
Enterprise Architecture and Information Assurance

Developing a Secure Foundation, 1st Edition

By James A. Scholz

Auerbach Publications

266 pages | 27 B/W Illus.

Hardback: 9781439841594
pub: 2013-07-29
eBook (VitalSource): 9780429105654
pub: 2013-07-29

Securing against operational interruptions and the theft of your data is much too important to leave to chance. By planning for the worst, you can ensure your organization is prepared for the unexpected. Enterprise Architecture and Information Assurance: Developing a Secure Foundation explains how to design complex, highly available, and secure enterprise architectures that integrate the most critical aspects of your organization's business processes.

Filled with time-tested guidance, the book describes how to document and map the security policies and procedures needed to ensure cost-effective organizational and system security controls across your entire enterprise. It also demonstrates how to evaluate your network and business model to determine if they fit well together. The book’s comprehensive coverage includes:

  • Infrastructure security model components
  • Systems security categorization
  • Business impact analysis
  • Risk management and mitigation
  • Security configuration management
  • Contingency planning
  • Physical security
  • The certification and accreditation process

Facilitating the understanding you need to reduce and even mitigate security liabilities, the book provides sample rules of engagement, lists of NIST and FIPS references, and a sample certification statement. Coverage includes network and application vulnerability assessments, intrusion detection, penetration testing, incident response planning, risk mitigation audits/reviews, and business continuity and disaster recovery planning.

Reading this book will give you the reasoning behind why security is foremost. By following the procedures it outlines, you will gain an understanding of your infrastructure and what requires further attention.

Table of Contents

Setting the Foundation

Building the Enterprise Infrastructure

Security Categorization Applied to Information Types

Security Categorization Applied to Information Systems

Minimum Security Requirements

Specifications for Minimum Security Requirements

Security Control Selection

Infrastructure Security Model Components

Developing the Security Architecture Model

Dataflow Defense

Data in Transit, Data in Motion, and Data at Rest

Client-Side Security

Server-Side Security

Strategy vs. Business Model

Security Risk Framework

Systems Security Categorization

System Security Categorization Applied to Information Types

Application of System Security Controls

Minimum Security Requirements

System Security Controls

Business Impact Analysis

What Is the Business Impact Analysis?

Objectives of the Business Impact Analysis

Developing the Project Plan

BIA Process Steps

Performing the BIA

Gathering Information

Performing a Vulnerability Assessment

Analyzing the Information

Documenting the Results and Presenting the Recommendations

Risk Management

Risk Framework

Risk Assessment or Evaluation

Risk Mitigation and Response

Risk Monitoring

Risk Assessment

Secure Configuration Management

Phases of Security-Focused Configuration Management

Security Configuration Management Plan

Configuration Control

Change Control Board (CCB) or Technical Review Board (TRB)

Configuration Items

Baseline Identification

Functional Baseline

Design Baseline

Development Baseline

Product Baseline

Roles and Responsibilities

Change Control Process

Change Classifications

Change Control Forms

Problem Resolution Tracking

Configuration Status Accounting

Configuration Management Libraries

Release Management (RM)

Configuration Audits

Functional Configuration Audit

Physical Configuration Audit

Training Approach

Contingency Planning

Types of Plans

Business Continuity Plan (BCP)

Continuity of Operations (COOP) Plan

Cyber Incident Response Plan

Disaster Recovery Plan (DRP)

Contingency Plan (CP)

Occupant Emergency Plan (OEP)

Crisis Communications Plan

Backup Methods and Off-Site Storage

Cloud Computing

Essential Characteristics

Service Models

Continuous Monitoring

Continuous Monitoring Strategy

Organization (Tier 1) and Mission/Business Processes (Tier 2) Continuous Monitoring Strategy

Information System (Tier 3) Continuous Monitoring Strategy

Process Roles and Responsibilities

Define Sample Populations

Continuous Monitoring Program

Determine Metrics

Monitoring and Assessment Frequencies

Considerations in Determining Assessment and Monitoring Frequencies

Physical Security

Security Level (SL) Determination

Threat Factors/Criteria

Building Security Level Matrix

Building Security Level Scoring Criteria

Public Impact

Building Occupants

Building Square Footage

Impact on Tenants

Other Factors

Level E Facilities

Campuses, Complexes, and Corporate or Commercial Centers

Changes in the Building Security Level

Building Security

Lighting for CCTV Surveillance

Building Security Levels

Minimum Security Standards

Entry Security

Interior Security

Security Planning

The Certification and Accreditation Process

Accreditation Decisions

Continuous Monitoring

General Process Phase I

Security Categorization

System Security Plans (SSPs)

Risk Assessments (RAs)

Contingency Plans (CPs)

Security Control Compliance Matrix (SCCM)

Standard Operating Procedures (SOPs)

Privacy Impact Assessment (PIA)

Configuration Management Plan (CMP)

Service Level Agreements (SLAs)

General Process Phase II: Security Test and Evaluation (ST&E)

Develop the Security Test and Evaluation (ST&E) Plan

Execute the ST&E Plan

Create the ST&E Report and Recommend Countermeasures

Update the Risk Assessment

Update the Security Plan

Document Certification Findings

General Management and Methodologies

Employed Methodologies

Internal Review Procedures

End-State Security Model

Appendix A: List of References (NIST)

Appendix B: List of References (FIPS)

Appendix C: Sample Certification Statement

Appendix D: Sample Rules of Engagement

About the Author

James A. Scholz is a veteran who served 20 years in the US Army. As a soldier he served as an explosive ordnance disposal technician for 17 years (10 years stationed at Fort Leonard Wood, Missouri), and part of his responsibilities was to ensure the security of Presidents, Vice Presidents, and foreign dignitaries as they traveled throughout the nation and abroad. James was awarded the Bronze Star for Valor, a Bronze Star, multiple Meritorious Service Medals, and the Southwest Asia Campaign Medal.

James served as the single responsible person for a 1.8 million dollar budget and as a Class "A" Agent for the US Army overseas. James served as a Reserve Deputy Sheriff and a Crime Scene Technician with the El Paso County Sheriff’s Department, Texas, from 1993 through 1996. James is President and CEO of a small, service-disabled veteran-owned business that provides disaster recovery, business continuity, physical, and logical security services to federal agencies. James has 31 years of experience working with the federal government at all levels and has supported many rural towns in Missouri during his career as an explosive ordnance disposal technician.

Subject Categories

BISAC Subject Codes/Headings:
BUSINESS & ECONOMICS / Production & Operations Management
COMPUTERS / Information Technology
COMPUTERS / Security / General