Tag: IT Security

Being vigilant on how security is managed within an organisation, in particular when managing projects must be crucially and heavily evaluated. At a time where there is an increased expectation for transparency and privacy. Security breaches will be strictly punished, security should be at the forefront of thoughts and not just for what the projects are meant to deliver but also how they are run.

Customers often expect to be able to interact with organizations digitally and this creates additional concerns and risks.  Whilst we should of course keep the clear and present cyber-security risks front of mind, we shouldn’t ignore the broader information security risks which might have nothing to do with the particular technology or process that is being worked on.  In fact, it’s an opportunity to ask some crucial questions about existing processes that may have emerged years ago that are no longer fit for purpose today.

There have been projects conducted to develop online portals for customers, these type of projects are becoming more and more common. When conducting projects of this nature, interaction with security experts, architects, and having very robust non-functional requirements with testing is a must.  However, this can also create a “Rod for your back” when the focus is on security, the online processes becomes so secure that even authorized users can’t access the portal.  Having a password that expires after one month for example is probably pretty irritating if an ‘average’ customer accesses their account once or twice per year.

This creates an issue and dilemma for the team, especially when the scope or remit from the stakeholders representing customers want to focus on ease of use.  Then there are another group of stakeholders who have an interest in ensuring compliance and managing risk who wanted to focus on impenetrable security.  The challenge, it turns out, is to find a sensible balance between the two. 

When examining a situation of this nature, two questions become pertinent.

•  “How else can customers engage with us?”
• “What security protocols are there via those channels?”

Focus on these questions can find out if a customer the information provided by a customer is actually accurate. Especially when basing identification on pieces of information that were held on file—typically things like full name, address, postal code, date of birth and so on.  All this information sounds quite acceptable and sensible. However thinking broadly, who knows this information about you?  Possibly neighbours, distant relatives and a proportion of colleagues. Let’s not mention if the post is used, meaning how is a signature validated?

It should be understood that Cyber Security is important but don’t forget about the broader information security. Situations arise where new processes are subject to checks and balances that may not exist on other channels. This in turn creates a useful opportunity to ask: “are we being too risk averse here?  If not, do the same risks exist for other channels? And if so, shouldn’t we strengthen them too?”

In many cases, it’ll be completely sensible to continue with a focus on cybersecurity, especially when introducing new processes, while also tightening up older processes that might not have been examined for many years.  This assists with promotion of a more holistic view on risk, and helps reduce the risk of fraud or information leakage.  Whilst large-scale IT system breaches might mean that a huge quantity of data is compromised, and this should be avoided at all times. It also shouldn’t be underestimated the reputational damage of one or two personal records being misappropriated for fraudulent reasons.

As with so much of what is performed as project managers, business analysts, ensuring a systemic and holistic approach, working with our customer and stakeholders to zoom out and see a clearer picture of balancing cyber-security, information security and what is trying to be achieved by the project, is a very careful balancing act. Let us know your thoughts on cyber-security, Information Security when running your projects, we would like to read your comments.