Security Consultant in the Architecture Design Process - Term Paper Example

The role of security consultant in the architecture design process Name Institution Abstract: Security architecture needs the intervention of a security expert to be effectively structured to coordinate activities made of processes, people, and tools that are integrated to secure an organization's resources or assets. However, organisations still lack clear understanding of the roles of security consultants in the architecture design process. The proposed study will empirically explore the roles of security consultants in the architecture design process. The findings of the study will enable organisations to understand the significance of security consultants in their security systems. By understanding the roles of security consultants, organisations will maximise the efforts of structuring architecture needs to coordinate activities, processes, people, and tools that secure their resources or assets. The objectives of the study include determining how security consultants seek to ensure that threats and controls are in balance during the architecture design process. Next, integrating systems approach in explaining the role of security consultants in architecture design process, and lastly, identifying the role of security consultants in ensuring integrity, availability, and confidentiality of information systems. The research questions guiding the study are derived from the three research objectives. The study will be guided by design theories and systems theory. The research will use qualitative research design. Primary data will be collected through semi-structured qualitative interviews while secondary data will be collected through document analysis. The participants will include three security experts/consultants who have worked in the field of designing architecture for more than two years. Data analysis will be through qualitative interpretive method. Table of Contents Abstract: 2 Table of Contents 3 1.0 Introduction 4 1.1 Background 5 1.2 Significance of the study 7 1.3 Purpose of the study 8 1.4 Aim and objectives of the study 9 1.5 Research questions 9 2.0 Theoretical framework for analysis of security consultancy 9 2.1 Design theories 10 2.2. System’s theory 11 3.0 Literature Review 12 3.1 Security within the context of security consultant 12 3.2 Information security role and functions 12 3.3 Security architecture 14 4.0 Proposed research methodology 16 4.1 Research design. 16 4.2 Target population 17 4.3 Procedure 18 4.4 Data analysis 18 4.5 Limitations of the study 19 5.0 Reference List 19 1.0 Introduction Security architecture is an integrated security design intended to handle the requirements and potential risks associated with a particular environment or scenario. It also details out when and where security controls should be applied (Tsohou et al, 2015). The process of designing the architecture is often reproducible and needs extreme expertise to ensure its effectiveness. According to Gibbs (2008), the design principles in security architecture are often reported clearly, while the specifications of the in-depth security control are usually documented in independent documents. System architecture is essentially a design that integrates a structure and connects the components of a structure. The major attributes include the dependencies and relationships, benefits, form and drivers. According to Gibbs (2008), dependencies and relationships depict the link between the varied components within IT architecture, and how they relate. Benefits include standardisation and cost-effectiveness. Form is another attributes. Security architecture is associated with IT architecture. The last attribute is the drivers. It is based on four factors: regulatory and legal, financial, benchmarking and good practices and risk management (ISACA 2009; Gibbs, 2008). The architecture needs to be structured to coordinate activities made of processes, people, and tools that are integrated to secure an organization's resources or assets (Tsohou et al, 2015). However, to maximise these efforts, organisations need to understand the key components of security architecture, their diverse frameworks for designing and assessing an effective architecture, as well how to evaluate the effectiveness of the architecture (ISACA, 2009). This calls for the intervention of security consultant. However, as some studies have revealed, organisations still lack a clear understanding of the roles of security consultants in the architecture design process (Coole & Brooks, 2014). The proposed study will empirically explore the roles of security consultants in the architecture design process. 