FCW : March 30, 2015
Security-proofing agency business processes

Technology and business teams must come together to address the risks to systems and software that increasingly reside in cloud-based environments

Commentary | DAVID McCLURE AND THOMAS ROMEO

At their core, virtually all government agencies are process-driven, and this is especially true in direct citizen- and business-facing agencies. Systems and software that are driven by business processes are increasingly being implemented on top of service-oriented or cloud-based infrastructures, and they are becoming intertwined with security and privacy compliance.

Too often in government, business and security risk assessments are conducted as formalities and in a rather disjointed fashion. Information security/technology teams usually do not know the business processes and therefore focus their risk assessments on specific threats and “cool” technologies streaming out of industry. Consequently, in investment review board meetings, CIOs are unable to justify the need for new security protections or products in business terms.

Conversely, agency business process managers and executives often know their processes and what data is important for them, but they most likely lack knowledge of the underlying technologies. As a result, risk-centered vulnerabilities get lost in the discussions — until a significant security event happens.

To resolve the disconnection, agencies must do a better job of integrating data security specifications into business process execution via rules, algorithms and models. They must also understand how certain business-based rules can address service delivery efficiencies but introduce high risks that essentially compromise security and/or privacy. On the other hand, applying unnecessarily burdensome security measures to a low-risk business process can result in unneeded expense and poor customer service.

Finding the right balance is challenging in a security paradigm that must understand the nuances of interactions among the users, business processes and business object layers in public, private and hybrid cloud environments.

Recent high-profile security breaches reveal the serious nature of unexamined business rules that drive data access. In a recent Ponemon Institute survey of major U.S./European companies, 71 percent of users said they had access to data they should not see. “Employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences,” the report states.

To help close the security gap, we suggest four critical action steps:

1. Make sure executives understand and support the need for proper security. Build relationships between the business and security teams, and gain an understanding of their roles. Make joint decisions on appropriate measures for the business processes.

2. Don’t reactively bolt security onto your business operations. Create management approaches that integrate security/privacy impact assessments into the development cycle of digital business processes. Express the risks in business terms, and don’t gum up the interaction with technical or overly complex procedures. A few timeless questions are essential: Do you know how someone could break into your systems? Could you detect it and how quickly? Do you know what the worst impacts would be on your business and its customers?

3. Stay informed! Conduct ongoing risk assessments and continuous monitoring exercises that jointly engage and inform business process managers and security/privacy managers. Remember that situations change when process rules change and/or new software-driven digital services are introduced. Increasingly focus your efforts on analytical capabilities that use automated continuous monitoring tools.

4. Require evidence-based controls testing. Although security audits and certifications have become commonplace for cloud-based IT environments because of security/privacy challenges, focus on the near- or real-time capabilities of the security steps in your business process execution.

DAVID McCLURE is chief strategist at Veris Group, and THOMAS ROMEO is president of Maximus Federal Services.