Federal Enterprise Architecture Framework (FEAF): Security Reference Model (SRM)

Editor's Note: Take a look at our featured best practice, Digital Transformation Strategy (145-slide PowerPoint presentation). Digital Transformation is being embraced by organizations across most industries, as the role of technology shifts from being a business enabler to a business driver. This has only been accelerated by the COVID-19 global pandemic. Thus, to remain competitive and outcompete in today's fast paced, [read more]

Also, if you are interested in becoming an expert on Digital Transformation, take a look at Flevy's Digital Transformation Frameworks offering here. This is a curated collection of best practice frameworks based on the thought leadership of leading consulting firms, academics, and recognized subject matter experts. By learning and applying these concepts, you can you stay ahead of the curve. Full details here.

* * * *

Enterprise Architecture (EA) denotes management best practice for lining up business and technology resources to realize strategic results, expand upon Organizational Performance and steer departments to achieve their core missions more successfully and achieve Operational Excellence.

Federal Enterprise Architecture Framework (FEAF) assists any agency of the Federal government achieve this through documentation and information that conveys a summarized outlook of an enterprise at various tiers of scope and detail.

The FEAF comprises of 6 interconnected Reference Models including Security Reference Model (SRM), linked through Consolidated Reference Model (CRM), each relating to a sub-architectural domain of the FEA framework.

Security is a worldwide concern pervading through all layers of the organization.  Effect on security at any level has an impact on each successive level, both ascending and descending.  Appropriate place for developing and charting Security standards, policies, and norms is the Enterprise Architecture Governance since it is the enforcement point for IT investments.

Security Reference Model (SRM) is a framework for maturing a security architecture created on Information Security and privacy standards.  SRM is omnipresent, entwining itself through all of the sub-architectures of the all-encompassing EA across all the other reference models.

Enterprise and solution architects have to remain aware of entire technology, business, performance, and security drivers so as to suitably steer IT Strategy and design Information Technology systems and choose apposite technology that fits their needs.  SRM offers all levels of architects a direction to understanding when and where those needs can be consolidated.

SRM facilitates in forming an even security architecture in 3 key areas:

1. Purpose
2. Risk
3. Controls

All the layers of SRM are vital for the security posture and wellbeing of an entire agency and/or system.  Highest levels of Federal architecture transform federal laws, regulations, and publications into specific policies.

Main principle of the SRM, at the enterprise layer, is to utilize the standards in place throughout the Federal or national IT security expanse to classify policy for a particular enterprise or agency. 

Segment level transforms department specific policies into security controls and measurements.  Policies set in place from the enterprise layer are utilized by SRM to categorize controls for a certain agency or segment. 

SRM utilizes controls set at the segment layer to enable system-specific designs and/or requirements of the individual system.  SRM employs controls chosen by the agency or segment to truly embed security into a system or application.

Proper security procedures ensure both risk reduction and regulatory compliance.  Regulatory compliance is not an aim in itself, but a constituent of the course by which risks and controls, applicable to the circumstance at hand, are chosen.  Risk mitigation is the eventual motive for the application of security controls.

In the same vein, chief goal of security is not to apply controls rather it is to diminish risks by means of layered security measures of which implementation of controls is a part.  Attaining decreased risk profile means that controls ought to be integrated throughout the organization, vertically and horizontally, across system and solution deployments, layered progressively.

Consequences of security are far more challenging to measure, and differ based on the organization’s business.  Metrics are signs of an organization’s advancement in security maturity and part of the overall IT Capability Maturity.  Undeveloped organizations have diminished capability of defining or collecting metrics.

Interested in learning more about FEAF: Security Reference Model?  You can download an editable PowerPoint on FEAF: Security Reference Model (SRM) here on the Flevy documents marketplace.

Do You Find Value in This Framework?

You can download in-depth presentations on this and hundreds of similar business frameworks from the FlevyPro Library.  FlevyPro is trusted and utilized by 1000s of management consultants and corporate executives. Here’s what some have to say:

“My FlevyPro subscription provides me with the most popular frameworks and decks in demand in today’s market.  They not only augment my existing consulting and coaching offerings and delivery, but also keep me abreast of the latest trends, inspire new products and service offerings for my practice, and educate me in a fraction of the time and money of other solutions.  I strongly recommend FlevyPro to any consultant serious about success.”

– Bill Branson, Founder at Strategic Business Architects

“As a niche strategic consulting firm, Flevy and FlevyPro frameworks and documents are an on-going reference to help us structure our findings and recommendations to our clients as well as improve their clarity, strength, and visual power.  For us, it is an invaluable resource to increase our impact and value.”

– David Coloma, Consulting Area Manager at Cynertia Consulting

“FlevyPro has been a brilliant resource for me, as an independent growth consultant, to access a vast knowledge bank of presentations to support my work with clients.  In terms of RoI, the value I received from the very first presentation I downloaded paid for my subscription many times over!  The quality of the decks available allows me to punch way above my weight – it’s like having the resources of a Big 4 consultancy at your fingertips at a microscopic fraction of the overhead.”

– Roderick Cameron, Founding Partner at SGFE Ltd

Want to Achieve Excellence in Digital Transformation?

Gain the knowledge and develop the expertise to become an expert in Digital Transformation. Our frameworks are based on the thought leadership of leading consulting firms, academics, and recognized subject matter experts. Click here for full details.

Digital Transformation is being embraced by organizations of all sizes across most industries. In the Digital Age today, technology creates new opportunities and fundamentally transforms businesses in all aspects—operations, business models, strategies. It not only enables the business, but also drives its growth and can be a source of Competitive Advantage.

For many industries, COVID-19 has accelerated the timeline for Digital Transformation Programs by multiple years. Digital Transformation has become a necessity. Now, to survive in the Low Touch Economy—characterized by social distancing and a minimization of in-person activities—organizations must go digital. This includes offering digital solutions for both employees (e.g. Remote Work, Virtual Teams, Enterprise Cloud, etc.) and customers (e.g. E-commerce, Social Media, Mobile Apps, etc.).

Learn about our Digital Transformation Best Practice Frameworks here.