SECURITY ARCHITECTURE PRINCIPLES
Security architecture principles serve as guidance for all organizational resources to adequately manage security, privacy and compliance risk.
- Cybersecurity roles and responsibilities must be clearly defined and acknowledged
- Cybersecurity teams exist to support and enable business teams and business teams exist to help security teams implement security controls
- Cybersecurity control implementations must be based on risk assessment and be cost-effective
- Cybersecurity controls must be implemented in a layered approach where failure in one layer should not cascade to the subsequent layers
- Cybersecurity-related process and technology selections must be reviewed, assessed and approved by the Security Architecture team before implementation, to prevent shelfware: tools or technologies acquired without proper assessment and architecture, which then sit on a shelf gathering dust because they cannot be used
- Common security services must be developed and reused across the enterprise