Breaking Down Privacy and Security for Programmers

I read an interesting brief article today by Dr. Arnat Leemakdej, "Breaking down programming for non-programmers."  It focuses on turning "government officers into an army of programmers" in the easiest and most efficient way possible using fourth-generation languages (4GL).  (Please, you skeptics, no laughing…I’m not going to address the feasibility of that today.)  It provided a very high-level overview.  The goals are:

"Goal #1: The tool has to be easy. A non-programmer can write a business description much like a human language and mix and match activities to create a process. The tool has to be able to grab that language, understand what the writer is trying to do and then do it.

Goal #2: Since the main servers are all over the place with all kinds of security and firewalls in place, the system needs to be able to access disparate servers regardless of their environment. So web service support is mandatory since it uses standard XML asynchronous messaging infrastructure. The web services mechanism will also maintain security via several authentication methods. Reliability can be implemented through MOM or Enterprise Service Bus (ESB). So Service Oriented Architecture (SOA) is an ideal choice."

I’ve been speaking to organizations and writing about the need to integrate security and privacy into the applications and systems development process for several years.  While Goal 2 in the excerpt discusses security, it really only touches upon security as being provided by firewalls and authentication.  Of course there is so much more than that. 

"But once the UI and web services are in place, the business owner can mix and match the process flow however he wants without bothering the tech guys. When the rules change, he just rewrites his business process using available templates."

I’m all for streamlining development and ensuring efficiency.  However, with any application being built, security and privacy must be considered and integrated appropriately.  This is critical not only for compliance requirements, but also to keep security incidents from happening and to maintain privacy appropriately.  I realize the article says "once the UI and web services are in place," but security and privacy must still be considered at all points along an application lifecycle, even when it is just being mixed and matched.

The tech guys and the information security and compliance guys should definitely be involved ("be bothered") if the application involves personally identifiable information (PII), or connections outside the enterprise, and sometimes within the enterprise when communicating between different security zones. True, if an application is small, used only within the department and generates no new data, there may be no need to "bother" the tech or security folks.  However, how to make that decision should clearly be documented, preferably within a decision tree with accompanying documentation.  Don’t assume the business folks will know what to do or the appropriate times to contact IT and info sec.
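As an added illustration (not from the article or the original post), here is one way the escalation decision tree described above could be written down so it is not left to the business owner's judgment. The criteria are the ones named in this post (PII, connections outside the enterprise, crossing security zones, cross-border data, payment, new data, departmental-only use); the field names, the review labels and the "default to an IT review when not clearly exempt" rule are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass
class ProcessProfile:
    """Questions a business owner answers before mixing and matching a new process flow."""
    name: str
    handles_pii: bool = False                  # collects, stores or displays PII
    connects_outside_enterprise: bool = False  # e.g. posts to an outside web service
    crosses_security_zones: bool = False       # internal, but between different zones
    crosses_country_borders: bool = False      # PII leaves the country
    takes_payment: bool = False                # payment / PCI rules apply
    generates_new_data: bool = False           # creates records that did not exist before
    used_only_within_department: bool = False  # no users outside the owning department

def review_decision(p: ProcessProfile) -> dict:
    """Walk the decision tree; return whether to escalate and which reviews are required."""
    reviews = []
    if p.handles_pii:
        reviews.append("privacy impact assessment (PIA)")
    if p.connects_outside_enterprise or p.crosses_security_zones:
        reviews.append("information security review")
    if p.crosses_country_borders:
        reviews.append("cross-border data transfer review")
    if p.takes_payment:
        reviews.append("payment / PCI compliance review")
    # The only exemption: nothing above applies, departmental use only, and no new data.
    exempt = (not reviews) and p.used_only_within_department and not p.generates_new_data
    if not reviews and not exempt:
        # Assumed default: anything not clearly exempt still gets an IT sanity check.
        reviews.append("IT review (not clearly exempt)")
    return {"process": p.name, "escalate": not exempt, "reviews": reviews}

if __name__ == "__main__":
    # Constructed sample processes, loosely following the activities in the article.
    samples = (
        ProcessProfile("customer files request online", handles_pii=True,
                       connects_outside_enterprise=True, generates_new_data=True),
        ProcessProfile("departmental status board", used_only_within_department=True),
        ProcessProfile("departmental intake form", used_only_within_department=True,
                       generates_new_data=True),
    )
    for profile in samples:
        print(review_decision(profile))
```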

The article provided a sample business process.  Such processes should be used to map out the information security and privacy activities throughout development.  A high level example could be similar to the notes I’ve added into the sample within the article (organizations need to add more detail for their own specific situation).

"- Activity 1: customer files request."

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • Is the request via the Internet?  A public kiosk?  An electronic request from somewhere outside the enterprise network?
  • Is PII collected?  How will it be encrypted?
  • Is identity verification and/or authentication necessary?
  • What laws, regulations and/or contractual requirements cover this activity?  What controls need to be built in to meet compliance?

"- Activity 2: operator enters request. "

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • Does the information entered need to be encrypted?
  • Where does the request go?  To an outside entity?  Does it stay internal to the enterprise network?
  • Does PII cross any country borders?

"- Activity 3: system sends all entered data to Organisation A’s web service for posting on central server. "

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • Is the web service an outside entity?  If so, do they have security in place to protect the data?
  • Are backups made of the data?
  • What are the controls for access to the data on the central server?

"- Activity 4: Organisation A sends back acknowledgement that everything is okay. "

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • How does the acknowledgement get sent?  Via website?  Email?  Some other method?
  • Does the acknowledgement contain PII?  If so, how will it be encrypted?
  • Is the acknowledgement worded in such a way that complies with applicable laws and regulations?

"- Activity 5: operator informs customer. "

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • How is the customer informed?
  • Does an audit log of this activity need to be generated?

"- Activity 6: customer can make payment to operator. "

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • In what ways can payment be made?
  • What needs to be done to meet regulatory, PCI, etc. compliance?
  • What are the security risks involved with each method?
  • What are the legal requirements for each method?

"- Activity 7: operator prints out receipt for customer."

Privacy and info security issues to address; you may need to do a privacy impact assessment (PIA) or risk analysis:

  • Where is the receipt printed?
  • Is it a hard copy print?  What are the safeguards that need to be in place?
  • How is the receipt sent to the customer?  What are the risks involved?

This is a very rudimentary exercise, but it should give you an idea of the types of considerations that need to be made for integrating security and privacy into applications and systems, even for 4GL and BPAL apps.

If organizations can consistently integrate security and privacy into the applications and systems development process, many incidents and noncompliance issues can be prevented from materializing once the application or system is in production.

Wouldn’t that be nice?  🙂
