07-26-2011 5:10 PM
Hello Gurus,
Would you please share your expertise on the below question.
Does the security team need to be involved in the blueprint workshops during the functional requirements gathering? I am asking this because we hardly find any security requirements during functional requirements gathering. What I feel is efficient or productive is sitting with each functional team (SD, FI, CO, MM, SD etc.) after they have gathered all the business requirements, and then working with the functional team to incorporate the security requirements, as well as any controls, if any, for building security roles.
Which one would be more productive for security: during functional req's gathering or after functional req's are gathered?
Please let me know, thanks in advance.
Venkat
07-26-2011 5:53 PM
Hi Venkat,
It is always recommended to be a part of the Blueprint discussions to give your piece of recommendations to the Functional teams in terms of Security Design, Role Building and Maintenance. Further, the individual requirements can be addressed.
This is the phase where the best solutions can be adapted from the industry.
Regards,
Raghu
07-26-2011 8:51 PM
07-26-2011 6:59 PM
Hi Venkat,
In line with what Raghu has already said, it is important to be engaged during blueprint. If there are not many requirements coming out of blueprint then that's because the right people aren't being asked the right questions! It is not just the role of the functional team to engage the business (after all, they are not risk and control experts usually).
I would be expecting to engage with at least the following (in some cases the roles may be combined):
Functional team leads
Client team leads
Client business process experts/owners
Internal Audit/Risk Management
Compliance/internal controls
Client IT/IS security
The objective for blueprint is to produce a detailed design so you have a lot of stakeholders to be speaking to and functional team are only a small group that you need to work with to do an adequate job.
Have fun!
07-26-2011 8:52 PM
Alex!! Thanks much, I really appreciate ... Your answer will help my cause
07-26-2011 10:16 PM
It also depends on the size and expertise of the project and how much you can bring to the blueprint.
If you are lucky, then reviewing the blueprint draft for show-stoppers or feedback for optimization is sufficient and being asked for input to key meetings is sufficient as a "solution architect". If they invite you, then you know that you are respected for your inputs.
Going to all those meetings is not efficient and if you always represent security before they have a blueprint then you will be yet another bottleneck in the process, making the meetings longer.
So, it depends... as usual.
Cheers,
Julius