8. Provisioning for measurable and predictable operational security and information
8.1 Using PCUBE-SEC tools in example situations
8.1.2 Data privacy, privacy by design
An important governance aspect, either in the government agencies, or in the private sector, is the necessity of collecting the citizens' or customers' data, or even their profile, for different reasons, challenging, this way, their privacy.
Looking at the European view of this issue from the USA, even our not very fresh 95/46/EC European Data Protection Directive seems to be a desirable regulation [Spiekermann]. However, even over there impressive solution to privacy problem can be noticed, requiring, at the same time, involvement of systems analysis in aligning data privacy and the necessary security. This has been invented by Ann Cavoukian, information and privacy commissioner of Ontario [Cavoukian].
She is concerned about the data privacy of customers in commerce, and that of the citizens, in general. Both of these data collectors, either trading companies or government administration, are to be restrained. According to Dr. Cavoukian, the required privacy settings should be integrated into the information systems already in the systems design phase. She named this process, as "Privacy by Design" - abbreviated as PbD.
This requirement is completely in tune with my basic requirement concerning application systems development: preliminary planning of the systems, and documenting the state of both the users' and the compliance requirements at every milestone of the whole life-cycle of the application [Szenes, 2006, SOA], [Szenes, 2011, Appls.].
All these prove again, that systems analysis is necessary for satisfying high-, strategic level aspects. Following the advice given in this discussion contributes to the security of the application. Privacy is one of the most important business aspects of data security, thus it is a strategic goal.
8.1.3 "Tighter specs." The importance of the systems analysis in the web revolution The vital role of systems analysis comes to surface even in the HTML 5 web revolution, which promises to simplify the programmers' work, and to provide for a better cooperation between the physical and programmed products of different suppliers, than before, besides offering, of course, very interesting new features to the users of these products.
According to Gary Anthes, HTML 5 is an "umbrella term", embracing the markup language, and the technologies connected to it [Anthes]. In order to exploit the advantages of this evolution, the developers had to realize, that specifications of better quality are necessary to provide for compatibility between browsers. The need of more detailed - so-called "tighter" - specifications has even been emphasized by such very practical people, as Ian Hickson, software engineer at Google, founder of the Web Hypertext Application Technology Working Group, a complementary standards body of W3C [W3C].
At the first sight, to create such tighter specifications might not exactly seem to suit to those systems analysts, who have dealt with business requirements, instead of technics. However, their skill in exploring users' needs will come handy in creating such a standard, that can be supported by all the browsers, as this requires a capability to coordinate different facilities.
Collecting the preferences of those vendors and standard groups, who demand more exact specifications will not be a novelty to the experienced colleagues.
The fulfillment of such lower-level, information security requirements, as, e.g. the detailed specification of the input / output of the devices, is necessary to the cooperation between vendors, which is a high-level, strategic goal, To require this specification belongs to two excellence criteria, to efficiency, especially to the pertinency to the given subject, and also to functionality.
These examples show, that experienced systems analysts are needed to set order in the business-, and operational life of the companies.
8.2 Example for PCUBE-SEC knowledge base statements: the IT excellence criteria in clouds
Should anybody attack our cloud successfully, besides possible data leaking, even the service itself can be either refabricated, or made simply unreachable. Reviving some of earlier suggested defense methods, and extending their requirements with criterium order, the following, far from comprehensive, but useful advice could be added to the knowledge base [Szenes, 2011, Hack.].
network_confidentiality-application_confidentiality - storage_confidentiality.
[see above the on-demand cloud security]
network_confidentiality: network_security - network_maintenance.
prot_man_in_the_middle - prot_DDOS - prot_traffic.
[even if using the expressive names makes the knowledge base more readable, it is important to remind, that
PCUBE-SEC "knows" the knowledge base statements and their parts only to the extent of the explanation to be found in the database]
[here the techical details are omitted]
application_confidentiality: application_sec_use - [etc.]
application_sec_use: authorized_use - client_sec.
authorized_use: order_in_ hierarchy - user_education
- intro_of_autho_techniques - [etc.]
[We got to "order" quite soon. Here order_in_hierarchy could be further decomposed by requirements on the organizational pillar. The requirement, that a company should be organized, is of governance level. Security here yielded a strategic-level requirement.]
org_autho_tech - regul_autho_tech - tech_autho_tech.
[To introduce authorization techniques we need all the three pillars.]
[This is again an illustration for the classificational benefits of my pillars. For example, should we aim at introducing role-based access control, sorting the subjects and executors of the tasks to be done according to the pillars, help in identifying - and also in allocating! - the tasks to be executed.]
org_autho_tech: determine_sec_level_of_appl - [etc.]
The example has shown, how even the building of our PCUBE-SEC knowledge base help us in collecting and ordering our thoughts on a given subject.