Control Architecture: Establishment: Is a control architecture formally established?
Options:
Option 1: Formally establish a control architecture for the enterprise.
Option 2: Use an informal control architecture for the enterprise.
Basis:
Formally establish a control architecture for the enterprise.
A formally established control architecture includes establishment and documentation of:
- Control objectives and a model of how to associate and apply those objectives to content.
- An access control model of how to decide on what accesses and actions are permitted.
- Functional units and how they fit together in an architecture.
- Perimeter topology and what perimeters are supposed to do.
- Access methodology and how accesses are supported.
- A trust model and how the model is to be applied.
- Change controls and the methodology to be used to manage changes.
- Other related models as may be appropriate to the enterprise.
Use an informal control architecture for the enterprise.
If no formal model exists that covers the issues identified above, then an informal model is in use, regardless of whether there is an awareness of its existence. It is highly likely that this model differs from person to person and group to group, and that the inconsistencies between them create complexity and vulnerability as well as a general lack of control.