Approach and framework

Abstract

This chapter is an approach to ESARIS. In Sect. 3.1 the term ESARIS is defined in detail and shown in relation to other structures. The reasons and the background are provided in order to understand the necessity for an ICT Service Provider to develop and maintain such an architecture and to better appreciate its purpose and value. Section 3.2 analyzes the situation whereby there are many departments and different business in large enterprises and they all appear to depend on all the others. Here, there are at least two perspectives, referred to as corporate security management and product security management. Taking into consideration these different perspectives on information security provides more clarity, differentiates between responsibilities for security and thereby strengthens the scope of ESARIS. The latter is continued in Sect. 3.3 through a description of frameworks for ESARIS, i.e. organizations or systems relating to the architecture and which are required for it. The so-called Enablement Framework primarily refers to the corporate security perspective and provides the ICT Service Provider with the ability to achieve information security. The so-called Enforcement Framework primarily refers to the product security perspective and provides practical security measures for protecting the ICT services. Section 3.4 introduces the ESARIS Industrialization Concept with an explanation as to how requirements from different sources are treated, structured and used and how standardized elements are combined in order to create tailored ICT services and to meet various security requirements. Section 3.5 leads on to the next chapter by outlining the ESARIS Dimensions and Work Areas.