Sample Cloud Security Project

The document provides a security baseline framework for assessing a client's IT infrastructure. It outlines the scope, approach, and scoring methodology to evaluate networking, security, datacenter, workspace, and identity and access management domains. An overview shows most domains are at the developing maturity level, with recommendations to improve network segregation, access control, and vulnerability management.

Uploaded by

Khairul Anam
Copyright: © All Rights Reserved

SECURITY BASELINE FRAMEWORK
Khairul Anam
+6014 3656551
[email protected]
linkedin.com/in/khairulanamcwa/
DOCUMENT PURPOSE
What is this?

01 INTRODUCTION
To serve as a framework to understand minimum security requirements for client's IT landscape.

02 TARGET AUDIENCE
Client's internal or client delivery teams. This framework is provided for, and designed to be used by, IT & Strategy, as well as any relevant personnel.

03 SUPPLEMENTAL MATERIAL
There is a companion document (Scorecard) that focuses more on how to assess deliverables for any IT project, as well as the IT framework definition.

SCOPE and approach of the assessment

TARGET
Gain an overview of client's IT Security elements and identify major non-compliances against the IT Security Infrastructure standard, without evaluation on maturity of implementation

SCOPE
Client's IT Security Infrastructure Standards:
• Networking
• Security Infrastructure
• Datacenter
• Workspace End-user
• Identity and Access Management (IAM)

APPROACH
INPUTS
• Review the relevant MINIMUM requirements defined within IT Security Infrastructure Standard
  EFFORTS: ~8 Hours
• Virtual/F2F Interviews with key stakeholders and domain owners
  EFFORTS: ~128 hours (~8 hours per entity)
• Validate control design by reviewing sample evidences & documentation
  EFFORTS: ~320 hours (~20 hours per entity)
• Recommend improvements to client's
  EFFORTS: ~128 hours | ~8 hours per entity reporting

RISK BASED COMPLIANCE SCORING
MATURITY RATINGS

• MATURITY LEVEL 5 (5), Managed: Security control is implemented with Low/No risk deviations
• MATURITY LEVEL 4 (4-4.99), Improving: Security control is implemented with Medium risk deviations
• MATURITY LEVEL 3 (3-3.99), Defined: Security control is implemented with High risk deviations
• MATURITY LEVEL 2 (2-2.99), Developing: Security control is still under development with low to medium risk deviations
• MATURITY LEVEL 1 (1-1.99), Not existing: Security issue exists & requires addressing; however no security control exists to tackle the issue.

RISK BASED COMPLIANCE SCORING
[Scorecard grid: one maturity rating per domain, with columns DOMAINS, TARGET, and CLIENT'S GROUP / CLIENT'S REGION entities A, B, C, D, F, G.]

Domains (rows):
• NETWORKING
• SECURITY INFRASTRUCTURE
• DATACENTER (NA: No External Third-Party Datacenter)
• WORKSPACE END-USER
• IDENTITY AND ACCESS MANAGEMENT

Legend: Not existing, Developing, Defined, Improving, Managed, NA (Not Applicable)

COMPLIANCE ASSESSMENT OVERVIEW PER DOMAIN
OVERALL SUMMARY IN COMPARISON WITH RELEVANT PEERS

Maturity scale:
• 1 Not existing: Security issue exists & requires addressing, however no security control exists to tackle the issue
• 2 Developing: Security control is still under development with low to medium risk deviations
• 3 Defined: Security control is implemented with High risk deviations
• 4 Improving: Security control is implemented with Medium risk deviations
• 5 Managed: Security control is implemented with Low/No risk deviations

Essential recommendations:
• 1 Networking: Network Segregation, Network Access Control (802.1x) across all locations
• 2 Security Infrastructure: Web Application Firewall, System Logging, SIEM Solution, Vulnerability Assessment, Partner account security
• 3 Datacenter: Due Diligence of Third-Party DC providers, ISAE 3402, ISO 27001, Storage data classification
• 4 Workspace End-user: Full disk encryption, Antivirus, Host based Firewalls, Centralized Mgmt. & Device Control solutions
• 5 Identity & Access Management: 2 Factor Authentication for remote access, Enterprise Certificate Authority and CA signed certificates

LEGEND: Industry Benchmark; client's region A; client's region B; client's region C

