Security and Risk Management in TOGAF - Improvement is on its way!

IT architecture is becoming more popular in organizations, and TOGAF is the most widely used framework for it. Unfortunately, security and risk management get little attention in TOGAF 9. It limits the scope of risk management to risks associated with the architecture project itself, and the security chapter has hardly any relationship with architecture work. To improve this situation, several white papers are being produced with the objective of integrating security and risk management into TOGAF.

In January 2016, the TOGAF Security Guide was published. It addresses security and risk management at a conceptual level, which matches the way TOGAF defines architecture. This enables the integration of both processes into the architecture: it allows for the exchange of information and the sharing of certain components. Thus, enterprise architecture and security architecture can co-exist and collaborate.

The TOGAF Security Guide is based on an enterprise security architecture that includes two successful standards, namely ISO 27001 (security management) and ISO 31000 (risk management). In line with ISO 31000, the definition of risk is broad and close to that of 'uncertainty'. This means that risk can be positive or negative. The broad definition makes it possible to use it for (positive) business opportunities as well as (negative) security threats. The latter is, of course, the most common within IT security.

The figure below shows the interface between the security architecture and the enterprise architecture.


Figure 1: Essential security and risk concepts and their position in the TOGAF ADM (Source: TOGAF Security Guide)

Now that the conceptual foundation is created in the TOGAF Security Guide, the next step is the development of practical guides. Current developments are:

  • The Security Services Catalogue. This is a uniform set of security measures, where each measure is packaged as a service. Thus, the measure can be found, can be used or applied, delivers a certain security value, etc. The development of this catalogue is a joint project of The Open Group and The SABSA Institute. The first release is expected in mid-2017.
  • Risk modeling in ArchiMate. ArchiMate is a modeling language for enterprise architecture and is closely related to TOGAF. The ArchiMate object model will be extended for the modeling of risks. The white paper describing this has been revised, and an upgraded version will be released in Q1 of 2017. This update is in line with the TOGAF Security Guide.

The strong conceptual foundation of risk in TOGAF, together with the practitioner guidance and the support in the modeling language, paves the way for enterprise architectures that deliver environments with an acceptable security level.