Enterprise security architecture 101

Enterprise Security Architecture integrates physical security with information security to achieve the organization's strategic goals, based on the Governance and Risk Management goals set by the Executive Team and Board of Directors.


  1. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
     Compiled by: Mark E.S. Bernard, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT, ISO 27001 Lead Auditor
  2. Accomplishments:
     • In 2013 Assisted Provincial Government with Privacy Impact Assessment of External Parties
     • In 2013 Assisted Aviation organization with ISO/IEC 27001 Registration/Certification
     • In 2013 Facilitated ISO Lead Auditor Training for International Manufacturing and Services Corporation
     • In 2013 Assisted Major Bank with Risk Assessment of New Services and Products
     • In 2012 Assisted National Legal Firm with ISO/IEC 27001 Reg./Certification
     • In 2012 Assisted Executive Relocation Organization to ISO/IEC 27001 Reg./Certification
     • In 2012 Assisted Cloud Service Provider of SaaS to achieve ISO/IEC 27001 Reg./Certification
     • In 2012 Assisted Global Electronic Solutions Provider ISO/IEC 27001 Reg./Certification
     • In 2012 Assisted Nano Technology Manufacturer with ISO/IEC 27001 Reg./Certification
     • In 2010/11 Led Cloud Service Provider of PaaS and IaaS in 8 DCs & 4 Continents to ISO 27001 Reg./Cert
     • In 2009 Led Provincial Government to become 1st Canadian Public Sector ISO 27001 Reg./Certification
     • In 2009 Led Provincial Government On-boarding Project for Oracle ERP Integrated Service Provider
     • In 2009 Led Technology and Operations during Negotiated Request for Proposal on behalf of Prov. Gov.
     • In 2007 Led Major Credit Union Trade & Wholesale Service to achieve ISO/IEC 27001 Reg./Certification
     • In 2006 Led Privacy, Security, and Compliance Office during BC Government outsourcing to Alternate Service Delivery during migration to SAP R3 - ERP
     Skype: Mark_E_S_Bernard; LinkedIn: http://www.linkedin.com/in/markesbernard
     Mark E.S. Bernard - Information Security / Privacy, GRC Management Consultant
     CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001 LA, CNA, SABSA - Security Service Management / Architecture, COBiT, ITIL
     Mark has 24 years of proven experience within the domain of Information Security, Privacy, Governance and Compliance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million+. Mark has also provided oversight to 250 contractors and 230 regular full-time employees as a senior manager during a government outsourcing contract valued at $300 million. Mark's skills and experience as a Systems Engineer, Software Engineer and Network Engineer have given him the ability to lead small and larger contracts for specialized services, including ERP systems like Oracle, SAP, JD Edwards, BPCS, JBA and red team penetration testing. Mark also led his work-stream during a Negotiated RFP process, followed by the on-boarding and knowledge transfer of the exiting Service Provider for a $25 Million Dollar Contract. Mark designed information security and privacy architecture and established information security management systems as program manager based on ISO 27001. Mark also led the re-engineering of IT processes based on Service Manager ITIL/ISO 20000, building in Quality Management ISO 9001 and establishing a Knowledge Management framework.
  6. Enterprise Security Architecture was created following the natural order in which organizations are structured.
  7. Organizational Governance is a crucial requirement of any organizational design, providing the leadership necessary to guide the Enterprise to achieve its strategic goals and investor expectations. This guidance comes from the Board of Directors and Executive Team.
  8. Risk Management is the linchpin of good Governance and organizational design. The Board of Directors and Executive Team utilize Risk Management to make decisions based on pros and cons and the potential impacts of realized Strategic Risks, Financial Risks, Compliance Risks and Operational Risks. Risk is not only associated with negative impacts; taking advantage of risk can lead to positive Business Benefits.
  9. The Enterprise Security Management System is a crucial integration point, providing assurance and internal advisory services on behalf of senior business leaders to help ensure that the enterprise design and architecture of business processes and infrastructure does not contravene Risk Management goals. The ESMS encompasses physical security, information in all formats, and health and safety.
  10. Enterprise Architecture is based on Business Requirements and the information needed to satisfy strategic organizational goals. These strategic goals can only be satisfied if the information and knowledge are available, maintain their security based on sensitivity, and leverage the most accurate data for Risk Management decisions by business leaders.
  11. Enterprise Architecture is based on Business Architecture supported by the information required to facilitate business. In many cases business systems are leveraged to manage the volume of data input into the business architecture. These business systems also help to improve the security and integrity of the information and data required to deliver services to customers and make management decisions.
  12. Enterprise Architecture is based on Business Architecture, which drives the requirements for infrastructure delivering information, data quality and availability. The sensitivity of information required to achieve Enterprise goals helps to establish the requirements for physical security, environmental security and the security of employees, also known as health and safety.
