Process Security – Is Process the Most Vulnerable Component of IT
1. Introduction
Process is the foundational aspect of any IT system. It serves as a binding force between people and technology
for the purposes of making all operate efficiently and effectively. Without some form of documented process,
employees lack a controlled approach to accomplish job duties. The absence of process also makes it
increasingly difficult to use the technology tools contained within the IT system. The process aspect of an IT
system represents the portion with the most interfaces and points of failure that can be exploited by internal or
external threats. As such, organizations would be prudent to put an increased focus on process management to
mitigate risks associated with process vulnerability. As with the other aspects of the IT systems, vigilance is
needed to ensure all vulnerabilities are mitigated on a continuous basis.
2. Planning and Design Vulnerabilities
The level of process vulnerability that exists within an organization can be directly correlated to the relationship
between IT and the business it serves. In the normal cycle of commercial and government business, executives
and senior management set forth strategic objectives to accomplish certain goals and objectives. These can be
driven by wide array of input from data related to the economic environment, market reports, product and/or
solution development, and multi-year strategic plans. In similar fashion, government agencies look at analogous
data but with less focus on economic return and more focus on mission completion and budget. These strategic
goals and objectives will typically result in the production of plans and programs to produce the outputs
necessary to accomplish them. More than likely, each of these plans and programs, depending on size and
scope, will require support from IT and include requirements for one or more IT systems. The relationship
between IT and the business becomes a critical component to the success or failure of meeting leadership’s
goals and objectives.
At all levels, planning requires extensive discussion and review before agreement can be obtained on a direction.
This is especially true with IT systems largely because of the complexity involved and the breadth of potential
impact. It is very common to have a wide range of perspectives and broad set of priorities to discuss, negotiate,
and agree upon. At the core of this discussion is the ability of the proposed change to facilitate the successful
completion of process to produce desired business outcomes. The business will typically seek out the solution
that provides the greatest accessibility and productivity for workers to produce desired outcomes. To ensure that
there is balance built into the system, personnel from IT need to be involved with planning and design work in
order to ensure that process security is not sacrificed as part of the drive for accessibility and productivity. When
this is done it often has a great impact from a cost and stability standpoint. Goel and Chen (2006) state on this
subject that companies ‘retrofit security into their business processes in response to security breaches... at a
significant cost’. This can be avoided by considering process vulnerability during planning and design of new IT
systems as early in the process as possible.
3. Implementation Vulnerabilities
When implementing changes in new IT systems, it is critical to verify that the actual results match the intent of
the requirements and design. From a process standpoint, this translates into making sure the process workflow is
executed through the technology as intended, is producing the expected results, and is understood by those
executing the process. This is typically accomplished through the use of quality management and control best
practices as well as variety of tests conducted by IT personnel. From a security perspective, IT personnel are
responsible for making sure that there is no deviation from the process of implementation and artifacts
produced to support this effort. Any departure from standards, requirements, designs, scripts, and other
guidance developed during the planning and design of an IT system can create widespread vulnerabilities
throughout an IT system. A good example of impact can be seen with antivirus software. If an IT system has
been planned, designed, successfully tested, and piloted with an antivirus technology solution on it, but
operates slowly once when fully implemented in production environment, the solution is not to just have an IT
administrator go in and to remove the antivirus immediately. This would be considered a break in process and
could introduce more issues and vulnerabilities. The appropriate response would be to review the issue,
troubleshoot, find a solution that can maintain service, and research the issue for a permanent solution. In
support of these efforts, there are many best practice frameworks that can be leveraged, such as ITIL and COBIT,
to support this need. Along those lines the Project Management Institute (2011) states that ‘deviation from the
baseline plan may indicate the potential impact of threats and opportunities’. From an implementation process
standpoint, it is important to not depart from the plans developed during the planning and design stages to
ensure that the issues that emerge are addressed in a way that is ordered and structured.
4. Operations Vulnerabilities
Once an IT system is operational and in full use by the business, it becomes important to maintain control
around the system to ensure its operational integrity and that it continues to facilitate the outcomes sought by
the business. As part of the planning and design stages of the IT system, new or existing processes should have
been included or developed to support the goals and objectives of the business. Once those processes are
solidified, and designated as the standard, integration with the technology aspect of the system should be
addressed and implemented as part of the system. Control processes for the system should have also been
identified or established for maintenance and sustainment over time. This supports broader control and
operational integrity by providing stability and standardization for the business and the IT system. In other
words, if each user role knows what they should do, and how they should execute, that will facilitate stability and
support operational integrity. If IT personnel have a process that they can follow to govern the system and
maintain control over the technology, process, and user roles, that will also supports stability and
operational integrity goals as well.
Vulnerability is introduced into operations when there is a lack of ability to control and maintain order over the
IT system. In the absence of standard processes and approaches, vulnerabilities are propagated across the
system and chaos emerges as the behavioral norm. When control and standardization is limited or non-existent,
the result is variance in output from the IT system as well as higher labor costs for personnel having to increase
their efforts to perform job duties. The technology aspect of the IT system also become more vulnerable to
outages and failures due to the lack of standards for operating the system as well as the lack of control processes
in place to manage the technology itself. Ultimately, the IT system appears to not be providing any value
resulting in the organization investing in a new IT system, which may not be necessary. And without appropriate
lessons learned on the previous IT system, history may be doomed to repeat itself. On this subject, Cannon and
Hunnebeck (2011) state that standard approaches are necessary ‘for competitive advantage and to ensure a
consistent approach’ across the IT system. Without the consistent approach, the organization will have many
challenges being competitive, producing results, and mitigating the abundance of vulnerabilities that can
emerge through process within their area of operations.
Cannon, D. & Hunnebeck, L. (2011). ITIL Service Strategy. Retrieved from https://www.best-practice-management.com
Goel, S. & Chen, V. (2006). Can business process reengineering lead to security vulnerabilities: Analyzing the reengineered process. International Journal of Production Economics, (115)1, 104-112.
Project Management Institute. (2008). A Guide to the Project Management Body of Knowledge- PMBOK Guide 4th Edition. (4th ed.). Newton Square, PA: Project Management Institute.