Cybersecurity has become a familiar theme in the news. It affects businesses of every size, from start-ups to global companies, all around the world.

The topic is not widely discussed in the business analysis domain, but as more and more solutions move to the cloud, it is being raised more and more often by business stakeholders.

In my book, A Navigator to Business Analysis, I present insights into the security framework.

Today I would like to share my view on how business analysts (BAs) can define effective security protection once they know what to focus on.

Five areas of focus

A cyberattack is like a tsunami – little or no warning at all, and a devastating effect when it hits the shore. With this metaphor in mind, I can say that preparedness for cyberattacks is built on five areas you need to focus on:

  • Identify (what assets and services are at risk) – WHAT
  • Guard (the business and its assets and services) – HOW
  • Detect (cybersecurity events) – WHAT, WHERE, WHEN
  • Resist (contain the impact of a cybersecurity event) – HOW
  • Restore (recover the impaired assets and services) – HOW, WHERE, WHEN

The devil is in the detail

While the five areas look straightforward at a high level, it is the details behind them that matter most to the business. There are multiple factors in each area that you need to consider while gathering requirements and specifying the required capabilities of a solution.

Identify

  • Business context (company’s mission, objectives, its environment)
  • Business Data (data flows, criticality and business value)
  • Software platform (OS) and location (on-premises, hybrid, cloud)
  • Business applications (criticality and business impact of security breaches)
  • IT Infrastructure services (telephony, internet, interfaces and business impact of outages)
  • External information systems (criticality and business impact of outages)
  • Governance (internal policies, procedures and processes, operational practice)
  • Internal risk management framework(s) and processes
  • Risk mitigation approaches and risk tolerance
  • Regulation (regulatory and legal requirements)
  • Known asset and service vulnerabilities
  • Known threats (internal and external)
  • Business impact of impaired assets and services
  • Likelihood of cybersecurity events (threat model)
  • Organisational and technology constraints

Guard

  • Identities and credentials
  • Physical access to the assets
  • Remote access to the assets
  • Access permissions (least privilege: only the functionality that is actually needed)
  • Data at rest (backup, archive, retention)
  • Data in transit (transfer, exchange)
  • Removable media with data
  • Asset and service availability
  • Asset (hardware and software) configurations
  • Production environments
  • Asset transfer, removal and disposal (hardware and software)
  • Data disposal (once retention terms have expired)
  • Audit and log records
  • Networks and interfaces
  • Barriers (event thresholds and alarm notifications)

Detect

  • Anomalous activities (internal, external)
  • Breach attempts
  • Malicious code (software)
  • Unauthorised devices, software, connections
  • Identity fraud
  • Unauthorised physical access to the assets
  • Unauthorised remote access to the assets
  • Vulnerabilities (through scans and penetration tests)

Resist

  • Investigate notifications
  • Capture the cybersecurity event
  • Activate response plans
  • Share information with partners
  • Contain and minimise the impact
  • Resolve cybersecurity incidents
  • Mitigate incident impact
  • Apply lessons learned

Restore

  • Availability of the impaired assets and services
  • Capacity of the impaired assets and services
  • Physical access to the affected assets
  • Remote access to the affected assets and services

Summary

These five areas of focus, and the details outlined under each of them, enable you to embed cybersecurity capabilities into the solutions that the business relies on.

Now you know which principles to apply and which questions to ask when you engage business stakeholders in requirements gathering. Work through these areas and factors to define the least vulnerable solutions.

You have also learnt some of the terminology of the cybersecurity domain. It will help you collaborate better with the many stakeholders in the organisations you may work for.

I wish you all the best in your projects!