Week 7 - Final

This document proposes a component layer security architecture for IBFS using the SABSA model. The SABSA model consists of 6 layers including a component layer with 6 deliverables: detailed security structures, risk management, security services management, application and user management, security of sites/networks/platforms, and operational schedules. The proposal addresses concerns of IBFS executives including protecting customer trust, global operations, application management, flexibility during mergers/acquisitions, and compliance. It aims to provide a secure architecture that meets the needs of IBFS' changing business environment.


Secure Systems Architecture Ricardo Nevarez

Final Week 7

Final Assignment

Ricardo Nevarez

University of San Diego and CS520

December 11, 2017

in Partial Fulfillment of the Requirements for the Degree of


Master of Cybersecurity Operations and Leadership
Final Assignment.CS520.Week7.Ricardo Nevarez

Table of Contents

Executive Summary ................................................ 1
The SABSA Security Architecture Model ............................ 2
The Six (6) Deliverables of the Component Layer for IBFS ......... 3
Primary Concerns of IBFS ......................................... 4
Target Audience of IBFS .......................................... 4
The Proposal ..................................................... 5
Concerns of the Group CEO ........................................ 5
Concerns of the COO .............................................. 5
Concerns of the Senior VP of eBusiness ........................... 6
Concerns of the Group Chief Financial Officer .................... 7
Concerns of the Senior VP of Marketing and Distribution .......... 8
Concerns of the CIO .............................................. 8
Concerns of the Director of Compliance ........................... 9
Key Questions to Continuously Keep Asking ........................ 9
Conclusion ....................................................... 9
References ...................................................... 10

Executive Summary

It is the mission and goal of Informatics Inc. to implement the needs and the proposed requirements of the following executives: Group CEO, COO, Senior VP of eBusiness, Group Chief Financial Officer, Senior VP of Marketing and Distribution, CIO, and the Director of Compliance. By implementing this component layer enterprise security architecture we will base “all” decisions on the following: usability, interoperability, integration, supportability, low-cost development, fast time to market, scalability of proposed platforms, scalability of cost, scalability of security level, reusability, and operations costs. This proposed system will ensure that IBFS remains competitive in this growing financial market into the future, with its systems flexible enough to meet those challenges, whatever they may be. Thank you for taking the time to read through this proposal; with your support we can create a successful, trustworthy computer network system for IBFS.

Page 1

The SABSA Security Architectural Model

SABSA stands for Sherwood Applied Business Security Architecture. It is an open-source framework used for developing security architectures focused on business operational risk, and it applies to information security and information assurance architectures for any type of organization in any field. The framework allows for an association between the security architecture and the organization’s business value and its architecture (SABSA, 2017). It also offers a means to balance risk and reward with respect to the methods, frameworks and processes the SABSA security architectural model offers (Scott, 2012), and it allows the technology considerations of what is to be implemented on the computer network system to be worked out.

The SABSA security architectural model consists of six (6) layers, which are:

• Contextual Security Architecture
• Conceptual Security Architecture
• Logical Security Architecture
• Physical Security Architecture
• Component Security Architecture
    ◦ Detailed Security Structures
    ◦ Risk Management
    ◦ Security Services Management and Support
    ◦ Application and User Management and Support
    ◦ Security of Sites, Networks and Platforms
    ◦ Security Operational Schedule
• Operational Security Architecture, which lies across all five (5) layers above.

(Sherwood, Clark, & Lynas, 2005)

Fig 1 - The SABSA Model for Security Architecture Development
(Image from http://www.cissp.tjscott.net/models/sf.sabsa.analysis.pdf)


The SABSA Matrix

Fig 2 - The SABSA architecture model as a 6x6 matrix

The Six (6) Deliverables of the Component Layer

The role of the security architecture consultant on behalf of Informatics Inc. is to provide the following generalized component layer deliverables, which will benefit IBFS’s security strategy needs.

• Detailed Security Data Structure
    ◦ An updated data dictionary, defining the syntax rules of all the data structures required by the security architecture.
• Security Standards
    ◦ A framework for security standards and a list of all security standards that are required.
• Security Products and Tools
    ◦ A list with descriptions and specifications of all strategic technologies, products and tools that have been selected.
• Identities, Functions, Actions and Access Control Lists (ACLs)
    ◦ A naming scheme and framework for defining roles, identities, access privilege profiles, and authorized functions and actions, together with guidance on building ACLs that represent the respective parameters.
• Processes, Nodes, Addresses and Protocols
    ◦ Design of the security infrastructure, including the application processes that are to be run.
• Security Step Timing and Sequencing
    ◦ Detailed specification of the procedural step timings and sequences needed to implement the control structure execution model from the layer above.

The Primary Concerns of IBFS

The following specific concerns, which the component layer deliverables can address for IBFS, have been considered for implementation and directly address the needs of the Group CEO, COO, Senior VP of eBusiness, Group Chief Financial Officer, Senior VP of Marketing and Distribution, CIO, and the Director of Compliance within IBFS.

• Web and email for new business applications owned by shareholders.
• Primary business requirement is to protect the trust, operate on a global scale, and support virtual teams.
• Ability to securely manage different application management projects.
• IBFS is in a constant state of change with mergers, acquisitions, divestments, and joint ventures. Securely integrate and disintegrate the ICT systems and network infrastructure. Must be flexible.
• Ability to share business information systems and yet remain independent.
• Implement CRM across all applications, legacy systems and batch processing.
• Easy API with single sign-on, with growth towards CRM.
• Provide a single central data repository for customer data.
• Outsource all operational services that are core businesses. This is applicable to ICT services. Also outsource the WAN, and outsource the PCs.
• Ensure business applications and their respective data will be in-house.
• Service Level Agreements (SLAs).
• Define separate roles in finance, in securities and in compliance.
• Processes and procedural control mechanisms to be compliant.

Target Audience of IBFS

Specifically, management needs have been broken down and identified under each interviewee for this proposal.

Group CEO
• Web and email for new business applications owned by shareholders.

COO
• Primary business requirement is to protect the trust, operate on a global scale, and support virtual teams.

Senior VP of eBusiness
• Ability to securely manage different application management projects and customer relationships.

Group Chief Financial Officer
• IBFS is in a constant state of change with mergers, acquisitions, divestments, and joint ventures. Securely integrate and disintegrate the ICT systems and network infrastructure. Must be flexible.

Senior VP of Marketing and Distribution
• Ability to share business information systems and yet remain independent.
• Implement CRM across all applications, legacy systems and batch processing.
• Easy API with single sign-on, with growth towards CRM.

CIO
• Provide a single central data repository for customer data.
• Outsource all operational services that are core businesses. This is applicable to ICT services. Also outsource the WAN, and outsource the PCs.
• Ensure business applications and their respective data will be in-house.

Director of Compliance
• Define separate roles in finance, in securities and in compliance.
• Processes and procedural control mechanisms to be compliant.

The Proposal

Group CEO
• Web and email for new business applications owned by shareholders.

Overwhelmingly, the best product available to ensure that security and trust remain within the computer network system, that electronic communication remains secure, and that business applications are consistent throughout the organization is the Microsoft Office 365 product offered by Microsoft. This product is scalable on a global platform that can easily serve all employees, its available Service Level Agreement (SLA) is 99.9% uptime, it provides the security and compliance that ensure a trustworthy platform, and the product is continuously innovated. There are many key benefits here, such as continuous email backups and security and compliance features that protect this part of the organization from spam and keep malware from entering the computer network system. Using this secure system ensures that the reputation of the organization, and trust alike, remain intact.

COO
• Primary business requirement is to protect the trust, operate on a global scale, and support virtual teams.

The COO’s position is to assist the CEO with running the organization. Along with my recommendations to the Group CEO, I offer the same to the COO with some additional specialized tools and products to minimize the threat to the organization’s enterprise security architecture. IBFS will be dealing with many third-party vendors and thus must ensure that all security considerations are taken. These vendors will be accessing, processing and communicating with or managing IBFS’s information, and/or adding products or services, all of which are security related. For this reason, contracts must ensure that third-party vendors address the administrative, physical and technical safeguards that will reasonably protect the confidentiality, integrity and availability of IBFS’s information. Implementation of Microsoft Office 365 (Microsoft, 2017) ensures that email communication is protected, and offers data loss prevention, data governance, threat management and more.


For example, data loss prevention allows IBFS’s information to be identified and protected by setting policies that ensure the information within emails and shared documents is not shared with the wrong people in error. Data governance helps employees take control of their data through archiving or retention. It allows the individual to set up preservation policies to preserve content within their mailboxes, SharePoint and OneDrive. An additional available service captures email and third-party communication by policy for later review when needed, which helps with compliance. Threat management is the feature that quarantines messages deemed to be malware, spam, phishing or bulk email. A decision can then be made to delete the quarantined messages or to keep them and forward them to the intended employee within IBFS. This one product satisfies the COO’s need to ensure the trustworthiness of information flow within the organization. These are but a few of the features offered by this product.

One other need the COO is looking for, in respect of “virtual teams”, is met by Teams, the Microsoft product within Office 365. Microsoft Teams provides a collaborative workspace that can be accessed around the globe and can handle both public and private channels/rooms alike. Teams also allows for private chat within the organization and the sharing of files and notes. Other features offered include scheduling meetings with video.

Another added piece to ensuring trust within the computer network system is to ensure that proper network security appliances are installed, configured, and maintained. This means that policy should be applied to assure that these are properly configured, tuned to meet the needs of IBFS, that they operate properly and that all the components together ensure the confidentiality, integrity and availability of the information (SABSA, 2017). These policies and procedures will address the prevention, detection and removal of malicious code within the computer network environment at IBFS. Another necessary added security layer is a review of user accounts to ensure that terminated employees or third-party vendors who no longer work on the computer network systems do not retain access. These policies will also outline how often the review takes place and what actions will be taken if any discrepancies happen to be found.

Senior VP of eBusiness
• Ability to securely manage different application management projects and customer relationships.

The needs of the Senior VP of eBusiness are met by implementing Customer Relationship Management (CRM) software with a holistic approach. The CRM will help with building relationships with customers around the world. The CRM will also help customer relations with managing customers, employees, executive leadership, partners, suppliers, media, investors and advisors (Hall-Stigerts, 2014). The vendor Salesforce puts together functions that address the needs of the Senior VP of eBusiness. These functions work together through:

• Awareness
• Knowledge
• Consideration
• Selection
• Purchase
• Retention
• Advocacy
• Measurement

• Awareness addresses cold-call leads, and marketing plans through targeted advertising.
• Knowledge addresses the coordination of the sales department between its team members and customers to learn more about a use case, further marketing to reveal customers’ pain points, and building a knowledge base of frequently asked questions (FAQs) about IBFS’s products and services.
• Consideration aims to take customers by the hand through products and services.
• Selection allows for individualized messages to customers thanking them for their patronage.
• Purchase puts all the paperwork together and ensures the process is painless for the client.
• Retention addresses the need to reach out to customers with promotions on new products and services, and with customer surveys.
• Advocacy aims to offer select customers with potential business referrals an incentive program.
• Measurement aims to identify key performance indicators to drive process and reveal areas that require attention. Metrics will be unique to IBFS; the following will be collected, but not limited to: usage, data quality and business performance.

This CRM solution by Salesforce addresses the needs, meets the business goals, and allows IBFS to be competitive within the financial space in which it competes.

Group Chief Financial Officer
• IBFS is in a constant state of change with mergers, acquisitions, divestments, and joint ventures. Securely integrate and disintegrate the ICT systems and network infrastructure. Must be flexible.

This proposed Information and Communication Technologies (ICT) system aims to take user input and provide the information needed to assist in decision making through its data, procedures, software and hardware. This ICT system will be unique to IBFS. The Group CFO’s requirements will require many changes, which will involve computer programmers, network managers and computer engineers to integrate the system. With this constant change through mergers, acquisitions, divestments, and joint ventures, boundaries become blurred and employees may take on new duties as well as lose some. Moving staff around will also disrupt relationships within IBFS when departments are strategically restructured to meet new business needs.

Other things to consider are the initial costs of network equipment, its installation, and training on the equipment. Because of these mergers, acquisitions, divestments, and joint ventures it is important to approach the integration and disintegration of the system by its many parts and consider how each can impact network performance and established security. Speaking specifically of the network infrastructure, by far the most holistic approach is to maintain a star topology, since this allows fault tolerance, load tolerance, and ease of connecting and disconnecting workstations, servers, routers, and switches from the computer network.

Another piece to this is implementing a remote management system for monitoring servers, network hardware appliances and workstations. This flexibility also allows checking that patches are up to date, that software is installed, and that software licenses are current. This ICT system will have an impact on all aspects of IBFS, including security, where a security policy must ensure the following are covered:

• Physical security
• Logical security
• Continuous network monitoring
• Computer network systems access
• Operational procedures, which can include a Disaster Recovery Plan (DRP)

• Physical security will include controls to protect the organization’s entries and exits so that only authorized personnel are allowed access. This will also ensure that workstations are protected from removal by unauthorized personnel. A contingency plan will be implemented enabling oversight by alternate authorized personnel. The server room will be secured to ensure only those authorized have access. Network wiring closets that contain network appliances will also remain locked and accessible only to those who are authorized.

• Logical security, continuous network monitoring, and computer network access will ensure proper allocation of access rights to the computer network information system and its services. Limited access rights will be given on local workstations by using “restricted user access rights”, which will also help mitigate installation of malware. Passwords will be scheduled to change every 30, 60 or 90 days. Auto logoff on employees’ workstations will help prevent unauthorized access to a workstation if the user walks away. Also, remote management of the workstations will use SSL/TLS, IPsec, and VPN tunnels where needed. Lastly, but not limited to this, there will be periodic review of all accounts within the IBFS computer network.

• Operational procedures, which can include a Disaster Recovery Plan (DRP), aim to ensure that all security policies and procedures are implemented to address the prevention, detection and removal of any and all malicious code within the computer network system. Other operational management procedures in this ICT system will ensure that all workstations have antivirus protection installed, and that logs from the various network appliances and implemented software are reviewed regularly through automated or manual means. IBFS’s most valued asset is its data. That said, I propose to use encryption that follows the recommendations of NIST SP 800-111 (Scarfone, Souppaya, & Sexton, 2007). Encryption will be applied to the databases and any file servers. All workstations, servers and any computer network or mobile device will utilize full hard disk encryption to mitigate unauthorized access to the data. This will also add “trust” as per the COO’s request. Additionally, the DRP will back up all critical IT systems and their data. The backups will be kept offsite and redundant copies will be kept. Periodic scheduled recovery will be performed to ensure that backups are available and can be successfully recovered. Lastly, any changes to policies and procedures will be recorded.
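To illustrate the periodic account review called for here and under the COO’s concerns (terminated employees and third-party vendors retaining access, and the 30/60/90-day password change schedule), the following Python example, added to this page and not part of the proposal, runs such a review over constructed account records; the record layout, identities and dates are assumptions.

```python
"""Periodic account review (added example, not part of the proposal).

Flags accounts that are still enabled for terminated employees or for
third-party vendors whose engagement has ended, and passwords older than
the chosen rotation period (the proposal allows 30, 60 or 90 days).
Record layout, identities and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Account:
    identity: str                   # e.g. "uid-2001" (constructed naming scheme)
    kind: str                       # "employee" or "vendor"
    enabled: bool                   # can the account still log on?
    hr_status: str                  # employees: "active" or "terminated"
    engagement_end: Optional[date]  # vendors: contract end date, None if open
    password_changed: date          # date of the last password change


def review_accounts(accounts, as_of, max_password_age_days=90):
    """Return sorted (identity, finding) pairs for the review record.

    Disabled accounts produce no findings: their access is already removed.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.kind == "employee" and acct.hr_status == "terminated":
            findings.append((acct.identity, "enabled account for terminated employee"))
        if (acct.kind == "vendor" and acct.engagement_end is not None
                and acct.engagement_end < as_of):
            findings.append((acct.identity, "enabled vendor account after engagement end"))
        age = (as_of - acct.password_changed).days
        if age > max_password_age_days:
            findings.append(
                (acct.identity, f"password age {age}d exceeds {max_password_age_days}d"))
    return sorted(findings)


# Constructed sample inventory; the review date matches the proposal's date.
REVIEW_DATE = date(2017, 12, 11)
SAMPLE_ACCOUNTS = [
    Account("uid-2001", "employee", True, "active", None, date(2017, 11, 1)),
    Account("uid-2002", "employee", True, "terminated", None, date(2017, 10, 1)),
    Account("vnd-3001", "vendor", True, "active", date(2017, 11, 30), date(2017, 9, 1)),
    Account("vnd-3002", "vendor", False, "active", date(2017, 6, 30), date(2017, 1, 1)),
]

if __name__ == "__main__":
    # Each finding is one line in the review record the policy requires.
    for identity, finding in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{identity}: {finding}")
```

Tightening the rotation period to 60 days adds a finding for uid-2002, whose password is 71 days old; the disabled vendor account produces none.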

Senior VP of Marketing and Distribution
• Ability to share business information systems and yet remain independent.
• Implement CRM across all applications, legacy systems and batch processing.
• Easy API with single sign-on, with growth towards CRM.

These requirements have been covered under the Group CFO needs.

CIO
• Provide a single central data repository for customer data.
• Outsource all operational services that are core businesses. This is applicable to ICT services. Also outsource the WAN, and outsource the PCs.
• Ensure business applications and their respective data will be in-house.

The Salesforce implementation will satisfy the CIO’s requirements by providing a single data repository through the CRM, which allows access to the data from various applications. The implementation is a project that will involve much research and major technical challenges (Sherwood, Clark, & Lynas, 2005).

Director of Compliance
• Define separate roles in finance, in securities and in compliance.
• Processes and procedural control mechanisms to be compliant.

This is achievable through clearly documented security responsibilities, which will ensure that all job descriptions are clear and relevant to security policies and that each employee’s position within IBFS is well defined.
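As an added illustration of the component-layer deliverable “Identities, Functions, Actions and Access Control Lists” and of the separate finance, securities and compliance roles requested here, the following Python example (added to this page, not part of the proposal; role names, functions and identities are constructed) expands role assignments into per-identity ACLs and checks that no identity holds a conflicting pair of roles.

```python
"""Role, identity and ACL model with a separation-of-duties check
(added example, not part of the proposal).

Illustrates the component-layer deliverable "Identities, Functions, Actions
and Access Control Lists": a naming scheme for roles and functions, expansion
of role assignments into per-identity ACLs, and a check that the finance,
securities and compliance roles stay separate. All names are constructed.
"""

# Naming scheme (assumed): roles are ROLE-<dept>-<level>, functions are
# <system>:<action>. Each role maps to the functions it authorizes.
ROLES = {
    "ROLE-FIN-CLERK": {"ledger:read", "ledger:post"},
    "ROLE-FIN-APPROVER": {"ledger:read", "ledger:approve"},
    "ROLE-SEC-TRADER": {"orders:read", "orders:submit"},
    "ROLE-CMP-AUDITOR": {"ledger:read", "orders:read", "audit:export"},
}

# Role pairs one identity must never hold together (separation of duties):
# whoever posts a ledger entry must not approve it, and the auditor must
# not also be the trader or clerk being audited.
SOD_CONFLICTS = {
    frozenset({"ROLE-FIN-CLERK", "ROLE-FIN-APPROVER"}),
    frozenset({"ROLE-SEC-TRADER", "ROLE-CMP-AUDITOR"}),
    frozenset({"ROLE-FIN-CLERK", "ROLE-CMP-AUDITOR"}),
}


def build_acl(assignments):
    """Expand {identity: [roles]} into {identity: set of authorized functions}."""
    acl = {}
    for identity, roles in assignments.items():
        functions = set()
        for role in roles:
            if role not in ROLES:
                # Refuse to build an ACL from an undefined role rather than
                # silently granting nothing (or everything).
                raise KeyError(f"unknown role {role!r} assigned to {identity}")
            functions |= ROLES[role]
        acl[identity] = functions
    return acl


def sod_violations(assignments):
    """Return sorted (identity, role_a, role_b) for every conflicting pair held."""
    violations = []
    for identity, roles in assignments.items():
        held = set(roles)
        for pair in SOD_CONFLICTS:
            if pair <= held:
                role_a, role_b = sorted(pair)
                violations.append((identity, role_a, role_b))
    return sorted(violations)


def is_authorized(acl, identity, function):
    """Default deny: unknown identities and unlisted functions are refused."""
    return function in acl.get(identity, set())


# Constructed sample assignments; uid-1003 deliberately violates SoD.
SAMPLE_ASSIGNMENTS = {
    "uid-1001": ["ROLE-FIN-CLERK"],
    "uid-1002": ["ROLE-FIN-APPROVER"],
    "uid-1003": ["ROLE-SEC-TRADER", "ROLE-CMP-AUDITOR"],
    "uid-1004": ["ROLE-CMP-AUDITOR"],
}

if __name__ == "__main__":
    acl = build_acl(SAMPLE_ASSIGNMENTS)
    for identity in sorted(acl):
        print(identity, sorted(acl[identity]))
    for identity, role_a, role_b in sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"SoD violation: {identity} holds {role_a} and {role_b}")
```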

Key Questions to Continuously Keep Asking

Keep in mind that the implementation of this proposal will require both management and technical controls to ensure the project’s success. There are key questions that should be asked throughout each phase of this implementation, including but not limited to: what tools are going to be used to protect the computer network system, why use the tools under consideration, how is the tool going to be deployed, who is going to deploy the tool, where is the security management of the tool, and when is servicing of the tool required.

Other questions that will come up include, but are not limited to: what is the operational risk to IBFS, what are the delivery processes, who are the personnel involved, and how long and how well will this perform. Additionally, other questions to continuously keep asking include, but are not limited to, these (McNamara, 2017; Sherwood, Clark, & Lynas, 2005):

• Are all the components available for implementation?
• Do the proposed components integrate into the existing computer network system of IBFS?
• Is the system running smoothly?
• Has the system been properly implemented?
• Are “all” the required needs met and satisfactory to those who have been interviewed?
• Who is going to provide the ongoing maintenance of the computer network system?
• Is the implementation compliant?
• Is there value in the implemented system?

Conclusion

In conclusion, this paper takes a holistic and flexible approach to deliver the needs and requirements of each individual interviewee from the point of view of the Component Layer of the SABSA architectural model. Informatics Inc. will use this as a guide to implement a solid security structure that will allow IBFS to continue doing business globally and securely. It is important not to focus so much on the component level but to use the four (4) layers above it to provide the full picture of what the completed secure computer network will look like. Overall, these are my recommendations, and with the proper support of the stakeholders this project can be successful.


References
Hall-Stigerts, L. (2014, December 18). A Holistic Approach to Customer Relationship Management.
Retrieved December 11, 2017, from Salesforce:
https://www.salesforce.com/ca/blog/2014/12/what-is-crm.html

McNamara, C. (2017). Key Questions When Planning a Computer System. Retrieved December 11, 2017,
from Management Help: https://managementhelp.org/computers/planning.htm

Microsoft. (2017). Office 365 is Ready For Your Enterprise. Retrieved December 11, 2017, from
Microsoft: https://products.office.com/en-us/business/enterprise-productivity-tools

SABSA. (2017, December). Retrieved December 10, 2017, from SABSA: http://www.sabsa.org/

Scarfone, K., Souppaya, M., & Sexton, M. (2007, November). Guide to Storage Encryption Technologies
for End User Devices. Retrieved December 11, 2017, from NIST:
https://csrc.nist.gov/publications/detail/sp/800-111/final

Scott, T. (2012). An Analysis of The SABSA Framework. Retrieved December 10, 2017, from
CISSP.tjscott.net: http://www.cissp.tjscott.net/models/sf.sabsa.analysis.pdf

Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise Security Architecture. Boca Raton: CRC Press.
