Martin Redmond

S&P Global provides a subscription service that offers financial and industry data, research, news, and analytics to investment professionals, government agencies, corporations, and universities worldwide to an estimated one million subscriptions. I consulted with S&P Global to help with software-as-a-service source selection and identity access management (IdAM), data loss protection (DLP), and cloud access security broker (CASB) technology.

I reviewed the identity access management products and facilitated a team consensus. We selected SailPoint's cloud-based identity-as-a-service (IDaaS) as their service can scale to meet the company's one million international users. It also provided identity governance to meet international compliance requirements and reduced pricing by recapturing the investment in on-premise SailPoint servers. Additionally, SailPoint-as-a-service integrates with the current privilege access management system (CyberArk).

Further, I reviewed the IT investment in data loss protection (DLP) and cloud access security broker (CASB) technology. I also built data loss protection use-case and business requirements that required forwarding proxy, reverse proxy, and API proxy capabilities.

A key step in building a repeatable risk management process is to leverage a GRC tool. Limited CapEx funding and IT staff to support the implementation of new tools mandated the selection of an eGRC software-as-a-service tool that could be funded as part of an OpEx budget. We selected the ProcessGene SaaS solution because the software provided GRC processes for risk management, compliance, IT governance, and audit. Besides, it offered a business process modeling capability to document and capture the Smithfield missing business processes needed for the enterprise architecture, change management, process improvement, ERP rollout, mergers, and acquisitions.

The second key gap was the lack of an information security architecture and the use of standards in the service design phase of the service delivery lifecycle (SDLC). To help mature the SDLC, I facilitated the introduction of DevSecOps tools as outlined in the Verisk Analytics tools stack. Jira was implemented along with a formal requirement tracking module from Deviniti.

As an implementation example, I introduce the mobile device security reference architecture, additionally with BYOD and IoT functional architecture review and mapping to compliance standards.

The following is the developed DevSecOps tool framework in which risk scoring is used to provide governance of the continuous integration/continuous development (CI/CD) environment. The risk scoring and policy governance will allow CI/CD to deploy without needing configuration control board approval.

The governance allows deployment if the risk score is below an agreed-upon level. The risk score is calculated from input from multiple sources, such as DevSecOps tools, requirements, system architecture, development team skill level, and more.

Because of the NDA with VISA, I cannot disclose the components of their back-end processing systems. It was implemented on a big data analytics platform which acted as a highly transactional, operational data store. One of the use cases implemented was Visa's mobile location confirmation and Finsphere, which works through mobile banking apps offered by participating financial institutions and focuses solely on international transactions. Once a cardholder opts in, their location can be determined using their mobile phone network, Wi-Fi, or GPS. Those options are especially important for international travelers who prefer Wi-Fi over GPS, which relies on expensive data roaming services. I was responsible for implementing security controls, such as privacy, identity, authorization, encryption, data isolation, and more.

The Security Operations Center (SOC) for General Dynamics Health System was based on a cloud-distributed clustered deployment of SPLUNK, with forwarders placed at multi-customer sites. I helped achieve SOC-2 services certification.

“Best value” security architecture for each customer engagement where implemented using the customer's IT investment in software products. The challenge was making sure the various security services would work together. As a security service integrator, working with vendors and achieving product integration was imperative. The following is a list of each of the products used per service area:
• Asset management: ServiceNow, BMC, ManageEngine, MMSoft, Opsgenie, Asset Panda, SysAid
• Vulnerability management: Rapid7, Qualys, Beyond Trust, Tenable, Symantec, Tripwire, Retina
• Endpoint Protection: Symantec, CrowdStride, Sophos, Trend Micro, Carbon Black, Trend Micro
• Patch management – SCCM, Intune, BigFix, Ivanti, SysAid, ITarian, Cld Mgn St, MngEgn, SolarWinds
• Risk management – MetricStream, RSA, IBM, ServiceNow, LogicManager, RiskConnect, RSAM

HP's Hadoop, Anatomy, Vertica, Enterprise ArcSight, and N-applications platform (HAVeN) was deployed for complex strategic big data applications. The reference architectures below were used for HP's anti-money laundering (AML), SOC, and insider threat detection products which were applications built to run on the HAVeN platform.