Overall Summary Statement based on the Maturity
• Network Segregation and Network Access Control will significantly reduce system exposure to threats.
• Assets that are accessible from untrusted networks like the Internet, such as websites and web application servers, are highly vulnerable and must be protected using Web Application Firewalls.
• Vulnerability Assessments should be carried out prior to Go-live and on a regular basis to identify potential vulnerabilities that may be exploited by threat actors. Baselines should be documented for all technologies used.
• Due Diligence should be carried out for Third Parties to validate if they are compliant with client's Security requirements and overall regulatory requirements. Remote access should be secured using 2 Factor Authentication.
• Data Leakage controls must be deployed on endpoints as these are exposed to several threats.

KEY Strengths
OVERARCHING STRENGTHS

• Usage of Central Directories: Active Directory is deployed across most of the client's entities assessed. Domain policies are deployed and in-use.
• Wide usage of VPN to connect to Head offices: Branch offices connect to the main HQ office Internet Breakout at each country using VPN solutions
• Wireless Controllers: Central Management for Wireless Access Points at most client's entities
• Central Email & Mobile Device Security: Group Solution O365 Email SPAM filtering and Mobile Device management is deployed for most entities

AREAS of Improvement
OVERALL PERSPECTIVE

• Network Segregation: Segregate Networks Based on Asset and Data criticality. Critical Assets like Production systems must be segregated into separate Zones
• Network Access Control: Deploy 802.1x Network Access Control across all IT Infrastructure that can support this IEEE standard
• Vulnerability Assessments: Conduct regular Vulnerability Assessments especially on critical assets deployed to Production and those which will be Internet facing.
• Due Diligence for external Datacenter providers: Conduct Due Diligence for Third Party Datacenters especially without ISO 27001 and ISAE 3402. Validate if they are compliant with client's Security requirements
• Weak Detection capabilities: Security Logging and Monitoring capabilities are weak. Data leakage solutions such as Endpoint encryption for Laptops, Host based Firewalls, Centralized Management, 2FA authentication need to be deployed

High Level Implementation PLAN
KEY SECURITY RISKS
[Risk heat map: LIKELIHOOD (Low, Medium, High, Very High) against IMPACT (Low, Medium, High, Very High), with numbered risk markers.]

Column headers as extracted: #, Key Areas of improvement, Implementation priority, Risk, Quick wins
1 | Network Security elements – *Firewall appliance, IPS, WAF, Wireless Controller | 1
2 | *Domain Controller (Corporate Directory) | 1
3 | *Enterprise Certificate Authority (CA) | 1
4 | Endpoint Protection – *Anti-Virus, Host based Firewalls, Mobile Device Management (MDM) | 1
2 | Data Classification | 4
3 | Vulnerability Assessments, Security Audits and Third-Party Due-Diligence | 5
4 | Secure Data Disposal | 6
5 | Network Segregation | 2
6 | Network Access Control | 3
7 | Privilege and Identity Access Management | 7
8 | Centralized Security logging and monitoring (SIEM) | 8
9 | Data Leak prevention (e.g. Hard Disk encryption, USB Encryption) | 9
10 | 2-Factor Authentication for remote access | 10
11 | Configuration Change Management solution | 11
12 | Minimum Baseline Security Standards for IT Infrastructure | 12
13 | Corporate Directory usage as Identity Store | 13
14 | *Server room environmental controls | 14

Why Anam The Perfect Fit
I have 8 years of experience in digital transformation and modernization for multiple industries, and I am keen to bring that experience in client's and work together with the team to drive future innovation.

The highlight of my achievements:

• Led the discussion, technical design, development and proof-of-concept for millions of dollar projects for partners and client's.

• Led the production of the whitepaper to comply with the regulation of government bodies, and as support for a fintech e-payment startup, bringing in a $15M project to the company.

• Managed architecture for 17 different products in the Airline industry while working closely with the internal stakeholders, driving the collaboration culture and best practices.

Let’s Chat!
I’m currently based in Singapore, and always available via Teams/Zoom, as well as reachable via phone.

Interests:
Reading (Currently: 4-Hours Body), Continuous Learning (Aim to be certified in AWS SAP by Q1 2023), Christopher Nolan film, Post-rock music (Toe), Japanese food, gaming, taking care of daughters and wife.
Contact Anam

+6014 3656551

[email protected]
