Does your countermeasure planning function regularly evaluate the effectiveness of your security posture to meet today’s threats as well as emerging threats?

Is an inventory available that outlines security configurations or models for existing applications and systems?
Are business unit technology or solution liaisons aware of the Security Architecture function?
Is the organization (at the business unit level) aware of the component catalogue (or any other reusable architectural components) and its use for new business initiatives?
Countermeasures are steps taken to mitigate a risk (e.g., implement a security technology, modify configurations, etc.). Does your organization have a mechanism for prioritizing countermeasures based on actual threats, rather than only on best practices, regulatory compliance, standards, etc.?
What influences the way your organization prioritizes countermeasures?
How is this function integrated into aligning countermeasures with intolerable business risks and scenarios?
How does the organization review the effectiveness of the Architecture function on a regular basis (perhaps by means of an Architecture Council)?
Does the Operations function have metrics defined for the purpose of understanding its own adherence to Architecture standards?
Are security architecture solutions that have been designed and implemented reviewed for effectiveness in meeting defined goals?
How has the organization designed its Security Architecture function to meet business goals and security principles?
How does the Architecture function interact (i.e. meet) regularly with Operations and Awareness teams?
What are the organization’s defined and dedicated security architect roles?
Does the Security Architecture function have defined and documented responsibilities?
Are all information security service domains (e.g. Third Party Management, IAM, Network Security) routed through Architecture prior to implementing design changes?
Has Architecture formally addressed business goals through development of Standards?
Does the Awareness function formally include education of Architecture standards in its activities?
Is there a formal escalation path to Architecture through the Change Management program?
Are security architects empowered to mandate the design of security principles into new business initiatives or risk mitigation efforts?
Has a component catalogue been developed that guides rational selection of technology based on security principles to be followed?