State of Arizona
Target Security Architecture
Information Technology (IT) Technical Document
“A Secure Framework for Delivering e-Government Solutions”

Revision 2.0
Prepared by
Government Information Technology Agency
Chris Cummiskey, Director
100 North 15th Ave, Suite 440
Phoenix, Arizona 85007
| Revision | Effective Date | Summary of Changes |
|---|---|---|
| NC | | Initial release |
| 1.0 | | Revision 1.0 release |
| 2.0 | | Revision 2.0 release. 1. Introduction. Revised text to be consistent with newer domain documents. Added a graphic, references to applicable policies and standards, and footnote containing link to Enterprise Architecture Trends document. Expanded EWTA domains graphic to be consistent with the EA website. 4. Target Security Architecture. Inserted a graphical representation of Security Architecture. Updated the recommended implementation approach to clarify that the implementation of Target Security Architecture is the responsibility of each agency and, when undertaken, shall be in accordance with Statewide Policy P700, Enterprise Architecture, and Statewide Policy P340, Project Investment Justification (PIJ). Removed implementation information relative to the roles and responsibilities for incorporation of the recommended principles, standards, and best practices into Statewide IT contracts. The alignment strategy of EWTA standards and best practices with Statewide and agency IT contracts is presented in the Framework and Strategies document and Statewide Policy P700, Enterprise Architecture, to consistently address all EWTA domains. Replaced Security Architecture Table with Target Technology Table encompassing all EWTA domains, available at http://www.azgita.gov/enterprise_architecture/AZ_EA_Target_Technology_Table.htm. 5. Security Architecture Standards. Incorporated all Recommended Standards into the applicable, current, published versions of Statewide IT Security Standards, available at http://www.azgita.gov/policies_standards. 6. Security Architecture Purpose. Removed the description of Enterprise Architecture Strategic Alignment with FY2002-03 State IT Plan. It is available at: http://www.azgita.gov/enterprise_architecture/NEW/Architecture_Strategies_Framework/. 8. Security Architecture Recommended Best Practices. Updated section to reflect the incorporation of the majority of Best Practices into the applicable, current, published versions of Statewide IT security standards. 9. Security Architecture Technology Trends. Removed entire section since reference to the location of the document it referenced has been added to the footnote in Section 1, Introduction. Appendix A. OSI Reference Model. Removed. Content has been replaced by the Target Technology Table, available at http://www.azgita.gov/enterprise_architecture/AZ_EA_Target_Technology_Table.htm. Appendix B. Agency Security Architecture “As-Is.” Removed. Agency IT Security is reported and maintained in accordance with Statewide Standard P800-S805, IT Risk Management. Appendix C. Threats to e-Government Business. Removed. Incorporated information into IT Security Assessment, of Statewide Standard P800-S805, IT Risk Management. |
TABLE OF CONTENTS
2. Security Architecture Vision
3. Security Architecture Definition
4. Target Security Architecture
5. Recommended Security Architecture Standards
6. Security Architecture Purpose
7. Security Architecture Principles
8. Security Architecture Recommended Best Practices
The State of Arizona’s Enterprise Architecture (EA) describes a comprehensive framework for information technology (IT)[1] and business that supports the Arizona State government strategic plan. EA facilitates the application of information technology to business initiatives and objectives and subsequent change in an orderly, efficient manner by describing a direction for current and future activities, supported by underlying principles, standards, and best practices.
EA effectively supports and enhances the business of government and improves the ability to deliver responsive, cost-effective government functions and services. Effective utilization of technology to achieve business functions and services, increasing citizen access to those services, sharing information and resources at all levels of government, and maximizing IT resources investment are major motivating factors for the development and implementation of EA. The implementation of EA presents opportunities for State agencies to interoperate to deliver a higher level of courteous, efficient, responsive, and cost-effective service to the citizen owners and employees of State government. Individually, each State agency can independently implement EA components that are interoperable; however, e-government initiatives, economies of scale, consolidation, and cross-agency savings may best be realized not just through interoperability, but also by working together in partnership and sharing.
EA includes important business, governance, and technical components. The technical components, collectively referred to as Enterprise Wide Technical Architecture (EWTA), provide technical guidance to State agencies. That guidance is supported by principles correlated to agency business functions, recommended standards, applicable recommended best practices, and technology trends[2]. Each component, or domain, of the EWTA is a separate, but interrelated, architectural discipline. EA is the glue that integrates each of these technical disciplines into a cohesive framework with the potential to transform government by improving service delivery, reducing costs, simplifying and streamlining requirements and services, and increasing efficiency and effectiveness.

