The Model and Methods Increasing Public Administration Security by Implementing Security-By-Design Approach in IT Projects Requirements Definition Phase and Connecting It with Corporate Architecture Level

Abstract:

The current approach to defining requirements for large-scale IT projects in Polish public administration has a number of critical vulnerabilities in as many as three security areas: (1) economic security, (2) security of implementation of strategic initiatives and (3) information security and cyber security. Meanwhile, the requirements definition stage is the most important stage of any project, especially IT projects. Errors, omissions or oversights committed at this stage grow at each subsequent stage of the project, and even more so at the project maintenance stage. Therefore, a model was proposed to introduce methodological and process improvements to the stage of defining requirements for large-scale IT projects of the Polish public administration, which will reduce the level of risk generated by these projects in the aforementioned security areas. The solutions it introduces take into account the domain differences of IT projects and focus heavily on the requirements definition stage. In the process aspect, the model proposes covering both the creation of the requirements themselves by the project team and their linkage to the broader context of the organisation, primarily the processes of verifying consistency with the State Information Architecture (enterprise architecture) and the State IT Security Architecture. The whole process ends with the evaluation of the requirements by the project steering committee and the Committee of the Council of Ministers for Digitalisation (CoCoMC). In the context of artifacts, the model introduces new documents at the requirements definition stage in the form of principal rules for building IT requirements and principal rules for ensuring the security implied by those requirements.
It also proposes the creation of a State IT Security Architecture taxonomically divided into: business security architecture, architecture of applications security, architecture of IT infrastructure security.

With regard to actors, it was proposed that a new body, the IT Security Council, be created in addition to the already existing IT Architecture Council. This body would be responsible for developing a State IT Security Architecture that would include a broad, cross-departmental view of multidimensional security.
