The Digital Trust Imperative: Digital Trust—An Enterprise Approach

Author: K. Brian Kelley, CISA, CDPSE, CSPO, MCSE, SECURITY+
Date Published: 3 July 2023

The first time I looked at the details of the Digital Trust Ecosystem Framework (DTEF),1 I was struck with how many parts of the enterprise are included in the overall effort. Logically, standard IT and information security play crucial roles. However, a full implementation includes human resources (HR), communications/marketing, and enterprise architecture (EA). Since an organization’s digital trustworthiness is partially based on how its brand is perceived, communications/marketing makes sense. But what about HR? Yes, even HR has a role to play in this framework because the DTEF includes culture as an important aspect, marking it as one of the domains for the framework. If one peels back the layers of the DTEF, one can readily see that no part of the enterprise is insignificant or exempt from the framework.

Regarding the enterprise, it is important to focus on two domains that expect the full participation of every part of the enterprise in any organization: Culture and Architecture.

The Culture Domain

Part of what the DTEF defines as culture is a typical HR responsibility: managing skills and competencies. Manage Skills and Competencies is one of the three trust factors in the Culture domain. If you are not familiar with trust factors, they represent specific portions of a domain on which an organization is able to act. The actions for the Manage Skills and Competencies trust factor are similar to those found in other capability maturity models (CMMs): identifying the necessary skills for the CMM, providing resources to ensure that employees are able to gain those necessary skills, identifying gaps in employees’ skill sets, and providing the required training using the identified resources.

There are two additional trust factors in the Culture domain: Manage Culture and Create and Manage the Digital Trust Cultural Environment. When looking at these two trust factors, one can start to see responsibilities across the enterprise.

Manage Culture
The first trust factor, Manage Culture, starts with identifying the organization’s current culture, evaluating it against what the target culture should be, and continually measuring, evaluating and adjusting it by promoting what the target state should be. How is the target culture promoted? Part of it is communicating what that culture should be, but the framework also includes activities to communicate decisions, helpful behaviors, results from attempts to adjust toward the target state, and lessons learned from those decisions. Also, there is an expectation that senior management backs the culture change and models “trust-strengthening behaviors at all levels of the organization,”2 which is typically necessary to effect change.

Create and Manage the Digital Trust Cultural Environment
The second trust factor, Create and Manage the Digital Trust Cultural Environment, starts with designing the digital trust cultural context—that is, evaluating the organization’s current state in conjunction with where the organization wants to be as its target state. The communications factor is addressed next, and it is heavy. Each trust factor is further broken down into practices, and within those practices there are activities. The practice around communications has a number of key activities that focus on understanding what to communicate, how to communicate, the importance of communicating continually, and how to ensure that what is communicated can be tied back to the mission, goals, objectives, processes and procedures, and other aspects that are part of the operations and expectations of the organization.

Naturally, if an organization is going to focus on culture, it needs to be structured effectively for that culture. Roles and responsibilities should be well defined. The skills needed for each role should also be clearly understood and documented. This meshes with the trust factor of Manage Skills and Competencies, and there is a great deal of interwoven expectation within the DTEF, much as one would see in other frameworks. The Culture domain is also where branding comes in, along with efforts around managing reputation. All of these are part of the trust factor Create and Manage the Digital Trust Cultural Environment. And all of these encompass every level and structure within an organization. For instance, if IT is not able to deliver on services, organizational reputation is going to be negatively affected. Communications and marketing can only do so much. If customer support is lacking, customers will complain, and the organization’s brand and reputation will be damaged despite heroic efforts in other areas of the organization.

The Architecture Domain

I have been a member of an organization’s EA group and, in my experience, there are a few well-known frameworks for different aspects of architecture. However, the most well known is arguably The Open Group Architecture Framework (TOGAF).3 TOGAF is now more than a framework. It also includes a methodology, the Architecture Development Method (ADM), but here the focus is on the framework component. In the TOGAF framework, there are four domains: business, data, application and technology (BDAT). The business, data and application domains are what one would surmise. The technology domain may require a bit more explanation. Basically, technology comprises the underlying hardware and infrastructure that make the other domains work. Not surprisingly, the first trust factor in the DTEF Architecture domain, Create Enterprise Trust Architecture, includes a separate practice for each BDAT domain. The DTEF was designed to mesh well with other existing frameworks, and the focus on BDAT is a great example of how the DTEF overlaps with TOGAF for EA.

