Haldiram - Security Architecture Review v1.2

EY has been engaged to help Haldiram's (HR) establish a uniform enterprise security architecture. The objective is to secure HR's infrastructure and applications, achieve compliance, and deliver secure services. EY's high-level approach involves assessing HR's current security state, defining a target security architecture based on standards and regulations, and providing a roadmap to implement initiatives to close any gaps.

Security Architecture Review
Infrastructure & application security (efficiency, process, standards, governance).
Understanding of Requirement

Haldiram's (hereafter referred to as HR in this document) wants to ensure they have a uniform Enterprise Security Architecture to secure the infrastructure solutions that support critical business processes, achieve compliance and deliver highly secure services.

EY has understood HR's requirements and has made a comprehensive and pragmatic offering to assist HR in meeting their objectives. The objective is understood to be to secure, simplify, consolidate and standardize the environment.

Our Approach
► Understand and assess the current state security architecture of HR, including capability, posture and gaps.
► Define the target state architecture and roadmap based on industry standards and benchmarks, considering applicable regulatory compliance.
► Define security architecture governance processes for continuous monitoring and improvement.

Workstreams
Workstream 1: Enterprise Security Architecture Guidance. Establish the security architecture based on business objectives and principles.
Workstream 2: Current State Assessment. Define specific information security controls based on the NIST CSF.
Workstream 3: Target State Architecture. Define the target state architecture and transformational roadmap, with recommendations based on the assessment.
Workstream 4: Recommendation & Roadmap. Prioritize the security capabilities and provide a timeline to implement these initiatives.

High Level Approach

1. Enterprise Security Architecture Guidance

Activities:
► Understand the business objectives and technology goals of HR.
► Understand the following in reference to the in-scope components:
  ▪ Business use cases and processes of the applications.
  ▪ Planned IT setup in terms of applications, middleware, databases, users, appliances and security controls.
► Define security principles.

Deliverables:
► Enterprise security architecture principles & business attributes.
► Security control structure for application, network and cloud.

2. Current State Assessment

Activities:
► Identify information security controls based on the following:
  ▪ Assess the availability of controls based on the NIST CSF.
► Assess the gaps of HR's current security posture against the NIST CSF.

Deliverables:
► Gap analysis report of AS-IS technologies w.r.t. missing and redundant controls, mapped to the NIST CSF.

3. Target State Architecture

Activities:
► Define the target state enterprise security architecture.
► List the applicable regulations, compliance requirements and industry standards.

Deliverables:
► Enterprise security architecture diagram as per the target architecture.

4. Recommendation & Roadmap

Activities:
► Identify gaps in HR's current architecture w.r.t. the defined enterprise security architecture.
► Provide recommendations to mitigate any gaps that may be observed.

Deliverables:
► Roadmap for initiatives with priority.
► Timelines and priority defined for each initiative.
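The Current State Assessment deliverable above (a gap analysis of AS-IS technologies against the NIST CSF, flagging missing and redundant controls) and the Recommendation & Roadmap prioritization can be made concrete with a small script. The following is an added example, not part of EY's proposal and not Haldiram's data: the control inventory, maturity scores, target tiers and business weights are constructed for illustration, while the subcategory identifiers are real NIST CSF 1.1 IDs. It derives the current profile from the strongest control mapped to each subcategory, flags overlapping controls of the same class on one subcategory, scores each gap against the target profile weighted by business importance, and orders the resulting initiatives for the roadmap.

```python
"""NIST CSF 1.1 gap assessment: current profile vs target profile.

Constructed example, not EY's or Haldiram's data. Subcategory IDs are real
NIST CSF 1.1 identifiers; the inventory, tiers and weights are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    subcategory: str   # NIST CSF subcategory the control is mapped to
    kind: str          # control class, used to spot redundant overlapping controls
    maturity: int      # 0 = absent ... 4 = adaptive (CSF tier-style scale)


# Constructed AS-IS control inventory (illustrative only).
AS_IS = [
    Control("AD with MFA for admin accounts", "PR.AC-1", "identity", 3),
    Control("SAP role-based authorisation", "PR.AC-4", "authorisation", 2),
    Control("Perimeter NGFW with IPS", "DE.CM-1", "network-monitoring", 3),
    Control("Endpoint AV (vendor A)", "DE.CM-4", "antivirus", 2),
    Control("Endpoint AV (vendor B) on plant PCs", "DE.CM-4", "antivirus", 1),
    Control("Nightly backups to corporate DC", "PR.IP-4", "backup", 2),
    Control("Firewall segmentation of plant OT", "PR.AC-5", "segmentation", 1),
]

# Constructed target profile: subcategory -> (target tier, business weight 1-3).
TARGET = {
    "ID.AM-1": (3, 2),   # asset inventory
    "PR.AC-1": (3, 3),   # identity and credential management
    "PR.AC-4": (3, 3),   # least privilege / separation of duties
    "PR.AC-5": (3, 3),   # network segmentation
    "PR.IP-4": (3, 2),   # backups conducted and tested
    "PR.IP-12": (3, 3),  # vulnerability management plan
    "DE.CM-1": (3, 2),   # network monitoring
    "DE.CM-4": (2, 1),   # malicious code detection
    "RS.RP-1": (3, 3),   # response plan executed
}


def current_profile(controls):
    """Current tier per subcategory = strongest control mapped to it; absent when none."""
    profile = defaultdict(int)
    for c in controls:
        profile[c.subcategory] = max(profile[c.subcategory], c.maturity)
    return dict(profile)


def redundant_controls(controls):
    """Two or more controls of the same class on one subcategory: consolidation candidates."""
    groups = defaultdict(list)
    for c in controls:
        groups[(c.subcategory, c.kind)].append(c.name)
    return {k: v for k, v in groups.items() if len(v) > 1}


def gap_assessment(controls, target):
    """Per subcategory: current tier, target tier, gap (>0 = below target) and priority."""
    current = current_profile(controls)
    rows = []
    for sub, (tgt, weight) in target.items():
        cur = current.get(sub, 0)
        gap = max(tgt - cur, 0)
        rows.append({"subcategory": sub, "current": cur, "target": tgt,
                     "gap": gap, "missing": sub not in current,
                     "priority": gap * weight})
    return rows


def roadmap(controls, target):
    """Initiatives ordered by priority (largest weighted gap first), ties by subcategory id."""
    rows = [r for r in gap_assessment(controls, target) if r["gap"] > 0]
    return sorted(rows, key=lambda r: (-r["priority"], r["subcategory"]))


if __name__ == "__main__":
    for r in roadmap(AS_IS, TARGET):
        flag = "MISSING" if r["missing"] else "BELOW TARGET"
        print(f'{r["subcategory"]:9} {flag:13} current={r["current"]} '
              f'target={r["target"]} priority={r["priority"]}')
    for (sub, kind), names in redundant_controls(AS_IS).items():
        print(f"redundant {kind} controls on {sub}: {', '.join(names)}")
```

With this inventory the roadmap lists PR.IP-12 and RS.RP-1 first (no control at all and the highest business weight), then ID.AM-1 and PR.AC-5, and reports the two overlapping endpoint AV products on DE.CM-4 as a consolidation candidate. In an engagement the maturity scores come from the evidence gathered in workshops and document reviews, and the target tiers and weights from the business attributes agreed in workstream 1.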



Detailed Approach

The architecture is developed top-down through the contextual, conceptual, logical, physical, component and service design layers. Business requirements identification, business attributes, risk assessment and the security vision and strategy drive the upper layers; the content of each layer is as follows.

01 Business architecture (contextual and conceptual layers)
► Identify business objectives, goals and strategy
► Identify the business attributes that are required to achieve those goals
► Identify all the risks associated with those attributes that can prevent the business from achieving its goals
► Identify the required controls to manage the risk
► Define a program to design and implement those controls

02 Logical architecture
► Governance, policy and domain architecture
► Operational risk management architecture
► Information architecture
► Certificate management architecture
► Access control architecture
► Incident response architecture
► Application security architecture

03 Physical architecture
► Platform/hardware/network/OS/file security
► Database security, practices and procedures

04 Component architecture
► Security standards (NIST)
► Apply security design principles
► Security products and tools (e.g., antivirus [AV], virtual private network [VPN], firewall, wireless security, vulnerability scanner)
► Implementation guides

05 Operational / service architecture
► Administration, configuration/patch management
► Monitoring, logging
► Access management, change management

Guiding Principles to Assessment

Security Architecture Guiding Principles

1. Deliver quality and value to stakeholders, to ensure that information security delivers value and meets business requirements.
2. Comply with relevant legal and regulatory requirements, to ensure that statutory obligations are met, stakeholder expectations are managed, and civil or criminal penalties are avoided.
3. Provide timely and accurate information on information security performance, to support business requirements and manage information risk.
4. Evaluate current and future information threats, to analyse and assess emerging information security threats so that informed, timely action to mitigate risk can be taken.
5. Promote continuous improvement in information security, to reduce costs, improve efficiency and effectiveness, and promote a culture of continuous improvement in information security.

The above organizational principles are derived from COBIT.

Information Security Principles

P1 Segregation of critical assets
P2 Defense in depth
P3 System resiliency
P4 Least privilege and segregation of privileges
P5 Traceability and auditability
P6 Usability of security mechanisms
P7 Separation of management traffic
P8 Compliance with legal and regulatory requirements
P9 Confidentiality, integrity and availability of data
P10 Attack surface reduction

This is a select list of information security principles; it shall be built upon during the engagement.

Work Products (Illustrative)

Key work products (illustrative slides, content not reproduced here):
▪ Gap Assessment / Benchmarking & Target Profile (two slides)
▪ Implementation Roadmap / Executive Summary

Detailed Scope

Activities: In-scope

▪ One public-facing D2C/B2C site: review of the security framework for the development/acquisition, operations & maintenance processes.
▪ One mobile app: review of the security framework for the development/acquisition, operations & maintenance processes.
▪ Azure & AWS cloud native: review of the security control framework adopted for cloud.
▪ Application VAPT: conduct VAPT for the cloud-hosted, externally exposed application (e.g., Magento – PaaS).
▪ Review of security policy framework: review of the existing security policies for IT infrastructure [policies only].
▪ One outlet (out of 95): review of the security control framework for operations & integration with internet, DC, plant etc.
▪ Two plants (1 from Sec A and 1 from Sec B): review of the security control framework for operations & integration with internet, DC, outlet etc.
▪ Chennai SOC: governance related to people, processes and technology to continuously monitor, detect, analyse and respond to cybersecurity incidents.
▪ Corporate DC (architecture, processes and technology): review of the cyber security controls in place from a people, process & technology perspective, and their effectiveness.
▪ Migration of DMZ to Azure: security architecture assessment (the migration is at proposal stage and the blueprint is being prepared).
▪ Integrations to third parties: review of the secure integration interface with third-party apps or platforms, covering the integration between Navision & CRM, eCom to SAP, eCom to NAV, Razorpay API integration, LOAI & Unicommerce, GST portal integration and the MDM integration interface.
▪ HO layer (with the small SQL DB) to be replaced with an API layer: security review of API development and deployment.

Pre-requisites:
1. SPOCs to be identified for the individual scope components, for example: application security, AWS/Azure cloud, security policy review, SOC, third-party integration etc.
2. Shared folder to securely upload all work products from the assessments/reviews.
3. Network architecture, application architecture, data flow diagrams, access to the security policy documents, architecture diagrams of the cloud environments, and process documents for the SOC (Security Operation Centre).

Please note: except for the Application VAPT, all other assessments are tabletop assessments. SaaS applications are managed by external owners, hence VAPT cannot be launched against them.

Assumptions and Limitations

This proposal is based on the following general assumptions and limitations. The EY Engagement Manager will continually monitor these assumptions and limitations to assess the impact on the engagement deliverables:

► Given the COVID-19 pandemic, EY understands that Haldiram's is willing to facilitate a remote-access based engagement.
► If EY is awarded the contract, both EY and Haldiram's will endeavour to agree / negotiate contract terms and conditions that are acceptable to both parties and shall act in a spirit of mutual trust and co-operation.
► Haldiram's will designate a competent employee or employees, preferably within senior management, to be responsible for the engagement.
► Haldiram's will ensure security architects are available during workshops to provide information.
► Haldiram's will ensure that the relevant architecture and related documents are readily available and contain sufficiently detailed information.
► Haldiram's will commit appropriate resources, including the involvement of the concerned departments / functions, during the engagement and in the finalization of the deliverables (or relevant sections thereof).
► The client will provide explicit approvals and time slots for assessment, and EY will use those time slots only for gathering information and conducting the assessments.
► The client will provide the necessary access to EY consultants to perform the assessment.
► Acceptance and approval of all EY deliverables is to be provided by the client within 2-3 business days of the draft deliverables being submitted by EY to the client.
► EY will take all possible measures to avoid any disruption scenario.
► The client will provide additional inputs as may be required from time to time.
► EY will not assume custodianship of any IT system or management responsibility. EY will develop the security architecture framework in line with the discussions with the identified stakeholders and the regulations that Haldiram's needs to comply with.
► EY will not assist in the implementation of the developed security architecture framework and action plan. Implementation support can be provided after completion of the framework at an additional cost.
► For a better understanding of the current security processes, EY may conduct design walkthroughs of the IT landscape on a sample basis.
► The review of the IT infrastructure security policy is focused only on the quality of policy definition w.r.t. industry best practice and applicability, not on enforcement of the policy.
► Application VAPT is not applicable to SaaS applications, since Haldiram's neither manages nor owns them. Application VAPT is applicable to applications that are owned and managed by Haldiram's (e.g., Magento – PaaS).
► In the secure integration interface review, only the interface will be reviewed from a security perspective. Review of the third-party applications/platforms themselves from a security perspective is not in scope.

Engagement Timelines

This is a preliminary draft of the project plan and schedule. The final project plan shall be discussed, prepared and mutually agreed with client’s stakeholders before the start / during the project initiation phase

Security Architecture Review: Timelines

Preliminary 18-week plan (W1 to W18); the phase durations shown in the original Gantt chart are not reproduced here.

1. Enterprise Security Architecture Guidance
2. Current State Assessment (includes policy review)
3. Target State Security Architecture
4. Recommendation and Roadmap

[The timeline does not include VAPT. The VAPT timeline will be provided separately.]

Fees

S. No | Description                                      | Fees
1     | Security Architecture Review                     | INR 28,00,000/-
2     | VAPT for one application (eCommerce – Magento)   | INR 2,00,000/-
      | Total amount (exclusive of applicable taxes)     | INR 30,00,000/-

Our pricing methodology is based on the services we are expected to provide in response to the scope of work discussed with us. We have also included appropriate project management and quality assurance time. For project execution there will be a dedicated EY team consisting of competent resources guided by a subject matter expert. Any operational expenses will be over and above the fees mentioned. Taxes will be extra as applicable.
Thank you
