2014-04-16

Ideas for #BPMshift - Delenda est "vendor-centric #BPM" - enhancing the information #security

Enterprise functioning can be considered as business activity flows spanning the applications, employees, customers and partners within and beyond the boundaries of the enterprise. Staff as well as tangible and intangible resources are involved in each business activity. Ensuring information security implies the following characteristics of the enterprise functioning:
  • Any business activity is performed only as prescribed, and any unintended use of information (e.g., access to information resources unrelated to the work performed) is impossible in principle. 
  • Organization and initial planning of business activities must be validated for compliance with the formal rules of information security. 
  • Execution and operational planning of business activities must be constantly validated for compliance with the formal rules of information security. 
In this blogpost, it is shown how BPM can contribute to enhancing information security.


Control of access to an informational resource along the process


In simple cases, control of access to an informational resource can be rigidly tied to the phases of the life cycle of that resource, and the life cycle itself can be implemented as a business process. An explicit and executable business process is convenient because the whole dynamic of access control is embedded in the process.


This allows better control over changes of access rights.

Control of access to an informational resource within an activity


In more complex cases, information resources are linked to specific business activities. An employee appointed to carry out a particular business activity gets access to the information resources required for that activity, and only for the duration of that activity.


Collecting objective operational data on who has or had access to which information resources will increase the level of information security.


Separation of duty within a business process


In a simple form, the separation of duty is a check that the actual work to be done (“Do” in diagram below) and the validation of the result of this work (“Check” in diagram below) are always carried out by separate staff members.



Thus, business processes can detect potential separation-of-duty cases by establishing relationships between business activities.


Separation and imposition of duty among several business processes


In a general form, relationships between business activities should be established and formally registered. A non-exhaustive list of such relationships is the following: 
  • Other activities which validate the results of the given activity.
  • Other activities which define the governance for the given activity.
  • Other activities which handle exceptional situations for the given activity (error handling, escalations, send for review and delegate).
  • Other activities which audit the given activity (1st, 2nd and 3rd party audit).
  • Other activities which evaluate the risks before the given activity.
  • Other activities which evaluate the risks after the given activity.
  • Other activities which certify the given activity (1st, 2nd and 3rd party certification).
  • Other activities which do compensation (undo) for the given activity.

These relationships between activities impose constraints on which roles and actors may carry out which activities: the same actor, a different actor from a different role, or a different actor from the same role. For example, if “Activity_B” validates the results of “Activity_A”, then no actor should be in “Role_1” and “Role_2” simultaneously.


Thus, separation of duty may be formally validated at design time.
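The design-time check described in this section and the previous one, as an added example that is not code from the original post: relationships of the kinds listed above are turned into role pairs that must share no actor, and the model is checked against the current role assignments. Activity names, role names, relationship kind labels and the sample assignments are constructed for illustration; a relationship whose two activities belong to the same role cannot be settled at design time and is reported separately for a run-time "different actor" check.

```python
from dataclasses import dataclass

# Relationship kinds from the list above that require separate actors (constructed labels).
SOD_RELATIONS = {"validates", "governs", "handles_exceptions_for", "audits",
                 "assesses_risk_before", "assesses_risk_after", "certifies",
                 "compensates"}

@dataclass
class ProcessModel:
    activity_role: dict   # activity -> role that performs it
    relations: list       # (other_activity, kind, given_activity)
    role_actors: dict     # role -> set of actors currently holding that role

def sod_constraints(model):
    """Split relationships into constraints checkable at design time
    (two different roles must share no actor) and those that can only be
    enforced at run time (same role, so a different actor per instance)."""
    role_pairs, runtime_pairs = set(), set()
    for other, kind, given in model.relations:
        if kind not in SOD_RELATIONS:
            continue
        r_given, r_other = model.activity_role[given], model.activity_role[other]
        if r_given == r_other:
            runtime_pairs.add((given, other))
        else:
            role_pairs.add(frozenset((r_given, r_other)))
    return role_pairs, runtime_pairs

def find_violations(model):
    """Actors holding two roles that a relationship requires to be separated."""
    role_pairs, _ = sod_constraints(model)
    found = []
    for pair in role_pairs:
        r1, r2 = sorted(pair)
        for actor in model.role_actors.get(r1, set()) & model.role_actors.get(r2, set()):
            found.append((actor, r1, r2))
    return sorted(found)

# Constructed sample: Activity_B validates Activity_A; Activity_C audits Activity_A.
SAMPLE = ProcessModel(
    activity_role={"Activity_A": "Role_1", "Activity_B": "Role_2", "Activity_C": "Role_1"},
    relations=[("Activity_B", "validates", "Activity_A"),
               ("Activity_C", "audits", "Activity_A")],
    role_actors={"Role_1": {"alice", "bob"}, "Role_2": {"bob", "carol"}},
)

if __name__ == "__main__":
    for actor, r1, r2 in find_violations(SAMPLE):
        print(f"{actor} holds both {r1} and {r2}: separation of duty violated")
    _, runtime = sod_constraints(SAMPLE)
    print("needs run-time actor check:", sorted(runtime))
```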


Management of risk along business processes


Managing any work by processes is the key business capability which allows risk-related issues to be addressed in a proactive manner. The risk is strongly related to how the business processes are carried out. By understanding a process (i.e. through being able to simulate it), the business may predict how the risk changes during the execution of that process. The explicit description of processes permits adding a few “check-points” within any process to examine its risk-related “health”.

Business processes act as a skeleton to which the enterprise adds risk management (as shown on the picture below) – each usual activity is enriched by risk-related monitoring and evaluation.



The risk evaluation may initiate risk mitigation processes. It may be as complex as necessary, and it may include simulations (e.g. value at risk and stress testing) as well as statistical and scenario analysis.


Delenda est "vendor-centric BPM"
AS
