CIO Council issues third version of FEA security/privacy profile
- By Jason Miller
- Jul 24, 2006
In the latest version of the Federal Enterprise Architecture Security and Privacy Profile, the CIO Council for the first time gives agencies a document that has been validated against actual agency practice rather than written purely on paper.
Unlike many FEA profiles, this one was tested by two agencies before release. The Justice and Housing and Urban Development departments undertook a four-month trial of Version 2 of the Security and Privacy document to see how the updated methodology for adding security and privacy to agency EAs worked in practice.
'The current version was modified based on validation exercises and an assessment of related documents,' the profile states. 'Validation consisted of abbreviated applications of the FEA SPP methodology.'
This is the third version of the profile the CIO Council has released to complement the federal architecture methodology. The council issued the first one in August 2004 and the second in July 2005.
This profile cuts across all five layers of the FEA: the business, service component, performance, technical and data reference models. The CIO Council also has issued similar profiles for records management and geospatial information.
The security and privacy profile moves the agencies toward addressing these issues from a 'business-centric, enterprise perspective.' The profile, the CIO Council hopes, will integrate 'disparate perspectives of program, security, privacy and capital planning into a coherent process, using an organization's enterprise architecture efforts.'
In short, the profile:
- Promotes an understanding of the organization's security and privacy requirements, its capabilities to meet those requirements and the risks to its business;
- Helps program executives select the best way to meet the requirements and improve current capabilities, using standards and services that are common to the enterprise or government;
- Improves agencies' processes for incorporating privacy and security into major investments.
The profile's methodology asks agencies to:
- Identify the program's security and privacy needs and its existing capabilities;
- Analyze how to address those needs effectively, considering reuse of existing systems and services to reduce costs;
- Select the tools and controls that improve the security and privacy of the system, including ensuring the agency has requested adequate funding and that the effort is coordinated across the department.
'Before launching into the FEA SPP methodology, agencies should address two prerequisites,' the profile said. 'First, it is important to develop a common understanding of the objectives and activities of the methodology. Second, team members need to gain a basic understanding of each participant's functional domain.'
The profile outlines 17 security and 17 privacy control areas, which provide a common terminology and framework. The security control areas include risk assessment, planning, and system and services acquisition, while the privacy control areas include policies and procedures, monitoring and measuring, and acceptable use.
The guidance says that layering security and privacy over the EA ensures every aspect of the business receives appropriate attention. It also promotes interoperability and helps ensure employees use standard capabilities rather than one-off solutions.
'The FEA SPP provides an opportunity for agencies to take an enterprise perspective of security and privacy and establish processes to identify requirements, leverage capabilities and manage investments effectively,' the profile said. 'As agencies implement the FEA SPP, they will find opportunities to share resources and capabilities across domains, programs and agencies.'