8.3 Practical Implementation of CST for Study Context 1

8.3.2 Activity 2: Organizational Context

With senior management support and active involvement, we began an initial knowledge extraction and organizational context discovery activity, gathering information that facilitated the identification of the business strategy within the company. This enabled us to understand how things are done in terms of the company’s business process and the objectives to be achieved, and then to identify the security goals that form an essential component of the company’s assets. During this time, the present architecture of software systems and applications was reviewed, the architectural components were identified, and the high-level dependencies between them were established. We considered factors that influence the company’s operations, such as its structure and the systems and processes by which work is carried out. Based on the acquired knowledge, we established asset profiles consisting of security goals, criticality and the business process.

8.3.2.1 Assets Profile for DMS

To create a consistent asset profile, the IT manager was involved in explaining and documenting the system and its components, which provided the basis to identify assets and their security needs. The IT manager also presented a comprehensive overview of the DMS, which will be the target of analysis, from which we observed that the system comprises many different components. Based on these discussions, we analysed the architecture of the system, intending to identify all dependencies, including how information is stored, processed and transported. By doing this, we were able to identify its assets, including data and applications. The asset profile is crucial because it can be utilized when developing and applying a protection strategy, as well as risk mitigation plans for the system. We prepared an initial asset inventory of the DMS together with details of the assets, as shown in Table 8.3.

8.3.2.2 Security Goals of DMS Assets

After completing and agreeing on the asset inventory, the team turned its attention to identifying the security goals of the DMS. The security analyst conducted a high-level brainstorming exercise together with other team members to identify the most crucial security goals for the assets identified in the previous step. Security goals outline the qualities that an asset must aim to protect. At first, some representatives of the company emphasised that they were particularly concerned about the privacy of data held by the system. However, the security analyst explained that the team had reviewed the information collected during the previous step and examined every functional requirement. Hence, after a discussion, the project team decided to focus on the security goals relating to the system’s known characteristics, which include:

Confidentiality: confidentiality goals are primarily intended to ensure that no unauthorised access to data, application and other assets is permitted, and that accidental disclosure is not possible. Information or data on all the system’s components should be restricted to only those with the permission to access.

Integrity: it must be ensured that data and applications of the DMS are safe from unauthorised modification and can be modified only by authorised users. It also provides the accuracy and completeness of records, and only authorised users should be allowed to modify contents.

Availability: data and resources must be made available for authorised use without interference or obstruction. Data, application, and other system resources must be available when requested and easily accessible to authorised users.

Accountability: the ability to trace activities or operations that occur to data, applications or system components to a particular source. All users must be accountable for the operations they have performed.

Conformance: the system must operate as intended without any variation to expected behaviour, functions and regulatory requirements. The system must also be secured from vulnerabilities that can be exploited to cause unwanted behaviour.

8.3.2.3 Assets Criticality

Having identified the assets of the system and their associated security goals, the project team embarked on the next step of assigning a criticality level to all the assets identified in the previous step. The criticality level is determined and assessed in greater detail as part of the asset profiling activity. Critical assets are those that are essential for supporting the DMS and the operations of the company. The security analyst determined the criticality of assets by applying a novel asset criticality system using fuzzy logic as proposed in the CSTF process.

8.3.2.4 Business Process

The business process identification and mapping workshop was organised to facilitate the discovery of business processes. The workshop brought together senior management from all units within the company to acquire valuable information from them in one instance. We set the context of the workshop and communicated its objective in order to capture the right information on how tasks are performed and executed within the company. The senior management provided a view of the process in their respective domains, and leading questions were asked to understand the business process handovers between different units. Notes were taken of the information from the different unit managers, which provided a good view of the business process. These sessions served as a learning experience that revealed not only details about the business process, but also a business hierarchy, business rules, process operations and the assets required to support the business process.

Table 8.3 Asset Inventory

| Asset ID | Asset Name | Asset Description | Business Process | Security Goals | Asset Criticality (Low Criticality / Moderately Critical / Highly Critical) | Required Protection (Basic / Average / Significant) |
|---|---|---|---|---|---|---|
| 01 | Document management server | Provides customers with the capability to create, store and manage documents and content electronically. The service incorporates digitization of existing documents and the means to manage information and data through workflow and process automation. | Assets and content management | Availability, Integrity, Authentication, Conformance | * | * |
| 02 | Databases | Stores information about the company’s customers, personnel, marketing, landlords, tenants, transactions, assets, finances, and other information about the company’s business process. | Assets and content management | Integrity, Confidentiality, Availability, Accountability, Conformance | * | * |
| 03 | Company and customer data | Represent sensitive and private information about employees, tenants, landlords, finances, assets, etc. | Operations and services | Integrity, Confidentiality, Availability, Conformance, Accountability | * | * |
| 04 | Web & Application Servers | Provides, processes and delivers web contents such as images and assets information to employees and customers. The application server provides the platform for hosting frontend applications used by the company. | Web contents managements | Availability, Integrity | * | * |
| 05 | Frontend Application | Provides the user interface that allows employees and customers to visualise, access, and patronise the company’s services. | Service delivery | Availability, Accountability | | |
