Enterprise Architecture - Guiding Principles

Enterprise Architecture (EA) artifacts must be developed with a clear understanding of how the EA will be used and who will use it. The EA may be used as a tool for evaluating design alternatives and selecting optimal solutions, as a guide providng insights into how practices will be streamlined or improved through automation or as a plan for needed investments and an understanding of what costs savings will be achieved through consolidation. Throughout, the people involved in the development and maintenance of an EA Framework shall consistently follow certain guiding principles, so that the EA contributes to the vision and mission of the enterprise. That makes the guiding principles of most important and mostly the first step in developing EA.


Enterprise architecture principles serve as a Framework for decision making by providing guidance about the preferred outcomes of a decision in a given context. This acts as a mechanism for harmonizing decision making across organization functions & departments in addition to guiding the selection and evolution of information systems to be as consistent and cost effective as possible. Alignment with enterprise architecture principles should be a goal for any initiative and will result in fewer obstacles, surprises and course corrections later in the project.


The usefulness of principles is in their general orientation and perspective; they do not prescribe specific actions. A given principle applies in some contexts but not all contexts. Different principles may conflict with each other, such as the principle of accessibility and the principle of security. Therefore, applying principles in the development of EA requires deliberation and often tradeoffs. The selection of principles to apply to a given EA is based on a combination of the general environment of the enterprise and the specifics of the goals and purpose of the EA. The application of appropriate principles facilitates grounding, balance, and positioning of an EA. Deviating from the principles may result in unnecessary and avoidable long-term costs and risks.


Typically there will be a set of overarching general principles and specific principles with respect to Business Architecture, Application & Systems, Data & Information, Security, etc. The following are some of the generic guiding principles that could be applicable to all enterprises.

Maximize Value

Architectures are designed to provide long-term benefits to the enterprise. Decisions must balance multiple criteria based on business needs. Every strategic decision must be assessed from a cost, risk and benefit perspective. Maximizing the benefit to the enterprise requires that information system decisions adhere to enterprise-wide drivers and priorities. Achieving maximum enterprise-wide benefits will require changes in the way information systems are planned and managed. Technology alone will not bring about change. To maximize utility, some functions or departments may have to concede their preferences for the benefit of the entire enterprise.

Business Continuity

As system operations become more pervasive, the enterprise become more dependent on them. This calls for ensuring reliability and scalability to suit the current and perceived future use of such systems throughout their design and use. Business premises throughout the enterprise must be provided with the capability to continue their business functions regardless of external events. Hardware failure, natural disasters, and data corruption should not be allowed to disrupt or stop enterprise activities. The enterprise business functions must be capable of operating on alternative information delivery mechanisms. Applications and systems must be assessed for criticality and impact on the enterprise's mission in order to determine the level of continuity that is required as well as on the need for an appropriate recovery plan.

Applications & Systems Architecture

Applications and Systems should be scalable to support use by different size organizations and to handle decline or growth in business levels. While the unexpected surge or decline in the volumes are to be handled, support for horizontal scaling is also essential. Enterprise applications should be easy to support, maintain, and modify. Enterprise applications that are easy to support, maintain, and modify lower the cost of support, and improve the user experience. Applications and Systems shall have the following characteristics: Flexibility, Extensibility, Availability, Interoperability, Maintainability, Manageability and Scalability

Legal and Regulatory Compliance

Information system management processes must comply with all relevant contracts, laws, regulations and policies. Enterprise policy is to abide by laws, policies, and regulations. This will not preclude business process improvements that lead to changes in policies and regulations. The enterprise must be mindful to comply with laws, regulations, and external policies regarding the collection, retention, and management of data.Education and access to the rules. Efficiency, need, and common sense are not the only drivers. Changes in the law and changes in regulations may drive changes in our processes or applications. Staff need to be educated about the importance of regulatory compliance and their responsibility to maintain it. Where existing information systems are non-compliant they must be strategically brought into compliance.

Leverage investments

All systems shall leverage existing and planned components, enterprise software, management systems, infrastructure, and standards. It is impossible to accurately predict everything upfront. A try before you buy approach validates investment plans, designs and technologies. Prototypes enable users to provide early feedback about the design of the solution. If the enterprise capability is incomplete or deficient, efforts will be made to address the deficiency as against duplicating or investing further in building such new capabilities. This will allow us to achieve maximum utility from existing investments.

Risk Based Approach to Security

Following a risk-based approach provides the enterprise with an opportunity to: Identify threats to projects, initiatives, data and the ongoing operation of information systems; Effectively allocate and use resources to manage those risks; Avoid unwarranted speculation, misinterpretation and inappropriate use; and Improve stakeholder confidence and trust. Information systems, data and technologies must be protected from unauthorized access and manipulation. Enterprise information must be safe-guarded against inadvertent or unauthorized alteration, sabotage, disaster or disclosure. The cost and level of safeguards and security controls must be appropriate and proportional to the value of the information assets and the severity, probability and extent of harm

Continuous Improvement

The rate of change and improvement in the worldwide information technology market has led to extremely high expectations regarding quality, availability and accessibility. As a result, ICT must deliver projects and service-level agreements (SLAs) on progressively shorter deadlines and information systems with increasingly higher quality in an effective cost-control manner. This demand requires an operating model that continuously reviews and improves upon current practices and processes. Routine tasks that can be automated should be, but only where the benefit justifies the cost. The complexity of the process, the potential time savings and the potential for error reduction should be factored into the benefit. Processes and tasks must be analyzed and understood to determine the opportunity for improvement and automation. Service outages, errors and problems need to be analyzed to understand and improve upon deficiencies in existing processes and practises. Manual integration, where data is copied from one information system to another by hand, should give way to automated processes that are repeatable, timely and less prone to error.

Responsive Change Management

Changes to the enterprise information environment are implemented in a timely manner. If people are to be expected to work within the enterprise information environment, that information environment must be responsive to their needs. Processes may need to be developed to manage priorities and expectations. This principle will, at times conflict with other principles. When this occurs, the business need must be considered but initiatives must also be balanced with other enterprise architecture principles. Without this balanced perspective short-term considerations, supposedly convenient exceptions and inconsistencies, will rapidly undermine the management of information systems.

Technology Independence

Business architecture describes the business model independent of its supporting technology and provides the foundation for the analysis of opportunities for automation. Eliminate technology constraints when defining business architecture and ensure automated processes are described at the business process level for analysis and design. Enterprise functions and IT organizations must have a common vision of both a unit’s business functions and the role of technology in them. They have joint responsibility for defining the IT needs and ensuring that the solutions delivered by the development teams meet expectations and provide the projected benefits. Independence of applications from the supporting technology allows applications to be developed, upgraded and operated under the best cost-to-benefit ratio. Otherwise technology, which is subject to continual obsolescence and vendor dependence, becomes the driver rather than the user requirements themselves.

Data is a Shared Resource

Timely access to accurate data is essential to improving the quality and efficiency of enterprise decision making. It is less costly to maintain timely, accurate data and share it from a single application than it is to maintain duplicate data in multiple applications with multiple rules and disparate management practices. The speed of data collection, creation, transfer and assimilation is driven by the ability of the enterprise to efficiently share these islands of data across the organizations. A shared data environment will result in improved decision making and support activities as we will rely on fewer sources (ultimately one) of accurate and timely managed data. Data sharing will require a significant cultural change. This principle of data sharing will need to be balanced with the principle of data security. Under no circumstance will the data sharing principle cause confidential data to be compromised.

The above is not an exhaustive list. The set of principles actually depends on the enterprise's vision and mission and as the EA is aligned to such vision and mission, the principles should also be formulated with alignment in mind. While the above principles are generic and may be used by all enterprises, it is important to state the principle in a structured manner. The principle shall be supported with a rationale, so that the users can understand, why this principle exist and to what extent the same can be traded-off when a conflict arise. 

