Comment

Security-proofing agency business processes

At their core, virtually all government agencies are process-driven, and this is especially true in direct citizen- and business-facing agencies. Systems and software that are driven by business processes are increasingly being implemented on top of service-oriented or cloud-based infrastructures, and they are becoming intertwined with security and privacy compliance.

Too often in government, business and security risk assessments are conducted as formalities and in a rather disjointed fashion. Information security/technology teams usually do not know the business processes and therefore focus their risk assessments on specific threats and "cool" technologies streaming out of industry. Consequently, in investment review board meetings, CIOs are unable to justify the need for new security protections or products in business terms.

Conversely, agency business process managers and executives usually know their processes and which data matters to them, but they most likely lack knowledge of the underlying technologies. As a result, risk-centered vulnerabilities get lost in the discussions — until a significant security event happens.

To resolve this disconnect, agencies must do a better job of integrating data security specifications into business process execution via rules, algorithms and models. They must also understand how certain business rules can improve service delivery efficiency while introducing high risks that essentially compromise security and/or privacy. On the other hand, applying unnecessarily burdensome security measures to a low-risk business process can result in unneeded expense and poor customer service. Finding the right balance is challenging in a security paradigm that must understand the nuances of interactions among the user, business process and business object layers in public, private and hybrid cloud environments.

Recent high-profile security breaches reveal the serious nature of unexamined business rules that drive data access. In a recent Ponemon Institute survey of major U.S./European companies, 71 percent of users said they had access to data they should not see. "Employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences," the report states.

To help close the security gap, we suggest four critical action steps:

  1. Make sure executives understand and support the need for proper security. Build relationships between the business and security teams, and gain an understanding of their roles. Make joint decisions on appropriate measures for the business processes.
  2. Don't reactively bolt security onto your business operations. Create management approaches that integrate security/privacy impact assessments into the development cycle of digital business processes. Express the risks in business terms, and don't gum up the interaction with technical or overly complex procedures. A few timeless questions are essential: Do you know how someone could break into your systems? Could you detect it and how quickly? Do you know what the worst impacts would be on your business and its customers?
  3. Stay informed! Conduct ongoing risk assessments and continuous monitoring exercises that jointly engage and inform business process managers and security/privacy managers. Remember that situations change when process rules change and/or new software-driven digital services are introduced. Increasingly focus your efforts on analytical capabilities that use automated continuous monitoring tools.
  4. Require evidence-based controls testing. Security audits and certifications have become commonplace for cloud-based IT environments because of their security/privacy challenges, but do not stop there: focus on the near- or real-time capabilities of the security steps in your business process execution. A reliable and independent third-party assessment organization should be able to help you with that.

About the Authors

Dave McClure is chief strategist at Veris Group.

Thomas Romeo is president of Maximus Federal Services.
