Structures and documents
The dimensions described previously relate both to the goals of the organization (what is important to measure in how it achieves those goals) and also to how well a security measure works within the context of enterprise goals. This is what makes understanding the goals so important. But assuming that going through a full goal-mapping exercise to correlate every organizational goal to technology goals – and map, in turn, security goals to technology ones – represents a time investment that not every architect can afford to make, how can we get to a rapid understanding quickly so that our design work can proceed?
As we implied earlier, one way to do this is by looking at policy, procedure, standard, and guidance documentation that may already exist in the organization. This is because they are the codification of already-made decisions by the organization, which are, in turn, driven by the goals. Sometimes, these items are even referred to...