1.1 Background Sennewald (2012) explains that the role of security management consulting has grown since the 1990s following the expansion of the private sector across the globe, which necessitated the need for consulting services. The rise in demand for security consulting services also heightened after the 9/11, in addition to the tendencies by firms to downsize, outsource, and adopt technology in the 2000s. While security consulting has grown, the roles of security consulting continue to remain unclear. On a different account, Scholl et al (2010) suggest that most organisations have perceived a security consultant as an individual who only serves to recommend proper, cost-effective strategies to attain a wide range of security objectives, crime prevention, loss control, and investigative roles. Obviously, a rewarding dimension of security consulting is the opportunity to manage and control organisation’s security. As an independent operator, security consultant has little to do with organisational activities and the follow-up implementation of recommended programs (Tsohou et al, 2015). A consultant is essentially an agent of change tasked with advising and facilitating through research, collecting data, analysis of data, preparing data, and presenting recommendations and the design or a project (Bogers et al, 2008). Security consultants seek to ensure that threats and controls are in balance. To ensure that, the consultants need to use a holistic approach to security that covers the whole organisation. System resources, information, software, computer system services, and network connectivity are vital company assets that need protection from security threats. Relying on these processes by an enterprise rises with their expansion (Walek & Masar, 2013). Consequently, the individual assets are often left exposed to security threats. In return, the security threats exposed the assets to vulnerabilities. The consequences include a variety of harms as well as the decline an organization’s competitiveness. The operating system presents tools that facilitate working with a computer system’s hardware and information (ISACA, 2009). Additionally, they facilitate an environment for operating an organisations information system. Still, they correspond to the lower level where information systems operate (Walek & Masar, 2013). Once they are compromised, the entire information system’s security is corrupted. Hence, there is a need to engage consultants in building secure operation systems that possess security mechanisms that can guarantee effective enforcement of security goals that curtail security risks to a company’s assets (CISSP, 2012). The current model for implementation of secure operating systems is rooted in clear-cut characterization of security requirements, designing secure operating system that addresses certain requirements and proper implementation of planned architecture (Walek & Masar, 2013). However, designing secure system architecture and its implementation and application considered to be a costly and time-consuming process that demands expertise and intervention of a security consultant as the expert for particular problem domain. A security consultant selects the security features that can be integrated in secure operating system. The features selected that need to be implemented by security mechanisms have to see to it that the risks of disrupting the company asset’s integrity, availability, and confidentiality are eliminated. Therefore, understanding the specific roles of a security consultant is critical. In fact, as ISACA (2009) confirms, the exact role of security consultants is yet to be clearly defined in most enterprises. 1.2 Significance of the study In theory, the role of a security consultant is rooted in performing a risk assessment and creating security policies, standards, procedures, and measurements. Recently, security consultants have been regarded as playing a critical function in designing architecture (Vellani, 2008). In practice however, the role of security consultant is yet to be clearly defined. In fact, a survey of literature shows that no comprehensive empirical approach is yet to delineate the roles of a security consultant in designing architecture. Over the past decade, there has been an increased discussion of the roles security. Consultants play in the process of architecture design (Walek & Masar, 2013). Except for a few cases, these discussions have barely been informed by scholarly research. Hence, there is a need for an empirical research to gain some insight into the roles that consulting security specialists play in architecture design process and the value that they provide to enterprise security management. Therefore, the findings of the study will enable organisations to understand the significance of security consultants in their security systems. By understanding the roles of security consultants, organisations will maximise the efforts of structuring architecture needs to coordinate activities, processes, people, and tools that secure their resources or assets. More security consultants will also be engaged in organisation’s architecture design process. 1.3 Purpose of the study The current enterprise operating systems consists of a variety of software applications and component that correspond to security features. However, many system administrators and users have a problem with proper selection and use of these software applications and component (Scammel, 2008). In such situations, studies have showed that many organisations will end up consulting security experts without clear understanding of their roles. At the same time, in the process of designing and implementing safety operating system, the specialist knowledge of a security consultant is critical, lest the operating system be significantly exposed to threats. To avoid such scenarios, studies have also showed that organisations are likely to hire outside experts or consultants. However, as some studies have revealed, organisations still lack a clear understanding of the roles of security consultants in the architecture design process (ISACA, 2009; Tsohou et al, 2015). For this reason, this study seeks to investigate the role of security consultants in designing architecture. 