Approach
Deloitte uses a holistic approach based on the State's policies and available enterprise tools such as public
key infrastructure (PKI), appropriate Federal/State laws, regulations and industry leading practices to design
and implement the Company A security solution. We start by selecting the eligibility business functions
to be evaluated, determine the corresponding information types for each function, and then select the
security requirements from our Risk Framework established in the planning and start-up stage and the
elaboration stage. These requirements may require implementing one or more management, technical and
operational controls for the system function. The technical design for security and privacy of the Company A
system is based on the technical controls that result from this analysis for each system
function. We leverage one or more of the security solutions that are part of the Company A system to
implement the security and privacy technical design for the function. For example, the Company A system's
web portal function processes PII data and is therefore subject to HIPAA and IRS Publication 1075
requirements.
Figure X.X illustrates the various security solution components that will be designed, developed and
implemented for Company A system.
Figure X.X. Deloitte’s Approach to Designing Security Controls for Company A System.
Deloitte uses a layered and risk-driven approach to developing the security design and user access security for the Company A system.
Meeting NIST and FISMA Requirements
Deloitte brings an established toolset, our Risk Catalog, which is designed both to make compliance easier to
manage and to streamline the compliance management process on an ongoing basis. Deloitte's Risk
Catalog is a requirements library: a common repository of information security requirements
drawn from authoritative sources in more than 300 different laws and industry sources, and other related
requirements that can be customized to meet the needs of the Company A system. Deloitte maps and
rationalizes the requirements that are applicable to the Company A system, creates a risk and control assessment
framework based on the NIST and FISMA Risk Management Frameworks (RMF), and then develops a "heat
map" for integrated risk reporting before the system is approved for production. The Risk Catalog is also
used to trace back applicable security requirements during the design and testing phases of the project. Deloitte's
Risk Catalog toolset is comprised of core solution accelerators as depicted in figure X-X below.
Figure X-X. Risk Catalog toolset used to rationalize requirements and streamline the compliance management process.
Defining Information System Boundaries
Deloitte will use a core solution accelerator, our Security and Privacy Risk Framework ("Risk Framework")
from our Risk Catalog Toolset, to define the boundaries for authorization in the proposed Company A system.
Deloitte's Risk Framework provides a single source of applicable, rationalized security and privacy controls that
are derived after linking requirements, risk, controls, and the Company A system's functions and operations. The
Risk Framework enables us to integrate the applicable rationalized controls into a security blueprint to address
proper coverage of user authorizations, as well as to link the specific controls required to address access at the
individual window, report, data element and field levels within the proposed Company A system. The
authorizations defined using the Risk Framework are implemented as access capabilities/permissions within our
Company A solution and granted to users through user role assignments. The Company A system security
blueprint will include standardized operating environment descriptions, reference architecture, interfaces,
baseline controls and role definitions.
Sidebar: Deloitte's Security and Privacy Risk Framework
• Used in over 100 clients
• Over 120 authoritative sources currently in the Risk Catalog tool set
[Figure: Deloitte's four-step security categorization process; only the panel content below is recoverable from the original figure.]
• Identify all information types that are input, stored, processed and/or output
• Document information types with the basis for information type selection
• Select the security impact levels for the identified information types
• Determine Security Category (SC) for each information type: SC = {(Confidentiality, Impact), (Integrity, Impact), (Availability, Impact)}
• Document provisional impact levels
4. Assign Security Categories
Deloitte uses a four-step process to perform security categorization of the information for the Company A system.
Figure 14-X. Deloitte's Security Approach for the Development of the Security Plan.
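As an added worked example (not part of the original proposal), the categorization step above carried through in Python: each information type gets SC = {(Confidentiality, Impact), (Integrity, Impact), (Availability, Impact)}, and the system-level category is the FIPS 199 high-water mark across all information types, which the proposal's figure does not spell out. The information types and their impact levels are constructed assumptions for an eligibility web portal, not values from any real categorization.

```python
from dataclasses import dataclass

# FIPS 199 potential impact levels, ordered so that a larger index is a higher impact.
LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {name: i for i, name in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type identified in step 1 with the impact levels selected for it."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def security_category(self) -> dict:
        """SC = {(Confidentiality, Impact), (Integrity, Impact), (Availability, Impact)}."""
        sc = {obj: getattr(self, obj) for obj in OBJECTIVES}
        for obj, level in sc.items():
            if level not in RANK:
                raise ValueError(f"{self.name}: unknown {obj} impact level {level!r}")
        return sc


def system_security_category(info_types) -> dict:
    """Step 4: aggregate per objective with the FIPS 199 high-water mark, i.e. the
    highest impact level that any information type carries for that objective."""
    if not info_types:
        raise ValueError("at least one information type is required")
    system_sc = {obj: "LOW" for obj in OBJECTIVES}
    for it in info_types:
        for obj, level in it.security_category().items():
            if RANK[level] > RANK[system_sc[obj]]:
                system_sc[obj] = level
    return system_sc


def overall_impact_level(system_sc: dict) -> str:
    """Single overall level (highest of the three objectives) that selects the control baseline."""
    return max(system_sc.values(), key=RANK.__getitem__)


# Constructed sample information types; the levels are illustrative assumptions only.
SAMPLE_INFO_TYPES = [
    InfoType("Applicant PII (HIPAA)", "MODERATE", "MODERATE", "LOW"),
    InfoType("Federal tax information (IRS Pub 1075)", "MODERATE", "HIGH", "MODERATE"),
    InfoType("Public program information", "LOW", "LOW", "LOW"),
]
```

Calling system_security_category(SAMPLE_INFO_TYPES) yields confidentiality MODERATE, integrity HIGH, availability MODERATE, so the overall level is HIGH even though no single type is HIGH on every objective.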
Our approach to creating a security plan commences with establishing the fundamental components required to sustain security & privacy operations.