Business Contextual Architecture – Public Sector Case Study

Presented here is another segment in the series focusing on constructing a business contextual architecture, utilizing the Agile Security System devised by Andrew Townley. This particular case study centers on the public sector, specifically examining the context of the City of Mesa, Arizona. The figure below is the Domain Impact Worksheet from the Agile Security System.

Figure 1 – Domain Impact Worksheet for City of Mesa, Arizona

Methodology

Please note that I use the phrases “security objectives” and “business objectives” throughout the observations below. This is an architectural or strategy technique that I learned from SABSA and Andrew Townley. SABSA refers to them as “business attributes.” Business attributes are abstractions of risk mitigation strategies or enablement strategies that must be met for an organization to deliver or achieve a desired outcome, goal or objective. The specific security objectives, like Available and Risk-Managed, and their associated definitions are from “Getting Started with the Agile Security System” (Townley, 2023, Appendices E and F). A cybersecurity strategy and operations need to incorporate and deliver on these cybersecurity objectives.

Observations

  1. The official website, www.mesaaz.gov, stands as the primary brand for the City. Residents depend on the site’s continuous availability, anticipating unfettered access at all times. Moreover, residents expect that any information gathered from them is handled with the utmost protection. The security objectives, encompassing Availability, Governed, Duty-Segregated, Reputable, and Safe, are paramount in this context. Additionally, Customer-focused, Usable, and Resourced are other important business objectives.
  2. Data.mesaaz.gov and openbudget.mesaaz.gov assume a pivotal role in promoting the City’s strategic priority of cultivating “Strong Community Connections.” The essence of their importance is rooted in harnessing data analytics, minimizing disruptions to stakeholders, and aligning with the objective of ensuring transparency with citizens, thereby helping the implementation of a smarter Mesa. These two websites share the same security objectives as www.mesaaz.gov, including Availability, Governed, Duty-Segregated, Reputable, and Safe. Additionally, an overarching objective for Data.mesaaz.gov and openbudget.mesaaz.gov is to be Interoperable.
  3. The complexity and diversity of City Services are unparalleled. The City of Mesa operates utilities, medical service, police, transportation, library, parks, social services and public Wi-Fi. These services are delivered by people operating in 28 diverse departments within the City of Mesa. The services are structured by unique and overlapping processes and expose different types of information to customers and employees. The intricate complexity and diversity of services provided by the City of Mesa give rise to distinct business requirements, legislative demands, and a varied landscape of attack surfaces that require targeted risk mitigation strategies. A notable example is the existence of 52 internet-accessible web applications supporting diverse city processes. Consequently, it is imperative to incorporate critical security objectives into the cybersecurity strategy to effectively address these challenges. The essential security objectives include Risk-Managed, Compliant, Documented, Recoverable, Access Controlled, and Integrity-Assured.
  4. Given the complexity and diversity of the City of Mesa’s services, the maturing of an Enterprise Architecture (EA) capability becomes imperative. The City has recognized the importance of maturing such a capability by incorporating it into its IT Strategic Plan and Roadmap document. The EA capability needs to incorporate and be integrated with Cybersecurity Architecture and Solution Architecture. These architecture domains play a crucial role in ensuring that solutions are not only technologically sound but also aligned with key cybersecurity objectives and requirements. Customer-Focused and Governed are key business objectives. Enterprise Architecture can help break down silos, explore new technologies and capabilities, ensure IT alignment with the 50-year plan (see https://plan.konveio.com/tomorrows-mesa-2050-general-plan), and support IT governance.
  5. Effective risk management and policy governance are indispensable for municipalities like the City of Mesa, particularly in the context of limited funding for cybersecurity compared to federal governments or private corporations. Prioritizing IT security and privacy funding via risk management is paramount. A key facet of risk management involves identifying the appropriate owner / role, whether it be a City Manager, Mayor, or Department Head, to accept, mitigate, or transfer risks. The integration of risk management with a comprehensive City-wide framework, beyond cybersecurity and privacy, is essential. The adoption of a “Domain Framework” based on SABSA becomes instrumental, where each domain is owned by an accountable individual responsible for setting policies and risk appetite, while adhering to the parent risk parameters and policies. For example, the City of Mesa via the Mayor and City Council would set a city wide risk appetite level and general cybersecurity risk policy (i.e., Enterprise Domain). All child domains (e.g. Process, Information, Information Technology) would have to adhere to the risk appetite and policies of the parent (i.e., Enterprise Domain). This approach enables the appropriate role to make and own risk decisions similar to the ones they are already making in finance, legal, and HR. Cybersecurity would need to be consulted on cybersecurity policy and risk decisions. This approach also removes IT Security as the perceived owner of all cybersecurity risk and a blocker to projects/initiatives. Cybersecurity could also work with domain owners to draft policies. Domain owners would be accountable for writing policies for their domain and demonstrating compliance to them.
  6. Cybersecurity in local governments is a public safety risk that needs to be Risk-managed and Safe. 
  7. There are a lot of processes needed to structure the diverse City services. The process information in the Domain Impact worksheet is from the Process Classification Framework® (PCF), specifically the City Government PCF. There is a potential opportunity to leverage the City Government PCF to benchmark services, resulting in improvements in processes and services. Per APQC, the PCF serves as a high-level, industry-neutral enterprise process model that allows organizations to see their business processes from a cross-industry viewpoint.
  8. The City exhibits seemingly greater transparency in sharing information about its IT assets compared to the private sector, evident in instances such as the Palo Alto Networks customer success story featuring their technology used by the City. However, this abundance of information poses potential risks, as threat actors could leverage it for reconnaissance purposes (see MITRE ATT&CK framework techniques T1589, T1590 and T1591). Therefore, a well-rounded cybersecurity strategy needs to incorporate the cybersecurity objectives of Educated, Classified, and Risk-Managed. Striking a balance between transparency and security is crucial to maintain the City’s resilience against potential cyber threats.
  9. The City of Mesa must allocate sufficient resources, if not already, to effectively identify and manage regulatory requirements for its complex environment. This necessitates collaboration, potentially through a committee comprising representatives from IT Security & Risk, the City Attorney’s office, and designated “Domain Owners” (see #5 above) for specific services. Any cybersecurity strategy needs to incorporate the objective of “Compliant.” Below are examples of potential regulations and standards that may impose requirements for cybersecurity and privacy based on the information utilized and services offered by the City of Mesa. These sources should be carefully considered and integrated into the security strategy to maintain compliance: a) PHI – Health Insurance Portability and Accountability Act; b) PII – Children’s Online Privacy Protection Act, The Electronic Communications Privacy Act, Arizona’s Data-Breach Notification Law; c) Payment Information – The Payment Card Industry Data Security Standard; d) Water Utility – US Environmental Protection Agency Cybersecurity Checklist; e) Arizona Freedom of Information Act; f) US Transportation Security Administration cybersecurity requirements for airports and aircraft operators; g) US Executive Branch Strategies and Orders – National Cybersecurity Strategy, Executive Order 14028, Executive Order 13800, Policy Directive PPD-21; h) US Federal Aviation Agency’s regulations for Unmanned Aircraft Systems; i) NIST Cybersecurity Framework; j) Criminal Justice Information – FBI’s CJIS Security Policy; k) Cybersecurity Incident – SEC Rules on “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.” Obviously, the City of Mesa is not a publicly traded company and these rules don’t apply to the City. However, it might be worthwhile to adopt the SEC framework for handling disclosures in the spirit of transparency if it doesn’t conflict with other laws or regulations.
  10. Ransomware is a critical concern. Per the Verizon Data Breach report from 2023, ransomware remains the favored approach for disrupting government operations. Several security objectives need to be addressed in response to ransomware: Risk-Managed, Recoverable, Access Controlled, Integrity-Assured, and Educated. Dallas (May 2023 – June 2023) and the City of Oakland (February – April 2023) are two examples of cities impacted by ransomware attacks. At minimum, the City should, if not already: a) utilize the domain impact worksheet (or similar business architecture modeling or business impact analysis) to initiate the identification of critical services necessitating protection, resilience, and expedited recovery in the event of a ransomware attack; b) evaluate the City’s alignment with CISA’s Stop Ransomware Guide, potentially converting the guidance into a spreadsheet or web application to assess and monitor progress. This evaluation should encompass technology, personnel, and processes; c) encourage cybersecurity technology partners to conduct complimentary ransomware health checks and remediation assessments of their technologies deployed within the City of Mesa’s environment; d) ensure the existence of an up-to-date and tested Incident Response plan, involving key stakeholders such as the City Manager, City Attorney, Mayor, and Councilors. Additionally, safeguard and regularly test the backup and restore infrastructure to ensure its effectiveness in mitigating the impact of a potential ransomware incident. Ensure there is a reputable incident response company, such as Verizon or Mandiant, on retainer to assist with incident response along with the appropriate federal and state agencies.
  11. The City of Mesa should be cognizant of several trends identified in the 2023 Verizon Data Breach Report that are relevant to its security posture. While the report does not provide a breakdown by level of government, the patterns observed, such as system intrusion, basic web attacks, DDoS, social engineering, and miscellaneous errors, are pertinent to municipal entities. Espionage-motivated actors pose a notable threat in this sector, and the persistent issue of collusion between disgruntled internal actors and external entities requires attention. Financially motivated actors and nation states targeting the public sector for information remain a concern, with personal information being the most frequently stolen data type. In response to these threat actors, critical security objectives, including Risk-Managed, Integrity-Assured, and Risk-Aware, must be addressed. The City of Mesa should explore the feasibility of implementing geo-blocking for all web applications except www.mesaaz.gov, so that site continues to support efforts to market and attract individuals and organizations to the city. Additionally, it is advisable for the city to assess its control maturity and capabilities against recognized frameworks such as the CIS Critical Controls and MITRE ATT&CK to ensure a robust and adaptive security posture, especially for applications listed in the “Critical Apps” subdomain. Side note – I like that VERIS has mapped their incident classification patterns to MITRE ATT&CK framework techniques and the CIS Critical Controls.
  12. Similar to other cities, the City of Mesa has placed a strategic emphasis on evolving into a “Smarter City.” As the city progresses towards becoming smarter, several of the previously mentioned Security Objectives remain applicable. The criticality and frequency of cybersecurity incidents are expected to rise, especially as services increasingly rely on interconnected Operational Technology (OT) systems, Information Technology (IT) systems, and Smart City infrastructure. Recognizing the growing complexity and interconnectivity, CISA has offered cybersecurity best practices tailored for Smart Cities, along with the attributes of a trusted Smart City. Consulting and potentially adhering to these best practices is crucial for the City of Mesa to enhance the security posture of its Smart City initiatives.
  13. Like Rogers Corporation, the City of Mesa has a cloud presence. I would have the same observations for the City of Mesa as those for Rogers Corporation.

Initial questions

  1. Is the Domain Impact worksheet accurate, or are there crucial elements missing?
  2. What are critical services and initiatives requiring guidance from cybersecurity? 
  3. What is the risk management process for identifying, assessing, addressing, etc. risk?
  4. Who is responsible for collecting regulations etc. and converting them into policies and requirements? 
  5. Is there a dedicated cybersecurity and IT plan for managing attacks involving ransomware?
  6. Why is business continuity with Cybersecurity? 
  7. How are cybersecurity items on the IT Strategy and Roadmap identified and prioritized? 
  8. How does cybersecurity architecture, enterprise and solution architecture integrate? 
  9. What components of the CIS Critical Security Controls are in place for the Information Technology parent domain in terms of people, process and technology?
  10. How is the cloud governed? Are there any initiatives involving cloud? 
  11. How is the network segmented? 
  12. How mature is City of Mesa’s Security Operations Capability?  

Business Contextual Architecture – The Why, The Approach and A Case Study

The Why

So, you are a newly hired X at an organization. You can substitute X with CISO, architect, engineer, senior manager, consultant, sales manager etc. Maybe, you are a cybersecurity architect or enterprise architect at an existing organization and you have been tasked to develop a cybersecurity architecture strategy.

You probably have many, many questions (or you should), like…

  1. How do I determine what is most important to the organization?
  2. How do I gather and organize the various requirements from policies, standards and stakeholders?
  3. How do I get the “lay of the land” quickly, so I can ask people good questions and share some initial observations?
  4. How do I create credibility and trust?
  5. How do I get my organization to “shift left?”

The Approach

Over the past two years, I’ve been immersed in a transformative approach aimed at tackling these types of questions. This method, known as the “Agile Security System,” has been developed, maintained and taught by Andrew Townley (visit https://agilesecuritysystem.com for more details) and is based on SABSA. I have been a big supporter and fan of SABSA since 2018. My journey with Andrew’s methodology began during my participation in a “Building Effective Security Architectures” cohort. Subsequently, I had the opportunity to put it into practice within a healthcare organization valued at over $9 billion. To reinforce my understanding, I delved into Andrew’s book, “Getting Started with The Agile Security System,” as a refresher this year. For ongoing insights and master classes on this methodology, Andrew’s “Club” is an invaluable resource, complemented by his monthly “Security Sanity” newsletter.

Note: it’s important to clarify that my acknowledgment of Andrew Townley’s work is not driven by any financial incentives or benefits from him. I credit him for this approach because it genuinely deserves recognition (and he owns the copyrights and trademark too).

A critical, must-have deliverable of the business contextual architecture of the “Agile Security System” is the “Domain Impact Worksheet.” Other deliverables include:

  1. Listing of requirements and objectives per domain in the “Domain Impact Worksheet.”
  2. Listing of risks to the objectives and requirements
  3. Listing of strategies to mitigate the identified risks
  4. Mapped relationships and approved interactions between domains

This posting focuses on the “Domain Impact Worksheet” deliverable. In Figure 1 below, the “Domain Impact Worksheet,” you will see an arrangement of blue and gold boxes. Each of these colored boxes represents a unique “domain,” a concept rooted in the idea that a domain is “any collection of elements that share a common set of characteristics that can be deployed to deliver a common purpose” (Townley, 2023). This foundational concept, courtesy of SABSA, is a noteworthy contribution to breaking down and organizing the elements of an organization. Gold domains have elements with corresponding items in the real and physical world, while blue domains organize logical elements.

The Domain Impact worksheet serves as a consistent, visual framework and communication tool for organizing the elements of an organization for analysis and for structuring requirements (see question #2 above). Each domain adheres to a consistent set of criteria, aiding in the determination of whether an element belongs within its confines. Moreover, each domain can have distinct requirements that must be addressed, or risks that must be mitigated, via security objectives (i.e., the Cybersecurity Strategy). The beauty of this system lies in its ability to nest domains within each other, forming a hierarchy of super-domains and subdomains. Subdomains inherit requirements from their super-domain but may also have unique requirements that their peer domains do not share.
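As an added illustration (not code from this post, from SABSA, or from the Agile Security System), the following Python models the nesting and inheritance described here and in observation #5 of the City of Mesa case study above: each domain has an accountable owner, a risk appetite and a set of security objectives; subdomains inherit every objective of their super-domain, and a child may not set a looser risk appetite than its parent. The owner roles, the 1-to-5 appetite scale and the example hierarchy are constructed assumptions for the demonstration, not the City of Mesa’s actual structure.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Domain:
    """One box on the Domain Impact Worksheet: a named collection of elements
    with an accountable owner, a risk appetite and a set of security objectives.
    The numeric appetite scale (1 = least risk tolerated ... 5 = most tolerated)
    is a constructed convention for this example."""
    name: str
    owner: str
    risk_appetite: int
    objectives: Set[str] = field(default_factory=set)
    parent: Optional["Domain"] = None
    children: List["Domain"] = field(default_factory=list)

    def add_child(self, child: "Domain") -> "Domain":
        child.parent = self
        self.children.append(child)
        return child

    def effective_objectives(self) -> Set[str]:
        """Objectives this domain must deliver: its own plus every ancestor's."""
        inherited = self.parent.effective_objectives() if self.parent else set()
        return inherited | self.objectives

    def lineage(self) -> List[str]:
        """Domain names from the enterprise root down to this domain."""
        chain = self.parent.lineage() if self.parent else []
        return chain + [self.name]


def walk(root: Domain):
    """Yield every domain in the hierarchy, parents before their children."""
    stack = [root]
    while stack:
        d = stack.pop()
        yield d
        stack.extend(reversed(d.children))


def find(root: Domain, name: str) -> Optional[Domain]:
    return next((d for d in walk(root) if d.name == name), None)


def appetite_violations(root: Domain) -> List[str]:
    """A child may not tolerate more risk than its parent; report any that do."""
    problems = []
    for d in walk(root):
        if d.parent is not None and d.risk_appetite > d.parent.risk_appetite:
            problems.append(
                f"{d.name} (appetite {d.risk_appetite}) exceeds parent "
                f"{d.parent.name} (appetite {d.parent.risk_appetite})"
            )
    return problems


def objectives_by_owner(root: Domain) -> Dict[str, Set[str]]:
    """What each accountable owner must write policy for and demonstrate compliance with."""
    out: Dict[str, Set[str]] = {}
    for d in walk(root):
        out.setdefault(d.owner, set()).update(d.effective_objectives())
    return out


def build_example() -> Domain:
    """Constructed hierarchy loosely following the post's Enterprise / Process /
    Information / Information Technology example. Owners, appetites and
    objectives are illustrative assumptions only."""
    enterprise = Domain("Enterprise", "Mayor and City Council", 2,
                        {"Risk-Managed", "Governed", "Safe"})
    enterprise.add_child(Domain("Process", "City Manager", 2, {"Documented"}))
    enterprise.add_child(Domain("Information", "City Attorney", 2,
                                {"Compliant", "Classified"}))
    it = enterprise.add_child(Domain("Information Technology", "Department Head", 2,
                                     {"Recoverable", "Access Controlled"}))
    # Deliberately looser than its parent so the check below has something to flag.
    it.add_child(Domain("Critical Apps", "Department Head", 3, {"Available"}))
    return enterprise


if __name__ == "__main__":
    root = build_example()
    apps = find(root, "Critical Apps")
    print(" > ".join(apps.lineage()))
    print(sorted(apps.effective_objectives()))
    for problem in appetite_violations(root):
        print("VIOLATION:", problem)
```

Running the module prints the lineage of the “Critical Apps” subdomain, the full set of objectives it inherits down the chain, and one violation because its risk appetite is looser than its parent’s. The `objectives_by_owner` view is the piece a domain owner would use when drafting the policies they are accountable for.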

In essence, the “Domain Impact Worksheet” becomes a canvas illustrating (see question #3 above) the connectivity between the organization’s vital value streams and the underlying components of people, products, processes, services, facilities, information, and technology (see question #1 above). It not only visually organizes these elements but also provides a foundation for showing how they interact with one another within the organizational landscape. It helps you “shift left” (see question #5 above) because you start with “the business” context, and it creates credibility (see question #4 above) by demonstrating that you understand what cybersecurity needs to protect and enable.

One key principle embedded in “The Agile Security System” is the commitment to thorough preparation (i.e., do your homework). I complete “my homework” by utilizing various tools, including:

  1. SEC 10-K Document review: One valuable resource is the SEC 10-K Filings, particularly the “Risk Factors” section. This document, initially introduced to me when I was enrolled in the MBA program at Grand Canyon University, offers a business-centric perspective on cybersecurity risks alongside other organizational challenges. Instead of drowning in a sea of technical jargon, it provides a holistic view, steering clear of mere lists of CVEs or the latest cyber threats.
  2. SSL Labs Report Review: Provides a “grade” on the SSL hygiene of a website and type of web platform (e.g. IIS, Apache) utilized by the website.
  3. Shodan IO Report Review: The Shodan IO report on the main website takes the investigation further, presenting web platforms, operating systems, and even country locations.
  4. Searching and reviewing job descriptions. Job descriptions can be surprisingly revealing. A glance at them can provide valuable information on the technical applications and platforms actively used within the organization, offering a glimpse into its technological ecosystem.
  5. OSINT Framework. This is not a tool per se, but a way to query free search engines, resources, and tools publicly available on the Internet. Various tools provide information on IP addresses.
  6. Review the latest Verizon Data Breach report. This report furnishes incident data within a particular industry, aiding in the identification of potential risks for the organization under scrutiny.
  7. Prompting ChatGPT 3.5. Leveraging the power of generative AI through ChatGPT 3.5 can bring another layer of understanding. This platform not only answers questions but also provides contextual information about the organization, generating risks, and information in areas that you are not well-versed in.
  8. Leverage Microsoft PowerPoint, Word, Google Slides or Docs. Don’t overlook the simplicity and adaptability of familiar tools. The Microsoft PowerPoint slide exemplified in Figure 1, the “Domain Impact Worksheet,” is based on a template from the “Building Effective Security Architectures” cohort. It serves as a template for creating reusable business contextual architectures, offering a straightforward yet effective means of documentation. I also use Microsoft Word to collect and organize my notes and the output from the various tools mentioned above. My notes are organized around the various domains and risk factors.

A Case Study – Rogers Corporation (Engineering and Manufacturing, ROG – NYSE)

Rogers Corporation designs, develops, manufactures and sells high-performance and high-reliability engineered materials and components to meet its customers’ demanding challenges. Rogers operates two strategic operating segments: Advanced Electronics Solutions (AES) and Elastomeric Material Solutions (EMS).

Note – Elastomeric materials are polymers with elastic properties, capable of returning to their original shape after deformation.

The “Domain Impact Worksheet” in Figure 1 summarizes part of the business contextual architecture of Rogers Corporation.

Figure 1 – Domain Impact Worksheet for Rogers Corporation

Let’s go back to question #3 above, except let’s slightly re-word it.

What are some questions and initial observations about Rogers Corporation?

Initial Observations

  1. Ensuring the safeguarding and facilitation of critical functions such as manufacturing, engineering, sales, financial systems, shipping, and engineering services is of paramount importance. The uninterrupted operation of factories and the timely issuance of invoices are directly tied to the financial health of the company. This principle extends to Rogers’ Supply Chain partners as well. Any cybersecurity incident or unforeseen disruption stemming from poorly executed upgrades or changes has the potential to significantly impede these essential services. A comprehensive cybersecurity strategy must integrate security goals that encompass availability, change management, configuration management, monitoring, recoverability, risk management, vulnerability management, threat monitoring, threat management, and usability (see Townley, 2023, Appendix E for definitions of these objectives or attributes).
  2. Securing Rogers’ proprietary information, including trade secrets such as manufacturing processes, patents, licenses, and confidential customer data, demands a strategic focus within any robust cybersecurity framework. Effectively safeguarding these critical assets necessitates the integration of security objectives that prioritize confidentiality, classification, access control, duty segregation, awareness, governance, and ongoing monitoring (see Townley, 2023 Appendix E for definitions of these objectives or attributes).
  3. The business requirements for writing cybersecurity policies and ensuring Rogers complies with various regulations come from several sources. These requirements must be harmonized and ideally aligned with a centralized control framework, such as the Unified Compliance Framework. To achieve this, an evaluation of the following regulations for relevance is essential: a) EU General Data Protection Regulation; b) Cybersecurity Law of the People’s Republic of China (2017); c) National Security Law (2015, China); d) Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Privacy Act, Hungary); e) Personal Information Protection Act (PIPA, South Korea); f) California Consumer Privacy Act; g) Sarbanes-Oxley Act (US); h) Securities and Exchange Commission (SEC) Guidance, including the new incident disclosure; i) State Data Breach Notification Laws. Consequently, the cybersecurity strategy must be structured to address the security objectives of auditability, legality, and compliance (see Townley, 2023 Appendix E for definitions of these objectives or attributes).
  4. Rogers appears to have a presence in Azure. Any identified security objectives and the cybersecurity strategy need to be extended to this environment. In fact, Rogers’ IT Cloud strategy should have a cybersecurity section that addresses these objectives and also covers other areas: a) a multi-disciplinary risk framework to manage risks in the cloud; b) a control framework that is cloud service provider agnostic but mapped to Azure services; c) the approach to how zero trust will be implemented; d) the identity and access management approach; e) the use of a cloud-native application protection platform (see https://www.gartner.com/reviews/market/cloud-native-application-protection-platforms for a definition); f) cybersecurity operations center capabilities (see https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf for a great resource on SOCs).

Initial Questions

  1. Is the accuracy of the Domain Impact worksheet assured, or are there crucial elements missing?
  2. How do members of the engineering and sales force teams obtain access to the essential data required to support customers effectively?
  3. What components of the CIS Critical Security Controls are in place for the Information Technology parent domain in terms of people, process and technology?
  4. Who is accountable and responsible for collecting and maintaining cybersecurity and privacy requirements from the various countries that Rogers operates in?
  5. How does the organization navigate the complex situation of operating a factory in China while acknowledging documented evidence indicating that China or affiliated actors engage in active intellectual property theft, as highlighted in instances such as those presented in the document at https://foreignaffairs.house.gov/wp-content/uploads/2020/02/Egregious-Cases-of-Chinese-Theft-of-American-Intellectual-Property.pdf?
  6. In what manner is the network segmented to heighten detection capabilities and restrict the potential impact area in the event of a compromise?
  7. What categories of Operational Technology (OT) are currently in operation within the environment, and does OT pose a significant risk for Rogers? For a comprehensive definition of OT, refer to https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf. While the latest Verizon Data Breach report indicates that the number of incidents involving OT remains relatively small, particularly in the manufacturing industry, it remains prudent to stay vigilant given the potential impact, as recommended by Verizon.
  8. What is the cloud governance for the Azure environment? Does it follow the recommended Microsoft governance model, including the team structure? Has the environment been architected to align with the Microsoft Cloud Adoption Framework, especially the use of landing zones?

That is it. Let me know your thoughts. Happy Holidays.

~R&R

Dashing through the snow
In a one-horse open sleigh
O’er the fields we go
Laughing all the way
Bells on bobtails ring
Making spirits bright
What fun it is to create & share
architectures tonight.