Does your countermeasure planning function regularly evaluate the effectiveness of your security posture to meet today’s threats as well as emerging threats?
| Is an inventory available that outlines security configurations or models for existing applications and systems? |
| Are business unit technology or solution liaisons aware of the Security Architecture function? |
| Is the organization (at the business unit level) aware of the component catalogue (or any other reusable architectural components) and it’s use for new business initiatives? |
| Countermeasures are steps taken to mitigate a risk (e.g., implement a security technology, modify configurations, etc.). Does your organization have a mechanism for prioritizing countermeasures based on threats outside of best practices, regulatory compliance, standards, etc.? |
| Does your countermeasure planning function regularly evaluate the effectiveness of your security posture to meet today’s threats as well as emerging threats? |
| What influences the way your organization prioritizes countermeasures? |
| How is this function integrated into aligning countermeasures to meet intolerable business risks and scenarios? |
| How does the organization review the effectiveness of the Architecture function on a regular basis (perhaps by means of an Architecture Council)? |
| Does the Operations function have metrics defined for the purpose of understanding it’s own adherence to Architecture standards? |
| Are security architecture solutions that have been designed and implemented, reviewed for effectiveness in meeting defined goals? |
| How has the organization designed its Security Architecture function to meet business goals and security principles? |
| How does the Architecture function interact (i.e. meet) regularly with Operations and Awareness teams? |
| What are the organization’s defined and dedicated security architect roles? |
| Does the Security Architecture function have defined and documented responsibilities? |
| Are all information security service domains (e.g. Third Party Management, IAM, Network Security) routed through Architecture prior to implementing design changes? |
| Has Architecture formally addressed business goals through development of Standards? |
| Does the Awareness function formally include education of Architecture standards in its activities? |
| Is there a formal escalation path to Architecture through the Change Management program? |
| Are security architects empowered to mandate the design of security principles into new business initiatives or risk mitigation efforts? |
| Has a component catalogue been developed that guides rational selection of technology based on security principles to be followed? |