Bene Gesserit Urgent Care Offices (BGUC) - Logical Architecture

James Reynolds, Quincey Jackson, & Aly Malak

Department of Cyber Security, University of San Diego

CSOL-520: Enterprise Security Architecture

Professor Michelle Moore, Ph.D

November 20, 2023



Bene Gesserit Urgent Care Offices (BGUC) - Logical Architecture

Bene Gesserit Urgent Care (BGUC) has been using the Sherwood Applied Business Security Architecture (SABSA) framework to drive the development of its employee and patient portals. SABSA is founded on the concept that each security function should be directly connected to a business goal, and it consists of five layers that are overlapped by a sixth. Now that BGUC has completed its conceptual security architecture, where the focus was on creating the vision for the project and describing the security principles that will be used, it can move on to developing its logical security architecture, where the focus is on creating logical abstractions to describe the higher levels of the architecture and deciding on the broad policies that will be used to achieve the previously determined security principles (Sherwood et al., 2009).

Review of Current Status

The first step in designing the Logical Architecture for BGUC is to inventory the current system so that gaps can be identified and strong existing components can be used as the foundation for the new architecture.

(1) Existing Security Infrastructure. BGUC currently contracts with Vector Security Networks for physical security in the form of a monitored alarm system and CCTV covering the premises of BGUC’s multiple locations (Vector Security Networks, 2021). Regarding physical data storage, BGUC currently uses a hybrid model: some information is stored in Amazon cloud services and the remaining information is stored on servers located in locked IT rooms at several of BGUC’s physical sites.

(2) Security Components. BGUC utilizes physical security controls, cloud security, and third-party contracts to secure the overall system. Employees are currently trained on the security controls and policies that pertain to their departments, and this training will continue on the new employee portal. The new patient portal will have security components that allow users to access the system from multiple endpoints and devices. Security components such as MFA and password policies will be applied to both portals.

(3) Controls. BGUC uses role-based access controls. All employees and patients are assigned specific roles upon account creation, and their role(s) determine the type of access their accounts have on the BGUC network. Under the current system, all new users register accounts by providing an email address, basic personal information, and a user-generated password. Users must have their roles validated by Human Resources personnel, who then record the roles in an Excel matrix that IT managers use to determine which additional roles to assign to individual accounts.

(4) Policies. BGUC has a training policy which requires that all employees be trained on the basic tenets of HIPAA, cyber security threats related to the healthcare industry, and how to report suspicious activity. BGUC currently has a strict personal device policy prohibiting the use of personal devices for any activity that involves company data. An additional relevant BGUC policy is its acceptable use policy for all users, which prohibits the intentional misuse of an account in an attempt to violate HIPAA and also prohibits all users other than IT staff from downloading any files with extensions other than .doc, .docx, .jpg, or .pdf.

(5) Security Organization. BGUC currently utilizes the security structure shown below in Figure 1. Additional information about the Information Risk Council is given in Figure 2.


Figure 1. BGUC Security Organization (Hyatt, 2023).

Figure 2. Information Risk Council Organization (Hyatt, 2023).


Necessary Tools & Information

Raw Materials for Security Planning

To create a successful security plan, it is important that security architects for BGUC gather the appropriate materials prior to the commencement of their security planning. This includes collecting any relevant existing policies and procedures, organizing current blueprints/diagrams of existing networks and assets, and documenting the plan. Additionally, BGUC will need to identify and, if needed, purchase any of the tools necessary to carry out the security plan, which will include things like diagramming and documentation tools. Finally, BGUC will need to identify and collect any relevant standards it will or may be using and any legal compliance obligations.

Required Documentation for Security Plan

BGUC’s security plan needs to outline the processes and steps it will take to meet the security requirements for each system. First, BGUC needs to analyze its security needs, which requires that it review any and all existing security policies and practices (Resolver, 2021). Next, BGUC will need to conduct a cyber risk analysis and manage and classify its data assets. Once it understands its existing documentation, its assets, and the risks presented to the business, BGUC will need to use the relevant regulatory standards, in this case its HIPAA, HITECH, and PCI DSS legal obligations, to create a compliance plan, disaster recovery plan, and incident management plan that align with its existing policies (Editorial Team, 2021) and the following security policy statements:

(1) Acceptable Use Policy: Define the general categories of actions which are explicitly permitted or forbidden when using organizational devices, systems, and electronics (SANS Policy Team, n.d.).

(2) Data Exfiltration Policy: Establish the list of approved methods for removing or sharing information outside of organizational networks and the training requirements for users who will be granted special roles as data transfer officers.

(3) Remote Access Policy: Establish guidelines for connecting to BGUC’s network from any host or external network. Delineate the requirements for password security, the process for device approval, and the requirement to use OpenVPN whenever connecting from an outside network (SANS Policy Team, n.d.).

(4) PKI/Digital Signature Policy: Require the use of the RSA algorithm for digital signatures. Direct the use of digital signatures for authentication in all emails and all documents requiring signatures (e.g., user agreements, acknowledgements of policy changes, etc.). Establish the requirements for trusted certificate authorities (CAs) and the processes for key delivery and exchange (Department of Defense, 2021).

(5) Email Encryption Policy: Require the use of email encryption to protect sensitive or protected data. Define the classes and types of information that must be encrypted for transmission. Establish the minimum encryption scheme requirements in compliance with all applicable federal laws and other standards such as HIPAA, HL7, HITECH, and PCI DSS (SANS Policy Team, n.d.). Identify specific tools which may be used for encryption, such as the Microsoft Outlook embedded encryption feature (Microsoft Support, n.d.-a), or the process for approving such tools.

(6) Password Policy: Establish minimum password complexity requirements, a password change periodicity requirement of once per quarter, and prohibitions on password sharing. Delineate acceptable methods for password storage, in encrypted form or in an approved password locker application. Approve the use of master passwords for users with Single Sign-On (SSO) (Keeper, 2023).

(7) Multi-Factor Authentication (MFA) Policy: Direct the use of MFA for all user logon methods. Establish parameters for acceptable forms of MFA (authenticator app, biometric, one-time code via email).

(8) Security Audit Policy: Describe how BGUC can assess and test its implemented security measures to determine whether its current cyber security practices are adequate and whether its training is effective. Outline the assessment criteria based on the type of security audit, how to prepare for and conduct the security audit, the frequency and type of security audit, and things to look out for during the audit (Buckbee, 2022).

(9) Incident Response Plan: Outline the procedures, steps, and responsibilities after an incident occurs, including how BGUC approaches incident response, how the plan supports its goals, the phases of the incident response plan and the respective activities in each phase, the personnel/roles and their responsibilities in completing the activities, how communication will work between the incident response team and the rest of the organization, and criteria for determining the effectiveness of incident response (Cranford, 2023).

(10) Business Continuity Plan: Establish the process and steps the entire business needs to take to restart and/or continue business operations with minimal disruption after an incident occurs. Summarize the mitigation, crisis, and recovery plans in light of BGUC’s key operations and legal compliance requirements (Cisco, n.d.).

Architectural Tools

(1) Visio: This is a tool that can be used to create diagrams and flowcharts. It comes with dozens of preset templates, and it can create 2-D and 3-D map diagrams as well as pull in live data from an external source, such as network status data (Krause, 2021).

(2) SAP: An enterprise software solution that can be used to streamline processes, improve productivity, and provide insight into BGUC’s operations. The SAP architecture establishes the principles, trends, and practices of BGUC’s internal SAP landscape and consists of a presentation, application, and database layer, which respectively provide the user interface and configure the system, receive and sift data, and manage and store data (Surety Systems, 2023).

(3) SPARX: An enterprise solution that can be used to visualize and model BGUC’s systems, software, and processes. It can also be used to analyze, model, and test BGUC’s assets, processes, and architectures. It supports multiple types of domains, such as business, software, systems, and architecture domains, and can be used to create domain-specific profiles, track and integrate changes, and manage role-based security profiles (SPARX Systems, n.d.).

(4) ArchiMate Specification: These specifications create a common language that can be used to describe the construction and operation of BGUC’s processes, structure(s), infrastructure, and systems. Its instruments will enable the logical architect to describe, analyze, and visualize the business domains and their relationships in a clear manner (The Open Group, n.d.).

Existing Documentation & Tools

BGUC already has in place some of the security policy statements required under this logical architecture plan, so those will serve as the foundation for the new plans created for this project. Furthermore, BGUC currently implements many of the cyber security services, such as MFA, antivirus and anti-malware, firewalls, and data encryption. These existing services will need to be integrated with the new enterprise and can be leveraged to avoid redundancy between the current services and those needed in the new enterprise. Some existing BGUC personnel will be used in the development of this project, which will ensure that BGUC’s values and goals are maintained throughout the development process. These personnel’s extensive knowledge of and experience with BGUC’s current systems will ease the integration of the existing hardware and software with the new enterprise, since they will already be familiar with it, and will help with implementing the access controls, since the current internal access controls will not change significantly from the old system to the new enterprise.

Logical Architecture Resources

There are many types of resources available to the designer of the logical architecture. First, there are many architectural diagramming tools that can be used for diagramming cloud infrastructure, such as Lucidchart or Visio (Broberg, 2020). Industry standards such as those from the National Institute of Standards and Technology (NIST) can provide guidance and information relating to the key security domains and the relationships between them. Finally, legal compliance regimes such as HIPAA and PCI DSS can provide information on the minimum requirements that need to be met and, in some cases, how they need to be met.

Security Plan Proposals & Outline

Business Information Model

The business information model is a high-level overview of the relevant data sets and entities. It shows the relationship and flow of information between these entities. A general business information model for BGUC is given below in Figure 3. The entities listed in the model will have the attributes, which describe the type of information and controls given to the entity, described later in this section.

Figure 3. BGUC Business Information Model.

Proposed Security Services

Security services are the mechanisms that will be utilized in order to provide adequate security to BGUC’s systems. The following security services are recommended in light of BGUC’s business operations and requirements:

(1) Single Sign-On: Single sign-on (SSO) allows users to sign in with one set of credentials and access multiple accounts. This alleviates the need for users to remember multiple passwords, provides the administrative team a centralized way to manage all of BGUC’s accounts and each account’s access credentials, and makes it easy to enforce multi-factor authentication across all accounts (Witts, 2022).

(2) Multi-Factor Authentication: Multi-factor authentication requires a user to confirm his or her identity in multiple ways. After the user enters his or her password, the second authentication could entail entering an additional PIN, providing a fingerprint, or confirming the login on the user’s smartphone (Microsoft Support, n.d.-b).

(3) Data Encryption (at rest and in transit) and Device Encryption: Encryption makes it more difficult for attackers to decipher information in the event they ever gain access to BGUC’s data. At minimum, BGUC should encrypt any protected health information (PHI), electronic PHI, personal and sensitive information, and payment information (Lord, 2020), as well as the devices that will have access to such information, such as laptops and medical software (Sarkar, 2023).

(4) Application Whitelisting: Application whitelisting means that only certain applications and application components are authorized for use on BGUC’s devices and/or network. This helps protect against unlicensed software being downloaded and against the execution of malware, because only the listed applications are permitted to execute on BGUC’s systems (Sedgewick et al., 2015).

(5) Antivirus and Anti-malware: Antivirus software protects against viruses and stops malicious scripts from running, whereas anti-malware software protects against malware and will identify and remove suspicious activity. Anti-malware is especially useful because, unlike antivirus software, it can identify threats it has not seen before. This software should include real-time scanning, automatic updates, and threat removal to ensure the optimum benefit is gained from its installation (Panda Security, 2020).

(6) Firewall: A firewall can help monitor and filter network traffic, block unauthorized access, prevent virus infiltration, and support regulatory compliance. It will act as an effective barrier, especially when used in conjunction with antivirus software, and as a gatekeeper of all entry points into the BGUC system (Palo Alto Networks, n.d.).

(7) Role-Based and Person-Based Authentication: Role-based and person-based authentication will restrict access to data to only those persons who need to know the information in order to perform their job functions. This helps maintain the confidentiality of sensitive data and can help minimize the potential points of exposure that an attacker may try to exploit.

(8) On-site Data Backup: An incident can expose patient information, compromise the data, or make the data unavailable. Although BGUC is currently planning on storing its information in the cloud, it should maintain a back-up copy of its data on-site in the event it cannot access the cloud network or its network server becomes compromised (Lord, 2020).

(9) Logging and Monitoring Use: Logging access and usage data will allow BGUC to monitor what information and applications are being accessed, who accessed them, when they were accessed, and from where they were accessed. This information can help BGUC strengthen its security policies by identifying areas of concern and can provide an audit trail if there ever is an incident (Lord, 2020).

(10) Restricting Access: Implementing access controls ensures that only those people who have a need to know and access information are the ones that can access it. This will help minimize the attack surface, which can help with protecting against a potential security incident (Lord, 2020).

Entity Schema & Privilege Profile

The BGUC system entity schema is based on relationships between both portals. Patients, community members, and family members will be directly connected to the patient portal, while physicians, pharmacists, and stakeholders will be directly connected to, and have access to, the provider portal. Access controls will be set for each user and their respective portal to ensure that no individual has access to information they should not have access to. The following attributes will be assigned to each entity:

(1) Patient Attributes: Name, social security number, patientID (primary key), home address, email, contact number, healthcare plan number, healthcare plan owner, medical history (Adobe Experience League, 2022).

(2) Provider Attributes: Name, social security number, providerID (primary key), specialty, email, contact number, preferred site (Adobe Experience League, 2022).

(3) ExperienceEvent Attributes: Appointment ID (primary key), patient ID (foreign key), provider ID (foreign key), time, experience type (Adobe Experience League, 2022).

(4) MedicalRecord Attributes: Record ID (primary key), patient ID (foreign key), provider ID (foreign key), Appointment ID (foreign key), date, diagnosis, medication, treatment (Adobe Experience League, 2022).

Each entity in the schema will have a certain privilege profile. The privilege profile for the BGUC security architecture will consist of a set of predefined rules and policies that accommodate users of both portals. Rules will include a limit on the number of times (once) an email address may be used to create a profile and the inability of patients, family, or community members to sign up for the patient portal without specific credentials, such as health insurance information. These rules will also apply to stakeholders, physicians, and pharmacists who do not have an active employee ID with the organization. The access credentials granted to each entity will be role-based and person-based in order to limit the amount of information each entity can see. Security components such as multi-factor authentication will be applied to both portals, and SSO will be applied to the employee portal in order to better facilitate everyday employee activities. Privileges such as these are essential for ensuring that users are safe regardless of the device used to access the portal.
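The entity schema and privilege-profile rules above, worked as an added example that is not part of the BGUC paper: it models the four entities with their primary and foreign keys and enforces the one-profile-per-email, health-plan-credential, active-employee-ID, and role-plus-person-based access rules. The role names, the per-role field sets, and the sample data are assumptions, and the MedicalRecord entity is trimmed to its keys plus diagnosis and medication.

```python
# Added illustration, not code from the BGUC paper. Role names, the per-role
# field sets in ROLE_FIELDS and the sample data are assumptions.
from dataclasses import dataclass, field

ROLE_FIELDS = {                 # which MedicalRecord fields each role may read
    "physician": {"diagnosis", "medication"},
    "pharmacist": {"medication"},
    "patient": {"diagnosis", "medication"},
}

@dataclass
class Patient:
    patient_id: str             # primary key
    email: str
    health_plan_number: str

@dataclass
class Provider:
    provider_id: str            # primary key
    email: str
    role: str                   # physician or pharmacist
    employee_id: str

@dataclass
class ExperienceEvent:
    appointment_id: str         # primary key
    patient_id: str             # foreign key -> Patient
    provider_id: str            # foreign key -> Provider

@dataclass
class MedicalRecord:
    record_id: str              # primary key
    patient_id: str             # foreign key -> Patient
    provider_id: str            # foreign key -> Provider
    appointment_id: str         # foreign key -> ExperienceEvent
    diagnosis: str
    medication: str

@dataclass
class Portal:
    active_employee_ids: set    # HR roster of active employee IDs
    patients: dict = field(default_factory=dict)
    providers: dict = field(default_factory=dict)
    events: list = field(default_factory=list)
    records: dict = field(default_factory=dict)

    def _check_email(self, email):           # one profile per email address
        users = [*self.patients.values(), *self.providers.values()]
        if any(u.email.lower() == email.lower() for u in users):
            raise PermissionError("email already registered")

    def register_patient(self, patient_id, email, health_plan_number):
        self._check_email(email)
        if not health_plan_number:           # credential required to sign up
            raise PermissionError("health plan number required")
        self.patients[patient_id] = Patient(patient_id, email, health_plan_number)

    def register_provider(self, provider_id, email, role, employee_id):
        self._check_email(email)
        if employee_id not in self.active_employee_ids or role not in ROLE_FIELDS:
            raise PermissionError("inactive employee ID or unknown role")
        self.providers[provider_id] = Provider(provider_id, email, role, employee_id)

    def view_record(self, viewer_id, record_id):
        """Fields the viewer's role may see, or None when access is denied."""
        rec = self.records[record_id]
        if viewer_id in self.patients:       # patients: their own records only
            role, allowed = "patient", viewer_id == rec.patient_id
        elif viewer_id in self.providers:    # providers: patients they treat
            role = self.providers[viewer_id].role
            allowed = any(e.provider_id == viewer_id and e.patient_id == rec.patient_id
                          for e in self.events)
        else:
            return None
        return {f: getattr(rec, f) for f in sorted(ROLE_FIELDS[role])} if allowed else None

def demo_portal():
    """Constructed sample data: one patient, two providers, one record."""
    p = Portal(active_employee_ids={"E-100", "E-200"})
    p.register_patient("P-1", "pat@example.org", "HP-555")
    p.register_provider("DR-1", "doc@example.org", "physician", "E-100")
    p.register_provider("RX-1", "rx@example.org", "pharmacist", "E-200")
    p.events.append(ExperienceEvent("A-1", "P-1", "DR-1"))
    p.records["R-1"] = MedicalRecord("R-1", "P-1", "DR-1", "A-1", "strep", "amoxicillin")
    return p
```

The pharmacist is denied until an appointment links them to the patient, and even then sees only the medication field.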

Security Domain Definitions and Associations

Cyber security domains are the domains that implement the security policies. The following are the primary domains that BGUC needs to account for:

(1) Perimeter Networks: Also known as the DMZ or demilitarized zone. This domain is used to separate external services, servers, and resources from the internal LAN. The servers located in the DMZ can be accessed from the internet while the internal LAN cannot, thereby protecting the internal network from being remotely accessed (Lutkevich, 2021).

(2) Access Control: Defines and implements the access controls in alignment with the BGUC remote access policy and with person-based and role-based access controls (Ikrami, 2014).

(3) Network Security: Describes the network structures and methods of data transmission (including transmission format and security measures) within and outside the network (Ikrami, 2014).

(4) Cryptography/Encryption: The methods and manner in which BGUC will protect its data to maintain its confidentiality, integrity, and authenticity (Ikrami, 2014). These will need to align with the PKI/digital signature and email encryption policies.

(5) Security Architecture: The concepts and standards used to monitor and secure equipment, networks, applications, and devices (Ikrami, 2014).

(6) Operations Security: Identifies hardware and software controls and the access privileges to these resources (Ikrami, 2014).

(7) Business Continuity and Disaster Recovery: The controls and plans that address how the business will continue to operate and subsequently return to normal business operations after an incident occurs.

(8) Legal Compliance: Addresses BGUC’s contractual obligations and responsibilities; healthcare, data privacy, and data breach notification requirements; and investigative techniques that can be used to identify whether an incident has occurred and needs to be disclosed (Ikrami, 2014).

(9) Information Management and Data Security: Identifies BGUC’s assets and monitors the creation and implementation of BGUC’s policies and standards (Ikrami, 2014).

Security Processing Cycle

The security processing cycle identifies the assets that BGUC is trying to protect, assesses the current security state of these assets, reviews the protective measures and/or implements new protective measures, and monitors the systems (Allcot, 2022).

(1) Annually: The security policy statements must be reviewed annually and updated if needed. BGUC shall also annually review its hardware, software, and applications, assess the risk posed by each, and upgrade the assets that pose the most risk to the company.

(2) Quarterly: Passwords must be updated once per quarter in accordance with the Password Policy.

(3) Ongoing: Software, operating system, firewall, antivirus, and anti-malware updates will be automated to the highest extent possible and practicable in order to ensure that known vulnerabilities cannot be exploited. These should be updated as the patches and updates are rolled out.



References

Adobe Experience League. (2022). https://experienceleague.adobe.com/#home

Allcot, D. (2022, January 13). What are the steps of the information security life cycle? Caplinked. https://www.caplinked.com/blog/information-security-life-cycle-steps/

Broberg, M. (2020, September 15). 6 architectural diagramming tools for cloud infrastructure. Red Hat. https://www.redhat.com/architect/diagramming-tools-cloud-infrastructure

Buckbee, M. (2022, February 5). What is an IT security audit? The basics. Varonis. https://www.varonis.com/blog/security-audit

Cisco. (n.d.). What is business continuity? https://www.cisco.com/c/en/us/solutions/hybrid-work/what-is-business-continuity.html

Cranford, J. (2023, April 17). Incident response (IR): plan & process. Crowdstrike. https://www.crowdstrike.com/cybersecurity-101/incident-response/

Department of Defense. (2021). X.509 Certificate Policy Version 10.7. In DoD Cyber Exchange Public. Department of Defense (DoD). https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/pdf/unclass-dod_cp.pdf

Editorial Team. (2021). Information security plan: what is it & how to create it? Bit.AI Blog. https://blog.bit.ai/information-security-plan/

Hyatt, C. (2023, May 8). How to design a security program organizational structure that supports your business goals (Part 2). Risk3sixty. https://risk3sixty.com/2020/09/14/how-to-design-a-security-program-organizational-structure-that-supports-your-business-goals-part-2/

Ikrami, M. (2014, May 16). Information security domains: more than 10 possible? The Infosec Guru. https://theinfosecguru.wordpress.com/2014/05/16/infosec-domains/

Keeper. (2023, September). Enforcement policies - Enterprise guide. https://docs.keeper.io/enterprise-guide/roles/enforcement-policies

Krause, A. (2021, July 22). What is Microsoft Visio and what does it do? Groovy Post. https://www.groovypost.com/reviews/microsoft-visio-explained/

Lord, N. (2020, September 17). Healthcare cybersecurity: tips for securing private health data. Digital Guardian. https://www.digitalguardian.com/blog/healthcare-cybersecurity-tips-securing-private-health-dat

Lutkevich, B. (2021, July). DMZ in networking. TechTarget. https://www.techtarget.com/searchsecurity/definition/DMZ

Microsoft Support. (n.d.-a). Encrypt email messages. https://support.microsoft.com/en-us/office/encrypt-email-messages-373339cb-bf1a-4509-b296-802a39d801dc

Microsoft Support. (n.d.-b). What is: multifactor authentication. https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661

Palo Alto Networks. (n.d.). What are the benefits of a firewall? https://www.paloaltonetworks.com/cyberpedia/what-are-the-benefits-of-a-firewall

Panda Security. (2020, August 9). Difference between antivirus and antimalware + do I need both? Panda Security. https://www.pandasecurity.com/en/mediacenter/difference-between-antivirus-antimalware/

Resolver. (2021, December 1). Enterprise planning: 6 steps to creating a security plan that works. https://www.resolver.com/blog/enterprise-security-plan/

Sarkar, S. (2023). 8 ways to maintain better health care information security. Select Hub. https://www.selecthub.com/medical-software/ehr/5-ways-maintain-healthcare-information-security/?amp=1

Sedgewick, A., Souppaya, M., & Scarfone, K. (2015, October 28). Guide to application whitelisting. National Institute of Standards and Technology. https://www.nist.gov/publications/guide-application-whitelisting

Sherwood, J., Clark, A., & Lynas, D. (2009). Enterprise security architecture [White paper]. SABSA Institute. https://sabsacourses.com/wp-content/uploads/2021/02/TSI-W100-SABSA-White-Paper.pdf

SPARX Systems. (n.d.). Enterprise architect. https://sparxsystems.com/

Surety Systems. (2023, August 1). Understanding the key components of the SAP architecture. https://www.suretysystems.com/insights/understanding-the-key-components-of-the-sap-architecture/

The Open Group. (n.d.). The ArchiMate enterprise architecture modeling language. https://www.opengroup.org/archimate-forum/archimate-overview

Vector Security Networks. (2021, October 7). Vector Security Networks | Multisite commercial services. https://vectorsecuritynetworks.com/

Witts, J. (2022, September 23). How secure is Single Sign-On (SSO) for businesses? Expert Insights. https://expertinsights.com/insights/how-secure-is-single-sign-on-sso-for-businesses/
