
Running head: FINAL PROJECT 1

Final Project

Raul Mendoza

University of San Diego

Secure Systems Architecture

CSOL-520

Thomas Plunkett

December 10, 2017



Final Project

As a consultant for Informatics Inc., I have been asked to design an enterprise security system for Intergalactic Banking and Financial Services Inc. (IBFS). To begin this process, I will use the SABSA model for security architecture development. The model contains different architecture layers that support each other, as depicted in Figure 1. Although additional artifacts are necessary to complete the enterprise security architecture, I will focus on the contextual layer as it applies to the IBFS business needs.

Figure 1. SABSA Model (Sherwood, Clark, & Lynas, 2005, p. 34)

As an international business, IBFS has multiple areas that must be addressed. To better define what architecture components are needed, we must first understand the business requirements of IBFS. The IBFS business units are as follows:

• Retail banking (current accounts, direct debits, standing orders, debit cards, credit cards, check payments, internet payments)
• Corporate banking (current accounts, foreign exchange, treasury, payments)
• General insurance (household, motor, travel, health care)
• Life insurance
• Pensions
• Personal investment products (unit trusts, annuities, special investment products in multiple countries)
• Savings, loans, mortgages
• Asset management (managing portfolios of investments on behalf of clients)
• Custody of other agency services
• Securities trading (buying and selling stocks, shares, and bonds)
• Corporate finance (advising on mergers, acquisitions, divestments, and stock market flotation)
• Invoice financing

With today's architectures under daily attack, it is important to apply the security architecture necessary to reduce our attack surface. This becomes increasingly important when storing or processing data that is sensitive or that contains Personally Identifiable Information (PII), customer/patient health information, financial information, or credit card information.

Providers, patients, and financial customers require access to the appropriate information as it relates to their roles. To ensure data is protected, we must implement appropriate block ciphers, hashing functions, and key management so that communication between two or more systems in our network is encrypted and access is granted only to authorized parties. By implementing the appropriate cryptosystem and key distribution protocol, we are capable of safeguarding HIPAA-regulated information, PCI DSS cardholder data, and sensitive investment data.



Implementing the appropriate security exchanges to ensure users can access information allows an organization to manage and enforce security policies from a single point. The following business drivers are identified to ensure we understand all criteria for supporting our architecture.

• Sharing accurate and actionable information with consumers, policy makers, other companies, and industries will help make all of us safer and stronger.
• A strong password policy is needed to ensure access is only granted to authorized users.
• Identify any misconfigured services, such as web services, Microsoft SQL servers, and infrastructure devices.
• Identify vulnerabilities on any existing internal networks.
• Discover outdated services or unpatched systems.
• Operate globally with little to no downtime.

The business drivers help us to identify what business issues need to be discussed and how we associate risk with them. Below, I have identified the business drivers, risks, and risk mitigation recommendations for each (Figure 2).



Figure 2. Business Risk Model.

Because IBFS has such a broad footprint across the health and financial industries, it is important to ensure compliance is enforced and supported at all levels. The mechanisms that support the proper implementation are defined in greater detail through the SABSA model. Although we understand that the business requirements drive the entire architecture, we must also expect to provide and define which artifacts will be required. Conceptually, an architect can better define what IBFS wants to protect by associating business attribute profiles (Figure 2).

Increased assurance is a major factor we must consider as part of the business function. Determining what assurance services are available can elevate our assurance and increase reliability for our customers. To better define what services and assurance services are needed, please review Figure 3.



Figure 3. Assurance & Security Services

The business drivers, attribute profiles, and risks have been provided to ensure we understand what assets we have, what information we need to protect, who needs to access it, when it must be accessed, and the location it must be accessed from. But we must also address the importance of security policy making, information classification, and organizational and cultural development. Policies must be developed to communicate the business expectations so that employees understand what is considered acceptable. In the case of IBFS, we must adhere to all HIPAA, Consumer Financial Protection Bureau (CFPB), and PCI DSS requirements to ensure all financial data, credit card data, and health information are protected accordingly (Department of Health and Human Services [HHS], 2013, p. 1). As such, an acceptable use policy will be developed to ensure employees understand what is allowed on company systems.

Vigilance is mandatory to help ensure compliance. Controls and sound business systems must be in place, and all departments need to stay in communication. In addition to regularly monitoring and analyzing internal controls and financial systems, and assessing potential risks, IBFS leaders must take time to:

• Educate staff. Whether through regular meetings or weekly email blasts, keep everyone who needs to know about regulatory changes up to date. Provide regulatory compliance training, and make sure employees also have access to resources such as industry publications and webinars on relevant topics.
• Invest in expertise. This includes hiring compliance officers and internal auditors. Engaging specialized consultants with deep expertise in regulatory matters can also help organizations to manage compliance initiatives more effectively.
• Learn from others. Keep an eye on competitors: adopt their best practices and avoid repeating their blunders.



References

Department of Health and Human Services. (2013). Summary of the HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture: A Business-Driven Approach. Boca Raton, FL: Taylor & Francis Group.
