Final Project
Raul Mendoza
CSOL-520
Thomas Plunkett
Final Project
As a consultant for Informatics Inc., I have been asked to design an enterprise security
system for Intergalactic Banking and Financial Services Inc. (IBFS). To begin this process, I will
use the SABSA model for security architecture development. The model contains different
architecture layers that support each other, as depicted in figure 1. Although additional artifacts
are necessary to complete the enterprise security architecture, I will focus on the contextual layer.
As an international business, IBFS has multiple areas that must be addressed. To better
define what architecture components are needed, we must first understand the business:
Retail Banking (Current accounts, direct debits, standing orders, debit cards,
Life insurance
Pensions
in multiple countries)
market floatation)
Invoice financing
With today's architectures under daily attack, it is important to apply the security
architecture necessary to reduce our attack surface. This becomes increasingly important
when storing or processing data that is sensitive or contains Personally Identifiable Information,
Providers, patients, and financial customers require access to the information appropriate
to their roles. In order to ensure data is protected, we must implement appropriate
block ciphers, hashing functions, and key management so that encrypted communications
between two or more systems in our network protect the data they carry. Encryption on its own
only protects data in transit or at rest; access control, logging, and sound key lifecycle
management must accompany it. By implementing an appropriate cryptosystem and key
distribution protocol, we are capable of safeguarding HIPAA, PCI DSS
Implementing the appropriate security exchanges to ensure users can access information
allows an organization to manage and enforce security policies from a single point. The
following business drivers are identified to ensure we understand all criteria for supporting our
architecture.
other companies, and industries – will help make all of us safer and stronger.
users
The business drivers help us to identify what business issues need to be discussed and
how we associate any risk to them. Below is how I have identified the business drivers, risks, and
Because IBFS has such a broad footprint across the health and financial industries, it is
important to ensure compliance is enforced and supported at all levels. The mechanisms that
support the proper implementation are defined in greater detail through the SABSA model.
Although we understand that the business requirements drive the entire architecture, we must
also expect to provide and define which artifacts will be required. Conceptually, an architect can
better define what IBFS wants to protect by associating business attribute profiles (figure 2).
Increased assurance is a major factor we must consider as part of the business function.
Determining what assurance services are available can raise our level of assurance and increase
the reliability we offer our customers. To better define what services and assurance services are needed,
The business drivers, attribute profiles, and risks have been provided to ensure we
understand what assets we have, what information we need to protect, who needs to access it,
when it must be accessed, and the location it must be accessed from. But we must also address the
development. Policies must be developed to communicate the business
expectations so that employees understand what is considered acceptable. In the case of
IBFS, we must adhere to all HIPAA, Consumer Financial Protection Bureau (CFPB), and
PCI DSS requirements to ensure all financial, credit card, and health information is
protected accordingly (Department of Health and Human Services [HHS], 2013, p. 1). As such, an
acceptable use policy will be developed to ensure employees understand what is allowed on
company systems.
Vigilance is mandatory to help ensure compliance. Controls and sound business systems
must be in place, and all departments need to stay in communication. In addition to regularly
monitoring and analyzing internal controls and financial systems, and assessing potential risks,
Educate staff. Whether through regular meetings or weekly email blasts, keep everyone
who needs to know about regulatory changes up to date. Provide regulatory compliance
training, and make sure employees also have access to resources such as industry
Invest in expertise. This includes hiring compliance officers and internal auditors.
Engaging specialized consultants with deep expertise in regulatory matters can also help
Learn from others. Keep an eye on competitors: Adopt their best practices and avoid
References
Department of Health and Human Services. (2013). Summary of the HIPAA Privacy Rule.
regulations/index.html
Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture A Business-Driven