The Role of a Security Consultant in the Architecture Design Process – Capstone Project Example

Download full paperFile format: .doc, available for editing

The paper "The Role of a Security Consultant in the Architecture Design Process'  is an outstanding example of a capstone project on architecture. The study empirically explored the roles of security professionals in the architecture design process. The objectives included determining how security professionals seek to ensure that threats and controls are in balance during the architecture design process. The study also aimed to integrate the systems approach in explaining the role of security professionals in the architecture design process and identifying the role of security professionals in ensuring the integrity of the security architecture. The study used a qualitative research design.

Primary data was collected through semi-structured qualitative interviews. Secondary data was collected through document analysis. Data analysis was through the qualitative interpretive method. The study summarised into three: To prevent overspending on unnecessary security devices, to prevent risks of liability due to failure to comply with regulatory requirements, and most lasting, to ensure that all the security layers or components serve their objective as required. These roles are fixed to the Defence in-depth theory and systems approach, as they make sure that the security architecture is designed to operate as part of the security system in order to holistically detect, delay, deter, and respond to security threats. Introduction The roles and responsibilities of security management professionals have expanded in scope since the 1990s parallel to the expansion of the private sector and the tendencies by firms to downsize, outsource, and adopt the technology (CISSP, 2012; Sennewald, 2012).

The rise in demand for security professional services has also been persistent since 9/11. While security consulting has grown, the roles of security professionals continue to remain unclear (Farah, 2004; Walek & Masar, 2013). Many organizations see a security professional be an individual tasked with recommending proper, cost-effective strategies to attain a wide range of security objectives, crime prevention, loss control, and investigative roles (Scholl et al, 2010).

This is, however, insufficient. Obviously, a rewarding dimension of security professionals is the opportunity to manage and control an organization’ s security (Tsohou et al. , 2015). The security professionals seek to ensure that threats and controls are in balance (Bogers et al. , 2008). Designing secure system architecture and its implementation and application are costly, time-consuming, and complex processes that demand expertise and intervention of a security professional, who is the expert for a particular problem domain.

A security professional selects the security features that can be integrated into a secure operating system (Vellani, 2009). The features selected that need to be implemented by security mechanisms have to see to it that the risks of disrupting the company asset’ s integrity, availability, and confidentiality are eliminated. Therefore, understanding the specific roles of a security professional is critical. In fact, as ISACA (2009) confirms, the exact role of security professionals is yet to be clearly defined in most enterprises. In some projects, the project team may proceed with defining the security requirement without the involvement of the security professional mostly due to a lack of understanding of the significance of security professionals (ISACA, 2009).

Their roles become more complicated when they are tasked with designing security architecture (Vellani, 2009). Security architecture is an integrated security design intended to handle the requirements and potential risks associated with a particular environment or scenario. The Security architecture details out when and where security controls should be applied (Tsohou et al. , 2015).

The process of designing the architecture is often reproducible and needs extreme expertise to ensure its effectiveness. This calls for the participation of a security consultant. As Gibbs (2008) mentions, in designing security architecture, the difference between hiring a security professional and ignoring it is on how holistically and effectively the security systems are expected to protect assets.

References

Beardsley, J. (2013). Security 101: Understanding the Common Layered Security Concept. The Valley Business Journal. Retrieved: < http://www.valleybusinessjournal.com/index.php/technology/item/1382-security-101-understanding-the-common-layered-security-concept>

Bogers, T., Meel, J. & Voordt, T. (2008). Architects about briefing: Recommendations to improve communication between clients and architects. Facilities 26(3), 109-116

Bosch, S. (2014). Designing Secure Enterprise Architectures. MSc Business Information Technology Institute: University of Twente Faculty of Electrical Engineering, Mathematics and Computer Science Enschede, the Netherlands

Brauch, H. (2007). Coping with Global Environmental Change, Disasters, and Security. Hexagon Series on Human and Environmental Security and Peace

Bucur, A. (2010). Banking 2.0: Developing a Reference Architecture for Financial Services in the Cloud. Utrecht: Capgemini Consulting Technology Outsourcing

CISSP. (2012). Common Body of Knowledge Review: Security Architecture & Design Domain. Open Security Training Version: 5.10

Cohen, L., Manion, L. & Morrison, K. (2007).Research methods in education. (6th ed.). London: Routledge Falmer

Coole, M. & Brooks, D. (2014). Do Security Systems Fail Because of Entropy? Journal of Physical Security 7(2), 50-76

Coole, M., Corkill, J. & Woodward, A. (2012). Defense in Depth, Protection in Depth, and Security in Depth: A Comparative Analysis Towards a Common Usage Language. A paper published in the Proceedings of the 5th Australian Security and Intelligence Conference, Novotel Langley Hotel, Perth, Western Australia, 3rd-5th December 2012

Ellis, T. & Levy, Y. (2008). The framework of Problem-Based Research: A Guide for Novice Researchers on the Development of a Research-Worthy Problem. Informing Science: the International Journal of an Emerging Transdiscipline vol 11, pp.17-33

Farah, G. (2004). Information Systems Security Architecture A Novel Approach to Layered Protection: A Case Study. SANS Institute GSEC Practical Version 1.4b

Fenelly, L. (2012). Effective Physical Security. (4th ed.) Waltham, MA: Butterworth-Heinemann

