The software engineering discipline has provided principles, methodologies, and tools for the development of information systems. Software engineering has also become a fundamental component in producing information systems and related software components that are cheaper, better, and faster. Recently, many forms of security attack have emerged that attempt to compromise the security of information systems and organizations. However, traditional software engineering is not adequate and effective for developing secure information systems. In this paper, we propose holistic, consistent, and integrated security engineering procedures for analyzing, designing, developing, testing, and maintaining secure enterprise information systems. The proposed security engineering methodology combines security risk control, enterprise security architecture, and security management into an integrated framework.