Enterprise Security Architecture integrating physical security with information security to achieve organizational strategic goals based on Governance and Risk Management goals created by the Executive Team and Board of Directors.
*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Compiled by: Mark E.S. Bernard, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT, ISO 27001 Lead Auditor
Accomplishments:
• In 2013 Assisted Provincial Government with Privacy Impact Assessment of External Parties
• In 2013 Assisted Aviation organization with ISO/IEC 27001 Registration/Certification
• In 2013 Facilitated ISO Lead Auditor Training for International Manufacturing and Services Corporation
• In 2013 Assisted Major Bank with Risk Assessment of New Services and Products
• In 2012 Assisted National Legal Firm with ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Executive Relocation Organization to ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Cloud Service Provider of SaaS to achieve ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Global Electronic Solutions Provider ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Nano Technology Manufacturer with ISO/IEC 27001 Reg./Certification
• In 2010/11 Led Cloud Service Provider of PaaS and IaaS in 8 DCs & 4 Continents to ISO 27001 Reg./Cert
• In 2009 Led Provincial Government to become 1st Canadian Public Sector ISO 27001 Reg./Certification
• In 2009 Led Provincial Government On-boarding Project for Oracle ERP Integrated Service Provider
• In 2009 Led Technology and Operations during Negotiated Request for Proposal on behalf of Prov. Gov.
• In 2007 Led Major Credit Union Trade & Wholesale Service to achieve ISO/IEC 27001 Reg./Certification
• In 2006 Led Privacy, Security, and Compliance Office during BC Government outsourcing to Alternate Service Delivery during migration to SAP R/3 ERP
Skype: Mark_E_S_Bernard; LinkedIn: http://www.linkedin.com/in/markesbernard
Mark E.S. Bernard, Information Security/Privacy, GRC Management Consultant
CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001 LA, CNA, SABSA Security Service Management/Architecture, COBIT, ITIL
Mark has 24 years of proven experience within the domain of Information Security, Privacy, Governance and Compliance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 million or more. Mark has also provided oversight to 250 contractors and 230 regular full-time employees as a senior manager during a government outsourcing contract valued at $300 million. Mark's skills and experience as a Systems Engineer, Software Engineer and Network Engineer have enabled him to lead small and large contracts for specialized services, including ERP systems such as Oracle, SAP, JD Edwards, BPCS and JBA, and red team penetration testing. Mark also led his work-stream during a Negotiated RFP process, followed by the on-boarding and knowledge transfer from the exiting Service Provider for a $25 million contract. Mark designed information security and privacy architecture and, as program manager, established information security management systems based on ISO 27001. Mark also led the re-engineering of IT processes based on Service Management (ITIL/ISO 20000), building in Quality Management (ISO 9001) and establishing a Knowledge Management framework.
Enterprise Security Architecture was created following the natural order in which organizations are structured.
Organizational Governance is a crucial requirement of any organizational design. It provides the leadership necessary to guide the Enterprise to achieve its strategic goals and investor expectations. This guidance comes from the Board of Directors and the Executive Team.
Risk Management is the linchpin of good Governance and organizational design. The Board of Directors and Executive Team use Risk Management to make decisions by weighing the pros and cons and the potential impacts should Strategic Risks, Financial Risks, Compliance Risks or Operational Risks be realized. Risk is not associated only with negative impacts: taking advantage of risk can lead to positive Business Benefits.
The Enterprise Security Management System (ESMS) is a crucial integration point, providing assurance and internal advisory services on behalf of senior business leaders to help ensure that the enterprise design and architecture of business processes and infrastructure does not contravene Risk Management goals. The ESMS encompasses physical security, the security of information in all formats, and health and safety.
Enterprise Architecture is based on Business Requirements and the information needed to satisfy strategic organizational goals. These strategic goals can only be satisfied if the information and knowledge is available, maintains its security based on sensitivity, and leverages the most accurate data for Risk Management decisions by business leaders.
Enterprise Architecture is based on Business Architecture, supported by the information required to facilitate business. In many cases business systems are leveraged to manage the volume of data input into the business architecture. These business systems also help to improve the security and integrity of the information and data required to deliver services to customers and make management decisions.
Enterprise Architecture is based on Business Architecture, which drives the requirements for the infrastructure delivering information, data quality and availability. The sensitivity of the information required to achieve Enterprise goals helps to establish the requirements for physical security, environmental security and the security of employees, also known as health and safety.
The requirements for Enterprise Architecture and Business Architecture drive the requirements for Human Resources. The skills, experience and general knowledge of management and regular staff help move the organization towards its strategic goals.
