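@comment{
  Entry normalised for portability across .bst and biblatex styles:
  page range uses an en-dash (--), month uses the predefined macro (oct)
  so styles can localise/abbreviate it, the acronym in the title is brace-
  protected against sentence-casing, and the curly apostrophe in the
  abstract is replaced by ASCII so classic 8-bit BibTeX does not garble it.
  The citation key is kept unchanged so existing \cite{} calls still resolve.
  article_type is not a standard field and is silently ignored by styles.
}
@article{10.3844/jcssp.2017.558.571,
  author       = {Alshammari, Bandar Mzel},
  title        = {Enterprise Architecture Security Assessment Framework ({EASAF})},
  journal      = {Journal of Computer Science},
  publisher    = {Science Publications},
  volume       = {13},
  number       = {10},
  pages        = {558--571},
  year         = {2017},
  month        = oct,
  doi          = {10.3844/jcssp.2017.558.571},
  url          = {https://thescipub.com/abstract/jcssp.2017.558.571},
  article_type = {journal},
  abstract     = {Many existing studies have shown that the causes of most of system attacks are not related to coding vulnerabilities that apply to individual systems, issues related to the run-time environment, or the technology in place. In fact, they are caused by issues associated with how systems within organizations are structured. Therefore, it is necessary to examine security with regard to all components that influence the organization's systems, including data, processes and even employees. The most promising approach to achieving this goal is Enterprise Architecture (EA). The main goal of this project is to develop a framework based on the concepts of well-established EA frameworks such as TOGAF and Zachman and their compositional layers (e.g., application, information and process). This framework will be combined with a data flow analysis of the principles that trace the potential information flow between high- and low-security enterprise components. Therefore, this paper studies various enterprise architecture frameworks and shows how to develop an enterprise architecture framework that considers the organization's information security from the perspective of information flow. This framework will have various layers, each with a set of security metrics that quantify the organization's relative security based on the specifications of that layer. The defined framework will be capable of defining Enterprise Architecture security-related principles and metrics. These principles and metrics will eventually be used to define how to develop secure enterprise systems based on the enterprise architecture with regard to security-critical information flow within any given organization. The defined framework will also be capable of providing guidance for information security architects by recognizing certain parts of the organization that are less secure than others.},
}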