Business Model Process with 60+ New Business Hacks 2019
No organization wants to take unnecessary risk. No business leader wants to do anything intentionally that would harm the organization or themselves. Every business leader is accountable for something specific that eventually contributes to desired business outcomes.
Business leaders set the framework and direction for the team to do the right things and believe they are doing the right things. If this is the case, we ask, why are business leaders concerned about security?
Why don’t business managers like the security solutions proposed by Information Technology (IT) teams? Why do organizations continue to be surprised by security incidents?
The answer seems to be obvious – misplaced accountability for securing business operations. Business thinks IT is accountable for security, but IT alone cannot set clear expectations, develop the clear capability, set the key performance indicators for the business outcome, and take appropriate risks.
In this post, we provide the details of Business Model Process and Types What It is 2018 to elaborate what it is and how it can be used by the business leaders for planning, prioritizing, communicating, and monitoring the state of capabilities required for secured business operations.
The secured business model provides a bridge between the business objectives and underlying business practices and technology solutions for secure business operations. This blog explains 60+ New Business Hacks for Business Model Process in 2019.
The model helps business leaders articulate their goals and objectives into a set of clear and directional statements about what must be prevented or protected, ensure alignment, establish the appropriate freedom within the framework, set expectations, and monitor progress and outcomes.
This model helps operational and line managers in scoping, driving cross-functional alignment, managing a portfolio, and measuring and communicating the value of their initiatives. The next post provides detailed insight into the secured operating model in support of the secured business model.
Secured Business Model
The heart of every effective business management is a business model, defining the purpose, value proposition, and core differentiating capabilities. For secured business operations, the Secured Business Model provides an information security capability map from a business perspective.
It is used to determine the organization’s current risk posture, and the required capabilities for the required secured business posture.
In addition, the model provides guidance for closing the gaps and acts as a vehicle for monitoring the execution. The capabilities are organized in five performance domains.
Each performance domain includes a set of capability building blocks. Each capability building block is characterized across five maturity or performance levels. Figure outlines the five Ps with their top-level capability building blocks.
One cannot clap with one hand. Business leaders must focus on all these five performance domains collectively to ensure that they have the right capabilities and are providing a clear direction to everyone in the organization for conducting business operations with the required security risk resilience.
Prevent performance domain represents what an organization is preventing or should be preventing from happening. Any occurrence of unauthorized access, leakage, failure, denial of service, or errors and fraud will have a detrimental impact on the organization’s ability to conduct and maintain business operations.
The table lists the key capabilities in the prevent domain. Based on the current and desired business engagement with customers, partners, and employees, business management can identify what must be prevented.
Prevent Capability Building Blocks
Unauthorized Access: Today, most organizational assets are digitized. Limiting the right access to the right people at the right time is the most crucial to prevent cyber-attacks. Prevent unauthorized access and identify undesired access granted.
The extent of prevention depends upon the extent of business engagement and process/system exposure. Business must take ownership in establishing the appropriate access controls.
Leakage: Prevent unintended and unplanned leakage of information and intellectual property (IP) of the organization. Business must define the type of information and IP that must be prevented from any leakage, for example, information related to employees, customers, partners, products, services, and associated transactions.
Failures: Unplanned disruption in the functioning of core organization and information assets could pose risk to business continuity and security of business operations. Prevent unplanned and unnecessary failures in ongoing operations for mitigating associated business continuity risks.
Business must make sure all aspects of secured business operations are considered holistically for preventing unplanned failures. Business has the knowledge of processes and the context. Business must define what errors and fraud must be prevented.
The PROTECT performance domain represents what is or must be guarded against any lasting damage to integrity and trust within and outside the organization.
Protect Capability Building Blocks
Credentials and Sensitive: Protect and preserve credentials and any information deemed sensitive by the organization from any harm.
Protect the privacy of information and transaction while communicating or sharing information between people, processes, and devices regardless of their location or means of communication.
Business only can define the privacy level required and must create the capability to define these levels and associate an appropriate level for every information asset.
Rules and Controls: A control is an actionable pre-decided policy statement for offering secured business operations for a business situation or for an external regulatory requirement. This control requires one or more rules to put it into action. A rule is a binding statement that is set for managing some business situation.
A rule can be leveraged by one or more controls. Establish guiding principles, governing rules, and controls for ensuring appropriate design and implementation of security-related procedures. It is important that business takes accountability to define these rules and controls for securing business operations.
Decision Making: A decision for planning and managing security risk may require support of business leaders across business functions. Business must define decision rights, processes, and measures for ensuring appropriate behavior across the organization in a structured manner.
Life Cycle: Every asset has a useful life beyond which its value deteriorates.
To sustain secured business operations through business innovations or changes in the business environment, business management must review, replace, and retire past decisions, controls, rules, processes, and structures to keep them aligned with the changing business dynamics.
Business must take responsibility to define lifecycle management of rules and controls for managing, at all times, desired security risk levels.
Change Management: Business leaders are periodically making strategic and tactical decisions, requiring either a change in the existing capabilities or development of new capabilities.
Introduction of a new or enhanced capability can impact the security aspect of the business operations, or it may be required to ensure new business operations are optimal and secured.
To ensure value is created, security risks are mitigated, and operations remain secured, the business management must take the ownership and accountability seriously to see that the change happens as expected in the organization.
People Capability Building Blocks
Culture: Beliefs, behavior, attitude, and adoption of a security mindset and risk posture of people in the organization. Culture defines what people in the organization will do when they encounter a situation.
Unless machines are making all the decisions, it is important that leadership is promoting and driving the appropriate culture for secured business operations under all circumstances.
Most of the security incidents in an organization happen due to lack of awareness and readiness. In many cases, people represent the first or the last mile in business interactions.
People can only make decisions and take actions based on what they know. Individual responsibility starts with business leaders making sure that people are aware of the security implications and are prepared to take appropriate actions.
Transitions: It is given that people will change their roles and new people will take over the tasks. The transition should not only address the access controls but also the individual knowledge related to security in the context of the tasks being transitioned.
Business must define the type and extent of access controls and security knowledge needed for a job, and ensure that access and knowledge transfer is managed across transitions.
Management and Operations: Having capability for setting the direction, driving change and accountability, ensuring integration across strategic and execution processes, managing development, and adoption of security practices across the organization.
Just like business management is anticipating, planning and driving innovative business capabilities, business should be evaluating and planning security capabilities, policies, and practices for sustaining secured business operations through the change in business.
The PROFILE performance domain defines what the organization must know to plan and maintain secure business operations. It includes knowledge of vulnerabilities, exceptions, risks, and dependencies in organizations across people, process, information, and technologies.
Without this knowledge, organizations may not be as proactive in anticipating and addressing potential incidents. In many ways, this domain supports all other performance domains.
Realizing Secured Business Operations
In this post, we focus on how organizations can achieve and sustain secured business operations. The secured operating model provides an actionable body of knowledge in understanding, identifying, and implementing necessary operational capabilities for realizing the desired outcomes defined in the secured business model.
Why the secured operating model when we have many operational frameworks such as NIST 800-171, NIST 800-53, ISO 27001/27002, and many others? There is no doubt these frameworks provide a depth of knowledge that no single person or organization can develop and organize.
These frameworks focus on security policies, procedures, and controls, providing a highly prescriptive content for auditors, implementers, and practitioners. It is left up to the organization to figure out the extent of relevancy and develop a roadmap for implementing policies, procedures, and controls.
Organizations tend to underplay or overengineer the implementation due to the lack of structured understanding, alignment, prioritization, and business case for policies, procedures, and controls in the context of organizational and business capabilities.
Just like when digging a hole, it is difficult to be wide and deep at the same time, most of these technical frameworks provide excellent depth in cybersecurity and risk management but tend to ignore other capabilities needed to drive overall organizational maturity and effectiveness even in their area of focus.
The secured operating model provides the bridge between what the organization wants to secure in the form of a secured business model and the specific best practices and implementation described in these frameworks. Figure articulates the dependencies and relationship between various layers of the body of knowledge in achieving and sustaining secured business operations.
The secured operating model includes a set of core capabilities along with their maturity levels. The model also includes underlying practices derived from various best practices and security frameworks.
The model allows organizations to focus on their capabilities. It is the capabilities that enable organizations to sense, respond, and operate in a predictable manner even in previously unknown situations.
Every time there is a security breach, it doesn’t do any good if the organization scrambles and comes up with an excuse of not seeing it before. With the secured operating model, the organizations can build and maintain the required capabilities to achieve and sustain secured business operations.
Components of Secured Operating Model
The secured operating model consists of twenty-one operational capabilities organized into the following six capability domains.
Master of Data Management
Provide relevant awareness and training to all the workforce about the capabilities/services, keeping them informed and prepared in identifying and addressing new vulnerabilities that require human behavior in addition to systematic controls.
Establish a collaborative business and IT governance structure, associated processes, and committee to govern the development, maintenance, and transitioning incremental/new capabilities to conduct business operations in a secured manner.
Define, measure, and monitor key performance indicators and metrics for security effectiveness and desired outcomes. The next section includes key practices for improving change management, governance, and KPI measurement in the organization.
Managing day-to-day operations is one of the core business activities in any organization. In the context of secured business operations, ongoing operational practices need to include activities related to maintaining secured operations.
Therefore, the Operations Management capability domain includes and primarily focuses on the following:
Access Control Management
Audit and Monitoring
These operational capabilities are not new to the organization, which is good news. We just need to make sure these capabilities are enhanced so that business process design and execution are security aware and incorporates additional practices and measures for ensuring end-to-end secured business processes.
Entire business data is managed between master data and enterprise data. Master data management conceptually establishes data integrity and security that is extended and further maintained through enterprise data management.
Data architecture is the framework that is required for managing the master data and circulating securely the enterprise data for secured business operations. The framework for master data management consists of data design incorporating data definitions, data capabilities for maintaining data integrity, data security, and data services for enabling business operations data flows.
Master Data Management Capability Building Blocks
Identity Management: Identities include a digital representation of the entire workforce and other managed resources associated with the business.
The workforce includes employees, contractors, and partner and customer resources who are involved in the business. The digital representation includes the storing and management of the associated identities and attributes. This capability ensures that digital representation of the identities is securely protected and poses no risks in leaking the associated details.
Asset Management: Manage physical and nonphysical assets owned by the organization.
Role Management: For secured business operations, appropriate access is required for every consumer, and that is managed automatically by assigning appropriate roles to the consumer.
The consumer may be a workforce resource, a process, a system or a device. The role management capability is required to assign an appropriate role to a consumer at the start of the relationship and then update the role to account for transitions and changes in relationships.
Management: To develop, deploy, and maintain lifecycle of policies, with the help of a governance committee, to conduct business operations in a secured manner.
Management: Secure end-to-end business operations by ensuring all the cross-functional and organization dependencies are understood, well documented, and they all follow the same governance policies/rules to achieve the goal of secured business operations.
Glossary and Life Cycle: Define all relevant terms so that their purpose and meaning are consistently understood and used across the business organizations and the ecosystem.
The above capabilities are further explored with enabling practices in the next section.
Securing business operations depends upon the infrastructure used for performing business activities. The security of infrastructure is the key focus area for every organization. As infrastructure is typically maintained by IT, this area does not generally get business management attention unless there is an incident impacting the business.
To secure the infrastructure, many practices are considered and deployed, such as single or multi-factor authentication, single sign-on, firewalls, secured local area, wide area, and wireless networks, and applications security.
The Open Systems Interconnection (OSI) model (Figure) is an effective way to understand, at the conceptual level, the Infrastructure elements and their security needs.
To better manage infrastructure security, we have organized infrastructure capabilities in three building blocks.
Network Management: Managing all the LAN, WAN, and WLAN infrastructure in a secured manner to prevent penetration into the Information boundary walls of an organization.
Business Management: Change Management
Businesses are periodically making strategic and tactical decisions for innovating, improving profitability, improving top-line growth, improving bottom-line growth, improving brand value, expanding into new markets, meeting compliance requirements, and on and on. Any such decision requires either changing the existing capabilities or developing new capabilities.
A new project is spawned to develop a new or enhanced capability. In today’s cybercrime environment, every project must have a security track so that the capabilities and developed solutions are secured. Most organizations follow internationally recognized standard practices for project management.
Yes, over 18% of the projects fail. What does it mean? A failed project didn’t deliver on expectations, either a capability was not developed or delivered, or it was not successfully transitioned into operations.
In many cases, the security implications and requirements were not considered early enough in the development and transition processes. Change management is an operational practice to ensure all factors, including security, are considered and managed for successful delivery.
Without change management, it is not possible to determine requirements from an operational perspective for a new capability or enhancement to an existing capability.
Without change management, it is not possible to gauge the impact on existing operations or to understand the readiness and training requirements for business users. In addition, without change management, it is not possible to determine new vulnerabilities affecting the desired security posture.
Change management is a critical operational practice for business management. Writing about change management is not the focus of this post. Our Iceberg Is Melting: Changing and Succeeding Under Any Conditions, by John Kotter and Holger Rathgeber, is one of the recommended books for learning about change management.
In the secured business model, we talked about change management policies under the policy domain of the model. Change management as an operational capability and practice is required for supporting change management policies and secured business operations.
Business Management: Governance
The technology selection is typically based on industry ratings and reviews, and not based on the best fit for meeting the business requirements. This is generally the case with security solutions as security needs are not defined by business, and they are a risk-averse posture for the Chief Information Security Officer or IT management.
The result is a continuous increase in spending on IT security while the business continues to incur financial damages from security incidents. Global spending is expected to be $101B in 2018 and $170B by 2020. As per the World Economic Forum, businesses have security-related damages in the range of $400B–$500B with much more damage not being reported.
The accountability needs to be shared among business and IT management and the Chief Information Security Officer, mainly for defining the security requirements and supporting policies, rules, and controls.
An appropriate governance practice involving cross-functional business and IT executives, managers, and subject-matter experts is required for ensuring timely decision making and sponsoring initiatives for achieving and sustaining secured business operations.
The figure provides an example of a governance committee structure for establishing an operational practice of governing security matters. The above governance committee structure has three layers.
The steering committee provides the leadership for security and other business portfolios. They manage any escalations from the operating committee. This committee sponsors security initiatives. This committee is generally presided over by the Chief Operating Officer or an equivalent role.
This operating committee is exclusively for security. This is formed with the help of middle-management leaders from all functional organizations. This team needs to be empowered to make security-related decisions based on the guidelines provided by the steering committee. This team should have the authority to fund various related initiatives in the form of projects.
If, due to a complex situation and/or the costs involved, this team is not able to make a decision, the issue needs to be escalated to the steering committee for decision making and for getting funding approvals.
This committee is presided over by a chairperson who is selected with the motion issued by this team and the votes taken by this committee. As this is an ongoing committee, a chairperson should be on rotation and preside over this committee for a predefined duration of a year or so.
Analysts and Managers
This team of analysts and managers are subject-matter experts from different functional organizations. It consists of some static members and some who join this team on a demand basis.
Based on the issue at hand, managers assign analysts and designate a project manager who manages the analysis and decides the on-demand resource(s) required for the project.
The managers from this team help arrange on-demand resource(s). Based on the due-diligence analysis, the project manager collects the facts to present the team findings and recommendations for enhancements and implementations of the existing rules and controls or for additional rules and controls.
Business Management: KPI Measurements
Managing access control is a key achievement in securing business operations. The life-cycle approach is required. The first-time access, ongoing access, and retiring the access, all three phases of life-cycle management, are equally important for maintaining the end-to-end security of business operations.
Each business operation end to end performs a number of steps, where each step may require different managed assets or more than one managed asset is used for executing end-to-end business operations.
Appropriate access needs to be granted to these managed assets for different users. Similarly, each managed asset may be accessing other managed assets for giving business-required capabilities.
Each managed asset may be accessed by multiple users and/or each managed asset may be accessed by more than one other managed asset to provide business-required capability. For illustrative purposes, consider a voice service.
It is a managed asset. It will require audio, an instrument to access audio, means to communicate using voice, audio provisioning from the service provider, billing to a business user department, and few more related managed assets to provide voice capability for a business operation. From a security perspective, it is important that voice is not hacked as it is used for business conversations.
All the managed assets described above need restricted access control and protection of voice communications. In brief, a simple capability, such as voice, requires a many-to-many relationship among managed assets.
This is a simple illustration to convey the point that access control management involves the following:
Workforce users (could be internal only or both, internal and external) managed assets, represented as digital ids
Business Application-based managed assets, represented as digital ids
Infrastructure-based managed assets, represented as digital ids
The relationship among users and non-user-based managed assets
Many-to-many-based access control among the managed assets
Business Processes steps for the business operation
IT Processes for the business operation
The complexity is added as businesses have many, several thousand to millions of workforce users internally and externally, and several thousand business applications and infrastructure-based managed assets.
In addition, in pursuing business transformation for growth and increased profitability, businesses are currently embracing services transformation and cloud-based business and infrastructure services.
The hope is that the above complexities provide the perspective to understand why access control management is critical for securing business operations.
Keep in mind the entire lifecycle of access management, involving first-time access, access during hire-to-retire of a workforce user and non-human managed assets, termination of access control, and the need to be strictly controlled to minimize vulnerabilities associated with securing business operations.
To securely manage access control, different operational practices are required from Figure under Business Management, Operations Management, Risk Management, Compliance Controls, Master Data Management, and Infrastructure Management.
The intent here is not to leave access control management as a complex thing to manage; rather, the intent is to justify the criticality of it for securing business operations and provide approaches discussed in other operational practices to manage the lifecycle of access control, systematically.
Operations Management: Audit and Monitoring
Audit and monitoring is not only a compliance requirement but also, it is a critical operational practice for maintaining controls established. As stated in post 1, for cybersecurity a significant proportion of the spending in billion dollars is allocated for fraud and data breach detection with emphasis on Security Analytics, Threat Intelligence, Mobile Security, and Cloud Security.
The main purpose of security analytics and threat intelligence is to develop audit and monitoring capabilities for finding potential fraud and data breaches before significant damage is done and to be able to take proactive actions based on the set thresholds.
It is like identifying unknown risks for risk management. The focus on mobile and cloud security is mainly due to the fact that growth for businesses is becoming more and more dependent on business solutions being developed, using cloud-based business services on mobile platforms. These solutions add more vulnerabilities to security if the access controls are not properly managed.
We talked about KPI Measurements as a business management operating practice. One of the key elements in KPI Measurements operating practice is the capability to measure for key performance indicators.
Audit and Monitoring provide the means to collect relevant data. A good and commonly used KPI is for managing and controlling unwanted access controls by each workforce user.
This is a compliance requirement as well. Companies have deployed solutions based on audit and monitoring that identify a user who has not accessed a particular tool or service for, say, 90 days, and revoke that access after the account has remained dormant for 90 days.
This meets compliance requirements, though it adds vulnerability for leaving the access to an account for so long. This is one of the use cases where security analytics and threat intelligence can help determine on a near real-time basis the unwanted access by setting up the right controls and minimizing the associated vulnerabilities by creating near real-time to real-time audit and monitoring capabilities.
By having an operational practice, it can be a part of your operations DNA to become vigilant by enabling smart audit and monitoring capabilities.
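The dormant-access audit described above can be sketched as follows. This is an added example, not code from the original post; the users, asset names, dates and the 30-day comparison window are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the original post).
# Entitlements: (user, managed asset, date access was granted)
ENTITLEMENTS = [
    ("alice", "erp-purchasing", date(2019, 1, 10)),
    ("bob", "accounts-payable", date(2018, 11, 1)),
    ("carol", "voice-admin", date(2019, 2, 1)),
    ("dave", "hr-records", date(2019, 4, 1)),
]
# Audit trail: (date of access, user, managed asset)
ACCESS_LOG = [
    (date(2019, 3, 1), "carol", "voice-admin"),
    (date(2019, 5, 15), "bob", "accounts-payable"),
    (date(2019, 6, 2), "alice", "erp-purchasing"),
    (date(2019, 6, 28), "alice", "erp-purchasing"),
]


def last_access(access_log):
    """Return {(user, asset): most recent access date} from the audit trail."""
    latest = {}
    for when, user, asset in access_log:
        key = (user, asset)
        if key not in latest or when > latest[key]:
            latest[key] = when
    return latest


def dormant_entitlements(entitlements, access_log, as_of, threshold_days):
    """List entitlements unused for at least threshold_days as of a given date.

    An entitlement that was never used is measured from its grant date, so
    access that was provisioned and forgotten is reported too.
    """
    latest = last_access(access_log)
    findings = []
    for user, asset, granted_on in entitlements:
        never_used = (user, asset) not in latest
        reference = granted_on if never_used else latest[(user, asset)]
        idle_days = (as_of - reference).days
        if idle_days >= threshold_days:
            findings.append({
                "user": user,
                "asset": asset,
                "idle_days": idle_days,
                "never_used": never_used,
            })
    # Longest-idle first, so reviewers see the widest exposure at the top.
    return sorted(findings, key=lambda f: f["idle_days"], reverse=True)


def missed_by_longer_window(entitlements, access_log, as_of, short_days, long_days):
    """Entitlements a short review window flags that a long window still leaves live."""
    short = {(f["user"], f["asset"])
             for f in dormant_entitlements(entitlements, access_log, as_of, short_days)}
    long_ = {(f["user"], f["asset"])
             for f in dormant_entitlements(entitlements, access_log, as_of, long_days)}
    return sorted(short - long_)


if __name__ == "__main__":
    as_of = date(2019, 6, 30)
    for days in (90, 30):
        print(f"-- dormant for {days}+ days as of {as_of} --")
        for f in dormant_entitlements(ENTITLEMENTS, ACCESS_LOG, as_of, days):
            note = "never used" if f["never_used"] else "idle"
            print(f'{f["user"]:6} {f["asset"]:18} {f["idle_days"]:4} days ({note})')
    print("left live by the 90-day rule:",
          missed_by_longer_window(ENTITLEMENTS, ACCESS_LOG, as_of, 30, 90))
```

Running the same audit with a shorter window shows which unused entitlements the 90-day rule leaves in place.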
Risk Management: Vulnerability Management
Vulnerability exposes the operational weakness that poses a security risk. It means there is a direct value of strengthening operations by managing vulnerabilities.
Healthy operations are like a healthy body. Like a healthy body that allows one to be more productive and creative, healthy operations allow organizations to be more profitable and innovative.
Establishing operational practice for managing vulnerabilities means having the capability of registering vulnerabilities, understanding associated threats, understanding the associated potential risks, and the capability to reduce or eliminate existing types of vulnerabilities. Having operational practice for vulnerability management means having ongoing associated capabilities to gain sustainable value.
Compliance Controls: Segregation of Duties
It is called the separation of duties as well. The straightforward way to understand this is by using an illustrative example – a buyer cannot make payment for the items purchased.
In the past, this was controlled merely by giving accounts payable authority to a different person. In today’s digital world, that is certainly a fundamental necessary requirement; however, it is not sufficient.
It needs to be ensured that the buyer does not have access to the accounts payable automated utility, which is itself a managed asset. If this access control is not managed securely, not only does this vulnerability pose a risk to business operations, but it is also noncompliant with the segregation of duties compliance requirement.
This compliance control is managed by business architecture by setting the right organizational structures and creating appropriate roles. However, the automated tools in use require appropriate segregation of duty utilities and access control management to successfully meet the compliance control requirements.
Based on our experience, businesses spend the bare minimum to meet compliance needs, but the vulnerabilities created due to not being able to achieve desired access controls pose threats to manage secured business operations. Again, who can manage these access controls?
What is required for ensuring appropriately automated utilities are produced so that these access controls can be managed? Business needs to lead this in collaboration with IT.
We discussed managed asset under the access control management and risk management sections of the secured operating model. These managed assets could be a workforce user (employee, consultant, contractor, supplier, customer, partner), IT infrastructure, process, business products, and service offerings.
In short, a managed asset could be a human or non-human. The total number of these assets could be in several thousand, to millions, depending upon your organization size.
As these are managed assets, these need to be tracked for securely conducting the business operations. Each asset is granted an identity in digital terms. Each asset has a life cycle as long as it is associated with the organization and contributes to generating value. Each identity is used in one form or another in the other business transaction.
It acts as master data for executing a business transaction. At the same time, this is loosely managed by most companies without realizing the implications in securing business operations.
To manage identities, master data management treatment is required so that there is a proper data definition for each managed asset type, data integrity and security is maintained for each asset, and appropriate data services are provided for accessing identity data for business transactions.
By now, it must have become clear that managed assets are critical to run the business. As discussed earlier, the identity management capability manages the identity details of these assets for security purposes. As these are business assets, formal asset management is required.
Business has distinct functions to manage different classes of assets, for example, HR for employees, contractors, and consultants, Customer Service for customers who have relationships with the organization, Manufacturing for product development, Purchasing for vendors, etc.
Each of these functions must follow an asset management methodology to manage the life cycle of these assets; the relationship among the assets; the value they generate; the timeline of the disposition of these assets; and, of course, the risk to quality and integrity.
To maximize return on assets, each managed asset has one or more roles to play in the organization. Based on the given role, an asset is granted access to other managed assets.
To keep it simple, let us keep our focus on workforce users: the roles assigned to manage value, competency, and capacity. To maintain a level of separation, ease management, and avoid unnecessary complexity, access to various assets is granted to roles rather than directly to users.
Roles are master data; one or more roles are assigned to each workforce user to manage access control of managed assets.
For access control management, roles are assigned to a workforce user identity based on policies defined by governance. Managing roles requires the same master data management principles: data definition, data integrity, data security, data services, and data architecture.
Access control management depends upon policies. These policies are defined and maintained by the governance committee. The policies are defined in collaboration with cross-functional business and IT management who are part of this governance committee.
These policies are documented in plain English for general understanding, yet they are actionable through access control management systems and procedures. Roles can refer to the policy data to enforce access controls for securing business operations.
As the policy data is referenced, it needs the same treatment as master data with principles of data definition, data integrity, data security, data services, and data architecture. effective, and secure manner. It is critical to highlight security needs for inter/intra dependencies that can be linked to associated risks and/or vulnerabilities.
To interoperate and communicate, every organization needs a language, acronyms, and definitions of terms. Most organizations do have them but they are not used consistently across the organization.
They may have different meanings to different people. It is an issue when an organization wants to have end-to-end secured operations across various functions, systems, processes, and people.
Most organizations do not maintain the glossary of security terms. The key words in the previous statement are “organization” and “maintain.” The IT department may have a version of terms, but generally, they are not published or publicized organization-wide.
Other departments or groups do not attempt to contribute, as they consider security an IT responsibility. Where the IT department creates a glossary of security terms, there may not be an ongoing effort to maintain it.
Why is it important to maintain the glossary? The simple answer is to increase awareness of security, particularly cybersecurity, among the organization’s workforce.
Without this awareness, it is difficult to keep people informed on security trends and to sustain secured business operations. To start with, use the lists of security terms maintained by the National Initiative for Cybersecurity Careers and Studies or by the National Institute of Standards and Technology.
Although the functional groups, such as marketing, engineering, and distribution, may have their own glossary of terms, the security terms are applicable to everyone inside the organization and any external entity with whom there are interdependencies. The glossary must be treated and managed as master data.
All data has a shelf life, and therefore all data requires life-cycle management. Security data domains, such as identity, asset, role, policy, dependency, and glossary, are no different. As the operating environment or other things change in the organization, the security data must be adjusted to reflect the change.
Timely and proper adjustments in the definition and attributes ensure ongoing data integrity, data security, data services, and data architecture for secured business operations.
For example, a change in the job of a user due to promotions, department change, or for any other reasons may trigger an adjustment in user identity, role, assets, and access controls.
If the user profile is not adjusted properly and in a timely manner, it could create an unwanted exposure, resulting in potential security threats.
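The job-change case above, combined with the earlier buyer and accounts payable example, can be checked mechanically. The following Python sketch is an added illustration, not part of the original post; every role name, permission string, and user ID in it is a constructed assumption.

```python
"""Segregation-of-duties (SoD) check on role assignments during a job change.

All roles, permissions and identities below are constructed for illustration.
"""

# Role master data: access is granted to roles, never directly to users.
ROLE_PERMISSIONS = {
    "buyer": {"po.create", "vendor.select"},
    "accounts_payable": {"invoice.approve", "payment.release"},
    "ap_reporting": {"invoice.read"},
}

# Policy data from governance: permission pairs one identity must not hold together.
SOD_POLICY = [
    ("po.create", "payment.release"),
    ("vendor.select", "invoice.approve"),
]


def effective_permissions(roles):
    """Union of permissions across every role an identity holds."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def sod_violations(roles):
    """Return the policy pairs that the combined roles violate."""
    perms = effective_permissions(roles)
    return [pair for pair in SOD_POLICY if pair[0] in perms and pair[1] in perms]


def apply_job_change(identity, new_roles, retire_old=True):
    """Mover event: return the updated identity, or raise if it breaks SoD.

    retire_old=False models the failure mode where old roles are left in place.
    """
    roles = set(new_roles) if retire_old else set(identity["roles"]) | set(new_roles)
    conflicts = sod_violations(roles)
    if conflicts:
        raise PermissionError(f"{identity['id']}: SoD conflict {conflicts}")
    return {**identity, "roles": sorted(roles)}


if __name__ == "__main__":
    alice = {"id": "u1001", "roles": ["buyer"]}  # constructed sample identity
    print(apply_job_change(alice, ["accounts_payable"]))
    try:
        apply_job_change(alice, ["accounts_payable"], retire_old=False)
    except PermissionError as exc:
        print("blocked:", exc)
```

The same `sod_violations` function can be run periodically over all existing identities to find role combinations that accumulated before the check was in place.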
When an asset is replaced for any reason, such as end-of-life or new capability requirements, its associations with all identities need to remain intact with the replacement asset, so that business operations see minimal to no impact and relevant users can execute their processes securely and with the same or better efficiency.
When a role is updated with new or different responsibilities, it may need a change in the things the role can access and perform.
In such a life-changing event for the role, the identities associated with the original role may need to continue performing their operations without gaining any extra access, thus keeping current operations secured.
The existing policies may not be sufficient in addressing change in the business conditions, business model or services, requiring a revision and updates to all other assets impacted by the policy. Managing dependencies, particularly interdependencies, can be complicated.
For example, let’s say your business partner gets access to submit their orders with no export holds, as long as they maintain the embargo with the same countries as your organization.
If the partner decides to lift the embargo from one of the countries without getting approval from your organization, submits the order that passes export hold conditions, and the products get shipped to that country, this may pose security threats along with compliance violations for your organization.
Ideally, the ability to submit the order to such a country must be adjusted with the life-changing event. Similarly, if the meaning of a glossary term is expanded or reduced, or a new glossary term is added, it is imperative to publicize the change promptly so that people are aware and ready to deal with new cyber threats.
To protect business operations, it is very important to keep the workforce informed. It is quite clear that life-cycle management is mandatory for sustaining secured business operations. Master data management is critical for defining and managing the life cycle of each of the security data domains.
Data Center Management
Applications have been the foundation for enabling business process automation. Organizations prefer buying off-the-shelf applications to building them. Whether bought or built, the applications tend to serve individual business functions and are hosted on a dedicated infrastructure for the functional organization.
Therefore, in this configuration, the security requirements are mostly contained and managed within the application. With the digital transformation, organizations are adopting cloud-based services rather than deploying and maintaining applications in-house.
These services tend to interact with other services in the cloud. While there are significant financial and performance benefits of using cloud services, there is an increased level of cyber threats.
The service or application management must address the changing nature of the infrastructure, access, and integration. Just like line-of-business application services, cloud-based application management services provide an opportunity to simplify security policies and enforcement methodologies.
Using Secured Operating Model
Each of the twenty-one capabilities in the secured operating model is described as a capability maturity map with five maturity levels. The complete capability maps are available online at the securedbusinessops.com website.
Organizations can use these maps to assess the current state of these capabilities. Based on the desired state of the secured business model, organizations can determine the required state of secure operating model capabilities.
Without the business context, it is not fair to say that anything low in maturity is bad and anything high is excellent. Organizations might be overinvesting in some areas, underinvesting in others, or investing just about right, based on the business engagement model and business needs defined by the secured business model.
In the next post, the details will be provided for how to achieve and sustain the desired maturity levels. These maturity levels enable you to maintain the secured operating platform that is necessary for achieving the business vision and strategic goals. Structured execution is required once the desired maturity levels have been determined using the template described above.