The Architecture Assessment (AA) practice ensures that the application and infrastructure architecture adequately meets all relevant security and compliance requirements, and sufficiently mitigates identified security threats. The first stream focuses on verifying that the security and compliance requirements identified in the Policy and Compliance and Security Requirements practices are met, first in an ad-hoc manner, then more systematically for each interface in the system. The second stream reviews the architecture, first for mitigations against typical threats, then against the specific threats identified in the Threat Assessment practice.
In its more advanced form, the practice formalizes the architecture security review process and continuously evaluates the effectiveness, scalability and strategic alignment of the architecture’s security controls. Identified weaknesses and possible improvements are fed back to the Secure Architecture practice to improve reference architectures.
Maturity level | | Stream A: Architecture Validation | Stream B: Architecture Mitigation |
---|---|---|---|
1 | Review the architecture to ensure baseline mitigations are in place for typical risks. | Identify application and infrastructure architecture components and review for basic security provisioning. | Ad-hoc review of the architecture for unmitigated security threats. |
2 | Review the complete provision of security mechanisms in the architecture. | Validate the architecture security mechanisms. | Analyze the architecture for known threats. |
3 | Review the architecture effectiveness and feed back results to improve the security of the architecture. | Review of the architecture components' effectiveness. | Feed the architecture review results back into the enterprise architecture, organization design principles and patterns, security solutions and reference architectures. |