Teachability - a Significant Soft Skill for Leaders

"If You Want to Learn, Be Teachable" -- By John C. Maxwell

There is an old saying that “you can't teach an old dog new tricks,” but the concept called “teachability” remains a key component for ensuring that the professionals of all walks are successful in their pursuit. This is all the more important in the IT because the "Change" here happens at a faster pace and those being teachable get better in their career towards becoming a leader.


Today's educational methods and curriculum are designed with a basic assumption that the students are teachabile. But when teachers find few students who lack this skill, they get into frustration. This makes the gap between teaching and teachability widening. The teachability factor should form part of the early school curriculum, so that it pays the fruits as the student pass through the further stages of education. 

Today's kids are smarter and they are born with Smart gadgets and devices and they handle these devices far better than their grandfathers. But this smartness does not mean that they are teachable. Being teachable is closely related to adaptability and being Curious. To be teachable, one has to be: quick to learn and observe; take direction, advice, correction when you make a mistake, etc.; and learn from all of those. Both parents and the teachers should be trained to improve these teachability traits of the students right from the childhood.

The character of Teachability has two aspects to it; one is being a learner and the other is to pass it on, to share insights and what we have learned with others. It is first being a learner, absorbing and applying what one has come through, then replicating that in others. To be a person who can teach we have to be a person who is teachable. Being teachable is a choice. We choose whether we are open or closed to new ideas, new experiences, others’ ideas, people’s feedback, and willingness to change. The key to teachability is not just that we try ideas on for size, but that we actually learn from others and change our point of view, process, and future decision making based on the what we have learned.


We all know that "Change is the only Constant thing" and the change is happening every where. For IT, the change happens in a faster pace. Newer tools and technologies emerge quite faster, needing the IT professionals on the run to learn things continuously. One of the important characteristic required to adapt change is being Teachable. Today’s competitive advantage goes to those who can learn and adapt faster, which are the important traits of being teachable. 

The work and decision making enviornment is different across work places. One should be willing to adapt and learn to these changing enviornment and circumstances and simply put be teachable.

Here are the important traits of Teachability:

Conducive to Learning - Approach each day as an opportunity for new learning experience. Have open minded and listen to people. There is a certain learning opportunity from every person you meet. Teachable persons remain alert for new ideas and always expect something to learn in every problem they face. They know that success has less to do with possessing natural talent and more to do with choosing to learn.

Be a Beginner for ever - When people are actually beginners, they have the mind set to be trained and learn. But as we all know, once they get better in the subject and reap more and more successes, they tend to get carried away and get to a state of closed minded. To be teachable, one has to stay in the beginner's mind-set for ever. The more success you have, the harder it is to maintain the beginner's mind-set because you are much more likely to think you know the answer and have less to learn. Believing in and practicing the following will help one to keep the beginners' mind-set: everyone has something to teach me; every day I have something to learn; and every time I learn something, I benefit.

Reflect and Change -Becoming and remaining teachable requires people to honestly and openly reflect and evaluate themselves continuously. Any time you face a challenge, loss, or problem, one of the first things you need to ask yourself is, “Am I the cause?” If the answer is yes, then you need to be ready to make changes. Recognizing your own part in your failings, no matter how painful, and working hard to correct your mistakes, leads to the ability to change, grow, and move forward in life.

Inter-Personal Skill - Inter-Personal skill will help nurture the art of learning from perople around. Be open minded and freely speaking to those around you to openly, yet honestly share the facts of not only work but also personal life. This will help strengthen the relationship, being approachable with those around and thus help get honest feedback. This will also make them courageous and honest enough to speak freely. Be willing to accept such feedback and criticism.

Learn Unto Death - The secret to any person’s success can be found in his or her daily agenda. People grow and improve, not by huge leaps and bounds, but by small, incremental changes. Teachable people try to leverage this truth by learning something new every day. A single day is enough to make us a little larger or a little smaller. Several single days strung together will make us a lot larger or a lot smaller. If we do that every day, day upon day, there is great power for change.

Non-Defensive - After you receive any form of constructive criticism, think about it and decide how you will act differently in the future. Don't get defensive when called out. Instead, learn from it and improve, so you don't make the same mistake again. Many of these lessons will come from the school of hard knocks. A teachable person is non-defensive. When they are wrong they quickly admit their wrongdoing and seek to learn how to be better next time. A teachable person allows others to speak truths learned from experience into their lives. A teachable person does not make unilateral decisions but seeks wisdom and knowledge from multiple people.

As you would have observed, Teachability requires certain soft skills, which are not easy to acquire. Though this is not to "born-with" skill, one can put in efforts to become teachable. Most of the organizations today are considering soft skills as most valuable than the hard skills, because, hard skills can be acquired on the job, but soft skills are not as easy to acquire. Thougn many of the recruiters are looking for Teachability as a soft skill, they are certainly looking for the traits that form part of Teachability. Like for instance, for most of the recruiters, the above mentioned traits figure in their evaluation checklist.

John C Maxwell suggests the following to pursue Teachability:

Learn to Listen - As the old saying goes, “There’s a reason you have one mouth and two ears.” Listen to others and remain humble, and you will learn things that can help you expand your talent.

Understand the Learning Process - Act, Reflect, Improve and Repeat

Look for and Plan Teachable Moments - By reading books, visiting places that inspire you, attending events that prompt you to pursue change, and spending time with people who stretch you and expose you to new experiences.

Make your teachable moments count - Pay attention to:

• Points they need to think about
• Changes they need to make
• Lessons they need to apply
• Information that they need to share

Ask yourself, “Am I really teachable?” - Ask yourself the following questions:

• Am I open to other people’s ideas?
• Do I listen more than I talk?
• Am I open to changing my opinion based on new information?
• Do I readily admit when I am wrong?
• Do I observe before acting on a situation?
• Do I ask questions?
• Am I willing to ask a question that will expose my ignorance?
• Am I open to doing things in a way I haven’t done before?
• Am I willing to ask for directions?
• Do I act defensive when criticized, or do I listen openly for truth?

A "no" to one or more questions above would mean that you have something to work on.

The Promise and Peril of IoT

The Internet of Things can be defined as below:

The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors and connectivity to enable it to achieve greater value and service by exchanging data with the manufacturer, operator and/or other connected.

As we can see today, there are many things that we use in our daily livelihood are becoming smarter as they have embedded sensors and related electronics and algorithms, so thay they collect data in real time and convert the same into useful information. The most common smart things that we see now range from tracking devices, cars, refridgerators, security cameras, ovens and even dustbins. The Healthcare industry is leading in adopting the IoT devices and we have devices which are worn under the skin, that on the positive side help address many of the health concerns.


The IoT ecosystem primarily has three things: the device itself, with necessary sensors to collect data; the network that the devices use to share the data with the back end systems; and the back end system which apart from applying various analytical and algorithmic processes on the collected data also manages the devices, like rolling out updates, patches, etc. Certain devices may not have the ability to connect to the internet, in which case, the devices reach out to the back end through intermediate broker devices, like smart phones.

IoT is here to Stay

More and more IoT devices are coming out and will soon be everywhere and experts predict that the number can grow to 50 billion by year 2020. The IoT will undoubtedly be beneficial, but not without any perils. The pervasive interconnectedness of the IoT devices will also help the businesses in better understanding customer behavior and adopt appropriate business and marketing strategies targeting the specific customers. While the businesses like healthcare service provicers may make the most out of this IoT push, it poses many concerns ranging from data security to life safety of those who either directly or indirectly use such devices.

