data Governance: Processes included as part of Data Governance include data ownership, data classification, and responsibilities that data/asset owners have for their applications and services, as well as the necessary controls for data throughout the lifecycle.

Operational Risk Management: Operational Risk Management provides a holistic perspective on risk evaluation from a business perspective. Using the Risk Management framework will give insight into risks and threats to the organization. The framework will provide a means to assess, manage, and control the different risks across the organization.

Human Resources Security: Ensures that formal procedures, codes of conduct, personnel screening, and other best practices are in place for the organization, especially for third parties that will support the cloud services that an organization may have.

Security Monitoring Services: To ensure that the business is the focus, not the events or hardware. It is a common mistake not to focus the security function on the business operations, the processes, and the human behavior behind those processes.

Legal Services: As security incidents occur, the need for legal counsel is critical for organizations. There are several capabilities included that may help legal counsels lead compliance activities, deal with lawsuits, and track preventive awareness across the organization.

Internal Investigation: The role of Internal Investigations varies across organizations; some companies have their information security teams performing forensic activities, and more mature companies may have a dedicated team focused on internal and/or external fraud activities.

Relation to Other Domains

The BOSS domain works to align the Information Technology Operation and Support (ITOS) and the Security and Risk Management (SRM) domains with the business’ desired strategy, capabilities, and risk portfolio.

Read more in the CSA Enterprise Architecture Reference Guide.