1.4 Aim and objectives of the study The study aims to conduct an empirical study of the roles of security consultant in the architecture design process. The objectives of the study include: i. To determine how security consultants seek to ensure that threats and controls are in balance during the architecture design process. ii. To integrate systems approach in explaining the role of security consultants in architecture design process. iii. To identify the role of security consultants in ensuring integrity, availability, and confidentiality of information systems. 1.5 Research questions The research questions are derived from the research objectives. The proposed research questions include: i. What are the roles of security consultants in the architecture design process? ii. How do security consultants ensure that threats and controls are in balance during the architecture design process? iii. How does the role of security consultants in the architecture design process fit into the security system? iv. What other roles do security consultants play in ensuring integrity, availability, and confidentiality of information systems. 2.0 Theoretical framework for analysis of security consultancy 2.1 Design theories Puhakainen (2006) used the design theory to explain the role of security consultancy in design architecture: social, technical, and socio-technical. Within the context of security consultancy in designing architecture, design theories can be derived to view consultants as engaging in the processes of planning, specifying, recommending, and consequently implementing artefacts to provide solutions to security problems. D'Aubeterre (2008) mentions that design theories are intended to offer solutions to perceived problems. Hanseth and Lyytinen (2004) also explain that design theories are intended to provide guidance on how to resolve particular problems by asserting that, “if acted upon, they will influence an artifact of a particular type to be created. Siponen and Livaru (2006) suggested certain design theories are effective for certain context where particular set of requirements are applied to a certain category of design problems across systems (horizontal demarcation) or to a certain division of information systems (vertical demarcation). The vertical design theories set in domain specific design theories intended for a particular class of information security systems that have similar structural features. The theory seeks to resolve the problems of how to specify and control a set of information systems before any security measure is designed. Within this context, a security consultant can be viewed to be serving the functions of specifying and managing a set of information systems before any security measure is designed. On the other hand, horizontal design theories are intended to resolve general process features in various design situations. It hypothesises that particular process features help in reaching solution despite the type of system an individual works with. Process theories also predict the interactions between people, and other resources on the success of a design and the delivery time. Indeed, Puhakainen (2006) shows that design theories have two key dimensions: a process and design. The product consists of a set of features that a product should have for attaining a certain goal. The process denotes the particular method for building the product. Within this context, the role of security consultant would include managing and controlling the processes of designing architecture to ensure success design within the set deadline. 2.2. System’s theory Due to the erratic pace of today’s enterprises, businesses should shield themselves from vulnerability at any time, and to design solutions rapidly, as well as cost-effectively. Application of systems thinking concept enables a life-cycle approach to information security management across all facets of an enterprise (Prezelj, 2012). The model is focused on security, although when eventually embraced fully, positively impacts other functional processes. Systems theory is concerned with the principles that apply to systems (Smith & Brooks, 2012). The theory hypothesises that effective functioning of a system can only be attained by integrating the interrelated components (Mele et al., 2010). Within the context of the role of a security consultant in design architecture process, the theory can be derived in order to view the profession as being part of a company’ security system. Hence, system objectives cannot be addressed, except for when the interrelated parts are drawn to function as an integrated system (Coole et al, 2012 Soltani & Yusof, 2012). 3.0 Literature Review 3.1 Security within the context of security consultant Within the context of this proposed research, security denotes a well-informed sense of guarantee that threats to information and controls are in balance. This is applicable to any valuable of vulnerable asset. However, the difference is distinct between physical security, information security and IT security. Beardsley (2013) defines physical security as the measures derived to prevent unauthorized access to assets, such as equipment, resources, and facilities. On the other hand, IT security aims to protect technical measures and applications. Lastly, information security defines the protection of information, whether digital or analogue (Feruza & Kim, 2009). In the context of the proposed study, the focus is on information security, hence both digital and analogous information are taken into consideration. As Zhyzhneuski (2011) explains, the three basic qualities of information are at risks of losing integrity, confidentiality, and availability. Confidentially seeks to ensure accessibility of information to only those with authorized access. Availability seeks to ensure that authorized users can access information and the related assets whenever required. Integrity, on the other hand, protects the accurateness and wholeness of information and information processing and storage methods (Fenelly, 2012). However, a critical success factor for effective information security design and implementation is the security consultant. The consultant balances the information threats and controls. 