
Security? Your business analyst can help.

01 Nov 2012

Public scrutiny of data security is increasing in the wake of several high-profile lapses in information governance. As a consequence, the need for organisations to invest in understanding and analysing their current security posture has never been more pertinent. Not only should most organisations have a clear picture of their present status, they should also consider what is required to protect the business into the future.

Although traditionally a more significant concern for banking and other financial institutions, today no organisation can ignore security. That’s especially relevant to those companies which are delivering services online.

When considering security, the first threat that comes to mind is typically external: hackers maliciously using information. But there is a lot more to it. While that element hasn’t disappeared by any means, the threats are far more widespread. Indeed, they start within the company: information must be protected from internal (authorised) users, while still facilitating easy access to the ‘right’ information for the ‘right’ people.

In exploring how a Business Analyst (BA) should assist with security, it is necessary to first note that it is a substantial and extensive topic. More than that, the BA is not a security expert: instead, he or she has knowledge of business models, systems and, of course, processes. It is this knowledge of how business systems should be designed for efficiency and performance that should also be leveraged to ensure security; rather than supplying answers, in many instances the BA should be asking pertinent questions which the business, supported by the necessary security expertise, should satisfactorily answer.

Let’s consider those questions.

Audits: These requirements address the need for solutions to be auditable. The BA may consider or specify:

  • Who will perform the audits?
  • Frequency of the audits?
  • How non-compliance issues will be handled?
  • What audit information will be recorded and tracked?

Data Integrity: These requirements address the integrity of data. The BA may consider or specify:

  • Timeliness (how current must information be)?
  • Database replication / Data quality / Referential integrity?
  • Content and format?

Privacy: These requirements address data sensitivity and confidentiality. The BA may consider or specify:

  • Degree of sensitivity (personal)?
  • Degree of confidentiality?
  • Web site privacy statement?
  • Current privacy policy?
  • Ownership?
  • Distribution?
  • Security?
  • Encryption?

Security: These requirements address data security in terms of access restrictions placed on users and other systems. The BA may consider or specify:

  • Privacy
  • Industry standards
  • Data, screen, or application level controls
  • Data transmission protocols
  • Encryption
  • Remote access
  • Password control

Authorisation: These requirements address how authorisation is assigned. The BA may consider or specify:

  • Who assigns authorisations?
  • Who designates alternate authorised users?
  • How access is assigned (named individuals, groups, roles)?
  • Procedure for obtaining temporary access.
  • Procedures for changing passwords.

Reliability: These requirements address the acceptable defect rate or failure rate of the delivered product or service. The BA may consider or specify:

  • Degree to which the product or service performs to expectations
  • Anticipated frequency or timing of failures
  • Expected cause of failures
  • Acceptable recovery time (downtime)
  • Mechanism for recording and tracking faults and failures

Responsibilities: These requirements address the need to associate people with the tasks for which they are responsible. The BA may consider or specify the task to be performed along with the responsible parties:

  • Individual persons
  • Roles
  • Teams
  • Groups
  • Job functions
  • Organisations
  • Suppliers
  • Sub-contractors

Data retention: These requirements address the need to retain data after it is no longer considered active. The BA may consider or specify:

  • Archiving procedures
  • Backup and restore operations
  • Any deletion of information
  • How long the information needs to be retained
  • What is the volume of data

Backup & Restore: These requirements address plans and provisions for backup and restore operations. The BA may consider or specify:

  • What needs to be backed up
  • Who is responsible for performing backup and restore operations
  • What is the storage medium for backup
  • What is the volume of backup
  • Where will the backup be stored
  • How often the backup will be performed
  • What security measures are in place
  • What will be the rate of growth of data

While that is a lengthy list of considerations, it is by no means an exhaustive one. What remains a constant for every organisation, whether it has five employees or hundreds, is that it should identify the threats it may face; analyse and prioritise those threats; and put in place security measures to mitigate them. This security policy should be discussed, reviewed and put into action; periodically, it should also be subject to review, providing for consistent alignment with the business strategy and the changing nature of information security threats. In so doing, the integrity of the organisation is continually assured.