Enterprise security architecture 101

DESCRIPTION

Enterprise Security Architecture integrating physical security with information security to achieve organizational strategic goals based on Governance and Risk Management goals created by the Executive Team and Board of Directors.

Page 1: Enterprise security architecture 101

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Compiled by; Mark E.S. Bernard, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT, ISO 27001 Lead Auditor

Page 2: Enterprise security architecture 101

Accomplishments:

• In 2013 Assisted Provincial Government with Privacy Impact Assessment of External Parties
• In 2013 Assisted Aviation organization with ISO/IEC 27001 Registration/Certification
• In 2013 Facilitated ISO Lead Auditor Training for International Manufacturing and Services Corporation
• In 2013 Assisted Major Bank with Risk Assessment of New Services and Products
• In 2012 Assisted National Legal Firm with ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Executive Relocation Organization to ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Cloud Service Provider of SaaS to achieve ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Global Electronic Solutions Provider with ISO/IEC 27001 Reg./Certification
• In 2012 Assisted Nano Technology Manufacturer with ISO/IEC 27001 Reg./Certification
• In 2010/11 Led Cloud Service Provider of PaaS and IaaS in 8 DCs & 4 Continents to ISO 27001 Reg./Cert
• In 2009 Led Provincial Government to become 1st Canadian Public Sector ISO 27001 Reg./Certification
• In 2009 Led Provincial Government On-boarding Project for Oracle ERP Integrated Service Provider
• In 2009 Led Technology and Operations during Negotiated Request for Proposal on behalf of Prov. Gov.
• In 2007 Led Major Credit Union Trade & Wholesale Service to achieve ISO/IEC 27001 Reg./Certification
• In 2006 Led Privacy, Security, and Compliance Office during BC Government outsourcing to Alternate Service Delivery, during migration to SAP R3 - ERP

Skype; Mark_E_S_Bernard; LinkedIn; http://www.linkedin.com/in/markesbernard

Mark E.S. Bernard - Information Security/Privacy, GRC Management Consultant
CRISC, CGEIT, CISA, CISM, CISSP, PM, ISO 27001LA, CNA, SABSA-Security Service Management/Architecture, COBiT, ITIL

Mark has 24 years of proven experience within the domain of Information Security, Privacy, Governance and Compliance. Mark has led teams of 30 or more as a Director and Project Manager and managed budgets of $5 Million+. Mark has also provided oversight to 250 contractors and 230 regular full-time employees as a senior manager during a government outsourcing contract valued at $300 million. Mark's skills and experience as a Systems Engineer, Software Engineer and Network Engineer have given him the ability to lead small and larger contracts for specialized services, including ERP systems such as Oracle, SAP, JD Edwards, BPCS and JBA, and red team penetration testing. Mark also led his work-stream during a Negotiated RFP process, followed by the on-boarding and knowledge transfer of the exiting Service Provider for a $25 Million contract. Mark designed information security and privacy architecture and, as program manager, established information security management systems based on ISO 27001. Mark also led the re-engineering of IT processes based on Service Management (ITIL/ISO 20000), building in Quality Management (ISO 9001) and establishing a Knowledge Management framework.

Page 3: Enterprise security architecture 101

Page 4: Enterprise security architecture 101

Page 5: Enterprise security architecture 101

Page 6: Enterprise security architecture 101

Enterprise Security Architecture was created following the natural order in which organizations are structured.

Page 7: Enterprise security architecture 101

Organizational Governance is a crucial requirement of any organizational design, providing the leadership necessary to guide the Enterprise to achieve its strategic goals and investor expectations. This guidance comes from the Board of Directors and Executive Team.

Page 8: Enterprise security architecture 101

Risk Management is the linchpin of good Governance and organizational design. The Board of Directors and Executive Team use Risk Management to make decisions based on pros and cons and on the potential impacts of the realization of Strategic Risks, Financial Risks, Compliance Risks and Operational Risks. Risk is not only associated with negative impacts: taking advantage of risk can lead to positive Business Benefits.

Page 9: Enterprise security architecture 101

The Enterprise Security Management System (ESMS) is a crucial integration point providing assurance and internal advisory services on behalf of senior business leaders, to help ensure that the enterprise design and architecture of business processes and infrastructure do not contravene Risk Management goals. The ESMS encompasses physical security, information in all formats, and health and safety.

Page 10: Enterprise security architecture 101

Enterprise Architecture is based on Business Requirements and the information needed to satisfy strategic organizational goals. These strategic goals can only be satisfied if the information and knowledge is available, maintains its security based on sensitivity, and leverages the most accurate data for Risk Management decisions by business leaders.

Page 11: Enterprise security architecture 101

Enterprise Architecture is based on Business Architecture, supported by the information required to facilitate business. In many cases business systems are leveraged to manage the volume of data input into the business architecture. These business systems also help to improve the security and integrity of the information and data required to deliver services to customers and make management decisions.

Page 12: Enterprise security architecture 101

Enterprise Architecture is based on Business Architecture, which drives the requirements for infrastructure delivering information, data quality and availability. The sensitivity of the information required to achieve Enterprise goals helps to establish the requirements for physical security, environmental security and the security of employees, also known as health and safety.

Page 13: Enterprise security architecture 101

The requirements for Enterprise Architecture and Business Architecture drive the requirements for Human Resources. The skills, experience and general knowledge of management and regular staff help move the organization towards its strategic goals.

Page 14: Enterprise security architecture 101

The requirements for Enterprise Architecture and Business Architecture drive the requirements for Procurement and Contract Management of external expertise, software, hardware and telecommunications. Once acquired, ongoing maintenance of licenses and facilitation of Service Management will be required. Mergers and Acquisitions also fall under Procurement, so the requirements for confidentiality, integrity and availability become a seamless part of the organization's products and services.

Page 15: Enterprise security architecture 101

The requirements for Enterprise Architecture and Business Architecture drive the requirements for Business Continuity and Disaster Recovery. These requirements must bring value to the organization by helping to facilitate service delivery and product development and/or enhance the organization's reputation.

The organization's mission, strategic goals and business benefits must be realized. Risk Management and Enterprise Security play a crucial role in effective, efficient BC and DR.

Page 16: Enterprise security architecture 101

Service Management and Operations facilitate the mitigation of risk to strategic goals, financial planning and compliance management. This is accomplished through the consistent execution of mature processes and continuous improvement. These Standard Operating Procedures (SOP) include control points for Quality Management and Risk Management, such as management approval, reconciliation or segregation of duties. These control points are normally selected in response to a risk assessment or audit finding. Security standards help establish criteria that will be followed during the execution of SOP.
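The segregation-of-duties and management-approval control points above are usually enforced mechanically against a role export rather than by reading SOPs. The following is an added example written for this page, not code from the deck or its author: it checks a constructed role export against a constructed conflict matrix of "toxic" role pairs, honours a register of management-approved exceptions (standing in for the compensating approval and reconciliation controls), and gates a new role grant before it happens. All role names, users and exceptions are assumptions made up for the illustration.

```python
"""Segregation-of-duties (SoD) control point, checked mechanically.

Constructed example: a conflict matrix of role pairs one person must not hold
together, a role export as an IAM system might produce it, and a register of
management-approved exceptions that stand in for compensating controls
(approval and reconciliation). None of these names come from a real system.
"""

# Constructed conflict matrix: each pair is a "toxic combination".
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),   # create a vendor, then pay it
    frozenset({"payment_create", "payment_approve"}),  # raise and approve a payment
    frozenset({"developer", "prod_deploy"}),           # write code and push it to prod
    frozenset({"user_admin", "audit_log_admin"}),      # grant access and erase the trail
}

# Constructed role export: user -> roles held.
ASSIGNMENTS = {
    "alice": {"vendor_create", "payment_create"},
    "bob": {"payment_approve", "reconciliation"},
    "carol": {"developer", "prod_deploy"},
    "dave": {"user_admin", "audit_log_admin", "vendor_create"},
}

# Constructed exception register: (user, conflicting pair) combinations that
# management has approved with a compensating control, e.g. carol may deploy
# her own code because every deploy is peer-reviewed and reconciled weekly.
APPROVED_EXCEPTIONS = {
    ("carol", frozenset({"developer", "prod_deploy"})),
}


def find_violations(assignments, conflicts, exceptions=frozenset()):
    """Detective control: return {user: [sorted conflicting pair, ...]} for every
    toxic combination a user holds without an approved exception."""
    violations = {}
    for user, roles in assignments.items():
        hits = [
            tuple(sorted(pair))
            for pair in conflicts
            if pair <= roles and (user, pair) not in exceptions
        ]
        if hits:
            violations[user] = sorted(hits)
    return violations


def check_grant(assignments, conflicts, user, new_role):
    """Preventive control: return the conflicts that granting new_role to user
    would introduce (an empty list means the grant needs no approval)."""
    proposed = set(assignments.get(user, set())) | {new_role}
    return sorted(
        tuple(sorted(pair))
        for pair in conflicts
        if new_role in pair and pair <= proposed
    )


if __name__ == "__main__":
    for user, pairs in find_violations(ASSIGNMENTS, SOD_CONFLICTS, APPROVED_EXCEPTIONS).items():
        print(f"{user}: needs management approval or a role split for {pairs}")
    print("alice + payment_approve ->",
          check_grant(ASSIGNMENTS, SOD_CONFLICTS, "alice", "payment_approve"))
```

In practice `find_violations` runs on a schedule over the real IAM export as the reconciliation step, and `check_grant` sits in the access-request workflow so that a conflicting grant is routed to management approval instead of being applied silently. Keeping the conflict matrix and the exception register as reviewable data, rather than burying them in code, is what lets an auditor trace each control point back to the risk assessment or audit finding that introduced it.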

Page 17: Enterprise security architecture 101

Service Management is comprised of 11 unique processes that have been fully integrated with each other. The Service Desk is the central hub for communications and service management within the organization and with external partners, investors and customers.

Operations and Service Management help the organization achieve its strategic goals as directed by Management, with consultation from the Enterprise Security Team and the Business Architecture group.

Page 18: Enterprise security architecture 101

The Service Management Team provides the "boots on the ground" operations employees who maintain the Digital Service Delivery and Product Life Cycle Channels.

The Service Management Team ensures that the Service Oriented Architecture is maintained. This includes ensuring that the software, hardware and telecommunication services are fully operational within the agreed terms for business hours, in support of the Business Architecture requirements and the Enterprise Security requirements for the confidentiality of information, the integrity of information and data, and the availability of information.

Page 19: Enterprise security architecture 101

The systems that employees and customers rely upon are prone to vulnerabilities that could be exploited by a motivated threat actor. The ESMS will provide assurance that these risks have been mitigated by working with managers and subject matter experts to identify, risk assess, prioritize and remediate as required. The server stack and the OSI or TCP/IP stack are two examples of where cracks can form, resulting in exposure to threats.

The achievement of organizational strategic goals and objectives is contingent upon maintaining a safe environment for employees.

Page 20: Enterprise security architecture 101

The Enterprise Security Management System provides a single point of contact and leadership for Enterprise Security based on strategic organizational goals and objectives. The ESMS brings together physical security with information security in support of Business Architecture, guided by organizational Governance and Risk Management.

Page 21: Enterprise security architecture 101

ESMS Examples: Subjects of Interest

• Access Control
• Active Shooter
• Asset Protection and Management
• Background Screening/Due Diligence
• Bomb Threats
• CCTV
• Compliance Management
• Corruption/Ethics
• Crime Prevention
• Cryptography
• Data/Information Security
• Data Privacy
• Disaster/Crisis Management
• Environmental
• Executive Protection/Personnel Security
• Facilities (General)
• Health and Safety
• Incident Management
• Investigations
• Mail Security
• Pandemics
• Physical Security, General
• Quality Management
• Risk Management
• Risk/Vulnerability Assessment and Site Surveys
• Security Personnel/Duties
• Security Planning and Management
• Sexual Harassment/Discrimination
• Social Media
• Social Engineering
• Supply Chain
• Strikes/Demonstrations/Unrest
• Substance Abuse
• Telecommunications
• Travel
• Utilities
• Vehicles and Vehicle Operation
• Visitors
• Water
• Workplace Violence

ESMS Examples: Applicable Industries

• Agriculture
• Aviation
• Banking
• Chemical
• Cities
• Distribution Centers
• Educational Institutions
• Energy Industry
• Factories
• FDIC
• Government
• Healthcare
• Industrial Sites
• Insurance
• Mass Transit
• Manufacturing
• Media
• Oil and gas/Energy
• Seaports
• Stadiums and Arenas
• Telecommunications
• Technology
• Theme Parks
• Universities

Page 22: Enterprise security architecture 101

The Enterprise Security Management System is a valuable program that can be seamlessly integrated within every business process to help support and facilitate organizational strategic goals.

Enterprise Security Architecture helps to visualize and disseminate the integration of business processes, including the importance of overarching governance and risk management influence within the organization concerning the confidentiality of information, the integrity of business processes and data, and the availability of people and information to achieve strategic organizational goals.

If you need help with your Enterprise Security Management System adoption or integration project please contact me, thanks.

Page 23: Enterprise security architecture 101

For more information contact: Skype; Mark_E_S_Bernard; Twitter; @MESB_TechSecure; LinkedIn; http://ca.linkedin.com/in/markesbernard