3.2 Information security role and functions In the current globalised economy and the continuously changing enterprise risk, enterprise security risk is increasingly becoming a business enabler. As Feruza and Kim (2009) view it, given the rapidly evolving research, technology, tools, and standards, businesses today benefit from mechanisms that can help secure their business operations, as well as the fundamental information and infrastructure involved. Still, enterprises struggle to uphold regulatory requirements, risk management, and economic conditions. As Schermann et al (2011) argue, the exact role of information security is yet to be defined clearly. While information security is still perceived as a cost centre, it has been showed that when an organisation’s information security is effectively managed, it can enable an enterprise to meet its business goals through improvement of efficiency and alignment of business objectives. According to ISACA (2009), enterprises usually consider information security in isolation. He further explains that they enterprises may have a common perception that security is someone else’s responsibility and hence, there is no collaborative effort to link security measures to business goals. With a compartmentalised approach, the security management becomes more vulnerable, as well as unnecessary spending on control and security. Basing on operational perspective, the security management efforts are less likely to attain the intended business benefit, leading to information at risk. On the other hand, some perceive information security as exclusively a technical discipline. While information technology offers tools valuable for protection of information, technology is not the only solution. In order to secure information, Fenelly (2012) advises that organisations must design systems architecture that is supported by effective procedures, standards, and guidelines. In some organisations, technology policies, strategies, standards and processes and created without understanding how organizational culture affects program effectiveness Cubbage &Smith, 2009). The security efforts that fail to take into consideration how humans react to and fail to apply technology usually fail to deliver the required benefits. In his view, hiring security consultants who understand how humans react to and apply technology so as to deliver the anticipated benefits (Oludele et al, 2009). ISACA (2009) also explains that information security encompasses various within an enterprise. Each specific area has some form of security vulnerabilities as well as equivalent countermeasures that elevate the security level as well as provide effective protection. Wang et al. (2008) takes this perspective to argue that organisations should hire security consultants with specialist knowledge on the security vulnerabilities. On a different account, failure to understand the varied areas and security levels of operating systems, protocols, network devices, hardware, and applications may lead to security vulnerabilities affect the environment in its entirety (Young & Leveson, 2014). 3.3 Security architecture Security architecture entails the design of intra- and inter-enterprise security solutions to address a client’s business requirements in the areas of application and infrastructure. Thorn et al (2008) opine that architects who engage in security work need to have the capacity to define the detailed technical requirements for security, as well as design, document and ensure operational and functional architectures, using the right security technology and process components as well as ensuring that the solution can address the security needs. According Gibbs (2008), security architecture as a broad and formal inclusion of the processes, people, technology, and policies that makes up the security practices of an enterprise. According to Walek and Masar (2013), it is in the architecture dynamic interconnection that an enterprise realised defence in depth. As regards design, Oludele et al (2009) explain that it defines or depicts how the positioning of security controls as well as how they relate to the entire information technology architecture. Therefore, security architecture is intended to define the security capabilities in various businesses areas consistently and a cost-effectively, and to enable an enterprise to be upbeat with its security investment decisions. Security Architecture is also viewed by Wang et al. (2008) as a cohesive security design that addresses requirements such as authorisation and authentication, as well as the risks of a certain scenario, environment and identifies the security controls that should be applied. The security architecture should address applications, processes, infrastructure, processes, and security operations and management. Application security