Cyber Security
Introduction
As a security architecture consultant, I will address this paper from the perspective of the contextual architecture layer, which is the business view in the Sherwood Applied Business Security Architecture (SABSA). Intergalactic Banking and Financial Services, Inc. (IBFS) needs an enterprise security system to help it stay at the top of the industry and to retain client and shareholder trust.
Security is a key element of a business environment because it protects the things that are of value to the business. In today's technology landscape, security is essential for protecting information and data within database systems. Technological advancement, which has brought a mega-shift in the application of technology by the economic, political, and social sectors, has led to a rise in cyber attacks. Financial institutions are the major targets of cyber attackers given the nature of the data and money they hold. Banking and financial institutions, as well as other organizations, have understood the importance of investing in information security systems (Aliyu & Tasmin, 2012). It has become mandatory to invest in security systems, which help financial and banking institutions to maintain credibility and to retain the trust of their customers, as well as interested parties such as shareholders. Maintaining credibility through investing in information security systems helps the banking and financial sectors to achieve regulatory compliance. In many instances, most security threats to the financial sector come from outside, where attackers gain access to information or try to make counterfeit transactions. Whenever there is a data breach, high churn rates are witnessed in the customer base. For financial institutions, the cost of a data breach includes the possible termination of licensure for the organizations that have been affected. It is therefore essential that financial and banking institutions strengthen their incident response teams to ensure that immediate and efficient encryption is applied to all data (Aliyu & Tasmin, 2012). Staff members should be highly trained in IT, which could also mean hiring employees who are highly proficient in matters of information security.
Security has to include the aspects of usability, scalability, supportability, integration, cost-effectiveness, and real-time marketability.
The Sherwood Applied Business Security Architecture (SABSA)
The Sherwood Applied Business Security Architecture (SABSA) is both a framework and a methodology used for developing risk-driven architectures for enterprise information security (Burkett, 2012). It is also used in the delivery of security infrastructure solutions that support significant business initiatives. Everything within this model must be derived from an analysis of the security needs of the business. Because it is generic in form, the SABSA model can be used by any organization as a starting point. It comprises six layers, namely the contextual, conceptual, logical, physical, component, and operational layers, listed here in order. The table below shows the SABSA architectural layers:
View                     Layer
Business View            Contextual Security
Architect View           Conceptual Security
Designer View            Logical Security
Builder View             Physical Security
Tradesman View           Component Security
Facility Manager View    Operational Security Architecture
The SABSA Architectural Layers
The first layer is the contextual security architecture, which covers the business context comprising the objectives, risks, constraints, and factors that enable efficient functioning of the enterprise. The contextual architecture layer describes the context of the business under which the security system is to be designed. There are six essential questions that a security architecture consultant must be able to answer: What? Why? How? Who? Where? When? To be more precise, it is the duty of the consultant to come up with answers on what the business needs for information security (Sherwood, 2005). The Why? question must address the business risks in terms of the assets, goals, threats, vulnerabilities, as well as the impacts of the risks. For the How? question, it will be important to look closely into the processes within the institution that need security. The Who? question should help me come up with answers regarding the IBFS aspects of business security, that is, how the organization views business security. In answering the Where? question, the organizational geography and location, which in this case is worldwide, will be very important with regard to business security. Lastly, it is necessary to consider the time-related aspects of business security in terms of both performance and deadlines.
Being a global group of companies, IBFS provides a range of services across the globe, including retail banking, corporate banking, general insurance, life insurance, pensions, corporate finance, and securities trading, among others. IBFS has for a long time been using many legacy standalone applications that have a stovepipe architecture. These applications have individual interfaces and databases, which has resulted in complaints from stakeholders regarding difficulties in integrating the applications. There is therefore a need to provide IBFS with a single central data repository for its client and stakeholder data that can be shared across all the applications. There is also a need to install a data warehouse for the organization.
