• DocumentCode
    2298499
  • Title
    Managing Security and Privacy Integration across Enterprise Business Process and Infrastructure
  • Author
    Anderson, J.A. ; Rachamadugu, V.
  • Author_Institution
    MITRE Corp., McLean, VA
  • Volume
    2
  • fYear
    2008
  • fDate
    7-11 July 2008
  • Firstpage
    351
  • Lastpage
    358
  • Abstract
    Managing information security and privacy assurance are fiduciary responsibilities of all government and commercial organizations, but standing up a comprehensive, fully assured environment from the onset may be technically or financially impossible. Many organizations inadequately address this challenge from a 'bottom-up' or piecemeal perspective, certifying and accrediting individual systems or focusing on perimeter systems and portals. A systematic enterprise-wide risk-management approach to information security and privacy is both practical and economically feasible, but must holistically integrate such requirements into both business process management and the technical infrastructure to be effective. The authors' development of the roadmap for information security across the enterprise (RISE) methodology establishes a systematic approach to security and privacy management by leveraging enterprise architecture approaches, and ensures implementation control by integrating the processes and responsibility with enterprise-level portfolio management. RISE defines an iterative threat assessment and response cycle and integrates it with capital planning and investment control (CPIC) for both operational and infrastructure initiatives. This paper describes how RISE ensures risk-informed continuous process improvement and capital planning by maintaining an architecturally founded knowledge base supporting strategic planning and investment review.
  • Keywords
    business data processing; data privacy; investment; risk management; security of data; strategic planning; business process management; capital planning and investment control; enterprise business process; enterprise-level portfolio management; information security management; risk-informed continuous process; roadmap for information security across the enterprise; security-privacy integration; strategic planning; systematic enterprise-wide risk-management approach; RISE; business process security; enterprise privacy; enterprise security; risk-management;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Services Computing, 2008. SCC '08. IEEE International Conference on
  • Conference_Location
    Honolulu, HI
  • Print_ISBN
    978-0-7695-3283-7
  • Type
    conf
  • DOI
    10.1109/SCC.2008.46
  • Filename
    4578543