EA applies to all agencies. The agency director, working in conjunction with the agency CIO, is responsible for ensuring the implementation of EA within the agency’s “sphere of influence,” as designated by statute or rule. The EA Target Domain Architecture documents define an overall strategy and technical framework; however, by design, the capital planning, process approach and timeframes for transition, project management, and investment control for the implementation of the target architectures are the responsibility of the agency[3]. Implementing EA requires significant capital investments. Arizona, like most states, does not have unlimited capital to invest in implementing EA; therefore, migrating to EA within available budgets is the only viable method.
Within the overall context of Homeland Security, the State of Arizona’s Security Architecture substantiates the fundamental significance of IT security to the State by delineating a set of processes, recommended standards, and best practices that will securely and economically protect the State’s IT business functions, including public access to appropriate information and resources, while maintaining compliance with the legal requirements established by existing Federal and State statutes pertaining to confidentiality, privacy, accessibility, availability, and integrity. Security Architecture provides a risk-based, cost-effective framework and foundation to enable secure communication, protect agency business processes and information resources, and ensure that new methods for delivering service are secure.
Security Architecture defines common, industry-wide, open-standards-based technologies and applicable industry best practices as the cornerstone elements required to enable secure and efficient transaction of business, delivery of services, and communications among its citizens, federal government, cities, counties, and local governments, as well as the private business sector. Security Architecture must enable the State and individual agencies to quickly respond to technology, business, and information requirements changes without compromising the security, integrity, and performance of the enterprise and its information resources.
Target Security Architecture addresses all relevant criteria on a broad scale, rather than as an individual agency or part of the deployment of an individual application. The Target Security Architecture addresses security requirements and statutory mandates from a risk-based, cost-effective approach to establish a recommended minimum baseline for Security Architecture. State agencies have differing levels of security requirements and statutory mandates. Agencies that require higher levels of security based on more stringent mandates will extend or add to the baseline Target Security Architecture, Statewide Policy P800, IT Security and applicable Statewide security standards, and will document additions accordingly in individual agency policies, standards, and procedures.
The Target Security Architecture must identify the basic services needed to address security in both the current electronic environment and in future, anticipated electronic environments. Agencies are working to preserve the integrity, reliability, availability, and confidentiality of important information while maintaining their information systems. The most effective way to protect information and systems is to incorporate security into each domain of EA. This approach ensures that security supports agency business operations, thus facilitating those operations, and that plans to fund and manage security are built into life-cycle budgets for IT.
Target Security Architecture

Target Security Architecture provides the strategies and framework necessary to protect the information infrastructure of individual agencies and the State, while transacting business in a changing electronic world. Security Architecture ensures that the systems that make State information and programs more accessible to the people of Arizona protect the State’s information and resources, and the rights of the people of Arizona.
These security issues are augmented by a recognition that the security of systems and data needs to include the recognition and protection of electronic documents. In addition to concerns about the security of data and the systems the data resides on, there is a concern for the context and structure of signed (and unsigned) electronic government records (documents). This leads to a policy and practices collaboration with the Secretary of State and Library, Archives and Public Records in matters of signed and unsigned electronic government records. Part of the security issue is the assurance of the integrity and authentication of such records within current and future Electronic Records Management Systems.
Arizona’s Target Security Architecture is supported by principles correlated to agency business functions, recommended standards, applicable recommended best practices, and technology trends. The principles and recommended standards contained in this document are codified in Statewide Policy P800, IT Security, and statewide IT security standards. Policies and standards generated as part of EA are subject to the review, approval, refresh, and renewal procedures outlined in Statewide Policy P105, Policies, Standards, and Procedures (PSP) Policy.
Rather than present individual target domain tables that potentially could overlap or become outdated as other domains and associated statewide policies and standards are reviewed and updated, the technical components of the Target Security Architecture are summarily presented relative to the OSI 7498-1 Network Reference Model and 7498-2 Security Service Model in a composite, integrated domain table, consolidated from the individual EWTA domains, referred to as the Target Technology Table and available at: http://www.azgita.gov/enterprise_architecture/.
The development of the Target Security Architecture is a collaborative process to allow all agencies to participate so that their current investment in certain products and services can be maximized while also developing a transition plan