Navigant's Cyber Risk and Information Security PracticeLearn More


Developing an Enterprise Information Security Architecture07 July 2015

IT Security, Policy Development, Risk Management

Enterprise information security architecture (EISA) is defined by Wikipedia as “the practice of applying a comprehensive and rigorous method for describing a current and/or future structure and behavior for an organization’s security processes, information security systems, personnel and organizational sub-units, so that they align with the organization’s core goals and strategic direction.” Put more simply, an EISA is essentially a structured approach to developing an integrated and comprehensive security architecture. This architecture can be tailored to fit an organization’s size, risk profile, and budget and can be based on standard methodologies such as IAEF or TOGAF, etc.

Small and mid-sized businesses often do not think that EISA is practical based on the limited resources and expertise that they may have internally. In reality there are many principles within EISA that are practical and relevant to these organizations. Taking an enterprise view of information security can be done cost effectively and provide significant value. Key inputs include data classification, risk analysis and security assessment. To fully realize the benefit of EISA, a cross-departmental/functional team should participate to ensure that all stakeholder interests are represented.

EISA is important because it guides an organization in developing an integrated roadmap for improving its information security and decreasing the likelihood of a loss of data (maliciously or accidentally). The stronger the linkage between people, processes, and technology, the better the defense will be.

Benefits of an Information Security Architecture/Roadmap

  • Provides a logical way to decompose and identify specific activities necessary to strengthen the organization’s data protection.
  • Clearly identifies the necessary security controls and makes auditing easier.
  • Allows projects to be created based upon the architecture that can be managed individually.

Steps to Implementing an Information Security Architecture/Roadmap

  1. Gather information (data classification, risk data, security assessment findings, which include technology, organizational awareness, and policy analysis).
  2. Identify high-value information security initiatives and document specific project requirements.
  3. Obtain formal approval for high priority projects.
  4. Develop project specific management plans.
  5. Implement information security initiatives.
  6. Monitor for effectiveness.

Cyber security can be an overwhelming issue for organizations of all sizes and industries to tackle. Taking an EISA approach can aid an organization in developing a systematic architecture and roadmap that will significantly improve its security posture.

North Star Group has developed a methodology that combines the discipline of project management with the latest cyber-security technology and data-protection best practices to perform comprehensive and cost effective assessments that can include information classification. This methodology enables our clients to cost effectively address their cyber security needs. In today’s hyper-connected world, every organization is just one data breach away from being a leading story on the news and social media, which can severely damage its reputation and brand. Find out how to protect your institution. Contact COMPASS to learn more about our methodology and service offerings and how they can help your organization develop a robust cyber security ecosystem.

Work With Us Learn How