The other trust factors in Architecture are Manage Information and Technology Architecture, Manage Digital Trust Resources, and Align Digital Trust Technology With Organizational Needs. Looking at each trust factor, it is clear that each aligns with the traditional expectations of what EA is intended to perform for an enterprise organization.

Manage Information and Technology Architecture
Manage Information and Technology Architecture concerns itself with the life cycle of assets—whether those assets are properly fulfilling the role they should be performing in the organization; whether they are available, recoverable and resilient to the requirements of the enterprise; and whether integrity is maintained at all levels of the information and technology stack, including the supply chain. Again, all levels and parts of the enterprise are involved in this trust factor.

Manage Digital Trust Resources
Manage Digital Trust Resources focuses on the maintenance and day-to-day health of the various information and technology assets. Are patches being applied? Is performance sufficient? Are appropriate controls and monitoring in place? Is the physical infrastructure, including facilities, functioning to meet the needs of the organization? What about cloud and outsourced resources? Are they sufficient, and does the organization have reasonable assurance around their health and security? Once again, these efforts reach out to most, if not all, parts of the enterprise.

Align Digital Trust Technology With Organizational Needs
Finally, Align Digital Trust Technology With Organizational Needs is a key responsibility for EA in general. EA should be aligning technology to meet the business needs, both in the present (current architecture) and for the future (target architecture). Where there are gaps between current and target architecture, EA should be driving the organizational change to eliminate those gaps. Within the DTEF, EA is expected to do the same.

The DTEF Involves the Entire Enterprise

There are frameworks that basically sit in one or two departments within an enterprise organization. The DTEF is not one of those frameworks. The DTEF spans all parts of the enterprise, as can be clearly seen by examining either the Culture or Architecture domains. The Culture domain makes it clear that a digital trust culture has to be backed by senior management, communicated well and often throughout the organization, and modeled at all levels of the enterprise. Adopting a digital trust culture requires key decisions for change, and each of those decisions requires analysis with proper communication of results and lessons learned. The organization may need to be reshaped with new roles and responsibilities defined along with the skills required for those new roles. HR will need to ensure that proper training is available and that there is a program to eliminate gaps between the skill sets that are currently present within the organization and what the target state should be.

Likewise, Architecture focuses on information, infrastructure and technology assets for the organization. Those assets should meet the needs of the business, be properly maintained, and be designed to meet expectations around availability, recoverability and resilience. Where there are gaps between current architecture and target architecture, EA should be driving the organization to eliminate those gaps, much in the same way that HR should be working to eliminate gaps in skill sets. EA should also drive technology to align with the business. This requires a comprehensive effort across the enterprise to be successful.

And those are only two of the six domains of the DTEF. The other four domains have similar expectations for all parts of the enterprise to be engaged. This should not surprise anyone. After all, if one part of the organization is not able to meet expectations, that shortfall will have a negative effect on the organization’s brand and reputation. Even if that impact is not seen outside of the organization, it will be felt inside the enterprise. If the issues are not eliminated, eventually a negative effect will be seen outside of the organization. We do not need the DTEF to teach us these axioms. However, the DTEF brings focus to the fact that maintaining or improving an organization’s position with respect to brand and reputation, its standing within the digital trust ecosystem, requires every aspect of the enterprise to be successful.

Endnotes

1 ISACA®, Digital Trust Ecosystem Framework (DTEF), USA, 2022. The DTEF is currently in limited release. The most up-to-date information on ISACA’s digital trust offerings can be found at www.isaca.org/digital-trust.
2 Ibid.
3 The Open Group, TOGAF Standard, 10th Edition, United Kingdom, 2022, https://www.opengroup.org/togaf

K. Brian Kelley, CISA, CDPSE, CSPO, MCSE, Security+, is an author and columnist focusing primarily on Microsoft SQL Server and Windows security. He currently serves as a data architect and an independent infrastructure/security architect concentrating on Active Directory, SQL Server and Windows Server. He has served in a myriad of other positions, including senior database administrator, data warehouse architect, web developer, incident response team lead and project manager. Kelley has spoken at 24 Hours of PASS, IT/Dev Connections, SQLConnections, the TechnoSecurity and Forensics Investigation Conference, the IT GRC Forum, SyntaxCon, and at various SQL Saturdays, Code Camps and user groups.