As the benefits seem to outweigh the drawbacks, it is very likely that IoT is here to stay and the concerns have to be addressed as it matures in the coming years. Let us examine the Promises that IoT era is about to bring in and also the Perils that come along.


The Promise

Healthcare

As mentioned earlier, healthcare providers are among the earliest to adopt the IoT. The wider deployment of electronic medical records (EMRs) and deployment of telemedicine technology that relies heavily on the type of remote data collection needed IoT to take it further and this convergence is expected to fuel the growth of IoT. With IoT, patients can submit their vitals from home without having to personally visit their physician and thus experiencing an enhanced and timely care, which could be life saving many times. This also helps in healthcare providers innovate further and come up with preventive care plans. Typical IoT devices that we see now are the fitness trackers, smart watches and other wearable devices like smart shoes.

Automobile

Next to Healthcare, Automobiles makers have shown greater interest in leveraging the IoT and thus the cars are becoming smart with capabilities like driverless cars, parking assist, switching on the A/c remotely, etc. IoT, if not already, will enrich the in car experience of the driver and passengers. The applications include enhanced in-car infotainment, improved safety controls and improved remote maintenance. For example, the car tyres are getting smarter with the ability to notify the tyre pressure in real time and even extend it further to automatically inflate or deflate the tyre on the go. The cars rolling out today already have some level of smartness built in, giving an enhanced safety and driving experience.

Manufacturing

The IoT brings revolutionary changes to society, economy, and technology, in such a manner that no one can just ignore to leverage it for its benefits. Manufacturing companies for that matter are seriously working to leverage IoT to: gain enhanced visibility over the production process; link the production to the business processes; and build responsive monitoring processes that improves the efficiency and quality of the products and services. Application of IoT in the above areas will lead to significants benefits like, securing and monitoring the movement of goods within and outside the factory, improving the quality of the products, preventive maintenance and upkeep of the plant & machinery, etc. When implemented correctly in every stage of the manufacturing process, IoT will be a significant benefit to employees on the manufacturing floor to the shippers and finally to the customer.

Retail

Retail industry would not want to be left out in this race of adopting the IoT as it has the biggest potential to leverage for a better business results. Being in direct contact with the end consumers, retailers can make use of in-store sensors and can track smartphones throughout the store and record path-to-purchase data that can later be used to optimize store layouts. Check out process can be made easier with smart shopping bags, so that the moment an item is dropped into the bag, the same is added to the order making the billing process a lot easier. IoT is likely to be very useful in fraud prevention, like theft of inventory, etc. Early adopters will be positioned to more quickly deliver IoT-enabled capabilities that can increase revenue, reduce costs and drive a differentiated brand experience. The IoT will be a disruptive force in retail operations.

Other Benefits

Energy sector is adopting IoT with smart meters and grids to gather real-time data for remote monitoring of resource consumption, malfunctions, etc. Needless to mention, IoT enables buidling of smarter homes with smart-connected home appliances and thermostats giving an ability to the users to remotely monitor and manage. IoT is also entering our homes in the form of internet-connected lightbulb, thermostat, door lock, washing machine or oven you can control from inside or outside your house.  IoT has the power of transforming our lives by offering the needed sensing, connectivity and intelligennce to improve our wellbeing. 

Having seen the some of the promises, some of which are already real, let us now check out the dangers that come along.

The Perils

With IoT devices, consumers are often exposed to newer risks and concerns that these new generation devices and gadgets bring in. The concerns include their own safety, possible effects on networks used apart from the data protection and legal issues.

Another concern for the businesses is the amount of data produced by all IoT devices. The enormous data produced by various sensors must be transmitted over the networks, needing high performance networks and stored calling for the storage and related infrastructure. The volume of data managed by enterprises between 2015 and 2020 is expected to grow 50 times year-over-year. The concern is not just on the volume, but also on the quality and security of the data. The legal issues around the data ownership, accountability and responsibility cannot be ruled out as well.

Security & Privacy

IT professionals are no longer just protecting data, circuits, and transmissions, but need to focus on the relationships between “things”, “service to things” and “things to people.” Safety must be ensured along with availability, confidentiality and integrity. IoT devices might expose vlunerabilities, exposing an easy way for hackers to get into networks and databases of personal data. While manufacturers are responsible for the security of their products, organizations and end users are equally responsible deploying and monoitoring within their network. 

The ways and means of securing IoT is unclear as the industry is still evolving with thousands of start ups coming with cheaper and basic connected devices, ignoring security and safety in mind. The concerns around security and privacy stems out basically at three levels. The first being from the device itself. The device containing sensors to gather data and to perform certain actions should have a mechanism securely identify and authenticate the host system, so that it respond to the authorized hosts only and not to any. The second being the network used for sending and receiving data. Most of the IoT devices use the wireless protocols like bluetooth, to reach out to an intermediate device for further connectivity with internet. Securing these networks is very important as well to ensure data protection. The third is the Back End, where the huge volume of data gathered are stored for making it into more meaningful information for further actions.

The Internet of Things can be a complex market with multiple nodes, and businesses should aim to simplify this process. There’s no better way to assure a customer of the simplicity and security, than communicating regularly. It might seem like a rudimentary thing to do, but the true test of a successful business is to ensure that there’s a process in place amidst all that clutter. 

Other Concerns

Today's connected cars contain a multitude of computers collecting data, from driving habits to location data to media or entertainment use. With connectivity, data collected by the vehicle’s computers are sent to a manufacturer or third-party and data is received as well in the form of command & control or as updates to the programs & algortihms. In addition to privacy concerns, these technologies potentially allow hackers to remotely access a vehicle’s control systems and thus impact the safety of the human life

The consumer behavior is being used to the advantage of the retailers. For example, your trousers might get horrified by your weight gain and in turn will have the TV showing contextual ads about new fad diets, the fridge selling you low-fat yogurt, etc.

By getting smarter, the things get expensive with a shorter life span. For instance, your mattress may not need replacing every couple of years, but the smart mattress with a sensor inside may need a maintenance and replacement sooner than that. For cheaper connected devices like the kettle, toaster, waist belt, light switches and door knobs; expect replacement of these components to become a new, regular expense.

The current generation kids are born with smart devices on hand and are extremely addicted to digital gadgets and the smartphone notifications keep them busy staying away from in-person socilaization, leading up for a complete digital burn-out. 

Information Security - Reducing Complexity

Change is constant and we are seeing that everything around us are evolving. Primarily, the evolution is happening on the following categories:

Threats:

There is a drastic change in the threat landscape between now and the 1980s or even 1990s. Between 1980 and 2000, a good anti-virus and firewall solution was considered well enough for an organization. But now those are not just enough and the hackers are using sophisticated tools, technology and sills to attack the organizations. The motive behind hacking has also evolved and in that front, we see that hacking, though illegal is a commercially viable profession or business. 

Compliance:

With the pace at which the Threat landscape is evolving, governments have reasons to be concerned much as they are increasingly leveraging the technology to better serve the citizens and thus giving room for an increased security risk. To combat such challenges, Governments have come up with regulatory compliance requirements making it even complex for the CSOs of enterprises.

Technology:

Technology is evolving at a much faster pace and as we are experiencing, we are seeing that the things around us are getting smarter with the ability to connect and communicate to internet. On the other side, considerable progress have been achieved in the Artificial Intelligence, Machine Learning, etc. These newer ‘smarter things’ are adding up to the complexity as the CSOs of the have to handle the threats that these bring on to the surface.

Needless to mention that the hackers too make the best use of the technology evolution and thus improving their attack capabilities day by day.

