Enterprise Information Security Architecture (EISA)
Enterprise Information Security Architecture (EISA) is the practice of applying a complete information security design to the architecture of an enterprise, so that business information is protected at every point in that architecture. In other words, it is the enterprise and its activities that are to be secured; the security of computers and networks is only a means to that end.
EISA is not simply about building a wall between enterprise IT systems and the rest of the world. More importantly, it is a security architecture that aligns with the strategies and objectives of the enterprise, while also taking into consideration the importance of the free flow of information from all levels of the organization (internal to vendors to customers, etc.).
The security architecture framework is deliberately constructed to describe the current, intermediate, and target reference architectures, so that programmes of change can be aligned against them. The framework provides a rigorous taxonomy of the organisation that identifies which processes the business performs and records, in detail, how those processes are executed and secured.
The framework can be elaborated to several levels of detail, the depth varying with practical considerations such as budget. This allows decision makers to make informed choices about where to invest resources and how to align organisational goals and processes with core missions or business functions.
The Structure and Content of an EISA Framework
The primary function of EISA is to document and communicate the artifacts of the security program in a consistent manner. As such, the primary deliverable of EISA is a set of documents connecting business drivers with technical implementation guidance. These documents are developed iteratively through multiple levels of abstraction.
The three key dimensions of the EISA framework are as follows:
The EISA should describe how security is woven into the fabric of the business. The EISA process must accept inputs from, and define interface points with, design components owned by other planning disciplines. Then, as the architecture and security processes mature, the EISA can develop a more symbiotic relationship with the enterprise architecture, allowing further changes to be integrated easily.