Security architecture principles serve as the guidance for all organizational resources to adequately manage security, privacy and compliance risk.

  • Cybersecurity roles and responsibilities must be clearly defined and acknowledged
  • Cybersecurity teams exist to support and enable business teams, and business teams in turn exist to help security teams implement security controls
  • Cybersecurity control implementations must be based on risk assessment and must be cost-effective
  • Cybersecurity controls must be implemented in a layered approach, so that a failure in one layer does not cascade to the subsequent layers
  • Cybersecurity-related process and technology selections must be reviewed, assessed and approved by the Security Architecture team before they are implemented, to prevent shelfware: tools or technologies acquired without proper assessment or architecture that sit on a shelf gathering dust because they cannot be used
  • Common security services must be developed and reused across the enterprise