Familiarity with IT Security
1. What is IT Security?
IT Security (Information Technology Security) refers to protecting systems, networks, and data from cyber threats, unauthorized access, misuse, or damage. Its goal is to preserve the confidentiality, integrity, and availability (CIA) of data, whether the threat is a deliberate attacker or an accidental failure.
📌 In simple terms: IT Security is about keeping business data and systems safe from hackers, leaks, and accidental damage.
2. Why is IT Security Important for Business Analysts?
Reason | Why It Matters
Understanding Business Risks | Identify potential threats to data and systems.
Requirement Gathering | Ensure security requirements are part of the system requirements.
Process Design | Design workflows that protect sensitive data.
Compliance & Regulations | Ensure solutions comply with laws and standards (e.g., GDPR, HIPAA).
Stakeholder Communication | Explain security needs and risks to stakeholders.
3. Core Principles of IT Security (CIA Triad)
Principle | Description
Confidentiality | Ensuring data is only accessible to authorized users.
Integrity | Ensuring data is accurate and is not altered or destroyed improperly.
Availability | Ensuring systems and data are accessible when needed.
4. Common IT Security Threats to Understand
Threat | Description
Phishing | Deceptive emails, messages, or websites that trick users into revealing credentials or sensitive information, or into installing malware.
Malware | Malicious software such as viruses, trojans, and ransomware.
SQL Injection | Untrusted input concatenated into a database query, letting an attacker change the query to read, modify, or delete data.
Denial of Service (DoS) | Making systems unavailable by overwhelming them with traffic or requests.
Man-in-the-Middle (MITM) | Intercepting, and possibly altering, communication between two parties who believe they are talking directly to each other.
Data Breach | Unauthorized access to and exposure of sensitive data.
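The SQL Injection row above is easiest to understand by watching it happen. The following is an added example, not code from the original page: it builds a small in-memory SQLite table (constructed sample data), runs the same attacker input through a query built by string concatenation and through a parameterised query, and shows that only the first one leaks every row. The table, user names and function names are assumptions made for the illustration.

```python
"""Added example: SQL injection against a constructed in-memory SQLite table."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: one admin and one customer account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "customer")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by string concatenation, so user input is parsed as SQL."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' ORDER BY id"
    )
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value is bound separately and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? ORDER BY id",
        (username,),
    ).fetchall()


# Constructed attacker input: closes the quoted string and appends an
# always-true condition, turning "find one user" into "return every user".
PAYLOAD = "nobody' OR '1'='1"


def demo() -> dict:
    """Runs the same payload through both versions and a normal lookup for comparison."""
    conn = setup_db()
    return {
        "vulnerable": find_user_vulnerable(conn, PAYLOAD),
        "safe": find_user_safe(conn, PAYLOAD),
        "legit": find_user_safe(conn, "bob"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The requirement a BA should write from this is not "block quotes in input" but "all database access must use parameterised queries or an ORM that binds parameters"; input filtering alone is routinely bypassed.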
5. Common Security Controls and Measures
Control | Purpose
Authentication | Verifying a user's identity (e.g., passwords, biometrics, hardware keys).
Authorization | Deciding what an authenticated user is permitted to do or access.
Encryption | Transforming data so that only holders of the key can read it; protects confidentiality at rest and in transit.
Firewalls | Filtering network traffic according to rules and blocking unwanted connections.
Antivirus & Anti-malware | Detecting and removing malicious software on endpoints and servers.
Access Control Lists (ACL) | Defining which users or roles can access which resources, and with what permissions.
Multi-Factor Authentication (MFA) | Requiring an additional factor (e.g., an authenticator app or hardware key) alongside a password, so a stolen password alone is not enough.
Data Loss Prevention (DLP) | Detecting and blocking sensitive data leaving the organization (email, uploads, removable media).
6. Security Compliance and Regulations (Important for BAs)
Regulation/Standard | Focus Area
GDPR (General Data Protection Regulation) | Protects personal data of individuals in the EU/EEA, regardless of citizenship; applies to any organization processing that data.
HIPAA (Health Insurance Portability and Accountability Act) | Protects health information (PHI) in the USA.
ISO 27001 | International standard for an information security management system (ISMS).
PCI DSS (Payment Card Industry Data Security Standard) | Protects payment card data in organizations that store, process, or transmit it.
CCPA (California Consumer Privacy Act) | Data privacy rights for California residents.
7. Business Analyst's Role in IT Security
Activity | Security-Related Focus
Requirement Gathering | Identify and document security and privacy requirements.
Process Analysis | Ensure workflows protect sensitive data (e.g., avoid sharing passwords via email).
System Design Review | Work with architects to evaluate security features.
Vendor/Third-Party Assessment | Assess vendors' ability to protect data.
Testing and Validation | Ensure security requirements are properly implemented (e.g., access controls).
8. Examples of Security Requirements for BAs to Consider
Area | Sample Requirement
Authentication & Authorization | "The system must support multi-factor authentication for all user accounts."
Data Encryption | "All sensitive customer data must be encrypted at rest and in transit."
Audit Logging | "The system must log all user activities related to data access, including denied attempts, with a timestamp and the acting user."
Data Privacy | "The system must allow users to request deletion of their personal data (GDPR compliance)."
Backup & Recovery | "The system must take daily backups (at most 24 hours of data loss) and be recoverable within 24 hours of an outage."
Access Control | "Only authorized roles can view customer payment information; all other roles are denied by default."
9. Basic Tools and Technologies for IT Security
Tool/Technology | Purpose
TLS Certificates (HTTPS) | TLS authenticates the server through its certificate and encrypts traffic in transit; SSL is the deprecated predecessor and should not be used.
VPN (Virtual Private Network) | Secure remote access to internal systems over an encrypted tunnel.
IAM (Identity and Access Management) | Manage user identities, roles, and permissions.
SIEM (Security Information and Event Management) | Collect and correlate logs from systems to detect and investigate security incidents.
DLP Solutions | Detect and prevent unauthorized sharing of sensitive data.
Endpoint Security Software | Protect devices from threats (e.g., antivirus, endpoint detection and response).
10. IT Security in Modern Environments
Area | Security Aspect to Consider
Cloud Services (AWS, Azure, GCP) | Data protection, access controls, and compliance; the provider secures the platform, the customer remains responsible for configuration and data.
APIs and Integrations | Authenticate and authorize every API call (e.g., OAuth2 access tokens), validate input, and expire tokens promptly.
Mobile Applications | Secure on-device storage and encrypted data transmission.
Third-Party Vendors | Ensure vendor security and compliance, and limit the data they can access.
✅ Summary Table
Aspect | Key Takeaways
Definition | Protecting systems, data, and networks from threats.
Importance for BAs | Ensure security is part of system and process design.
Core Principles (CIA) | Confidentiality, Integrity, Availability.
Common Threats | Phishing, Malware, SQL Injection, Data Breaches.
Security Controls | Authentication, Authorization, Encryption, Firewalls.
Regulations | GDPR, HIPAA, ISO 27001, PCI DSS.
BA's Role | Capture security requirements, review designs, ensure compliance.
Tools | TLS, VPN, IAM, SIEM, DLP.