LMI Enterprise Architecture and Information Assurance



LMI Enterprise Architecture and
Information Assurance Integration Approach
A Case Study
Agenda
• Introduction
• Background/History
• Why Integrate EA and IA
• LMI LEAP Methodology
• Approach to EA IA integration
• Challenges encountered
• Solutions developed
PAGE 2
Overview of LMI—History
Founded in 1961 by Secretary McNamara under the Kennedy administration
“…to bring the best minds to bear on solving our government’s most
complex management problems”
PAGE 3
Background/History —Continued
• LMI is an independent not-for-profit
government consulting firm
– Located in McLean, VA
• LMI has substantial experience assisting
federal agencies with IT planning and
implementation, including EA and IA.
PAGE 4
Background/History —Continued
• Dr. Didier Perdu and Dr. Roxanne Everetts
• LMI Research Fellows
– Members of the EA and IA communities of practice
• Dr. Perdu is the EA Practice Technical
Advisor; over 20 years’ experience with EA
• Dr. Everetts leads the IA Practice; over 28
years’ experience in IT, the last 15 in IA
PAGE 5
Initial Problem
• LMI was asked to develop an IA/EA
integration implementation plan
– in response to requirements from the GAO Enterprise
Architecture Management Maturity Framework (EAMMF)
to capture security aspects in EA
• Conducted initial research to establish state
of the practice and identify industry best
practice for integration approach
PAGE 6
Findings
• The maturity of the practice had been over-estimated
• IA requirements are not included in EA models
and artifacts
• IA has only been routinely integrated into the
Design Phase of the System Development Life
Cycle (SDLC)
• Bottom line:
There is limited integration
between EA and IA
PAGE 7
Why integrate EA and IA
• EA can be used to express IA throughout SDLC
• EA provides enterprise-wide coordination and
integration of processes, information, and
technology
• EA enables multi-layered analysis of managerial,
technical and operational elements
• EA can enable organizations to meet the
challenge of ensuring the optimal allocation of
resources while providing the highest level of
security
PAGE 8
Call to Action
• Based on its findings, LMI decided that its EA
approach, LEAP, should be modified to
integrate IA
– In response to increasing requests
– To best serve our government clients
– To align our practice with emerging industry
standards and best practices
PAGE 9
What is LEAP?
• LMI Enterprise Architecture Practice (LEAP) is the approach
used by LMI since 2000 to help federal agencies develop and
implement Enterprise Architecture
• LEAP perspective is that EA is more than a set of products
required to achieve compliance
Figure: LEAP Framework, showing the interrelationship of architecture layers
– Business Architecture: Business Areas/Functions
– Process Architecture: Business Processes, Information Flows
– Information/Data Architecture: Data Model, Data Elements and Metadata Standards, Data Sets
– Application Architecture: Application Systems, Application Modules
– Infrastructure/Technology Architecture: Networks, Servers and Workstations; Network Descriptions, Components, Technical Reference Model
PAGE 10
LMI EA/IA Integration Methodology
• Focus of IR&D project to integrate IA into EA
program
• Formed team of EA and IA specialists
• Reviewed existing EA document
• Reviewed IA controls
• Mapped NIST Security controls to EA process
layers
• Identified EA products/artifacts to address
controls
PAGE 11
Challenges Encountered
• No common taxonomy
• Unsure of impact of IA controls on EA artifacts
• Gap between EA’s process-oriented focus and
IA’s system/technology-focused approach
• Lack of Industry Best Practices for integration
approach
PAGE 12
Solutions Developed
• Extend BPMN to cover process areas where
security controls apply
– Bridges the gap between process focus and system
focus
• For each IA control, identify changes to
related EA artifacts to address security
PAGE 13
Solutions Developed —Continued
Figure: BPMN process diagram of an acquisition process with security-control annotations
– Lanes: Customer, Acquisition Mgmt, Financial Mgmt, Vendor
– Process areas: Requirements Definition, Acquisition Planning, Solicitation Writing, Proposal Evaluation, Contract Award, Order Management, Funds Control, Purchasing, Invoicing, Receiving and Acceptance, Disbursement
– Tasks: Generate Acquisition Action Request, Develop Requirements, Review Proposal, Receive Order, Generate Order, Approve Invoice, Respond to Solicitation, Respond to Order
– Data objects/flows: Acquisition Action Request, Requirements Definition Collaboration, Solicitation, Proposal, Response, Proposal Evaluation, Award Notification, Obligation, Sales Instrument, Acquisition Funding, Funds Availability, Order, Delivery Order, Receiving Report, Invoice, Approved Invoice
– Security controls annotated on the process: SC Transmission Integrity (on the Acquisition Action Request flow); IA User Identification and Authentication and AC Separation of Duties (on the Award step)
PAGE 14
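As an added example (not LMI’s code and not a LEAP deliverable), the following Python shows one way to realise the two solutions above: carrying the security-control annotations from the acquisition figure on BPMN 2.0 elements through the standard extensionElements mechanism, and then reporting the two gaps the method has to surface, namely required controls that no EA artifact yet addresses, and process elements that carry no control. The `sec` namespace, the `<sec:control>` element, the control-to-step mapping in the sample model, the required-control list and the NIST SP 800-53 identifiers used (SC-8, IA-2, AC-5, AU-2) are assumptions made for the illustration.

```python
"""Annotate BPMN 2.0 process elements with NIST security controls and
report coverage gaps.

Added example, not LMI's code.  BPMN 2.0 permits vendor extensions inside
<bpmn:extensionElements>; the `sec` namespace and <sec:control> element are
assumptions for this illustration, as are the control identifiers and the
mapping of controls to steps in the constructed sample model.
"""
import xml.etree.ElementTree as ET

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"
SEC_NS = "urn:example:ea-ia-controls"  # hypothetical extension namespace
NS = {"bpmn": BPMN_NS, "sec": SEC_NS}

# Constructed sample: a slice of the acquisition process from the figure,
# with the three annotations shown there (families SC, IA, AC).
SAMPLE_BPMN = f"""
<bpmn:definitions xmlns:bpmn="{BPMN_NS}" xmlns:sec="{SEC_NS}" id="defs1">
  <bpmn:process id="acquisition" name="Acquisition">
    <bpmn:task id="t1" name="Generate Acquisition Action Request"/>
    <bpmn:task id="t2" name="Develop Requirements"/>
    <bpmn:task id="t3" name="Contract Award">
      <bpmn:extensionElements>
        <sec:control family="IA" id="IA-2"
                     name="User Identification and Authentication"/>
        <sec:control family="AC" id="AC-5" name="Separation of Duties"/>
      </bpmn:extensionElements>
    </bpmn:task>
    <bpmn:task id="t4" name="Approve Invoice"/>
    <bpmn:sequenceFlow id="f1" sourceRef="t1" targetRef="t2">
      <bpmn:extensionElements>
        <sec:control family="SC" id="SC-8" name="Transmission Integrity"/>
      </bpmn:extensionElements>
    </bpmn:sequenceFlow>
    <bpmn:sequenceFlow id="f2" sourceRef="t2" targetRef="t3"/>
    <bpmn:sequenceFlow id="f3" sourceRef="t3" targetRef="t4"/>
  </bpmn:process>
</bpmn:definitions>
"""

# Hypothetical baseline the enterprise must address; AU-2 has no artifact yet.
REQUIRED_CONTROLS = ["AC-5", "AU-2", "IA-2", "SC-8"]


def controls_by_element(xml_text):
    """Map each task / sequenceFlow id to the (family, id, name) controls on it."""
    root = ET.fromstring(xml_text)
    wanted = {f"{{{BPMN_NS}}}task", f"{{{BPMN_NS}}}sequenceFlow"}
    result = {}
    for elem in root.iter():
        if elem.tag not in wanted:
            continue
        ext = elem.find("bpmn:extensionElements", NS)
        controls = [] if ext is None else ext.findall("sec:control", NS)
        result[elem.get("id")] = [
            (c.get("family"), c.get("id"), c.get("name")) for c in controls
        ]
    return result


def coverage_report(xml_text, required_controls):
    """Compare controls present on the model with the required set.

    Returns a dict with:
      mapped               control id -> list of element ids carrying it
      unmapped_controls    required controls with no EA artifact yet
      unannotated_elements tasks/flows that carry no control at all
    """
    by_elem = controls_by_element(xml_text)
    mapped = {}
    for elem_id, controls in by_elem.items():
        for _family, ctrl_id, _name in controls:
            mapped.setdefault(ctrl_id, []).append(elem_id)
    return {
        "mapped": mapped,
        "unmapped_controls": sorted(set(required_controls) - set(mapped)),
        "unannotated_elements": sorted(e for e, c in by_elem.items() if not c),
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_BPMN, REQUIRED_CONTROLS)
    for ctrl, elems in sorted(report["mapped"].items()):
        print(f"{ctrl:6} -> {', '.join(elems)}")
    print("required controls with no EA artifact:", report["unmapped_controls"])
    print("process elements with no control:", report["unannotated_elements"])
```

The two gap lists are the working input for the second bullet: each unmapped control is an IA requirement that still needs a change to some EA artifact, and each unannotated element is a process step whose security treatment has not yet been decided. Keeping the annotations inside extensionElements means a standard BPMN tool still opens the model unchanged.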
Solutions Developed —Continued
• Initiate EA and IA staff orientation sessions
– To develop common understanding and taxonomy
• Transform research into best practices
– Reach out to both the EA and IA communities
– Participate in the public discussion
– Share our experience with the community
PAGE 15
Next Steps
• Normalize LEAP with Federal Segment
Architecture Methodology (FSAM)
• Continue to monitor emerging industry
standards and best practices
• Continue research and development activities
PAGE 16
For further information
Dr. Didier Perdu
571-633-7757
[email protected]
Dr. Roxanne Everetts
703-917-7271
[email protected]
PAGE 17
Speakers’ Bio
Roxanne B. Everetts, DM, CISSP, CISM, CBCP, is an Information Assurance Research Fellow at LMI with over twenty-five years of
progressively increasing information technology experience, including systems administration, database design and
implementation, open systems migration, staff training and management, and general management experience. As a Research
Fellow at LMI, Dr. Everetts uses her extensive technical background to provide high-level support in the areas of Information
Systems Security, Information Assurance, Information Operations, and Critical Infrastructure Protection. She provides support to
multiple government agencies, providing functional and operational expertise analyzing information security requirements to assist
customers establishing information assurance and defensive information operations programs. Dr. Everetts performs extensive
research on policy issues for a variety of customers.
Dr. Didier Perdu is a Research Fellow with LMI Government Consulting and heads the Tools and Methods Group of the Enterprise
Architecture Practice. He has more than twenty years of experience in modeling and evaluation of enterprise architecture and
information systems using a variety of methodologies and software packages. Dr. Perdu has worked on many Enterprise
Architecture projects for government clients such as GSA, OMB, US Army, CMS, and GPO. Dr. Perdu holds a Ph.D. in Information
Technology from George Mason University and a Master of Science in Technology and Policy from MIT.
PAGE 18