Wednesday, May 11, 2016

Project Delivery Process D136

D136 - Design and Setup System Security Provisions

SIIPS Delivery Processes (D).png

DEFINITION

SIIPS D136.pngEnsure that appropriate security provisions have been included in the detailed functional design and setup the system with the appropriate security controls and access capabilities.

SUMMARY

The purpose of this task is to:
  • review existing system security provisions and determine their adequacy in light of new or increased exposures resulting from the introduction of the new system,
  • modify existing processes and procedures, and/or design additional processes and procedures as necessary to address security risks,
  • set up the system(s) to have the appropriate levels of access and control.
There are four main elements:
  • review existing security provisions
  • design and set up package-specific security
  • design and set up network security
  • design and set up end-user computing security

PATH PLANNING GUIDANCE

Normal practice

DEPENDENCIES

Prerequisites (Finish-Finish):
  • Working development environment - Process D130
Dependent procedures (Finish-Start):
  • All tasks requiring access to the system

RECEIVABLES

  • Technical Plan IP (D110)
  • Delivery Approach Definition (DAD)
  • Definition of Requirements (DoR)

DELIVERABLES

  • Security Requirements IP
  • Accessible, controlled system

TOOLS

  • vendors’ technical manuals and information for the various systems software and package software components

DETAILED DESCRIPTION OF TASKS

Review existing security provisions

This task identifies, defines and addresses new system security issues introduced by the new system.
The purpose of this task is to:
  • Review the new system design to determine what new risks or exposures it introduces into the systems environment.  The review includes an inspection of the package’s security provisions and those specified in the operating environment, the data base and the network.
  • Review existing system security provisions to determine whether they are adequate for the new system.
  • Define and document the changes required to existing provisions, and new provisions that must be added.
  • Set up appropriate security for the development, testing and live environments.
Most modern packages have extensive security capabilities.  Most Application Packages offer a widespread range of security provisions via user profiles, including access to application functions or data objects.  In certain cases where high security standards are required (e.g. in the business case where two users have to authorise a transaction in order to make it valid), the standard security provisions might have to be enhanced by bespoke developments within the Application (e.g. in user exits).
The changes required to existing provisions, such as standard access control software, are implemented and re-implemented throughout the project as needs vary - ie to meet the needs of development, testing, and live operation.
Information sources may include:
  • recovery capabilities of hardware and software products
  • security and control requirements (Definition of Requirements)
  • business resumption requirements (Definition of Requirements)
  • regulatory requirements (Definition of Requirements)
  • functional integration strategy (Delivery Approach Definition)
  • technical integration strategy (Delivery Approach Definition)
  • business process specifications
The requirements, options, recommendations and detailed solution are documented in the System Security Requirements Implementation Paper.  Detail may include:
  • description (including magnitude, likelihood, business impact)
  • current security provisions, if any
  • definition of new type or level of security required.
The scope of this paper will be the entire system including the package modules, bespoke developments, surrounding systems, feeders, and the technical platform.  Sufficient detail is required to guide technical specification of solution.

Responsibilities:

  • Project Mgt - Reviews team members' work
  • Tech Mgt - Reviews system security design and advises project team on existing organizational standards and the extent to which technical security provisions accommodate system requirements
  • Data Mgt - Reviews backup and recovery and advises project team on existing organizational standards and the extent to which database security accommodates system requirements
  • Team/MIS - Reviews existing organizational system security procedures, defines when and how they will be used and designs special security provisions required to support the system