Business Needs:

The driver of adoption of these evolution is the business need. As businesses want to stay ahead of the competition, they leverage the evolving technologies and surge ahead of the competition. With a shorter time to market, all departments, including the security organization should be capable of accepting and implementing such changes at faster pace. Due to this time pressure, there is a tendency to look for easier and quicker ways to implement changes ignoring the best practices.

Consumerization

IT today is to simplify things to the consumers within and outside the organization and this raises the user expectation and thus leading to too many changes with some being unrealistic as well. This may include the users bringing their own anything (BYOA). This will soon include Bring Your Own Identity with chips implanted under the skin. As you would know, employees who work at the new high tech office campus in Sweden, EpiCenter can wave their hands to open doors, with an RFID chip implanted under the skin.

Connected world

Most enterprises are now connected with their business partners in terms for exchanging business data. With this the IT System perimeter extends to that of the partners’ as well to some extent. Rules and polices had to be relaxed to support such connected systems. Now that we are looking at things that we use every day will transform as connected things, adding up to the complexity.

Big data

Basically the need for big data tools to handle this. While this complexity did exist earlier, the attacks were not that sophisticated then. Today with the level of sophistication on the attack surface, the need for simplifying complexity of handling huge data is very much required.

Skillset

The threat landscape is widening and the attacks are getting sophisticated, which call for even better tools and technologies to be used to prevent or counter them. This means that there is a continuous change in the method, approach, tools and technology used, making it difficult to maintain and manage the skills of the human resources.

Application Eco System

A midsized organization will have hundreds of applications, needing to have different exceptions to the policies and rules. These applications may in turn use third party components and thus the chances of a vulnerability within these applications is very high. Given that these applications constantly undergo change and evolve, there is a possibility that the code or component left behind might expose a vulnerability.

How does this impact

Complexity impacts the security capability in many ways and the following are some:

Accuracy in Detection

The complexity makes the detection of a compromise difficult. Having to handle and correlating large volume of logs from different devices and that too different vendors will always be a challenge and this makes timely and accurate detection a remote possibility. A successful counter measure require accurate detection in the pre-infection or atleast in the infection stage. The later it is detected, it is complex to counter the same.

Resources

Each new security technology requires people to properly deploy, operate and maintain it. But it is difficult to add new heads to the Security Organization as and when a new tool or technology is considered. Similarly, managing the legacy solutions put in by older employees who are no longer employed in the organizaiton is likely to remain untouched due to the fear of breaking certain things.

Vulnerabilities and Exposures

With the huge number of applications used by the enterprise, this is a complex and huge exercise, unless the same is integrated into the build and delivery process by mandating a security vulnerability assessment. With innumerable number of applications, components, and the operating systems connecting to the enterprise network, this is almost impossible. Needless to mention that with the wearables and other smarter things connection to the network, who knows, what vulnerability exist in such smarter things and in turn exploited by hackers.

Methods for reducing complexity

Complexity is certainly bad and reducing complexity will beneficial both in terms of cost and otherwise. However, simplification by any means should not result in compromising the needed detection and protection abilities. A balanced approach is necessary so that the risk, cost and complexity are well balanced and beneficial to the organization. The following are some of the methods that may help reduce the complexity:

• Integrated processes as against isolated security processes. Every Business process should have the security related processes integrated within, so that every person in the organization will by default contribute towards security. The security process framework shall be designed in such a manner that it evolves over a period based on experience and feedback.
• Practicing Agile approach within the security organization, so that the complexity is hidden within tools and appliances by automating the same. Agile approach also helps the security organization to embrace changes faster, especially, when implementing changes in response to a detected threat or compromise. One has to carefully adopt such practices into the Security framework.
• Outsourcing the security operations to Managed Security Service Providers(MSSP) is certainly an option for small and medium enterprises that brings takes some of the complexity away and thus benefits the organization. Needless to mention here that outsourcing does not absolve the responsibility of the security organization from any security incident or breach.
• “Shrinking the Rack” – Consolidating technologies whereby devices combining multiple technology and capability within it may make it easier for deployment and administration. At the same time this has the risk of ‘having all eggs in one basket’, i.e. when such a device or solution is hacked, then it is far and wide open for the hackers.
• Mandating periodical code, component and process refactoring, where by unneeded legacy code, component and process are periodically reviewed and removed from the system. This will help keeping the applications maintainable and secure. Also implant security as a culture amongst all the employees, so that they handle security indicators responsibly.

Factors Affecting Software Resiliency

The digital transformation is happening everywhere right from small private firms to government organizations. On the personal front, connected things is coming on, where by every thing that we have or use will be smart enough to connect and communicate with other things(systems). This in effect means there will be an increased reliance on IT systems to accomplish various tasks. This will call for high order of resilience on the part of such systems and the absence of which may lead to disasterous situation.

As we all know, the word resiliency means 'the ability to bounce-back after some events'. In otherwords, it is a capability of withstanding any shock or impact without any major deformation or rupture. In software terms, resilience is the persistence of the avoidance of failures when facing a change or in a deviated circumstance.

To design a resilient system, one should first understand the various factors that work against the resiliency. Here are some such factors:

Design Flaws

Design and Architecture of the systems is a major factor that works in favor or against the resiliency requirement. The architects shall while designing the system or solution should have a good understanding of what could go wrong and provide for an exception handling ability, so that all exceptions are appropriately handled, making the system not to go down and instead recover from such exception and continue to operate. The architects have many options today in terms of tools, technologies, standards, methodologies and frameworks that help buidling resiliency within. It is the ability of choosing the right combination of tools, technologies, etc for the specific systems that will decide on the resilience capability of the system. 

Software Complexity

The size and complexity of software systems is increasing, thus the ways in which a system can fail also increases. It is fair to assume that the increase in failure possibilities does not bear a linear or additive relationship to system complexity. Typically, the complexity of the software systems increases as it evolves by responding to the changing business needs. This is more so as the tools and technologies used to design and build the software are becoming outdated, making it difficult in maintaining the systems. 

This complexity attribute makes it increasingly difficult to incorporate resiliency routines that will respond effectively to failures in the individual systems and in their complex system. The cost of achieving an equivalent level of resiliency due to the complexity factor should be added to that of the individual systems

Interdependency and Interconnectivity

We are living in a connected world and systems of many of today's businesses depend on connectivity with their partner entities to do their business. This adds multiple points of failures over and above the network connectivity. The system resiliency is increasingly dependent on the resiliency of systems different other organizations over which the entity has no control. This means that a failure or outage of a business partner's system can have a ripple effect. This situation requires the systems need to be aware and capable of such failure or outage with other connected systems and the ability to recover from such events should be designed within. 

Rapid Changes

Thanks to the evolving digital economy, the business needs are changing too frequently and thus needing system changes. Every change in an existing system, for sure will add a bit of complexity, as the architecture on which the system originally designed wouldn't have considered the changes that are coming through. Many a times, considering the time to market, such changes need to be implemented quicker than expected, leaving the software designers to adopt a quick and dirty approach to deliver the change, leaving a permanent solution for a later time period. The irony is that there will never be a time when the 'permanent solution' is implemented.

Change is one of the key source of adding complexity to the Software systems. However, the evolving tools, technologies and methodologies come to the rescue, so that the Architects design systems and solutions in such a way to pave way for embracing such changes and to embed the resiliency factors in the design.

A frequently held criticism of Common Criteria testing is that, by the time the results are available, there is a good chance that the tested software has already been replaced. The danger here is that the new software may contain new vulnerabilities that may not have existed in prior versions. Thus, determining that an obsolete piece of software is sufficiently resilient is not particularly indicative of the state of the newest version and, therefore, is not very useful

Conclusion

Higher levels of resilience can be achieved by leveraging Machine Learning and Big Data tools and techniques. As the world is moving towards more and more connected things, high order of resilience is critical. With Machine Learning capability, the systems and devices can be embedded with algorithms that make them learn from past events and the data collected from various other connected networks and systems in addition to the ambient data. The systems can be designed to predict the health of various underlying components and thus its own health as well. Based on such prediction, the components may choose to use alternate approaches, like using alternate network protocols like Wireless, Bluetooth, etc, or choose to connect to a different component or system altogether.