Deliverables
Developing deliverables for the business begins with collecting business requirements for IBFS for the purpose of producing deliverables within the contextual layer that will facilitate precision in a secure architecture (Whittle & Myrick, 2016). There will be a need to have an in-depth understanding of the nature of the IBFS business, its goals, objectives, and assets. The business deliverables of the contextual layer are derived from the questions that the layer aims to answer. One of the deliverables is the Business Model, which includes the drivers of the business mapped to the business attributes of SABSA; these include, but are not limited to, assets, goals, and objectives. Another deliverable is the Business Risk Model, which takes the form of a risk assessment matrix. Other deliverables include the business process model, the business organizational/relationships model, the business geography model, and the business time-dependency model.
In terms of the Business Model deliverable, IBFS is performing fairly well and not much adjustment is required. The organization has so far maintained customer and investor confidence. It has a good market reputation. The current security systems and payment card information data security are confidential; however, upgrades need to be made to the information security architecture. IBFS has managed to retain business continuity by incorporating the business attribute of availability and by being recoverable. The Business Risk Model is used to carry out an assessment of risks such as threats, vulnerabilities, the impacts of the threats, and the intensity of the underlying risk.
IBFS is located in 84 countries across the globe, which means that language, time zone, culture, laws, and locations differ. The geography model deliverable has to be sensitive to this by considering the protection and support given to the different workstations across the globe, given that there will be remote workers, customers, and vendors whose means of access is through the internet. Just like every other organization, IBFS has business deadlines, which are encompassed within the Time Dependencies deliverable. In terms of business security, the model gives consideration to time-related aspects. It will be important to provide security that maintains confidentiality within the timeframe for the transactions being made. A sluggish security mechanism that forces the time of a transaction to go beyond the set timeframe becomes an impediment to the business. When it comes to trading, the time when the market closes must be sensitive to the market demands, which translates to predicting how security will be improvised.
Deliverables Recommendation
The Business Process Model deliverable is essential for IBFS, as it will be used to take an inventory of the business processes and to analyze them for the purpose of determining the type of security needed. Both internal and external processes should be considered in order to identify those that occur at the enterprise level, at the group level, and within the various entities owned by IBFS. In order to have a more precise analysis of the security needs of IBFS, it will be important to break the processes down into sub-processes. One of the sub-processes that should be considered is business interaction between the business entities. This sub-process includes entity identification, where all the entities must be identified; entity authentication; and entity authorization, where access is limited to only the entities that should have access. The other sub-process involves business communications, which must be given a significant level of protection (Sherwood, 2005). Given that IBFS is a global company with branches all over the world, operating in regions with different languages and cultures as well as time zones, this sub-process is very significant. The local and wide area networks must be well secured, and internet and web access, conference calls, file transfers, remote access, emails, and online chat and instant messaging must all be protected. Given that IBFS provides a range of services globally, the Business Process Model deliverable will help in the protection of business transactions as well as information in order to meet the set policies, standards, laws, and regulations. Some of the transactions and information that will be protected include invoices, client information, corporate information, payments, orders, and contract negotiations and agreements.
The organization and relationship model will enable IBFS to analyze a range of aspects in order to define appropriate security needs. One of the relationships to consider is the interaction between suppliers and customers, which should be based on trust. The deliverable will be helpful in analyzing the hierarchies that exist in the management of IBFS and the effects of these hierarchies on control, governance, and authorization. I will be able to look at the relationship between mergers and acquisitions and how the SABSA security architecture will help to support changes in the entire structure of the IBFS group of companies.
Conclusion
It is very important to look at the internal and external relationships of the IBFS security structure, the organizational divisions, the people involved, and the business processes, which will help me to translate these aspects into security domains. The Contextual Security Architecture layer of the SABSA model describes the context of the business under which a secure system is to be designed. Security has to include the aspects of usability, scalability, supportability, integration, cost-effectiveness, and real-time marketability.
References
Aliyu, A. A., & Tasmin, R. B. H. J. (2012). The impact of information and communication technology on banks’ performance and customer service delivery in the banking industry. International Journal of Latest Trends Finance and Economy, 2(1), 80-90.
Burkett, J. S. (2012). Business Security Architecture: Weaving Information Security into Your Organization’s Enterprise Architecture through SABSA®. Information Security Journal: A Global Perspective, 21(1), 47-54.
Sherwood, N. A. (2005). Enterprise security architecture: a business-driven approach. CRC Press.
Whittle, R., & Myrick, C. B. (2016). Enterprise business architecture: The formal link between strategy and results. CRC Press.