Security Design Template

Uploaded by armora9221

Information Security & Control

Template for Security Design Document

V2.1
September 24, 2012
[ COVER PAGE ]

Pentaho Community Edition

Security Design Document

[ Version No. ]

[ Date ]

Part 1: Introduction

Project Overview

Currently, Scotiabank's Finance Department issues an Excel file containing the figures for mortgage sales and the profit margin from the commissions they generate, added to the budget reports for the two regions (northeast and southeast) into which the country is divided, according to interviews with Mr. Alejandro Gómez and Mr. Aldo Castillo of the Finance Department of Scotiabank CR. This allows users to access information they should not receive, creating disagreements between regions.

A Business Intelligence platform is proposed to facilitate the issuance, consolidation and creation of these reports, and also to improve the method by which the report is delivered.

Part 2: Architecture

2.1 Infrastructure Architecture Design and Configuration

Infrastructure Overview

• Brief high-level description of infrastructure requirements, e.g. high-availability, load balancing, cross-site redundancy, etc.
• Website, uses Java.
• Windows
• MS SQL database (existing, provided by the Finance Department)

Configuration Diagrams

• Not applicable

Infrastructure Management Audit Trail and Logging

• When the Community edition is used there is no auditing system; with the paid edition it is included in the installation package.

Monitoring

• Not applicable; only if the paid edition is purchased.

2.2 Application Security Architecture

Application Logical Design

It has APIs that use XML and SOAP to deliver the information.

Application Data and Process Flows

Diagram showing interaction between application logical components, including back-end and
manual processes.

Authentication Design

In this case it has an authentication method that can connect to Scotiabank's AD; alternatively, it can create its own users and assign its own roles.
The algorithm it uses to encrypt the information is 128-bit Advanced Encryption Standard (AES).

Authorization Design

• SAML 2
• CAS 2
• OAuth

Application Security

• SAML 2
• CAS 2
• OAuth

Application Management Audit Trail and Logging

It uses a third-party tool that monitors system metrics via SNMP.

2.3 Network Security Architecture

Network Security Design

Not applicable.

Network Security Management Audit Trail and Logging:

Not applicable.

2.4 Server Security Architecture

Hardening Baseline

Describe management of server hardening process from start to finish, including UAT and
Production environments, or confirm standard process as follows:

• Remove unnecessary ports and services
• Apply security patches
• Define access lists
• Install scanning tool(s)
• With the paid edition, auditing versions can be installed
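The hardening steps above call for removing unnecessary ports and services and for defining access lists; a baseline is only useful if it is checked against what the server actually exposes. As an added example (not part of the original document and not Pentaho code), the following Python script parses a constructed sample of `netstat -ano` output, as the Windows platform named in section 2.1 would produce, keeps only the sockets that accept inbound traffic, and compares them with an approved listening-port baseline, reporting both listeners missing from the baseline and baseline services that are not running. The sample output, the baseline entries and the port assignments (8080 assumed to be the Pentaho web application port) are assumptions made for the example.

```python
"""Hardening-baseline verification (illustrative example).

Parses a constructed sample of `netstat -ano` output, keeps listening
sockets, and compares them with an approved port baseline so that extra
or missing listeners are reported. Baseline contents are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    proto: str      # "TCP" or "UDP"
    address: str    # local bind address
    port: int
    pid: int


# Constructed sample output; not captured from any real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2201
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       1500
  TCP    10.0.0.5:52110         10.0.0.9:1433          ESTABLISHED     2201
  UDP    0.0.0.0:161            *:*                                    1320
"""

# Hypothetical approved baseline for the server: (proto, port) -> purpose.
# 8080 is assumed to be the Pentaho web application port; 3389 stands in
# for an administrative service whose access list is managed separately.
BASELINE: dict[tuple[str, int], str] = {
    ("TCP", 8080): "Pentaho web application (Tomcat, assumed default port)",
    ("TCP", 3389): "Remote administration, restricted by access list",
}

# One netstat row: proto, local addr:port, foreign addr:port, optional state, pid.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
WILDCARD = {"0.0.0.0", "::", "[::]"}


def parse_listeners(netstat_output: str) -> list[Listener]:
    """Return the sockets that accept inbound traffic.

    TCP rows are kept only in LISTENING state; UDP rows carry no state,
    so every bound UDP socket counts as a listener.
    """
    listeners: list[Listener] = []
    for line in netstat_output.splitlines():
        match = _ROW.match(line)
        if not match:
            continue  # banner, column header or blank line
        proto, address, port, _foreign, state, pid = match.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, address, int(port), int(pid)))
    return listeners


def exposure(address: str) -> str:
    """Describe how reachable a bound address is."""
    if address in LOOPBACK:
        return "loopback only"
    if address in WILDCARD:
        return "all interfaces"
    return f"interface {address}"


def audit(listeners: list[Listener], baseline: dict) -> dict[str, list]:
    """Compare observed listeners with the baseline.

    'unexpected' lists listeners absent from the baseline (candidates for
    removal or for an access-list rule); 'missing' lists baseline entries
    that are not listening at all (the service may be down).
    """
    observed = {(lst.proto, lst.port) for lst in listeners}
    unexpected = [
        (lst.proto, lst.port, lst.pid, exposure(lst.address))
        for lst in listeners
        if (lst.proto, lst.port) not in baseline
    ]
    missing = [key for key in baseline if key not in observed]
    return {"unexpected": sorted(unexpected), "missing": sorted(missing)}


if __name__ == "__main__":
    result = audit(parse_listeners(SAMPLE_NETSTAT), BASELINE)
    for proto, port, pid, reach in result["unexpected"]:
        print(f"REVIEW  {proto}/{port} pid={pid} ({reach})")
    for proto, port in result["missing"]:
        print(f"DOWN    {proto}/{port} expected: {BASELINE[(proto, port)]}")
```

To run it against a real server, feed the captured `netstat -ano` text to `parse_listeners` instead of the sample. The report states the bind scope next to each finding because a listener bound to loopback only (the database port in the sample) is a lower exposure than one bound to all interfaces, and that distinction decides whether the fix is removal of the service or an access-list rule.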

UAT Baseline

Production Baseline

2.5 Database Security Architecture

Hardening Baseline

Not applicable; it already exists at this time.

2.6 Cryptographic Security Architecture

Cryptographic Security Architecture

• Provide description / diagram of cryptographic security architecture
• Identify where cryptography (e.g. encryption, authentication, signing and verification, hashing techniques, etc.) is performed, e.g. over network connections (internal and external), for data in storage (a.k.a. data at rest), as part of authentication / authorization process.
• Describe which cryptographic products are deployed
• Identify underlying cryptographic algorithms used
• Identify key length used
• Describe key management and administration processes and identify associated roles and responsibilities

2.7 DBR Requirements

DBR Classification

Not applicable.

Target Production Image Retention

Not applicable.

2.8 Business Continuity Planning Requirements

BCP Requirements

Not applicable

2.9 Third-Party Processing Requirements

Third-Party Processing Requirements

Not applicable

2.10 Compliance / Legal Requirements

Compliance / Legal Requirements

Co-ordinate review of security-related clauses and appendices in legal contracts and agreements with IS&C

Part 3: Component Descriptions

Complete the template on this page for each component in the processing environment
(Production and UAT). A component is a physical device, e.g. server, host, network device,
client device, etc.

Component Name: Pentaho Community Edition

Objectives: Delivery of information.


Role | Organization | Designate | Responsibilities
Site/Server Owner | Finance Department | Mr. Alejandro Gómez | General Director of the Project and its Functions
Operational User | Zone directors, branch directors and members of the Finance Department | Aldo Mora | Responsible for helping to produce the reports and the data to be consolidated

Platform: Java and the Pentaho web application
Location:
New or Existing: Existing

Narrative

Security Component Description


Security Component | Description
Logical Access (e.g. ACF2, AD, etc.) | Existing controls provided by the bank.
O/S Change Control | Existing
Application Change Control Mechanism | Existing
Detective Software (e.g. BindView, ISS) | Existing
System Logging | Existing
Other |

Part 4: Security Implementation and Operations Design

Design of Controls:

INFORMATION SECURITY CONTROL STRATEGY


System Name: Pentaho Community Edition
Classification (Integrity / Confidentiality / Availability / Continuity): x x
Information/System Owner: Finance Department, Mr. Alejandro Gómez
Site/Server Owner: Finance Department, Mr. Alejandro Gómez
Operational User(s): Zone directors, branches and members of the Finance Department.

Security Service | Component | Security Mechanism | Residual Exposure
Logical Access | UserID; Resource Rules; Registered Confidential Data; Critical/Sensitive Files; Access Control Lists; etc. | |
Access Control List requirements | Document all aspects of ACLs: owner; group; reporting level (i.e. NetID); production operations; support operations; CCS requirements; back-up requirements | |
Change Control | Code promotion to UAT; Code promotion to Production; Access Control Lists; Resource Rights; Powerful Privilege custody; etc. | |
Physical Access Controls | Security of assets; Inventory | |
Backup, Retention and Rotation | Backup: frequency; method; storage location; retention period; offsite rotation; retrieval process; destruction of media | |
Disaster Recovery | Back-up and DBR strategy: DBR Classification; Time requirements; Design; Implementation; Testing | |
Performance and Capacity | Components requiring capacity monitoring; Tools used for such monitoring; Roles and Responsibilities | |
Testing: Security Components | Ensure that test plans include the following: stress testing strategy; max. concurrent sessions required (incl. front-end to back-end relationship) | |
Management & Reporting: Measurement of Security Controls | ISS Scans; BindView scans; Other | |
Processing Controls | Production processing requirements | |
Exception Handling | Error handling requirements and escalations | |
Monitoring | Standard monitoring tools are implemented and tested, where appropriate: CPU; memory; disk I/O; disk availability; network connections; sockets; handlers. Implement processes to monitor and log the following: key processes; log file events; audit trails | |
Application: Userid and authority for application execution | Document in detail: use of accounts with Special Powerful Privileges (SPP) – not Root; Set UID private; key configuration settings | |
Service Level Agreements | Determine Service Level Agreement (SLA), as this will drive the requirements for continuity. | |
Other: Data & Information Protection | Define on-site and off-site requirements for: printing, transmitting, storing, archiving, and destruction of media-based and paper-based data and information. | |

Application Controls Strategy

Application Control Strategy


Application Function:

Module Reference:

Description:

Threat | Risk | Security Mechanism | Residual Exposure
Dollar Limits | | |
Online Approvals | | |
Auto-balancing | | |