Evolution of Wearables - What is in store?

Many of us are hearing more and more about fitness bands and some are using these. Big players are now rolling out smart watches, which has disrupted the basic fitness bands considerably in a very short span of time, as these smart watches have these basic fitness features within. Wearables like, glasses, jewellery, headgear, belts, armwear, wristwear, legwear, footwear, skin patches, exoskeletons and textiles, etc are also increasingly becoming "Smart". These emerging smart devices can be worn by human beings, which will collect various data based on embedded sensors and provide useful information that will help improve oneself, which could be on physical fitness, health, etc.

As one can understand, wearables is not just limited to the gadget that decorate your wrist and the number of wearable devices in different segments are growing very fast. With rapid evolution around this space, there are devices that are worn around different areas of the body and the following graphic shows the smart devices that are worn in different parts of the human body:

Who are at it?

Amongst many others, companies like Google, Samsung, Fitbit, Jawbone, GoQii, LG, Sony have been into Wearable devices and the competition is heating up as big players like Intel and Apple are betting big on this market.

Fitbit dominated the market for “basic bands,” according to Canalys’ market estimates, with more than 50 percent market share in the second half of the year. The Jawbone UP came second, cutting itself around a fifth of the pie, followed by Nike with its Fuelband.

The market forecast and the trend makes us feel that this wearable space could potentially disrupt many of the traditional devices. Thus many are looking at embracing this market either to see how this could disrupt their product line or to see if they have an opportunity in this space.

NeuroMetrix of Waltham will be jumping into the market for wearable electronic devices. But the company's new Quell device - an over-the-counter version of its Sensus device for management of chronic pain - is an actual medical device that is used to manage pain.

TomTom, the Dutch brand known for its standalone GPS navigators among other things, has brought its line of sports watches to India. TomTom launched four fitness wearables, which include TomTom Runner and Multi-Sport GPS watches, which deliever real time stats such as time, distance, pace, speed and calories burnt to runners, swimmers and cyclists.

Xiaomi said in a press release that local sales of its Mi Band - a fitness tracking bracelet that can be powered for 30 days on a single charge, has surpassed 100,000 units since it was unveiled. The Beijing-based company forecast that more than 500,000 Mi Bands will be sold in Taiwan by the end of the year, giving it the biggest share of the country's wearable device market that is currently led by Sony Corp. and Samsung Electronics Co.

Intel is firing on all cylinders to expand into the growing wearable technology arena such as smart watches and other Internet-enabled wearables. This investment in Vuzix Corporation is yet another effort by the chipmaker in this regard. Intel has unveiled Curie, a low-powered module no bigger than a button, as part of its vision to lead in the wearables field.

Rumors have said that HTC will be launching a smartwatch at the upcoming CES. The initially planned unveiling of the device was back in October, but the date was pushed back to CES 2015. Details of the device are unclear though, as it could be a smartwatch or a fitness tracker.

In addition to all these devices, there will also be wearable technology focusing on health and fitness, prosthetics and smart clothing.

The Trend

Shipments of smart wearables are expected to grow from 9.7 million in 2013 to 135 million in 2018, according to CCS Insight's new global forecast. The forecast predicts that wrist-worn devices will account for 87% of wearables to be shipped in 2018 — comprising 68 million smartwatches and 50 million smart bands with no screen or with a minimal, one-line display.

The smartwatch will be the leading product category and take an increasingly large share of wearable shipments. We estimate smartwatch shipments will rise by a compound annual rate of 41% over the next five years. Smartwatches will account for 59% of total wearable device shipments this year, and that share will expand to just over 70% of shipments by 2019.

The dominant sector will remain the healthcare sector which merges medical, fitness and wellness. It has the largest number of big names such as Apple, Accenture, Adidas, Fujitsu, Nike, Philips, Reebock, Samsung, SAP and Roche behind the most promising new developments.

Google's Android could be critical for developing the smart devices ecosystem, though significant changes will be required before it is suitable for all kinds of wearable devices. Google has already released Android Wear, targeted for smart watches.

Samsung, Google, Apple, with their massive war chests, have come into this market. They’re going to really help elevate the category for consumers. They’re going to help people understand the kinds of benefits that they can get from these products. The next few years, will see activity trackers with a little bit more biosensing data, and smart watches that people are going to have to charge every night.

If Wearables 1.0 was about creating the basic technologies for the wearable devices, Wearables 2.0 was and still is about crafting rich, robust business models based on these technologies. Wearables 3.0 will be all about perfecting, expanding and engaging customers at a level never experienced before. Big players in Wearable Technology and Internet of Things, from healthcare companies to insurance corporations, from high street retailers to music industry, Google, Apple, Samsung, Mercedes, Nike, Audi, just to name a few are all to give for free their devices in exchange for data.

What could be the future?

Though it’s easy to be pessimistic, one cannot ignore the potential that this market has in store. In any event, while we wait for this category to evolve, it’s entertaining to watch the puzzle pieces slowly come together. Convergence is expected, in much the same way that the smartphone extended the basic functionalities of the feature phone and disrupted certain traditional devices like point and shoot camera.

Medical and Wellness segment could be the one which will embrace this category of wearable devices and make health more affordable and self manageable for every one. For instance, one can wear a virtual doctor while on a specific treatment. A better example could be that the advances in wearable devices could lead to a scenario, where a diabetes patient may get appropriate doses of insulin administered into his body automatically based on various data collected by the sensors worn around the body. This could be risky, if the data, so collected are inaccurate and that is one of the major concern that is expected to be addressed in the coming years.

There has to be a marriage of fitness devices and medical management devices to really impact patient health. The future of wearable technology in fitness and health isn’t about the fitness bands and health monitors – it’s about what can be done with the data they collect, which means that these devices have to be supplemented by smart applications that are powered by big data and analytics tools.

A very large percentage of the population already owns a smart phone, which has lot many capabilities, including that of the basic wearable devices. As such, it will be critical that wearables provide a distinct value proposition that is separate and different than the smartphone, although the smartphone will likely still act as the “hub” to collect information.

We’re already starting to see sensor-embedded running vests and smart socks. But we could soon see jackets with solar panels (to recharge your gadgets on the go), 3D printed dresses that everyone can afford, health-monitoring underwear, even clothes that react to light. If we had the ability to change the look of all of our clothes, just by fiddling with our phones, it would mean less spending on new gear and plenty of spare wardrobe space.

Wearables need to move beyond the gamification of fitness to focus on monitoring and improving our health. With extra sensors and smarter and reliable algorithms, future devices should be able to warn us of high blood pressure and dehydration, fatigue and stress. Perhaps then, forewarned by data we understand, we’ll find wearables more compelling.

In Wearable Tech 3.0 Security is paramount. Six months from now and we’ll understand how poor the wearables 1.0 security was, if any! The big players in this market should finally draw, define and release the IoT and Wearables industry Security Standards. Wearable Tech 3.0 is the beginning of a new era where enterprises provide real value to their customers, a key technology benefit in the age of the customer.

Enterprise Architecture Practice - Capabilities

Enterprise Architecture (EA) function now have an unprecedented chance to lead the way in identifying new business opportunities, thanks to the innovations in the web and mobile technologies and businesses realizing the business advantages of such advancements. EA serves a strategic business purpose by enabling business capabilities to be implemented via IT architecture and related IT delivery processes.

