Security? Your business analyst can help.
Public scrutiny surrounding data security is increasing, driven by several high-profile lapses in information governance. As a consequence, the need for organisations to invest in understanding and analysing their current security posture has never been more pertinent. Not only should most organisations have a clear view of their present status, they should also consider what is required to protect the business into the future.
Although traditionally a more significant concern for banking and other financial institutions, today no organisation can ignore security. That’s especially relevant to those companies which are delivering services online.
When considering security, the first threat is typically taken to be external people: hackers maliciously using information. But there is a lot more to it. While that element hasn’t disappeared by any means, the threats are far more widespread. Indeed, they start within the company – it is necessary to protect information from internal (authorised) users, while facilitating easy access to the ‘right’ information for the ‘right’ people.
In exploring how a Business Analyst (BA) should assist with security, it is necessary to first note that it is a substantial and extensive topic. More than that, the BA is not a security expert: instead, he or she has knowledge of business models, systems and, of course, processes. It is their knowledge of how business systems should be designed for efficiency and performance which should also be leveraged to ensure security; rather than supplying answers, in many instances the BA should be asking pertinent questions which the business – supported by the necessary security expertise – should satisfactorily answer.
Let’s consider those questions.
Audits: These requirements address the need for solutions to be auditable. The BA may consider or specify:
- Who will perform the audits?
- Frequency of the audits?
- How non-compliance issues will be handled?
- What audit information will be recorded and tracked?
- Timeliness (how current must information be)?
- Database replication / Data quality / Referential integrity?
- Content and format?
- Degree of sensitivity (personal)?
- Degree of confidentiality?
- Web site privacy statement?
- Industry standards
- Data, screen, or application level controls
- Data transmission protocols
- Remote access
- Password control
- Who assigns authorisations?
- Who designates alternate authorised users?
- How access is assigned (named individuals, group, roles)?
- Procedure of obtaining temporary access.
- Procedures for changing passwords.
- Degree to which the product or service performs to expectations
- Anticipated frequency or timing of failures
- Expected cause of failures
- Acceptable recovery time (downtime)
- Mechanism for recording and tracking faults and failures
- Individual persons
- Job functions
- Archiving procedures
- Backup and restore operations
- Any deletion of information
- How long the information needs to be retained
- What is the volume of data
- What needs to be backed up
- Who is responsible for performing backup and restore operations
- What is the storage medium for backup
- What is the volume of backup
- Where will the backup be stored
- How often the backup will be performed
- What security measures are in place
- What will be the rate of growth of data