Feruza, S. & Kim, T. (2009). IT Security Review: Privacy, Protection, Access Control, Assurance, and System Security. International Journal of Multimedia and Ubiquitous Engineering 2(2), 17-30

Gibbs, N. (2008). Elements of a Good Security Architecture. Internal Auditor. Retrieved:

Heyvaert, M., Hannes, K., Maes, B. & Onghena, P. (2013). Critical Appraisal of Mixed Methods Studies. Journal of Mixed Methods Research 20(10), 1-26

Hunstad, A. & Hallberg, J. (2007). Design for securability – Applying engineering principles to the design of security architectures. Published in the Workshop for Application of Engineering Principles to System Security Design (WAEPSSD) Proceedings

ISACA. (2009). An Introduction to the Business Model for Information Security. ISACA: Rolling Meadows, IL. Retrieved:

Jackson, D. (2011). Intelligence-Led Risk Management For Homeland Security: A Collaborative Approach For A Common Goal. Monterey: Naval Postgraduate School.

Jonathan, J. (2009). A psychological perspective on vulnerability in the fear of crime. Psychology, Crime and Law, 15 (4), 1-17

Lee, M. (2008). Fear of Crime: Critical Voices in an Age of Anxiety. New York: Routledge

Mele, C., Pels, J. & Polesce, F. (2010). A Brief Review of Systems Theories and Their Managerial Applications. Service Science 2(1/2), 126 – 135

Oludele, A., Ogunnusi A., Omole O. & Seton O. (2009). Design of an Automated Intrusion Detection System incorporating an Alarm. Journal of Computing, 1(1), 149-157

Onwuegbuzie, A., Leech, N. & Collins, K. (2012). Qualitative Analysis Techniques for the Review of the Literature. The Qualitative Report 17(56), 1-28

Phellas, C., Bloch, A. & Seale, C. (2011). Structured Methods: Interviews, Questionnaires, And Observation. Retrieved:

Prezelj, I. (2012). Challenges in Conceptualizing and Providing Human Security. HUMSEC Journal, Issue 2, 1-22

Salim, H. (2014). Cyber Safety: A Systems Thinking and Systems Theory Approach to Managing Cyber Security Risks. Massachusetts Institute of Technology Working Paper Cisl# 2014-07

Samaras, V. (2012). A BYOD Enterprise Security Architecture for accessing SaaS cloud services. Retrieved:

Scammel, T. (2008). Security Architecture: One Practitioner's View. ISACA Journal 1(1), 1-5

Scholl, M., Stine, K., Lin, K. & Steinberg, D. (2010). Security Architecture Design Process for Health Information Exchanges (HIEs). Washington D.C: National Institute of Standards and Technology

Sennewald, C. (2012). Security Consulting. New York: Butterworth-Heinemann

Shoemaker, J. & Mead, N. (2013). Teaching Security Requirements Engineering Using SQUARE. Carnegie Mellon University and IEEE 2005-2013.

Sjorberg, L., Moen, B. & Rundmo, T. (2007). Explaining risk perception. An evaluation of the psychometric paradigm in risk perception research. Trondheim: Rotunde Publicjasjoner

Smith, C. & Brooks, D. (2012). Security Science: The Theory and Practice of Security. Oxford: Butterworth-Heinemann

Soltani, F. & Yusof, M. (2012). Concept of Security in the Theoretical Approaches. Research Journal of International Studies 1, 7-16

Thorn, A., Christen, T., Gruber, B., Portman, R. & Ruf, L. (2008). What is a Security Architecture? Information Security Society Switzerland. Retrieved: < https://www.isss.ch/fileadmin/publ/agsa/Security_Architecture.pdf>

Transit Safety. (2014). Access Management. Retrieved:

Tsohou, A., Karyda, M., Kokolakis, S. & Kiountouzis, E. (2015). Managing the introduction of information security awareness programs in organizations. European Journal of Information Systems 24, 38–5

Varma, D., Rao, V., Rani, P. & Kumar, M. (2012). Dependable Web Services Security Architecture Development Theoretical And Practical Issues – Spatial Web Services Case Study. Computer Science & Information Technology 2(1), 79-98

Vellani, K. (2008). Strategic Security Management: A Risk Assessment Guide for Decision Makers. New York: Butterworth-Heinemann

Vellani, K. (2009). Crime Analysis for Problem Solving Security Professionals in 25 Small Steps. Pop Centre. Retrieved:

Walek, B. & Masar, J. (2013). Methodology for the design of safe operating systems. Information Technology & Computer Science 4(1), 634-638

Wang, J., Chaudhury, A. & Rao, R. (2008). A Value-at-Risk Approach to Information Security Investment. Information Systems Research 19(1), 106-120

Wilson, W. & Chaddha, A. (2010). The Role of Theory in Ethnographic Research. Ethnography 10(4), 549-564.

Woolley, C. (2009). Meeting the Mixed Methods Challenge of Integration in a Sociological Study of Structure and Agency. Journal of Mixed Methods Research 3(7), 7-25

Young, W. & Leveson, N. (2014). An Integrated Approach to Safety and Security-Based on Systems Theory. Communications Of The ACM. 57(2), 31-35

Zhyzhneuski, A. (2011). BIM as a Modern Approach to the Design and Management in Construction Industry. Retrieved:

Download full paperFile format: .doc, available for editing
Contact Us