Though Enterprise Architecture is not a very new practice, the maturity level is still not the optimal in most enterprises. Seeing the benefits that the EA function can bring to the table,  many enterprises are attempting to setup the EA practice within, but are in fact struggling to get it right. EA not just science and not just art as well. It is a combination of art and science. Successful EA practice has been found to being able to demonstrate certain key capabilities. In the EA world, there is no such thing as 'one size fits all', as it is highly dependent on the enterprises' business, its objectives, goals, strategies and priorities, which is never the same across enterprises.

While the objective of this blog is to discuss about the key capabilities that the EA function should be able to demonstrate, it is also good to highlight out what EA is not.

What EA is not:

• EA is NOT a project
• EA is NOT about review 
• EA is NOT a one-time activity
• EA is NOT for IT
• EA is NOT a strategy
• EA is NOT all about cost-reduction
• EA is NOT one-man show

A successful EA practice should consider practicing and demonstrating the following key capabilities:

Staying Relevant

As we all know, it is highly unlikely that an architectural solution that works well for one enterprise will work well for another in the same industry domain. This is because each enterprise has its own vision and mission to win over the competition and constantly wish to stand alone in the crowd in certain key areas. Staying relevant helps the EA function in aligning strategic and operational views of business with the underlying technology and service delivery processes. For this reason, the EA practice should strive to understand the vision, mission and strategies of the enterprise and continue to stay aligned to the same, so that the architectural solutions continue to stay relevant for the enterprise.

Technology & Architecture Vision

No doubt that modern enterprise largely depend on technology and in certain cases, the business in fact is driven by technology. Irrespective of whether technology drives the business or not, technology is a key enabler of the business. So, it becomes essential to have a technology vision, which is aligned to the business vision. It is needless to mention that having a vision will not be just enough, and the same shall be driven down to the operational processes and practices. Every architecture and governance process should derive the technology vision as envisaged and so the solutions continue to stay relevant and yield the intended results. The technology vision and strategy shall be such that leverages both new tech innovations and existing capabilities that will enable the business to achieve the target state. 

The goal of the architecture vision is to articulate how the proposed architecture will enable the business goals, respond to the strategic drivers, conform to the principles, and addresses the stakeholder concerns and objectives.

Transforming and automating operations

While leveraging the existing knowledge and resources is key in saving costs, it is important for the EA function to stay on top of the technology and business innovations and explore opportunities of leveraging the same so that the enterprise stays on course of achieving its target mission and vision. This is where the EA teams should consider leveraging Agile approaches, so that the target reference architecture also stays dynamic and relevant. The EA framework shall have an evolution cycle, so as to improve the framework itself and similarly the architecture solutions should also be continually evolved based on feedback and availability of enabling technologies and innovations.

It is needless to mention here that the EA function shall equally consider the 'Business As Usual' as any transformational initiative should not derail the enterprise from achieving its intended mission and vision.

Being the Change Leader

EA is all about bringing change for the good. i.e. EA programs is all about driving the enterprise from its current state to the target reference state, which is nothing but identifying and driving changes to various resources at various levels, so that the target state is achieved. This is yet another key capability that come down to the old adage of building “better, faster, cheaper” systems that provide agility to change or expand capabilities, in response to ever-changing business requirements. EA function leads the planning for these new system and technology capabilities, ensuring the best solutions to the business requirements by providing blueprints and implementation road maps to the design and delivery teams. They also provide a service to the other organizational functions by ensuring compliance of these solutions at critical design and delivery milestones.

Mitigating risk

As the emphasis shifts from cleaning up the legacy of systems and technologies to better planning and governance of new IS and IT initiatives, we see a corresponding shift in the role of the EA practice. The focus shifts from driving out costs to reducing risks associated with new programs, while ensuring timely delivery of new capabilities. 

Every architectural initiatives shall be subject to a risk review and decisions shall be made based on the business value expected out of it. The changing business and regulatory conditions might also impact the solutions and at times could end up the enterprises not being able to realize the intended value out of it. This where the "Fail Fast" approach would help in making the right decisions. Periodic reviews of the change or transformational projects should be conducted with a view to ascertain whether the intended value is not impacted with the current conditions. Thus being able to manage and mitigate the risks well is a key capability that the EA practice should demonstrate.

Overseeing investments

It is natural for enterprises to look for Return on Investments (RoI), as the capital has a cost. The EA practice shall consider the cost of capital and the investment requirements for various change initiatives and work with the related other functions to ensure that the benefits are quantified so as to ensure the investments yield desired returns. In cases where the benefits are not directly quantifiable, the EA team shall identify such indirect benefits derived out of such investments and shall ascertain the monetary value in a best possible manner. 

Governing the architecture

As said earlier, EA function is not a project and it is a continuous function. EA function shall put in place necessary framework to monitor and manage the architectural activities in a constant basis. Business architects in the EA function monitor the project portfolio, while IT architects govern technology solutions, leveraging reference architectures to build the future state in alignment with strategic road maps. The governance principles shall be applied to various architecture activities with an objective to ensure the strategy alignment, risk management, measuring & monitoring, optimal resource utilization.

Integrating people, processes, and technology

Considering the innovation around the areas of web, mobile, big data powered by social media, modern enterprises are looking forward to leverage these to derive maximum business value. In this direction, to stay competitive and relevant to the customer business, most successful organizations are rapidly moving towards the system of engagement architecture supported by digital collaboration platforms and social strategies devised by EA where EA would create an effective social governance model and an overall enterprise strategy. It necessitates a pervasive social layer that spans many different system of records and departments within an organization. Discussion would also enlighten more focus on expanding social footprint by delivering consistent digital experience and utilizing social content and online communities to increase collaboration with customers and other stakeholders.

Information Security - Cost Analysis

Reports indicate that the Information Security is now a Board Agenda and the security spending by enterprises is on the rise. This is more because of the raise in the data breaches worldwide and the increased hacking and cyber attacks. This impacting all enterprises, be it small, medium or large and across various segments, i.e. not only financial but also all domains. The increased exposure and financial damages associated with security risks have pushed enterprises to increase the budget allocations and mitigate if not avoid such risks.

The following recent predictions of Gartner influence the Information Security spending among enterprises:

• By 2015, roughly 10% of overall IT security enterprise product capabilities will be delivered in the cloud.
• Regulatory pressure will increase in Western Europe and Asia/Pacific from 2014.
• By year-end 2015, about 30% of infrastructure protection products will be purchased as part of a suite offering.
• By 2018, more than half of organizations will use security services firms that specialize in data protection, security risk management and security infrastructure management to enhance their security postures.
• Mobile security will be a higher priority for consumers from 2017 onward.

In the best interests of the investors, any spending or investment should be backed up with an appropriate cost-benefit analysis. Applying this cost-benefit-justifications to Information Security function is gaining focus but remains a challenge. Quantification forms the basis for being able to perform the cost-benefit analysis. The advantages of quanti fication are its accuracy, objectivity, and comparability. In addition, quanti cation is the basis for calculations and statistical analyses. While costing is a comparatively easier aspect, quantifying the benefits is still a challenge as it depends on the occurrence of uncertain events.

