Enterprise Security Architecture

Security that works with your business.
Not against it.

Security architecture done well is invisible: it enables business decisions, accelerates transformation, and reduces long-term technical and compliance risk. We apply SABSA, a widely adopted framework for business-aligned, risk-driven security architecture, combined with 25+ years of hands-on experience at Canada's largest financial institutions, retail and public-sector organizations.

Our methodology

The SABSA approach

SABSA is a framework and methodology for developing risk-driven enterprise security architectures. Every layer traces back to the business context layer, so each control can be justified by the business driver, obligation or risk it addresses, and controls with no such justification are challenged rather than funded.

1. Business Context: drivers, risk appetite, regulatory obligations, objectives
2. Architecture Design: conceptual, logical, and physical security architecture
3. Capability Mapping: technology-to-capability alignment, gap identification
4. Governance & Standards: policies, standards, controls (NIST CSF, ISO 27002, CIS Controls)
5. Roadmap Delivery: prioritized, phased plan with ownership and success criteria

SABSA integrates with enterprise architecture frameworks including TOGAF and Zachman, ensuring security architecture aligns with — and supports — your broader enterprise architecture.
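The traceability chain the five steps describe (business driver to security capability to deployed technology, then a prioritized gap list) can be made concrete in a few lines. The script below is an added illustration, not tooling from this practice or from SABSA itself; the drivers, capabilities, technologies, maturity scores and weights are constructed sample data, and the scoring rule (shortfall multiplied by the summed weight of the supporting drivers) is one simple choice among many.

```python
"""Added illustration: encode the business-driver -> capability ->
technology chain and compute a prioritized capability gap list.
All names and scores below are constructed sample data, not from any
real engagement; the scoring rule is an assumption, not a SABSA rule."""
from dataclasses import dataclass


@dataclass
class Driver:
    name: str
    weight: int            # business priority, 1 (low) .. 5 (critical)


@dataclass
class Capability:
    name: str
    drivers: list          # names of business drivers this capability supports
    required: int          # required maturity set by risk appetite, 0..5


@dataclass
class Technology:
    name: str
    provides: dict         # capability name -> maturity actually delivered, 0..5


def capability_gaps(drivers, capabilities, technologies):
    """Return gaps sorted by business impact.
    impact = (required - achieved) * sum(weights of supporting drivers)"""
    weight = {d.name: d.weight for d in drivers}
    gaps = []
    for cap in capabilities:
        # Achieved maturity is the best any single technology delivers;
        # two overlapping tools do not add up to a stronger capability.
        achieved = max((t.provides.get(cap.name, 0) for t in technologies), default=0)
        shortfall = cap.required - achieved
        if shortfall <= 0:
            continue
        importance = sum(weight[d] for d in cap.drivers)
        gaps.append({
            "capability": cap.name,
            "required": cap.required,
            "achieved": achieved,
            "impact": shortfall * importance,
            "drivers": list(cap.drivers),
        })
    return sorted(gaps, key=lambda g: (-g["impact"], g["capability"]))


def orphan_capabilities(capabilities):
    """Capabilities that trace to no business driver. They carry no
    justification and should be questioned before they are funded."""
    return [c.name for c in capabilities if not c.drivers]


# Constructed sample data (hypothetical organization)
SAMPLE_DRIVERS = [
    Driver("PCI-DSS obligation for card payments", 5),
    Driver("Cloud migration of customer portal", 4),
    Driver("Third-party broker connectivity", 3),
]
SAMPLE_CAPABILITIES = [
    Capability("Network segmentation", ["PCI-DSS obligation for card payments"], 4),
    Capability("Encryption at rest",
               ["PCI-DSS obligation for card payments", "Cloud migration of customer portal"], 4),
    Capability("API authentication",
               ["Third-party broker connectivity", "Cloud migration of customer portal"], 3),
    Capability("Security monitoring (SIEM)", ["PCI-DSS obligation for card payments"], 3),
    Capability("Legacy token service", [], 2),
]
SAMPLE_TECHNOLOGIES = [
    Technology("Firewall + VLAN design", {"Network segmentation": 2}),
    Technology("Cloud KMS + disk encryption", {"Encryption at rest": 4}),
    Technology("API gateway (OAuth2 client credentials)", {"API authentication": 1}),
]

if __name__ == "__main__":
    for g in capability_gaps(SAMPLE_DRIVERS, SAMPLE_CAPABILITIES, SAMPLE_TECHNOLOGIES):
        print(f"{g['impact']:>3}  {g['capability']}: {g['achieved']}/{g['required']}"
              f"  <- {', '.join(g['drivers']) or 'no driver'}")
    print("Untraced capabilities:", orphan_capabilities(SAMPLE_CAPABILITIES))
```

With the sample data, the untraced "Legacy token service" still shows a maturity shortfall but scores zero impact and lands at the bottom of the list, which is the point: a gap with no business driver behind it is a question for the business-context step, not a roadmap item.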

What we advise on

Core architecture advisory services

Security architecture advisory spans the full range of enterprise security domains — from foundational assessments to specific platform and technology reviews.

Architecture Assessment & Gap Analysis

Evaluate your current security architecture against your business context, regulatory requirements, and best-practice frameworks. Document findings in plain business language with a prioritized gap analysis.

Enterprise Security Architecture Design

Develop target-state security architecture aligned to your business strategy. Conceptual, logical, and physical architecture documentation with patterns and standards for your team to implement.

Cloud Security Architecture Review

Advisory on cloud security architecture for Azure and AWS environments. Review of cloud adoption plans, security control alignment, and architecture guidance for hybrid and multi-cloud deployments.

Identity & Access Management Architecture

Advisory on IAM architecture and federated identity. Guidance on access model design and on migration from legacy access management approaches.

OT/IT Security Architecture

Advisory on security architecture spanning both Information Technology and Operational Technology environments. Network segmentation, OT-specific threat models, and convergence architecture for safety-critical infrastructure.

PCI-DSS Architecture Advisory

Security architecture guidance for PCI-DSS compliance — cardholder data environment scoping, network segmentation, control design, and architecture documentation for QSA assessments.

Threat Modelling

Integration of threat modelling into security architecture and project review processes. Structured analysis of threats, attack surfaces, and countermeasures tied directly to architecture decisions.
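What "tied directly to architecture decisions" looks like in practice: every enumerated threat is either mapped to a control that already appears in the architecture documentation, or it becomes an open design decision with an owner. The script below is an added illustration and not this practice's method; it assumes STRIDE-per-element as the classification scheme, and the elements, flows and control names (a broker, an API gateway and a claims database) are constructed sample data.

```python
"""Added illustration: STRIDE-per-element threat enumeration over a small
data-flow model, producing a register in which each threat is either
mitigated by a documented control or recorded as an open design decision.
STRIDE is an assumed choice of scheme; all elements, flows and control
names are constructed sample data."""
from dataclasses import dataclass

# Standard STRIDE-per-element applicability by DFD element type.
STRIDE_BY_ELEMENT = {
    "external": {"Spoofing", "Repudiation"},
    "process": {"Spoofing", "Tampering", "Repudiation",
                "Information disclosure", "Denial of service",
                "Elevation of privilege"},
    "datastore": {"Tampering", "Repudiation", "Information disclosure",
                  "Denial of service"},
    "dataflow": {"Tampering", "Information disclosure", "Denial of service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                # external | process | datastore


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    crosses_boundary: bool   # True when the flow crosses a trust boundary


def enumerate_threats(elements, flows):
    """Yield (target, threat, crosses_boundary) for every element and flow."""
    targets = [(e.name, e.kind, False) for e in elements]
    targets += [(f"{f.src}->{f.dst}", "dataflow", f.crosses_boundary) for f in flows]
    for name, kind, boundary in targets:
        for threat in sorted(STRIDE_BY_ELEMENT[kind]):
            yield name, threat, boundary


def threat_register(elements, flows, controls):
    """Build the register. `controls` maps (target, threat) -> control name
    taken from the architecture documentation. Anything unmapped is an open
    design decision; open threats on boundary-crossing flows rank high."""
    register = []
    for target, threat, boundary in enumerate_threats(elements, flows):
        control = controls.get((target, threat))
        status = "mitigated" if control else "open"
        if status == "open":
            priority = "high" if boundary else "medium"
        else:
            priority = "n/a"
        register.append({"target": target, "threat": threat,
                         "control": control or "-",
                         "status": status, "priority": priority})
    return register


def open_decisions(register):
    """The subset that must become Key Design Decisions or accepted risks."""
    return [r for r in register if r["status"] == "open"]


# Constructed sample model: third-party broker -> API gateway -> claims DB
SAMPLE_ELEMENTS = [
    Element("Broker", "external"),
    Element("API Gateway", "process"),
    Element("Claims DB", "datastore"),
]
SAMPLE_FLOWS = [
    Flow("Broker", "API Gateway", crosses_boundary=True),
    Flow("API Gateway", "Claims DB", crosses_boundary=False),
]
# Controls already recorded in the (hypothetical) architecture documentation
SAMPLE_CONTROLS = {
    ("Broker", "Spoofing"): "mTLS client certificates",
    ("API Gateway", "Spoofing"): "OAuth2 client credentials",
    ("Claims DB", "Information disclosure"): "Encryption at rest (KMS)",
    ("Broker->API Gateway", "Tampering"): "TLS 1.2+",
    ("Broker->API Gateway", "Information disclosure"): "TLS 1.2+",
}

if __name__ == "__main__":
    reg = threat_register(SAMPLE_ELEMENTS, SAMPLE_FLOWS, SAMPLE_CONTROLS)
    for r in open_decisions(reg):
        print(f"[{r['priority']:6}] {r['target']}: {r['threat']}")
```

Running the sample yields 18 enumerated threats, five of which are covered by documented controls; the one high-priority item is denial of service on the boundary-crossing broker-to-gateway flow, which has no rate limiting or similar control recorded and therefore needs an explicit decision before the design is signed off.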

API & Application Security Architecture

Advisory on API security architecture, web application security patterns, and application security review processes — including third-party connectivity, authentication standards, and data exposure controls.

Data Protection & Encryption

Advisory on data classification, encryption standards for data at rest and in transit, key management architecture, and data flow diagramming to support both security architecture and privacy compliance.

Sector expertise

Industry-specific architecture knowledge

Security architecture is not generic — the right design depends on your sector's specific risk landscape, regulatory requirements, and technology environment.

Banking & Financial Services

Core banking, payments, and regulatory compliance

  • Application security vulnerability management programs
  • Mainframe access control architecture and IAM modernization
  • Cloud security architecture for Azure and AWS migrations
  • Payment system security and PCI-DSS compliance architecture
  • Network security architecture — VPN, SSL decryption, web content filtering

Insurance

Enterprise architecture integration and claims platform security

  • Integration of security into Enterprise Architecture Frameworks
  • Claims technology platform security architecture
  • Data Encryption Standards for data at rest and in transit
  • API security controls for third-party broker and vendor connectivity
  • OSFI alignment and regulatory compliance architecture

Public Transit & Operational Technology

Fare payment systems and OT/IT convergence

  • Smart card fare payment security architecture and PCI-DSS compliance
  • OT/IT security architecture for safety-critical transit infrastructure
  • SIEM implementation and security KPI reporting
  • Cryptographic key management architecture
  • Third-party system integrator security oversight

Government

Provincial government and multi-ministry security architecture

  • Enterprise security architecture across multiple ministry mandates
  • Multi-data-centre architecture for citizen-facing and internal platforms
  • Privacy-by-design architecture for public digital services
  • PCI-DSS advisory for government payment adoption
  • Corporate Security Branch architecture solutions

What you receive

Architecture advisory deliverables

Every engagement produces documentation your team can actually use — not shelf-ware. Deliverables are scaled to engagement scope and your organization's context.

Current-state security architecture assessment and findings documentation
Target-state security architecture documentation and patterns
Security capability map — technologies to capabilities, gaps identified
Data flow diagrams and architecture context diagrams
Prioritized gap analysis and remediation roadmap
Security policies, standards, and encryption framework recommendations
Threat modelling results integrated into architecture documentation
Vendor and technology assessment documentation
Architecture review findings for project and platform security
Key Design Decision documents and Issue Briefs for architecture governance

In practice

Architecture advisory in regulated environments

A representative selection of security architecture advisory engagements. Client identities are kept confidential.

Major Canadian Bank · 2019–2022

Application security, cloud architecture, and IAM modernization

Three separate advisory engagements at one of Canada's largest banks, spanning an application security vulnerability management program, cloud security architecture review (Azure, AWS), IAM architecture guidance for mainframe-to-Active Directory modernization, and security documentation for network security solutions including VPN and SSL decryption.

Tags: Cloud security · IAM · Vulnerability management · Network architecture

Regional Smart Card Payment System · 2012–2015

End-to-end security architecture for a fare payment system at scale

Security architecture advisory for a regional fare payment system — $250M+ in transactions, 1M+ fare cards, 2,000+ devices. Advised on PCI-DSS compliance architecture, SIEM deployment with KPI reporting, cryptographic key management, Privacy Impact Assessment coordination with Privacy Commissioner, and SOC 2 audit coordination.

Tags: PCI-DSS · SIEM · Key management · Privacy architecture

Major Canadian P&C Insurer · 2016–2017

Enterprise architecture framework integration and claims platform security

Advised on integrating security capabilities into the Enterprise Architecture Framework using SABSA and ISO 27002. Drafted Data Encryption Standard, security architecture for claims technology platform, and API security guidance for third-party connectivity modernization.

Tags: SABSA · ISO 27002 · API security · EA integration

Provincial Government — Multiple Ministries · 2000–2011

Multi-ministry enterprise security architecture over a decade

Over a decade of security architecture advisory across provincial government ministries. Includes a major platform re-architecture serving 65,000 internal users and 8 million residents, and PCI-DSS advisory for government payment adoption.

Tags: Government architecture · Privacy by design · Multi-DC · PCI-DSS

Get started

Ready to talk about your security architecture?

A 30-minute advisory session costs nothing and clarifies a great deal. Whether you need a full architecture assessment or guidance on a specific domain — let's start with a conversation.