  13. The requirements for Enterprise Architecture and Business Architecture drive the requirements for Human Resources. The skills, experience and general knowledge of management and regular staff help move the organization towards its strategic goals.
  14. The requirements for Enterprise Architecture and Business Architecture drive the requirements for Procurement and Contract Management of external expertise, software, hardware, and telecommunications. Once acquired, ongoing maintenance of licenses and facilitation of Service Management will be required. Mergers and Acquisitions also fall under Procurement, so the requirements for confidentiality, integrity and availability become a seamless part of the organization's products and services.
  15. The requirements for Enterprise Architecture and Business Architecture drive the requirements for Business Continuity and Disaster Recovery. These requirements must bring value to the organization by helping to facilitate service delivery and product development and/or enhance the organization's reputation. The organization's mission, strategic goals and business benefits must be realized. Risk Management and Enterprise Security play a crucial role in effective, efficient BC and DR.
  16. Service Management and Operations facilitate the mitigation of risk to strategic goals, financial planning and compliance management. This is accomplished through the consistent execution of mature processes and continuous improvement. These Standard Operating Procedures (SOP) include control points for Quality Management and Risk Management such as management approval and reconciliation or segregation of duties. These control points are normally selected in response to a risk assessment or audit finding. Security standards help establish criteria that will be followed during the execution of SOP.
  17. Service Management is comprised of 11 unique processes that have been fully integrated with each other. The Service Desk is the central hub for communications and service management within the organization and with external partners, investors and customers. Operations and Service Management help the organization achieve organizational strategic goals as directed by Management, in consultation with the Enterprise Security Team and Business Architecture group.
  18. The Service Management Team provides the “boots on the ground” operations employees who maintain the Digital Service Delivery and Product Life Cycle Channels. The Service Management Team ensures that the Service Orientated Architecture is maintained. This includes ensuring that the software, hardware and telecommunication services are fully operational within the agreed terms for business hours, in support of the Business Architecture requirements and the Enterprise Security requirements for the confidentiality of information, the integrity of information and data, and the availability of information.
  19. The systems that employees and customers rely upon are prone to vulnerabilities that could be exploited by a motivated threat. The ESMS will provide assurance that these risks have been mitigated by working with managers and subject matter experts to identify, risk assess, prioritize and remediate as required. The server stack and the OSI or TCP/IP stack are two examples of where cracks can form, resulting in an exposure to threats. The achievement of organizational strategic goals and objectives is contingent upon maintaining a safe environment for employees.
  20. The Enterprise Security Management System provides a single point of contact and leadership for Enterprise Security based on strategic organizational goals and objectives. The ESMS brings together physical security with information security in support of Business Architecture, guided by organizational Governance and Risk Management.
  21. ESMS Examples: Subjects of Interest
     • Access Control
     • Active Shooter
     • Asset Protection and Management
     • Background Screening/Due Diligence
     • Bomb Threats
     • CCTV
     • Compliance Management
     • Corruption/Ethics
     • Crime Prevention
     • Cryptography
     • Data/Information Security
     • Data Privacy
     • Disaster/Crisis Management
     • Environmental
     • Executive Protection/Personnel Security
     • Facilities (General)
     • Health and Safety
     • Incident Management
     • Investigations
     • Mail Security
     • Pandemics
     • Physical Security, General
     • Quality Management
     • Risk Management
     • Risk/Vulnerability Assessment and Site Surveys
     • Security Personnel/Duties
     • Security Planning and Management
     • Sexual Harassment/Discrimination
     • Social Media
     • Social Engineering
     • Supply Chain
     • Strikes/Demonstrations/Unrest
     • Substance Abuse
     • Telecommunications
     • Travel
     • Utilities
     • Vehicles and Vehicle Operation
     • Visitors
     • Water
     • Workplace Violence
     ESMS Examples: Applicable Industries
     • Agriculture
     • Aviation
     • Banking
     • Chemical
     • Cities
     • Distribution Centers
     • Educational Institutions
     • Energy Industry
     • Factories
     • FDIC
     • Government
     • Healthcare
     • Industrial Sites
     • Insurance
     • Mass Transit
     • Manufacturing
     • Media
     • Oil and Gas/Energy
     • Seaports
     • Stadiums and Arenas
     • Telecommunications
     • Technology
     • Theme Parks
     • Universities
  22. The Enterprise Security Management System is a valuable program that can be seamlessly integrated within every business process to help support and facilitate organizational strategic goals. Enterprise Security Architecture helps to visualize and disseminate the integration of business processes, including the importance of the overarching governance and risk management influence within the organization concerning the confidentiality of information, the integrity of business processes and data, and the availability of people and information to achieve strategic organizational goals. If you need help with your Enterprise Security Management System adoption or integration project, please contact me, thanks.
  23. For more information contact:
     Skype: Mark_E_S_Bernard
     Twitter: @MESB_TechSecure
     LinkedIn: http://ca.linkedin.com/in/markesbernard