Starting with the idea of a Return on Security Investment (ROSI) several concepts have been developed to support the decision for or against an information measure. On way to do this is to apply the concept of Net Present Value (NPV). NPV-Formula for information security investments could be as below:

The following are the four aspects of Information Security costs:

• Information Security Management - This is about the costs associated with the Information Security function, which comprises of People, Process and Technology. Though quantifying this aspect of the cost is straightforward, measuring the benefits is not.
• Incidental costs of Information Security related decisions - As we all know, Information Security is a cross functional task and every personnel and process in the organization need to contribute towards Information Security. As such, implementation of any security control will cause additional overhead in other departments or functions. For instance, regulating the fair use of the Internet will require some extent of involvement from the HR function in the form of policies, code of conduct, ethics etc. Quantifying of both costs and benefits is not as easy.
• Cost of capital for Security investments - Like any investment, capital invested in security function has a cost and quantifying this element of cost is not at all a challenge.
• Costs arising out of security incidents - This is more like a Risk Management and all the principles of measuring the risks apply here as well. The risk measure for security incidents can be measured as a product of the probability and the impact. However quantifying this in absolute value requires the identification of the impacted information and / or related resource and the value of such resource. Many people have opined that information is the currency of the organization, but it has a dynamic value, i.e. the value of information depends not only on its significance to the organization but also its significance to others.

A common way of categorising and structuring costs in a repeatable and comparable way is required to manage the associated challenges. Building on that basis it becomes possible to identify cost-drivers and to analyse di fferent security management approaches like the following:

• Balance Sheet Oriented Approach - where the costs are categorized and quantified under personnel, hardware, software and services. This approach does not take into consideration of the cross functional aspect of the security function.
• Life Cycle Oriented Approach - where the costs are categorized and quantified against the various life cycle phases of the security function. Typically, the life cycle of the security function would be in the lines of Plan - Do - Check - Assess, in which case the costs are quantified with respect to each of the life cycle phases. This approach takes the project management approach and can be useful for quantifying the incremental cost of a specific security initiative, but this approach will not be useful for assessing the costs for the security management function as a whole.
• Process Oriented Approach - where the costs are categorized into direct and indirect costs at process level. Direct costs could comprise of People and Technology and the Indirect costs could comprise of cost allocated by various functions towards a specific process, the quantified costs of risk avoidance and risk mitigation. This approach can be customized further to suit the varying needs of the enterprise.
• Control Oriented Approach - where costs are categorized with respect to individual security control, which can be added up to ascertain the cost for a security area. However this approach has challenges abound in putting a standard approach and framework for ascertaining the costs at control level. The costs that every control comprise of are that of a share in the fixed organizational overhead, in addition to the variable costs of people, technology and the processes.
• Layer Oriented Approach - where information security costs are categorized against the different layers of the ISMS layers, namely Management System, People & Processes, Architecture & Concepts, Operational Measures and Pre-requisites.

While quantifying the benefits is not very easy, by applying the Quantitative Risk Analysis techniques, the cost of not implementing a specific security process or control can be ascertained, which can be considered as the benefit of implementing the control or process. Another technique that can be useful to categorize and visualize the cost-benefits is the modeling and simulation.

Information Security Controls Relating to Personnel

Information Security in an organization largely focusses on the Confidentiality, Integrity and Availability of data, information and related resources. While the risk of threats are increasing, study says that the threat is more from the inside than from the outside. This has mandated the need for framing polices, procedures and controls around the employees of the organization, so that such risks arising from within can be mitigated or managed well.

Whilst personnel security controls cannot provide guarantees, they are sensible precautions that provide for the identity of individuals to be properly established. In circumstances where risk assessments indicate that the necessary thresholds are met, they provide for checks to be made of official and other data sources that can indicate whether individuals may be susceptible to influence or pressure which might cause them to abuse their position or whether there are any other reasons why individuals should not have access to sensitive assets.

Personnel security aims to:

• reduce the risk of loss, damage or compromise of Australian Government resources by providing assurance about the suitability of personnel authorised to access those resources
• create an environment where those accessing Australian Government resources are aware of the responsibilities that come with that access and abide with their obligations under the PSPF
• minimise potential for misuse of Australian Government resources through inadvertent or deliberate unauthorised disclosure
• support a culture of protective security.

Controls designed around the following aspects would certainly help an organization to achieve the said purpose:

Information security awareness and training

Organizations must have a program to provide information security awareness and training for personnel on an on-going basis, focusing on information security policies including topics such as responsibilities, consequences of non–compliance, and potential security risks and counter–measures. It is human nature to lose or forget training content over time. Providing ongoing information security awareness and training helps keep personnel aware of issues and their responsibilities.

Information security awareness and training programs are designed to help personnel to: become familiar with their roles and responsibilities; understand and support security requirements; and learn how to fulfil their security responsibilities. Methods that can be used to continually promote awareness include logon banners, system access forms and departmental bulletins or memoranda.

Specific controls may be designed around the following aspects of information security awareness training:

• Accessibility of the Information Security Policies and Procedures
• Number and type of such programs to be offerred to personnel
• Degree and content of information security awareness and training, which may be based on the roles of employees and on the target systems to which they have access to.
• A scoring system for employees designed to establish the level of awareness by employees. A gamified approach would work better here.
• Establishing responsibility and accountability for security of the information assets.
• Review and feedback system for content and process improvement

Authorisations and Security Clearances

Depending on the roles and responsibilities, the employees gain access to various systems, data and information. It is important that only appropriately authorised, cleared and briefed personnel are allowed access to various such systems. For the purpose the systems, data and other information resources shall be identified and classified based on the sensititivity. Similarly, a mapping of various roles that would have different types of access on such resources is also created. This mapping will typically be based on the "need to know". Exceptions are also documented and are handled with additional clearances or approvals.

Employees seeking access to a system need to have a genuine business requirement to access the system as verified by their manager. Once a requirement to access a system is established, giving personnel only the privileges that they need to undertake their duties is imperative. Providing all personnel with privileged access when there is no requirement for privileged access can be a significant threat to a system. Any temporary access to information resources shall be time bound and the same shall be subject to close observation. Similarly, during emergency situations, privilege escalation may be required to carry out certain critical tasks. Such authorizations shall be documented and appropriate additional authorization shall be mandated.

Specific controls may be designed around the following aspects:

• Existence of a process for ascertaining employee's background and trust worthiness
• Documented inventory of information assets with appropriate security and sensitivity classification
• Documented roles and responsibilities of personnel
• Establishing the identity of the employees or contractors as the case may be
• Mapping of roles with the information assets
• Authorization for process for grant of privileges
• Change management process for privilege escalation or downgrade
• Maintenance of Access logs with necessary details
• Periodic review and audit of authorizations and access logs

Internet Usage

Use of internet is a major source of security breaches as it may facilitate external threats in the form of malware, virus. etc. There shall be a fair use policy with respoect to Internet, which shall set out the Do's and Don'ts for the employees. Employees should be made aware on how to report any suspicious contact and what suspicious contact is, especially contact from external sources using Internet services. Organizations should implement measures to monitor their personnel’s compliance with their internet usage policies.

Employees need to take special care not to accidentally post sensitive or classified information on public websites, especially in forums, blogs and social networking sites. Employees holding any key position may attribute an appropriate disclaimer that such posts carry his personal views and do not bind the organization.

The following specific controls may help in implementing the policies and procedures around this aspect:

• Existence of a Fair Use Policy
• Collection of logs and data for monitoring violations to such policies
• Initiation of disciplinary action against policy violations
• Enforce appropriate system security and privacy policies for internet usage
• Monitor the use of unspecified or unauthorized websites or applications that access internet.0

Principles of Information Governance

With the evolution of tools and technologies around big data, the variety and volume of customer information collected has increased many fold. This also requires the responsible use of such information by the organization. Many countries have promulgated legislations to regulate the use and protection of such information in every organization.

The set of multi-disciplinary structures, policies, processes and controls that are used to manage the customer information and thereby supporting the current and future reglatory, legal and operational requirements make up the Information Governance framework of the organization. Information governance goes beyond retention and disposition to include privacy, access controls, and other compliance issues. It is interesting to note that big data innovators recognize the importance of governance to the success of their projects.