Design and set up package-specific security

The purpose of this task is to provide a detailed technical design of security provisions that are to be implemented as part of the package itself and set up the required facilities.  These include both:
  • the way in which this package will utilise standard user-profiles and access-control software already in place, and
  • routines that must be developed as part of the new system.
The objectives are to:
  • address the security requirement effectively and efficiently, and
  • co-ordinate with other security capabilities (system-wide, etc).
Worksteps - these worksteps define the specific needs for an Application system:
  • Define logic of system-specific security provisions.  Define user groups and their access requirements.  A user profile should be set up for each user group, defining access to functions, data objects and organisational units as required but not too wide in scope.  If access is set too narrowly in the early stages of the project, this might bring up problems when developing and testing the system.  In order not to hinder user activities, user master data should be implemented for all user profiles and access to all major objects be tested before any development or system testing is started.
  • Design software to implement these provisions. Some Applications provides the possibility of pre-defined user-exits in its transactions, into which additional security checks can be built in. These might be performed might require access to external authorisation instances in the operating system, the database, the network or the end-user equipment.
  • Set up or build the required facilities.
Information sources:
  • site standards and procedures
  • senior customer management
  • internal and external auditors
  • MIS operations management
  • vendor technical documentation regarding security, control, user profiles, and backup and recovery capabilities of hardware and software products
  • security and control requirements (Definition of Requirements)
  • business resumption requirements (Definition of Requirements)
  • regulatory requirements (Definition of Requirements)
  • functional integration strategy (Delivery Approach Definition)
  • technical integration strategy (Delivery Approach Definition)
  • business process specifications
  • system security requirements
Package-specific needs, options, recommendations and details will be included in the System Security Requirements Implementation Paper.  User Profiles for development, testing and live operation will be set up during the course of the project as needed.
The detail in the Implementation Paper may include:
  • description of purpose
  • relationship to other security capabilities
  • logical design
  • software specification.

Responsibilities:

Project Mgt Reviews team members' work
Team/MIS    Designs detailed, system-specific security specifications and implements them in system

Design and setup network security

The objective of this task is to ensure that network security provisions are adequate for the system security requirements.
The purpose of the task is to:
  • determine the need for security provisions to control access to networks and access through them to other system components,
  • modify existing processes and procedures or design additional processes and procedures as necessary to address security risks, and
  • set up and/or build facilities as required.
Worksteps:
  • identify network security issues
  • identify hardware and/or software capabilities that address these issues
  • define network security solution (hardware, software, and procedures)
  • specify hardware and software configurations and options
  • design procedures
  • build set/up network security as required.
Information sources:
  • site standards and procedures
  • internal and external auditors
  • MIS operations management
  • vendor and technical documentation regarding security, control, and backup and recovery capabilities of network hardware and software products
  • security and control requirements (Definition of Requirements)
  • business resumption requirements (Definition of Requirements)
  • regulatory requirements (Definition of Requirements)
  • functional integration strategy (Delivery Approach Definition)
  • technical integration strategy (Delivery Approach Definition)
  • business process specifications
  • system security requirements.
The network security needs, options, recommendations and detailed design are included in the Implementation Paper.  It may include
  • description of network security requirements
  • overview of the approach to addressing these requirements
  • definition of new policies (if any) governing network security
  • specification of how network access control capabilities will be used
  • specification of manual procedures (if any).

Responsibilities:

  • Project Mgt Reviews team members' work
  • Tech Mgt      Reviews network security design and advises project team on existing organizational standards and the extent to which they can accommodate the system network security requirements
  • Team/MIS    Reviews existing organizational network security procedures, defines when and how they will be used and designs special network security required to support the system

Design and set up end-user computing security

This task ensures that appropriate security provisions have been included in the detailed functional design and sets up access and control facilities as required.
The purpose of this task is to:
  • review all aspects of the detailed functional design and determine the need for additional provisions to protect data and processes from unauthorised access of any kind
  • modify existing processes and procedures, or design additional processes and procedures as necessary to address security risks
  • build/set up facilities as required.
Information sources:
  • site standards and procedures
  • senior customer management
  • internal and external auditors
  • MIS operations management
  • vendor and technical documentation regarding security, control, and backup and recovery capabilities of network hardware and software products
  • security and control requirements (Definition of Requirements)
  • functional integration strategy (Delivery Approach Definition)
  • technical sap integration strategy (Delivery Approach Definition)
  • business process specifications
  • system security requirements.
The end-user security design is included in the System Security Requirements Implementation Paper.  It may cover:
  • description of end-user security requirements
  • overview of the approach to addressing these requirements
  • definition of new policies (if any) governing end user security
  • specification of manual procedures (if any).

Responsibilities:

Project Mgt - Reviews team members' work
Tech Mgt - Reviews end-user computing security design and advises project team on existing organisational standards and the extent to which they can accommodate the system end-user computing security requirements

Team/MIS - Reviews existing organizational end-user security procedures, defines when and how they will be used and designs special end-user computing security required to support the system

No comments:

Post a Comment