Using Architecture to Reason About Information Security
Abstract
We demonstrate, by a number of examples, that information flow security properties can be proved at an architectural level of abstraction that describes only the causal structure of a system and local properties of a number of trusted components. Architectures are represented using a generalization of intransitive noninterference policies that admits the ability to filter information passed between communicating domains. A notion of refinement of such architectures is developed that supports top-down development of architectural specifications and proofs by abstraction of information security properties.

