4.1. Policy, Business Process, and Technology
Even though the Implement Change section discusses the development of the policies, business processes and technologies separately, it is important to work on them concurrently to achieve the right balance, since they are so interdependent. As a reminder:
- Policy is the statement of an organization's intent or decision on an issue. It describes the "what" or "why." This can be done at a high level, such as determining who may receive credentials and what the user can access with them. Components of a policy framework can be written and communicated in many different ways.
- Business process describes "how" to implement this intent. Using the credentials policy above, a related business process could entail working with the offices that first interact with particular constituents and determining how they should verify users' identities. In addition, the credentials must be generated and somehow securely distributed to the individuals. Later, if the institution would like to offer services to another group (contractors, local high-school seniors, etc.), the policy may need to be amended to include them, new business processes set up, and technology changed accordingly.
- Technology also describes "how" to implement the intent and goes hand-in-hand with the business processes. Using the above example, the technologist implements the appropriate password practices and configures the appropriate system(s) to generate the credentials that will be distributed by the business offices. Users then log into an application or a network using a well-designed technology architecture that meets the security requirements and can scale to accommodate the user groups identified in the policy statement.
Ensuring the security of an application relies on the appropriate implementation of an institution's values (policy) in the business process, technology, and end-user realms. For an example of how these can be interdependent, see the discussion of Single Sign-on Considerations.
Refer to the Define the Problem section for the list of stakeholders to consider. You can have one team for each of the three areas, with overlapping membership, or one large group that considers all of these issues.
Depending on your scope, you should have representatives from each area meet regularly to discuss the overlaps, gaps, and issues when the plans from the three teams are integrated. For example, it may be concluded that the technical team can’t implement a technical enforcement method for a policy, and therefore a business process and related policy-enforcement methodologies must be changed.
Key to this part of the process is effective and ongoing communication to keep everyone informed and reduce surprises. Doing this builds trust into this part of the project and enhances the likelihood of arriving at the most appropriate solution.
Remember to include campus outreach efforts and training in your plans to educate and inform the user community about the goals and deliverables of the project and to prepare them for a change that will probably affect the way they interact with the institution's systems.
Managers and policy makers, in particular, need to understand the basics of the authentication service and its implications for their respective departments. End users should understand, for instance, their responsibilities, role, and importance in maintaining secure credentials. Education and awareness methods could take the form of presentations from key stakeholders or project staff, informational web sites, online Q&A forums, blogs, or email mailing lists.