architecture is anchored in the two. It needs to address the security provided in the applications as well as the additional controls needed outside the application. ISACA (2009) argues that customarily, security architecture is considered a document that outlines the security services that should be provided, as well as how and where within a layered model. According to Bogers et al (2008), the enterprise in enterprise architecture encompasses all types of organisations, whether public or private organisations. The four main layers of an enterprise is made up of include data and information, business, application, and infrastructure or technological (See Figure 1). The organisation activities and processes utilise information or data that needs to be collected, organized, as well as distributed through applications that run on technology such as a computer system. Figure 1: Four typical layers in information architecture (Bogers et al, 2008). 4.0 Proposed research methodology The research questions call for a general overview of the current situations in current organisations in order to identify the role of security consultants in designing architecture. The research will use qualitative research design. 4.1 Research design. The reason for selecting qualitative research is due to the qualitative nature of data the research desires for the study. In particular, the researcher expected to collect participant’s responses verbatim. The researcher seeks to explore organisational understanding of the role of security consultants. Ellis and Levy (2008) explains that qualitative research methods stress on understanding and interpreting phenomenon in their natural settings and within the context of insider view. Additionally, this is since the research expected to survey few participants. Primary data will be collected through semi-structured qualitative interviews. Secondary data will be collected through from relevant research literature, organisational reports, internet sources, and company databases. The secondary data used will be critically evaluated to gain a better insight into the roles of security consultants in designing architecture (Phellas et al, 2011). Figure 2: Conceptual map of the study (Ellis & Levy, 2008). 4.2 Target population The participants will include three security experts/consultants who have worked in the field of designing architecture for more than two years. The reason for relying on the three years as the criteria for selecting the participants is since the research believes that the period of time is sufficient for any security expert in the field to gain sufficient experience. Each of the participants who willingly agree to take part in the study will be interviewed separately. 4.3 Procedure The primary data is collected using semi-structured interviews questionnaires. In order to ensure a broad and systematic interviewing of the participants, an interview guide will be used. The process will involve verbally administered questionnaires, where the respondents will be asked from a list of preset questions with limited variation and limited scope (Onwuegbuzie et al, 2012). Semi-structured interview method is selected since the researcher desires that the participants respond to the same set of stimuli or questions in order to cause identical combination of stimuli (Cohen et al, 2007). Each of the interviews will take between 30 and 60 minutes. The interviews will be conducted on a one-off basis. Interviewers will be provided with a brief outline of the intent, extent and what they will be required to do prior to the meeting. Notes will be taken during the interview to record responses from the participants (Heyvaert e al, 2013). 4.4 Data analysis Data analysis will be done after each interview once the transcripts are prepared and the notes taken. The researcher will complete all the transcripts. During this time, notes will be made on the potential themes and issues that will emerge during the interview. The process involves developing coding scheme or classification that enables generation of themes and ideas (Denzin & Lincoln, 2011). Each interview script will then be reviewed (Heyvaert e al, 2013). A coding system will be established based on the results of the review. The codes will be based on key topics that emerge from the research questions. Each section of the transcripts will then be coded (Woolley, 2009). Afterwards, each response will be assigned into a theme to allow for description and discovery of ideas. Qualitative interpretation of data will then be done to generate meaning. 4.5 Limitations of the study Since qualitative interpretation will be used in analysis of data, the research is likely to be exposed to bias. The validity of the qualitative analysis will also depend on the researcher's competence and skills. Because of the small study sample, the findings of the research are likely to be less generalisable. 