#53 Information Security - Minor change around risk and consideration of security architect
This change identifies a minor change to wording and also raises a couple of points about the security architect role.
From Australian Public Sector SFIA Cyber Security and Digital Workshop Oct12:
- Infosec Level 7 – suggest a minor modification to include risk management in addition to “…the strategic requirements of the business.”
- In relation to the role of a Security Architect, the goal is to manage risk rather than to simply comply with the business goals – and this is a key differentiator between Solutions Architects and Security Architects.
- In the “Blockchain and IOT (Internet of Things)” discussions, the Solution Architect may focus on the potential business advantages and benefits from early adoption, whereas Security Architect analysis and advice would focus on assisting with the implementation of this technology, if management so wished, to ensure that the implementation was appropriately risk managed throughout. Risk is an enterprise wide issue, hence the much broader remit that Security Architects have across the entire agency at multiple levels of the technology stack compared to a solution architect focussed on a particular deliverable.
Attached to Information security