Security is Everyone’s Responsibility


If you have been following my column over the past few months you should have a pretty good idea of where and when security comes into play for a typical organization.

Something that needs to be said however, is, that not all organizations have a dedicated roll responsible for security. Even if there is a dedicated roll, that person can’t be in twenty places at once.

In organizations that have dedicated teams of security personnel, like a financial institution, the challenge of having a security representative for each facet of the business becomes very challenging as there are dozens of project teams, offices, and operational issues that need to be tended to.

So what do we do?

If a formal representative can’t be present in a meeting or planning session, do we just forget about security?

The answer, I hope is "No, we don’t!"

Security is Everyone’s Responsibility

As business professionals, we need to understand that security is everyone’s responsibility; and that is especially true for business analysts, project managers, systems analysts, and others in the position of defining processes, technical architecture, or decision support.

If you are involved in a project that deals with information business assets, then you need to be thinking about the confidentiality and integrity of those assets throughout your project.

There are questions you need to be asking yourself, as well as others on the project, to better understand the security implications of a particular process, technology, or design element of that project.

Let’s use a real world example to illustrate this point.

You are in a meeting with a project manager, architect, the Director of Sales, and a few others.

The Sales and Marketing division is kicking off a session to discuss a new CRM portal that they are going to be implementing and you are the sole BA on the project.

As a business analyst, your role is to ensure the business objectives are being met in this design.

Taking in the lessons from the previous columns “
Insert Security Here” and “The Security Lifecycle” we now know that the security of information assets is one of the fundamental business objectives, and therefore, part of the responsibility of a professional analyst to concern themselves with.

How Do You Do It?

How do you ensure the objectives of security are being considered on this project?

It really is no different than the way you do it currently for your area of expertise, you need to ask questions, and evaluate the responses.

What and when to ask is the key because one of the challenges with information security is that security can be seen as a business disabler, rather than an enabler. People tend to think that those wearing the security hat are there to prevent them, stop them, or block them from doing the job, implementing a project, or accessing a resource.

Now, let’s say during this meeting you discovered that part of the business continuity plan for the portal was to e-mail the client CRM database to an administrators Hotmail account to “keep a backup”.

What would you do?


Information assets should only be disclosed to those so authorized.

Confidentiality is controlled though access controls and encryption.

An example is a password protected Zip file. Only those that know this password should be able to access it and will know the contents. Anyone without the password will only see junk filenames.

Good questions to ask around confidential are ones that expose access controls effectiveness. The more sensitive the data that the access control is protecting the deeper the solution should be.

Does the database hold client sensitive data? Does the file contain information that could damage our reputation if disclosed? Would a competitor gain an advantage if they we able to access this information?



Information assets should remain in the original form as intended by the owner.

Integrity can be controlled through access controls and encryption.

An example is a PDF document that has been encrypted with a digital certificate or an e-mail that has been signed with PGP.

Good questions to ask around integrity are ones that discover missing opportunities to encrypt information at rest or in transit. The more sensitive the asset it to the operation of the business, the more likely encryption should be used.

What would the impact be if the values in the table we changed without the owner’s approval? How often does the information change? Will the data be transmitted over public networks like the Internet?



The information asset should be accessible as needed or in the event of a disaster.

 Availability can be controlled through backups, fail over devices, and clustering.

 An example is a network that has two paths out to the Internet. If one goes down, the network can still be reached through the other link.

 Good questions to ask around availability are ones that determine how quickly an information asset needs to return to normal business function if it was no longer available.

How soon do the databases need to be back online after a crash? If we can’t get out e-mail for N hours is that okay? Will out clients mind if the information is not available for N hours? 

Most people would react in a very negative manner. “Are you crazy?” “No WAY!”, “Security will never permit this!”, and so on.

In my case, (as this is a real example I encountered) I was certainly screaming in my head this will never happen. However, a reaction like that will get your colleagues' backs and they will stop listening to anything you say beyond that comment.

The challenge for the analyst is explaining to people why it should never happen in the way it was designed.

If you read between the lines, that says, show them how to achieve their goal of getting a backup of the CRM database, but using processes and technology that follow better security practices.

To help the business, we ask questions that will highlight the fault in a manner that everyone can understand, and then demonstrate a solution to correct it. This is why becoming a security analyst is never an entry level job. You’ve had to do everyone else’s job first before you can tell them ways to do it better.


If you find yourself bewildered by the many facets of information security, but still want to play a part in this responsibility, keep in mind the triad: Confidentiality, Integrity, and Availability (see the sidebars for more details).

Pop Quiz

So, in this scenario, what’s the first question you would ask?

A) “What security controls are in place to protect the data?”
B) “When the data is in transit is it encrypted?”
C) “Who thought of this brilliant idea?”
D) “What happens when the administrator leaves the company?”

If you ask question A, then you are supporting the initial design and just looking to ensure controls are in place. Going with B is a dead-end as Hotmail uses a secured HTTP connection (HTTPS/SSL) so the closed ended answer of “Yes” will be given.

Answer C I hope you will keep to yourself, and therefore D is the best choice. You will highlight the key issue of the design; the administrator having complete access to the confidential CRM database and its contents.

The response from your question may lead to a small debate around the issue, but will further highlight other issues around the design such as using a 3rd party like Hotmail which the organization has no control over, or allowing a database to be transmitted without any access controls around it, thus preventing unauthorized access to the data inside.

Now let’s say everyone has agreed that maybe this isn’t such a good aspect of the design, but they are left with a problem, how do they backup the data to ensure availability if something happens to the database?

Now is your opportunity to help the business, through effective security practices, to implement a back up solution, maybe even tie it into some other project that could leverage this solution.


You have taken on the responsibility of ensuring the business assets are properly secured by asking the right questions, and whenever the next project comes along, people will look to you for guidance.

Author: Stewart Allen is a certified Information Security Consultant with over 12 years of experience specializing in Health Care and Financial Service industries.  Acting as an Information Security Advisor, Mr Allen is responsible for finding opportunities for his clients to achieve their business goals, while helping to ensure information assets are secure.  If you would like to learn more about the author he can be found on LinkedIn at

Like this article:
  9 members liked this article


BigT posted on Friday, October 10, 2008 7:56 AM
Very useful, particularly the Triad.
Only registered users may post comments.



Copyright 2006-2024 by Modern Analyst Media LLC