The Principles identify the critical hallmarks of information governance and provide both a standard of conduct for governing information and metrics by which to judge that conduct. In doing so, they give assurance to the public and society at large that organizations of every kind are meeting their responsibilities with respect to the governance of information.

Transmational organizations looking forward to demonstrate the highest level of maturity in the Information Governance design their Governance framework based on the following key principles:

Accountability:

Accountability to is key for the success of any program and on the same lines, for the Information Governance, to be successfull shall have an accountable senior leader, who shall oversee the governance practices and should require regular reporting for monitoring purposes. The organization should adopt policies and procedures to guide its workforce and agents and ensure its program can be audited and continually improved to support the organization’s goals.

An information governance program should at the minimum:

• Establish an information governance structure for program development and implementation
• Designate a qualified accountable person to develop and implement the program
• Document and approve policies and procedures to guide its implementation
• Remediate identified issues
• Enable auditing as a means of demonstrating the organization is meeting its obligations to both internal and external parties

A high maturity organization would demonstrate the following:

• The organization’s senior management and its governing board place great emphasis on the importance of information governance. 
• The records manager directs the records management program and reports to an individual in the senior level of management. 
• The chief information governance officer and the records manager are essential members of the organization’s governing body. 
• The organization’s initial goals related to accountability have been met, and it has an established process to ensure its goals for accountability are routinely reviewed and revised. 

Transparency

An organization’s processes and activities relating to information governance shall be documented in an open and verifiable manner. Documentation shall be available to the organization’s workforce and other appropriate interested parties within any legal or regulatory limitations, and consistent with the organization’s business needs. Transparency of the organization’s governance practices must extend to definitions of appropriate information uses and the processes for ensuring compliance with policies on appropriate information use.

An information governance program includes its information management and information control policies and procedures. To ensure the confidence of interested parties, records documenting the information governance program must themselves adhere to the fundamentals of information management.

At the highest maturity level, an organization should practice and demonstrate the following:

• The organization’s senior management considers transparency as a key component of information governance. 
• The software tools that are in place assist in transparency. 
• Requestors, courts, and other legitimately interested parties are consistently satisfied with the transparency of the processes and the organization’s responses. 
• The organization’s initial goals related to transparency have been met, and it has an established process to ensure its goals for transparency are routinely reviewed and revised. 

Integrity

An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability. Integrity of information, which is expected by patients, consumers, stakeholders, and other interested parties such as investors and regulatory agencies, is directly related to the organization’s ability to prove that information is authentic, timely, accurate, and complete. For the healthcare industry, these dimensions of integrity are essential to ensuring trust in information.

For safety, quality of care, and compliance with applicable voluntary, regulatory and legal requirements, integrity of information should include at least the following considerations:

• Adherence to the organization’s policies and procedures
• Appropriate workforce training on information management and governance
• Reliability of information
• Admissibility of records for litigation purposes
• Acceptable audit trails
• Reliability of systems that control information

Transformational organizations, which are at the highest maturity level should demonstrate the following abilities:

• There is a formal, defined process for introducing new record-generating systems, capturing their metadata, and meeting other authenticity requirements, including chain of custody. 
• Integrity controls of records and information are reliably and systematically audited. 
• The organization’s initial goals related to integrity have been met, and it has an established process to ensure its goals for integrity are routinely reviewed and revised. 

Protection

An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection.

Information protection takes multiple forms. First, each system must enable management of security access controls. Only members of the workforce and other authorized parties with the appropriate levels of access or security clearance may access information relevant to their roles or duties. Reliably protecting electronic and physical assets requires use of tools such as user authentication, key card access restrictions, and other relevant measures. This also requires that as the workforce and other authorized parties transition in status or job function, respective level of access is changed immediately to a level appropriate to the new role and duties.

The highly matured organizations would practice and demonstrate the following:

• Executives and/or senior management and other governing bodies (e.g., board of directors) place great value in the protection of information. 
• Audit information is regularly examined, and continuous improvement is undertaken. 
• Inappropriate or inadvertent information disclosure or loss incidents are rare. 
• The organization’s initial goals related to protection have been met, and it has an established process to ensure its goals for protection are routinely reviewed and revised. 

Compliance

An information governance program shall be constructed to comply with applicable laws and other
binding authorities, as well as with the organization’s policies. Every organization should:
Know what information should be entered into its records to demonstrate its activities are being conducted in a lawful manner.

Enter that information into its records in a manner consistent with laws and regulations.
Maintain its information in the manner and for the time prescribed by law or organizational policy.
Develop internal controls to monitor adherence to rules, regulations, and program requirements, thus assessing and ensuring compliance.

The following capabilities when demonstrated will mark the highest maturity level:

• The importance of compliance and the role of records and information in it are clearly recognized at the senior management and governing body levels.
• Auditing and continuous improvement processes are well-established and monitored by senior management. 
• The roles and processes for information management and discovery are integrated, and those processes are well-developed and effective. 
• The organization suffers few or no adverse consequences based on information governance and compliance failures. 
• The organization’s initial goals related to compliance have been met, and it has an established process to ensure its goals for compliance are routinely reviewed and revised. 

Availability

An organization shall maintain records and information in a manner that ensures timely, efficient, and accurate retrieval of needed information.

A successful and responsible organization must have the ability to identify, locate, and retrieve the information required to support its ongoing activities. This information may be used by:

• The healthcare team, patients, and other caregivers Authorized members of the workforce and others authorized consistent with regulations 
• Legal and compliance authorities for discovery and regulatory review purposes
• Internal and external reviewers for purposes including but not limited to: payer audit, financial audit, case management, and quality assurance.

High maturity organizations practice and demonstrate the following:

• The senior management and governing body provide support to continually upgrade the processes that affect records and information availability. 
• There is an organized training and continuous improvement program across the organization. 
• There is a measurable return on investment to the organization as a result of records and information availability. 
• The organization’s initial goals related to availability have been met, and it has an established process to ensure its goals for availability are routinely reviewed and revised. 

Retention

An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational, and historical requirements.

As part of its retention program, an organization must develop an information retention schedule, which specifies what information must be retained and for what length of time. Retention decisions are based on the type of information, and the organization’s legal, regulatory, fiscal, operational, clinical, role/mission, and historical requirements. Information retention schedules should be reviewed periodically and revised regularly. Some internal changes in the organization such as mergers and acquisitions or lines of business changes, or types of records generated, as well as external events such as legal, regulatory, or fiscal changes, may require revisions.

High maturity organizations consider practising the following:

• Retention is an important item at the senior management and governing body level.
• Retention is looked at holistically and is applied to all information in an organization, not just to official records. 
• Information is consistently retained for appropriate periods of time. 
• The organization’s initial goals related to retention have been met, and it has an established process to ensure its goals for retention are routinely reviewed and revised. 

Disposition

An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.

Disposition includes not only destruction, but also any permanent change in custodianship of the information, such as when it is transferred to another party due to a merger or acquisition of another hospital, clinic, or physician practice or when a organization discontinues a practice, service, or other business. In many cases, the appropriate disposition is the destruction of information, in which case the organization should ensure the information is transported and destroyed in a secure and environmentally responsible manner. The organization should document or certify that the information has been destroyed completely and irreversibly when required.

The processes of a high maturity organization should address the following:

• The disposition process covers all records and information in all media. 
• Disposition is assisted by technology and is integrated into all applications, data warehouses, and repositories. 
• Disposition processes are consistently applied and effective. 
• Processes for disposition are regularly evaluated and improved. 
• The organization’s initial goals related to disposition have been met, and it has an established process to ensure its goals for disposition are routinely reviewed and revised.

---

Reference:

1. Information Governance Maturity Model