Security requirements: The Non-functional becomes Functional

Cyber Security Requirements

Cyber and general information security have been taking centre stage recently with the widely reported data and system breaches. The latest example is a South African Financial Services Provider, whose IT infrastructure security was breached and which had segments of its data held for ransom. The trend is rising as malicious elements seek monetary gain by exploiting an organisation’s data. With data being this generation’s gold, the miners are out in full force. This ought to lead to cyber security requirements being inspected more closely.

 

System providers are doing their bit in identifying and patching software flaws, but the humans in the information system are consistently the weakest link. Hackers and malicious social engineers are using more sophisticated and targeted ways to try to breach security systems and protocols. The question is, how do we, as shepherds of the business and system requirements, stand a chance against this?

 

Cyber security requirements in the digital age have evolved from being simple non-functional elements at the end of a traditional requirements document to being key elements of the design that proactively secure information and systems. Legislation in the form of Protection of Personal Information (POPI) and General Data Protection Regulation (GDPR) requires more stringent and proactive security requirements. As we build our information systems, cyber security needs to be at the forefront of our design, while enabling the users and recipients of this information to do their jobs effectively.

 

There is no such thing as absolute security when access to information is also a requirement. Any gain in security or accessibility always involves some sort of trade-off. These trade-offs need to be weighed by business and IT according to the following considerations:

 

  • The severity of the risk – how impactful is this event on the organisation, if it occurs?
  • The probability of the risk – the risk increases with the type and value of information as well as the number of possible failure points.
  • The magnitude of the cost – if a breach happens, what is the potential cost to recover, the impact on the business reputation and the likely downtime? We need to balance these against the cost of implementation and ease of use.
  • The effectiveness of the countermeasure – these are the system and user measures for reducing risk. How aware are staff of security measures and what tools and techniques are available to them to mitigate the risks?

 

Cyber security used to be looked at (from a requirement perspective) purely through the lens of “Is this effective?”. The question must evolve to “Is this a good trade-off?” and business needs to be at the forefront of that decision. Using techniques such as Abuse Case Development and User Stories that focus on the security aspects is crucial.

 

Get the business to try to break the various security aspects of the system as part of user testing, and ensure that your security requirements can identify, manage and report on these cyber security incidents. Cyber security must no longer be an afterthought; it must be a critical driver in the design of the information system.

 

The costs of not investing the necessary time and effort in functional security requirements can be huge, now more than ever. Get in touch with us to help you navigate this cyber security minefield.
