4.1. Policy, Business Process, and Technology

Who should be involved?
The Importance of Communication and Education

Even though the Implement Change section discusses the development of the policies, business processes and technologies separately, it is important to work on them concurrently to achieve the right balance, since they are so interdependent. As a reminder:

Ensuring the security of an application relies on the appropriate implementation of an institution's values (policy) in the business policy, technology, and end-user realms. For an example of how these can be interdependent, see the discussion of Single Sign-on Considerations.

Who Should Be Involved?

Refer to the Define the Problem section for the list of stakeholders to consider. You can have one team for each of the three areas, with overlapping membership, or have one large group consider these issues.

Depending on your scope, you should have representatives from each area meet regularly to discuss the overlaps, gaps, and issues when the plans from the three teams are integrated. For example, it may be concluded that the technical team can’t implement a technical enforcement method for a policy, and therefore a business process and related policy-enforcement methodologies must be changed.

Key to this part of the process is effective and ongoing communication to keep everyone informed and reduce surprises. Doing this builds trust into this part of the project and enhances the likelihood of arriving at the most appropriate solution.

The Importance of Communication and Education

Remember to include campus outreach efforts and training in your plans to educate and inform the user community about the goals and deliverables of the project and to prepare them for a change that will probably affect the way they interact with the institution's systems.

Managers and policy makers, in particular, need to understand the basics of the authentication service and its implications for their respective departments. End users should understand their responsibilities, role, and importance in maintaining secure credentials, for instance. Education and awareness methods could be in the form of presentations from key stakeholders or project staff, informational web sites, online Q&A forums, blogs, or email mailing lists.
