Friday, 14 November 2008

People, Process and Technology!

I am currently working on a security assessment of one of the large applications in the bank due to a series of incidents in the application, and it is quite concerning from my side that the technical resources of the system are just looking at the people side of the solution. Different for a change, isn't it?

They are saying that if the users could be trusted, then we wouldn't need to do all this. I find this a change from the usual technical mindset, which is "let's throw more technology at the problem". What is also concerning is that fingers are being pointed at the platform from the business application and vice versa, but when asked for their implementation and configuration guidelines, none exist. Also, when asked about the logical access control standards or the backup process, I get a blank stare.

The technology at the moment is not getting off the hook lightly; there are concerns with it. The concerns could have been significantly reduced if the correct processes and supporting standards were in place.

Little wonder then that the people in the PPT (People, Process and Technology) triangle can start manipulating the system? PPT is as important for a solution to be secure as Confidentiality, Integrity and Availability.

Solutions need to be developed incorporating both triangles, and whilst you can't merge them to make the hexagon of holistic solution design, all the points do need to be taken into account.

Needless to say, the assessment's scope has increased significantly, from a purely technical review to a holistic review of the Information Security posture of the solution and its environment.

I am looking forward to the result of the full audit of the environment as I think that it will be the first deliverable of a mature approach to the Information Risk Management approach (as opposed to an IT Security approach) that the department is trying to move towards.