5.0 Reference List Beardsley, J. (2013). Security 101: Understanding the Common Layered Security Concept. The Valley Business Journal Bogers, T., Meel, J. & Voordt, T. (2008). Architects about briefing: Recommendations to improve communication between clients and architects. Facilities 26(3), 109-116 Bosch, S. (2014). Designing Secure Enterprise Architectures. MSc Business Information Technology Institute: University of Twente Faculty of Electrical Engineering, Mathematics and Computer Science Enschede, the Netherlands Bucur, A. (2010). Banking 2.0: Developing a Reference Architecture for Financial Services in the Cloud. Utrecht: Capgemini Consulting Technology Outsourcing CISSP. (2012). Common Body of Knowledge Review: Security Architecture & Design Domain. Open Security Training Version: 5.10 Cohen, L., Manion, L. & Morrison, K. (2007).Research methods in education. (6th ed.). London: RoutledgeFalmer Coole, M. & Brooks, D. (2014). Do Security Systems Fail Because of Entropy? Journal of Physical Security 7(2), 50-76 Coole, M., Corkill, J. & Woodward, A. (2012). Defence in Depth, Protection in Depth and Security in Depth: A Comparative Analysis Towards a Common Usage Language. Paper published in the Proceedings of the 5th Australian Security and Intelligence Conference, Novotel Langley Hotel, Perth, Western Australia, 3rd-5th December, 2012 Cubbage, C. & Smith, C. (2009). The function of security in reducing women's fear of crime in open public spaces: A case study of serial sex attacks at a Western Australian university. Security Journal, 22, 73–86 D'Aubeterre, F. (2008). A Design Theory for Secure Semantic EBusiness Processes (SSeBP). New York: ProQuest Denzin. N. & Lincoln, Y. (2011). The SAGE Handbook of Qualitative Research. New York: SAGE Publications Ellis, T. & Levy, Y. (2008). Framework of Problem-Based Research: A Guide for Novice Researchers on the Development of a Research-Worthy Problem. Informing Science: the International Journal of an Emerging Transdiscipline vol 11, pp.17-33 Fenelly, L. (2012). Effective Physical Security. (4th ed.) Waltham, MA: Butterworth-Heinemann Feruza, S. & Kim, T. (2009). IT Security Review: Privacy, Protection, Access Control, Assurance and System Security. International Journal of Multimedia and Ubiquitous Engineering 2(2), 17-30 Gibbs, N. (2008). Elements of a Good Security Architecture. Internal Auditor. Retrieved: Hanseth, O. & Lyytinen, K. (2004). Theorizing about the Design of Information Infrastructures: Design Kernel Theories and Principles. Case Western Reserve University, USA . Sprouts: Working Papers on Information Systems, 4(12). Heyvaert, M., Hannes, K., Maes, B. & Onghena, P. (2013). Critical Appraisal of Mixed Methods Studies. Journal of Mixed Methods Research 20(10), 1-26 ISACA. (2009). An Introduction to the Business Model for Information Security. ISACA: Rolling Meadows, IL. Retrieved: Mele, C., Pels, J. & Polesce, F. (2010). A Brief Review of Systems Theories and Their Managerial Applications. Service Science 2(1/2), 126 – 135 Oludele, A., Ogunnusi A., Omole O. & Seton O. (2009). Design of an Automated Intrusion Detection System incorporating an Alarm. Journal of Computing, 1(1), 149-157 Onwuegbuzie, A., Leech, N. & Collins, K. (2012). Qualitative Analysis Techniques for the Review of the Literature. The Qualitative Report 17(56), 1-28 Phellas, C., Bloch, A. & Seale, C. (2011). Structured Methods: Interviews, Questionnaires And Observation. Retrieved: Prezelj, I. (2012). Challenges in Conceptualizing and Providing Human Security. HUMSEC Journal, Issue 2, 1-22 Puhakainen, P. (2006). A Design Theory For Information Security Awareness. A Scientiae Rerum Naturalium 463 Salim, H. (2014). Cyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks. Massachusetts Institute of Technology Working Paper Cisl# 2014-07 Scammel, T. (2008). Security Architecture: One Practitioner's View. ISACA Journal 1(1), 1-5 Schermann, M., Bohmann, T. & Krcmar, H. (2011). Explicating Design Theories with Conceptual Models: Towards a Theoretical Role of Reference Models. Retrieved: Scholl, M., Stine, K., Lin, K. & Steinberg, D. (2010). Security Architecture Design Process for Health Information Exchanges (HIEs). Washington D.C: National Institute of Standards and Technology Sennewald, C. (2012). Security Consulting. New York: Butterworth-Heinemann Siponen, M.& Livaru, J. (2006). Six Design Theories for IS Security Policies and Guidelines. Journal of the Association for Information Systems 7(7), 445-472 Smith, C. & Brooks, D. (2012). Security Science: The Theory and Practice of Security. Oxford: Butterworth-Heinemann Soltani, F. & Yusof, M. (2012). Concept of Security in the Theoretical Approaches. Research Journal of International Studies 1, 7-16 Thorn, A., Christen, T., Gruber, B., Portman, R. & Ruf, L. (2008). What is a Security Architecture? Information Security Society Switzerland. Retrieved: < https://www.isss.ch/fileadmin/publ/agsa/Security_Architecture.pdf> Tsohou, A., Karyda, M., Kokolakis, S. & Kiountouzis, E. (2015). Managing the introduction of information security awareness programmes in organisations. European Journal of Information Systems 24, 38–5 Vellani, K. (2008). Strategic Security Management: A Risk Assessment Guide for Decision Makers. New York: Butterworth-Heinemann Vellani, K. (2009). Crime Analysis for Problem Solving Security Professionals in 25 Small Steps. Pop Centre. Retrieved: Walek, B. & Masar, J. (2013). Methodology for design of safe operating systems. Information Technology & Computer Science 4(1), 634-638 Wang, J., Chaudhury, A. & Rao, R. (2008). A Value-at-Risk Approach to Information Security Investment. Information Systems Research 19(1), 106-120 Woolley, C. (2009). Meeting the Mixed Methods Challenge of Integration in a Sociological Study of Structure and Agency. Journal of Mixed Methods Research 3(7), 7-25 Young, W. & Leveson, N. (2014). An Integrated Approach to Safety and Security Based on Systems Theory. Communications Of The ACM. 57(2), 31-35 Zhyzhneuski, A. (2011). BIM as a Modern APproach to the Design and Management in Construction Industry. Retrieved: Read More