다음을 통해 공유


Process Security – Is Process the Most Vulnerable Component of IT

1. Introduction

Process is the foundational aspect of any IT system. It serves as a binding force between people and technology

for the purposes of making all operate efficiently and effectively. Without some form of documented process,

employees lack a controlled approach to accomplish job duties. The absence of process also makes it

increasingly difficult to use the technology tools contained within the IT system. The process aspect of an IT

system represents the portion with the most interfaces and points of failure that can be exploited by internal or

external threats. As such, organizations would be prudent to put an increased focus on process management to

mitigate risks associated with process vulnerability. As with the other aspects of the IT systems, vigilance is

needed to ensure all vulnerabilities are mitigated on a continuous basis.

2. Planning and Design Vulnerabilities

The level of process vulnerability that exists within an organization can be directly correlated to the relationship

between  IT and the business it serves.  In the normal cycle of commercial and government business, executives

and senior management set forth strategic objectives  to accomplish certain goals and objectives. These can be

driven by wide array of input from data related to the economic environment, market reports, product and/or

solution development, and multi-year strategic plans. In similar fashion, government agencies look at analogous

data but with less focus on economic return and more focus on mission completion and budget. These strategic

goals and objectives will typically result in the production of plans and programs to produce the outputs

necessary to accomplish them. More than likely, each of these plans and programs, depending on size and

scope, will require support from IT and include requirements for one or more IT systems. The relationship

between IT and the business becomes a critical component to the success or failure of meeting leadership’s

goals and objectives.

At all levels, planning requires extensive discussion and review before agreement can be obtained on a direction.

This is especially true with IT systems largely because of the complexity involved and the breadth of potential

impact. It is very common to have a wide range of perspectives and broad set of priorities to discuss, negotiate,

and agree upon. At the core of this discussion is the ability of the proposed change to facilitate the successful

completion of process to produce desired business outcomes. The business will typically seek out the solution

that provides the greatest accessibility and productivity for workers to produce desired outcomes. To ensure that

there is balance built into the system, personnel from IT need to be involved with planning and design work in

order to ensure that process security is not sacrificed as part of the drive for accessibility and productivity.  When

this is done it often has a great impact from a cost and stability standpoint. Goel and Chen (2006) state on this

subject that companies ‘retrofit security into their business processes in response to security breaches... at a

significant cost’. This can be avoided by considering process vulnerability during planning and design of new IT

systems as early in the process as possible.

3. Implementation Vulnerabilities

When implementing changes in new IT systems, it is critical to verify that the actual results match the intent of

the requirements and design. From a process standpoint, this translates into making sure the process workflow is

executed through the technology as intended, is producing the expected results, and is understood by those

executing the process. This is typically accomplished through the use of quality management and control best

practices as well as variety of tests conducted by IT personnel. From a security perspective, IT personnel are

responsible for making sure that there is no deviation from the process of implementation and artifacts

produced to support this effort. Any departure from standards, requirements, designs, scripts, and other

guidance developed during the planning and design of an IT system can create widespread vulnerabilities

throughout an IT system.  A good example of impact can be seen with antivirus software. If an IT system has

been planned, designed, successfully tested, and piloted with an antivirus technology solution on it, but

operates slowly once when fully implemented in production environment, the solution is not to just have an IT

administrator go in and to remove the antivirus immediately. This would be considered a break in process and

could introduce more issues and vulnerabilities. The appropriate response would be to review the issue,

troubleshoot, find a solution that can maintain service, and research the issue for a permanent solution. In

support of these efforts, there are many best practice frameworks that can be leveraged, such as ITIL and COBIT,

to support this need. Along those lines the Project Management Institute (2011) states that ‘deviation from the

baseline plan may indicate the potential impact of threats and opportunities’. From an implementation process

standpoint, it is important to not depart from the plans developed during the planning and design stages to

ensure that the issues that emerge are addressed in a way that is ordered and structured.

4. Operations Vulnerabilities

Once an IT system is operational and in full use by the business, it becomes important to maintain control

around the system to ensure its operational integrity and that it continues to facilitate the outcomes sought by

the business. As part of the planning and design stages of the IT system, new or existing processes should have

been included or developed to support the goals and objectives of the business.  Once those processes are

solidified, and designated as the standard, integration with the technology aspect of the system should be

addressed and implemented as part of the system. Control processes for the system should have also been

identified or established for maintenance and sustainment over time. This supports broader control and

operational integrity by providing stability and standardization for the business and the IT system. In other

words, if each user role knows what they should do, and how they should execute, that will facilitate stability and

support operational integrity.  If IT personnel have a process that they can follow to govern the system and

maintain control over the technology, process, and user roles, that will also supports stability and

operational integrity goals as well.

Vulnerability is introduced into operations when there is a lack of ability to control and maintain order over the

IT system. In the absence of standard processes and approaches, vulnerabilities are propagated across the

system and chaos emerges as the behavioral norm. When control and standardization is limited or non-existent,

the result is variance in output from the IT system as well as higher labor costs for personnel having to increase

their efforts to perform job duties. The technology aspect of the IT system also become more vulnerable to

outages and failures due to the lack of standards for operating the system as well as the lack of control processes

in place to manage the technology itself. Ultimately, the IT system appears to not be providing any value

resulting in the organization investing in a new IT system, which may not be necessary. And without appropriate

lessons learned on the previous IT system, history may be doomed to repeat itself. On this subject, Cannon and

Hunnebeck (2011) state that standard approaches are necessary ‘for competitive advantage and to ensure a

consistent approach’ across the IT system. Without the consistent approach, the organization will have many

challenges being competitive, producing results, and mitigating the abundance of vulnerabilities that can

emerge through process within their area of operations.

 

Cannon, D. & Hunnebeck, L. (2011). ITIL Service Strategy. Retrieved from https://www.best-practice-management.com

Goel, S. & Chen, V. (2006). Can business process reengineering lead to security vulnerabilities: Analyzing the reengineered process. International Journal of Production Economics, (115)1, 104-112.

Project Management Institute. (2008). A Guide to the Project Management Body of Knowledge- PMBOK Guide 4th Edition. (4th ed.). Newton Square, PA: Project Management Institute.