Information security architecture, like many other architectures, should be developed top-down, starting from the enterprise architecture and strategy, which establish what should be done and how across the entire company. The information security architecture and strategy, in turn, address how those goals are realized from an information security perspective.
How do we help meet the business needs for information security (IS) now, and how will we do it in a year? For some enterprises, even five years is a very short time horizon, since they tie their plans to the life of, for example, a turbine or a blast furnace, whose design life can be fifty years. Accounting for sufficiently long time periods is the key difference between good architecture and bad architecture.