ESRI is providing security implementation patterns to help solve recurring security problems in a proven, successful way. No single set of templates can provide the security necessary for every organization, because security solutions are based on individual business needs and the risks each business is willing to accept.

 

ESRI GIS Security Patterns are based on three increasing levels of security:

  • Basic Security Risk Implementations
  • Standard Security Risk Implementations
  • Advanced Security Risk Implementations

Choosing an Appropriate Risk Level Pattern

Two mechanisms are available for helping customers choose the right pattern for their organization.

  • Formal – The National Institute of Standards and Technology (NIST) defines a formal security categorization process
    • See NIST Guide SP 800-60
    • GIS security patterns are indirectly related to the Low, Medium and High categories
  • Informal – Simple scenarios ESRI customers can relate to
    • Basic
      • No Sensitive data – Public/Non-Privacy related information
      • All architecture tiers can be deployed on one server
      • Scenario Example: A financial organization managing routine administrative information (not privacy-related information) determines that the potential impact from a loss of confidentiality is low, the potential impact from a loss of data integrity is low, and the potential impact from a loss of availability is low.
    • Standard
      • Moderate consequences from data loss or loss of integrity
      • Architecture tiers are deployed to separate systems
      • Potential need for Federated Services
      • Scenario Example: An organization managing public information on its web server determines that there is no potential impact from a loss of confidentiality (i.e., confidentiality requirements are not applicable), a moderate potential impact from a loss of data integrity, and a moderate potential impact from a loss of availability.
    • Advanced
      • Sensitive data
      • All components redundant for high availability
      • Third-party enterprise security components utilized
      • Scenario Example: A law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate.

Once you have chosen an appropriate risk level pattern for your organization, you can find the corresponding reference implementations here:

  • Basic Security Reference Implementation
  • Standard Security Reference Implementation
  • Advanced Security Reference Implementation

These implementation patterns need to be evaluated and adapted to the customer’s unique requirements and circumstances.
