*** THIS DOCUMENT HAS BEEN CLASSIFIED FOR PUBLIC DISTRIBUTION BY SECURE KNOWLEDGE MANAGEMENT INC. *** Compiled by: Mark E.S. Bernard, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT, ISO 27001 Lead Auditor

Upload: vothuan, posted 25-Apr-2018

Mark was trained by IBM on IBM’s AS400 and worked with IBM Global Services on a Red Team conducting penetration testing against offshore financial institutions. Mark has led the design and implementation of information security programs for many US and Canadian organisations using ISO. Mark led Central 1 Credit Union to become the first Canadian Bank to earn ISO/IEC 27001 Certification. During Mark’s work with the BC Government in 2008 he also led the Ministry of Finance Division Corporate Account Services to become the first Canadian Government entity to earn ISO 27001 Registration/Certification.

Mark is regarded as a Cybersecurity thought leader. In 2002 Mark founded the Atlantic Canada High Technology Crime Investigation Association. In 2015 Mark published the first NIST Cybersecurity Framework Foundation course.

Enterprise Security Architecture was created following the natural order in which organizations are structured.

Organizational Governance is a crucial requirement of any organizational design. It provides the leadership necessary to guide the Enterprise to achieve its strategic goals and investor expectations. This guidance comes from the Board of Directors and Executive Team.

Risk Management is the linchpin of good Governance and organizational design. The Board of Directors and Executive Team utilize Risk Management to make decisions based on the pros and cons, and the potential impacts, of Strategic Risks, Financial Risks, Compliance Risks and Operational Risks being realized. Risk is not just associated with negative impacts: taking advantage of risk can lead to positive Business Benefits.

The Enterprise Security Management System is a crucial integration point, providing assurance and internal advisory services on behalf of senior business leaders to help ensure that the enterprise design and architecture of business processes and infrastructure does not contravene Risk Management goals. The ESMS encompasses physical security, information in all formats, and health and safety.

Enterprise Architecture is based on Business Requirements and the information needed to satisfy strategic organizational goals. These strategic goals can only be satisfied if the information and knowledge are available, maintain their security based on sensitivity, and leverage the most accurate data for Risk Management decisions by business leaders.

Enterprise Architecture is based on Business Architecture, supported by the information required to facilitate business. In many cases business systems are leveraged to manage the volume of data input into the business architecture. These business systems also help to improve the security and integrity of the information and data required to deliver services to customers and make management decisions.

Enterprise Architecture is based on Business Architecture, which drives the requirements for infrastructure delivering information, data quality and availability. The sensitivity of information required to achieve Enterprise goals helps to establish the requirements for physical security, environmental security and the security of employees, also known as health and safety.

The requirements for Enterprise Architecture and Business Architecture drive the requirements for Human Resources. The skills, experience and general knowledge of management and regular staff help move the organization towards its strategic goals.

The requirements for Enterprise Architecture and Business Architecture drive the requirements for Procurement and Contract Management of external expertise, software, hardware, and telecommunications. Once acquired, ongoing maintenance of licenses and facilitation of Service Management will be required. Mergers and Acquisitions also fall under Procurement, so the requirements for confidentiality, integrity and availability become a seamless part of the organization's products and services.

The requirements for Enterprise Architecture and Business Architecture drive the requirements for Business Continuity and Disaster Recovery. These requirements must bring value to the organization by helping to facilitate service delivery and product development and/or enhance the organization's reputation.

The organization's mission, strategic goals and business benefits must be realized. Risk Management and Enterprise Security play a crucial role in effective, efficient BC and DR.

Service Management and Operations facilitate the mitigation of risk to strategic goals, financial planning and compliance management. This is accomplished through the consistent execution of mature processes and continuous improvement. These Standard Operating Procedures (SOP) include control points for Quality Management and Risk Management, such as management approval and reconciliation or segregation of duties. These control points are normally selected in response to a risk assessment or audit finding. Security standards help establish criteria that will be followed during the execution of SOP.

Service Management is comprised of 11 unique processes that have been fully integrated with each other. The Service Desk is the central hub for communications and service management within the organization and with external partners, investors and customers.

Operations and Service Management help the organization achieve its organizational strategic goals as directed by Management, in consultation with the Enterprise Security Team and Business Architecture group.

The Service Management Team provides the “boots on the ground” operations employees who maintain the Digital Service Delivery and Product Life Cycle Channels.

The Service Management Team ensures that the Service Oriented Architecture is maintained. This includes ensuring that the software, hardware and telecommunication services are fully operational within the agreed terms for business hours, in support of the Business Architecture requirements and the Enterprise Security requirements for the confidentiality of information, the integrity of information and data, and the availability of information.

The systems that employees and customers rely upon are prone to vulnerabilities that could be exploited by a motivated threat. The ESMS will provide assurance that these risks have been mitigated by working with managers and subject matter experts to identify, risk-assess, prioritize and remediate them as required. The server stack and the OSI or TCP/IP stack are two examples of where cracks can form, resulting in an exposure to threats.

The achievement of organizational strategic goals and objectives is contingent upon maintaining a safe environment for employees.

The Enterprise Security Management System provides a single point of contact and leadership for Enterprise Security based on strategic organizational goals and objectives. The ESMS brings together physical security with information security in support of Business Architecture, guided by organizational Governance and Risk Management.

ESMS Examples: Subjects of Interest

• Access Control
• Active Shooter
• Asset Protection and Management
• Background Screening/Due Diligence
• Bomb Threats
• CCTV
• Compliance Management
• Corruption/Ethics
• Crime Prevention
• Cryptography
• Data/Information Security
• Data Privacy
• Disaster/Crisis Management
• Environmental
• Executive Protection/Personnel Security
• Facilities (General)
• Health and Safety
• Incident Management
• Investigations
• Mail Security
• Pandemics
• Physical Security, General
• Quality Management
• Risk Management
• Risk/Vulnerability Assessment and Site Surveys
• Security Personnel/Duties
• Security Planning and Management
• Sexual Harassment/Discrimination
• Social Media
• Social Engineering
• Supply Chain
• Strikes/Demonstrations/Unrest
• Substance Abuse
• Telecommunications
• Travel
• Utilities
• Vehicles and Vehicle Operation
• Visitors
• Water
• Workplace Violence

ESMS Examples: Applicable Industries

• Agriculture
• Aviation
• Banking
• Chemical
• Cities
• Distribution Centers
• Educational Institutions
• Energy Industry
• Factories
• FDIC
• Government
• Healthcare
• Industrial Sites
• Insurance
• Mass Transit
• Manufacturing
• Media
• Oil and gas/Energy
• Seaports
• Stadiums and Arenas
• Telecommunications
• Technology
• Theme Parks
• Universities

The Enterprise Security Management System is a valuable program that can be seamlessly integrated within every business process to help support and facilitate organizational strategic goals.

Enterprise Security Architecture helps to visualize and disseminate the integration of business processes, including the importance of overarching governance and risk management influence within the organization concerning the confidentiality of information, the integrity of business processes and data, and the availability of people and information to achieve strategic organizational goals.

If you need help with your Enterprise Security Management System adoption or integration project please contact me, thanks.

For more information contact Web: https://www.securekm.com

Twitter: @Security_KM

LinkedIn: http://ca.linkedin.com/in/markesbernard