The requirements for Enterprise Architecture and Business Architecture drive the requirements for Procurement and Contract Management of external expertise, software, hardware and telecommunications. Once acquired, ongoing maintenance of licenses and facilitation of Service Management will be required. Mergers and Acquisitions also fall under Procurement, so the requirements for confidentiality, integrity and availability become a seamless part of the organization's products and services.
The requirements for Enterprise Architecture and Business Architecture drive the requirements for Business Continuity and Disaster Recovery. These requirements must bring value to the organization by helping to facilitate service delivery and product development and/or enhance the organization's reputation.
The organization's mission, strategic goals and business benefits must be realized. Risk Management and Enterprise Security play a crucial role in effective, efficient BC and DR.
Service Management and Operations facilitate the mitigation of risk to strategic goals, financial planning and compliance management. This is accomplished through the consistent execution of mature processes and continuous improvement. These Standard Operating Procedures (SOPs) include control points for Quality Management and Risk Management, such as management approval and reconciliation or segregation of duties. These control points are normally selected in response to a risk assessment or audit finding. Security standards help establish the criteria that will be followed during the execution of SOPs.
Service Management is comprised of 11 unique processes that have been fully integrated with each other. The Service Desk is the central hub for communications and service management within the organization and with external partners, investors and customers.
Operations and Service Management help the organization achieve its strategic goals as directed by Management and advised by the Enterprise Security Team and Business Architecture group.
The Service Management Team provides the “boots on the ground” operations employees who maintain the Digital Service Delivery and Product Life Cycle Channels.
The Service Management Team ensures that the Service Oriented Architecture is maintained. This includes ensuring that the software, hardware and telecommunication services are fully operational within the agreed terms for business hours, in support of the Business Architecture requirements and the Enterprise Security requirements for the confidentiality of information, the integrity of information and data, and the availability of information.
The systems that employees and customers rely upon are prone to vulnerabilities that could be exploited by a motivated threat actor. The ESMS will provide assurance that these risks have been mitigated by working with managers and subject matter experts to identify, risk assess, prioritize and remediate as required. The server stack and the OSI or TCP/IP stack are two examples of where cracks can form at any layer, resulting in an exposure to threats.
The achievement of organizational strategic goals and objectives is contingent upon maintaining a safe environment for employees.
The Enterprise Security Management System provides a single point of contact and leadership for Enterprise Security based on strategic organizational goals and objectives. The ESMS brings together physical security with information security in support of Business Architecture, guided by organizational Governance and Risk Management.
ESMS Examples: Subjects of Interest
• Access Control
• Active Shooter
• Asset Protection and Management
• Background Screening/Due Diligence
• Bomb Threats
• CCTV
• Compliance Management
• Corruption/Ethics
• Crime Prevention
• Cryptography
• Data/Information Security
• Data Privacy
• Disaster/Crisis Management
• Environmental
• Executive Protection/Personnel Security
• Facilities (General)
• Health and Safety
• Incident Management
• Investigations
• Mail Security
• Pandemics
• Physical Security, General
• Quality Management
• Risk Management
• Risk/Vulnerability Assessment and Site Surveys
• Security Personnel/Duties
• Security Planning and Management
• Sexual Harassment/Discrimination
• Social Media
• Social Engineering
• Supply Chain
• Strikes/Demonstrations/Unrest
• Substance Abuse
• Telecommunications
• Travel
• Utilities
• Vehicles and Vehicle Operation
• Visitors
• Water
• Workplace Violence
ESMS Examples: Applicable Industries
• Agriculture
• Aviation
• Banking
• Chemical
• Cities
• Distribution Centers
• Educational Institutions
• Energy Industry
• Factories
• FDIC
• Government
• Healthcare
• Industrial Sites
• Insurance
• Mass Transit
• Manufacturing
• Media
• Oil and gas/Energy
• Seaports
• Stadiums and Arenas
• Telecommunications
• Technology
• Theme Parks
• Universities
The Enterprise Security Management System is a valuable program that can be seamlessly integrated within every business process to help support and facilitate organizational strategic goals.
Enterprise Security Architecture helps to visualize and disseminate the integration of business processes, including the overarching influence of governance and risk management within the organization concerning the confidentiality of information, the integrity of business processes and data, and the availability of people and information to achieve strategic organizational goals.
If you need help with your Enterprise Security Management System adoption or integration project please contact me, thanks.
For more information contact Skype: Mark_E_S_Bernard; Twitter: @MESB_TechSecure; LinkedIn: http://ca.linkedin.com/in/markesbernard