TCI Reference Architecture v2.0 PDF
Guiding Principles

- Define protections that enable trust in the cloud.
- Develop cross-platform capabilities and patterns for proprietary and open-source providers.
- Facilitate trusted and efficient access, administration and resiliency for the customer/consumer.
- Provide direction to secure information that is protected by regulations.
- The architecture must facilitate proper and efficient identification, authentication, authorization, administration and auditability.
- Centralize security policy, maintenance operation and oversight functions.
- Access to information must be secure yet still easy to obtain.
- Delegate or federate access control where appropriate.
- Must be easy to adopt and consume, supporting the design of security patterns.
- The architecture must be elastic, flexible and resilient, supporting multi-tenant, multi-landlord platforms.
- The architecture must address and support multiple levels of protection, including network, operating system, and application security needs.

[Architecture diagram: the poster's domain-and-capability map, of which only the labels survive extraction. Top-level domains shown: Business Operation Support Services (BOSS), Information Technology Operation & Support (ITOS), Presentation Services, Application Services, Information Services, Infrastructure Services, and Security and Risk Management. Frameworks referenced along the bottom of the diagram: ITIL v3, TOGAF, JERICHO.]

Security and Risk Management capabilities legible in the diagram, grouped under the sub-domain headings that also survive in the extraction:

- Governance Risk & Compliance: Compliance Management, Policy Management, Vendor Management, Audit Management, IT Risk Management, Technical Awareness and Training.
- Privilege Management Infrastructure:
  Identity Management: Domain Unique Identifier, Federated IDM, Identity Provisioning, Attribute Provisioning.
  Authentication Services: SAML Token, Risk Based Auth, Multifactor Management, OTP, Smart Card, Password Management, Biometrics, Single Sign On, Identity Verification, WS-Security, Out of the Box (OTB) AuthN.
  Authorization Services: Entitlement Review, XACML, Policy Definition, Policy Enforcement, Framework - ACEGI, Principal Data Management, Role Management, Out of the Box (OTB) AuthZ.
  Privilege Usage Management: Keystroke/Session Logging, Password Vaulting, Privilege Usage Gateway, Hypervisor Governance and Compliance, Resource Protection.
- Threat and Vulnerability Management: Compliance Testing, Vulnerability Management, Penetration Testing, Threat Management, Secure Sandbox.
- Data Protection: Data Leakage Prevention, Lifecycle Management (Unstructured data), Data Obscuring, Data Seeding, eSignature.
- Policies and Standards: Operational Security Baselines, Job Aid Guidelines, Role Based Awareness, Information Security Policies, Technical Security Standards, Data/Asset Classification, Best Practices & Regulatory Correlation.

Infrastructure Services capabilities legible in the diagram: Internal Infrastructure (Servers, Network, Databases, Authoritative Time Source, Network Segmentation, IPv4, IPv6) and Virtual Infrastructure (Server, Storage, Network (VLAN, VNIC), Memory, Mobile Device, TPM and Smartcard Virtualization; Full, Para- and Hardware-Assisted Virtualization).