Towards a holistic Information Security Governance Framework for SOA

Service Oriented Architecture (SOA) is a design paradigm that enables applications to be built from business processes to support enterprise architecture. This architecture introduces information security challenges that are not comprehensively addressed by current best-practices. This paper evaluates if an Information Security Management System (ISMS), defined by the international standard ISO/IEC 27001 and 27002 can be used to comprehensively support Information Security governance for SOA. As SOA governance, a separate and distinct governance framework, also addresses information security to a certain extent, managers are faced the difficult task of deciding whether their SOA sufficiently protected by the different frameworks. The conclusion is that information security for SOA needs to be addressed more holistically, following an Enterprise Information Security Architecture (EISA) approach where Enterprise Architecture (EA) is concerned with the design of the overall architectural vision of an organization. The framework chosen for this purpose is SABSA, a well-known enterprise security architecture. Using the example of access control to highlight challenges, it becomes clear that Information Security governance for SOA can benefit from an approach such as SABSA.