Managing Security in Organizations

ALL ICT Ltd
By : ALL ICT Ltd
INFORMATION
Published : Jan 12, 2007
Length : 13
Type : White Paper
 
Overview :

The aim of this document is to assist organizations in protecting their assets – tangible and intangible – through a Security Management Program. This program provides a holistic, hands-on, and consistent approach for securing the organization against serious security breaches, such as data leakage, while giving the organization the flexibility it needs to adapt to business needs and remain competitive in the market.

Download this document and learn if your security management strategy is effective. 

Browse Related Categories: Data Protection, Intrusion Prevention, Network Security, Security, Security Management

All organisations, regardless of their size – small, medium, or large – and regardless of their purpose – for profit or non-profit – have a set of constituent architectures, each having different aims and objectives. These architectures, given in fig. 1, constitute the overall architecture of the organisation, which unfortunately is rarely documented and managed.
Looking more closely at these architectures, the business architecture deals with strategies, product and services portfolios, organisation, and processes, and always drives the information architecture, which is located underneath. The information architecture handles the management of the information needed to support the business architecture, and derives the security architecture, which is located below the information architecture. The security architecture protects the information by producing all the necessary countermeasures, and prescribes the applications architecture located below the information architecture. The applications architecture deals with all the software systems needed to support the daily operations of the organisation, and the security mechanisms prescribed by the security architecture. At the bottom, the technical architecture supports all the above architectures by providing all the software and hardware infrastructure of the organisation. Of course, these architectures are given as a reference only, and their number may vary according to the level of abstraction and detail, and according to the nature of the organisation (e.g. manufacturer, service, etc.).
In order to understand how these architectures interoperate, consider the example of a manufacturer that purchases raw materials from suppliers, builds products, and sells them to the channel (i.e. distributors). In this organisation, the business architecture will deal with the strategies, the product portfolio (e.g. products, types, models, etc.), the organisation (e.g. structure, departments, people, jobs, appointments, etc.), and the processes involved (e.g. promotions, quotations, fulfilment, etc.). Likewise, the information architecture will manage the information needed to enable the organisation to communicate externally with the suppliers and customers, and internally between all directors, managers, and employees. Based on the business processes and the flow and storage of the information, the security architecture will assess the associated risks and derive different countermeasures for protecting the tangible (e.g. machinery) and intangible assets (e.g. information). In turn, the applications architecture will deal with the software systems needed to support the business processes – manual and automated – and the flow and storage of the information. In addition, it will also provide the different security mechanisms needed to support the security countermeasures. Finally, the technical architecture will deal with production machinery, but also with operating systems, workstations and servers, all network devices needed to support the computer network, and security appliances needed to support the derived countermeasures.
For organisations to operate and produce the desired result, a certain level of knowledge is needed. If this knowledge is enriched from different sources and shared in a timely manner amongst the right stakeholders, the organisation becomes a learning organisation and gains competitive advantage over its competitors in terms of innovation, efficiency, capacity, and continuity. Whether the organisation reaches this level of perfection or not, it is the information architecture that prescribes methods and techniques for the storage and processing of data, so as to provide all stakeholders with the flow of meaningful information they need to fulfil their daily tasks, and also with invaluable sources of knowledge. However, since knowledge is refined information, and in turn, information is refined data (Davenport and Prusak, 1998), it is imperative for every organisation to protect its data, information, and knowledge from unauthorised disclosure and from unauthorised modification, and to ensure their availability to the right stakeholders whenever needed. Since this task is sometimes overlooked by organisations for different reasons, governments issue regulations to protect the interest of customers – organisations and individuals – and as a whole to protect the trust in trade. Hence, this combination of due diligence and compliance puts pressure on organisations to protect themselves against security breaches that may undermine their cash flow, their reputation, and even their existence.
Due diligence and compliance are achieved with effort and cost, and unfortunately a large number of organisations still consider them an expense rather than an investment. Moreover, some other organisations consider them a nice-to-have feature. Of course, this approach tends to change in organisations that have experienced a security breach.
