Another Security Breach

Dave Ranck — Tue, 02 Feb 2010 05:54:28 +0000

Hundreds of thousands of BlueCross customers are in for a scare. This week, the insurance company is sending out notifications to its customers fessing up to a significant data breach that saw a thief make off with 57 hard drives from a call center in Tennessee.

The hard drives contained encoded — but not encrypted – records of phone calls and video files containing sensitive patient information. eSecurity Planet has the details on the breach.

Personally Identifiable Information (PII) – it drives companies crazy. We need to obtain it to provide services, but if we mishandle it, we are in for big trouble. This latest case shows that security is an integrated problem. Often we concentrate on having strong passwords and software controls to limit access and guarantee that data only goes to the users who should have access. Yet we leave the front door open by not protecting physical access to servers and thereby the data that is on them. Think of the laptops that were misplaced a while ago. Had they been encrypted, the exposure would have been under control but the company’s reputation would still have been damaged. People don’t believe encrypted data is safe. If a thief can get the laptops or the drives in this case, the average person fears that the data is compromised.

In software and system design we need to pay attention to every aspect of loss prevention and that includes non-technical preventative security measures. I once had a client who spent a large sum of money on a hand reader for the data center main door, but left their database exposed to direct TCP access with the default system admin user name and password still set. Ouch. It is easy to get caught up finding technical solutions to problems like data security and forget to lock the front door at night. In this latest case encrypted drives would go a long way in preventing actual data loss, but once the data physically leaves the control of the company, the company cannot prove that the data was not compromised.

Lesson to be learned: Do not forget the real issues. Address the whole problem homogenously, taking all aspects into account.

Risk Management in Requisite Pro

Dave Ranck — Wed, 02 Dec 2009 10:23:01 +0000

Risk Management is an important part of project success. Here is one way to help perform Risk Management using Rational Requisite Pro. Risks are a part of every project. Successful projects successfully manage risks. You can never completely eliminate risk, so it must be dealt with proactively.

From an older article:

Risk management is an important part of Project Management. In my mind it is one of the most important aspects of the development process. Throughout the lifecycle of a project, risks will be discovered that, if not dealt with, can cause the project to fail. By tracking risks and dealing with them head-on and early in the project, the possibility of project success can be greatly enhanced.

Rational Requisite Pro is a good tool for managing requirements, but it has no in-built ability to handle risks. They can be assigned to a requirement as an attribute, but there is no linkage to a Risk List document or Risk Management Plan. I have outlined a simple way to add this capability to Req Pro. to add Risk Management to Req Pro you:

1. Create a requirement of type Risk
2. Create appropriate attributes for the Risk requirement type
3. Create Outlines and Document Types to add you Risk documents to your project
4. Use a view to manage your Risks

There may be other ways to accomplish this within Req Pro, but this is one way that works for us. Follow the steps below to add Risk Management to your project.

Create the Risk Requirement Type

1. Select the project in the Explorer and click File > Properties. The Project Properties dialog box appears.

2. Click Add: The Requirement Type dialog box appears.

3. Type Risk for the Name and a Description (up to 255 characters) for the requirement type.

4. In the Initial Requirement # text box, type the number to be used for the first requirement of the requirement type you are creating or modifying. Requirements are automatically numbered as they are created, starting with the number in this text box. The default number is 1, but you can change the number to any positive integer.

5. If you want to allow requirements of this requirement type to be used in cross-project traceability, select the Allow External Traceability check box.

6. In the Requirement Must Contain text box, type or modify a single word or phrase that must be included in every requirement of this type that is created, up to 32 characters. This box is optional, and is not case-sensitive.

7. In the Requirement Tag Prefix text box, type RISK

8. Select a Requirement Color and a Requirement Style to be used in documents for requirements of this type. The default is blue, Double Underline.

9. Click OK in each dialog box.
Create Risk Attributes

You probably want to create special attributes for your new Risk requirement.I suggest you create at least the following 2 attributes (you can modify existing attributes if you wish instead of creating new ones):

Attribute	Values	Use
Status	Open	Close or defer mitigated risks
	Deferred
	Closed
Ranking	Integer	A ranking of impact on project. Use to create Top Ten List
Mitigation	Text	Strategy for risk mitigation

To create the attributes:

1. Select the project in the Explorer and click File > Properties. The Project Properties dialog box appears.

2. Click the Attributes tab.

3. Select the requirement type from the list.

4. Click Add. The Add Attribute dialog box appears.

5. Type a Label for the new attribute, and select an attribute type in the Type list.

6. For list-type attributes, type the values you want to assign to the value list in the List Values text box. The maximum length for a list value is 32 characters. Order the values in the list as you want them to sort in the Requirement Properties dialog box, Attributes tab. For list-type attributes, you can set the default value using the Default button below the Values per Attribute list.

For entry-type attributes, type a default value in the Default Value list box, if appropriate.

7. To hide attributes of the selected requirement type from all Rational RequisitePro users in a view and in the Requirement Properties dialog box, select the Hidden from display check box.

8. To automatically mark traceability or hierarchical relationships as suspect when the attribute is changed, select the Change affects suspect check box.

9. Click OK to close each dialog box.

Create Outlines

Note: the .dot files list below are standard RUP artifacts. You
may of course use any document you choose.

Copy rup_rskpln.dot to C:\Program Files\Rational\RequisitePro\outlines (or your outline folder location)
Create a new text document with the following 3 lines (each line must end with a carriage return):

RUP Risk Plan
Risk Management Plan and Risk List
rup_rskpln.dot

Save as rup_rskpln.def in the Outlines directory

Copy rup_rsklst.dot to C:\Program Files\Rational\RequisitePro\outlines (or your outline folder location)
Create a new text document with the following 3 lines:

RUP Risk List
Risk List
rup_rsklst.dot

Save as rup_rsklst.def in the Outlines directory

Create Document Types

1. Select the project in the Explorer and click File > Properties. The Project Properties dialog box appears.

2. Click the Document Types tab.

3. Click Add. The Document Type dialog box appears.

4. In the Name text box, type: Risk Management Plan

5. In the Description text box, type: Project Risk List and mitigation plan

6. In the File Extension text box, type: rsk.

7. Select the Risk default requirement type

8. Select the RUP Risk Plan outline

9. Click OK

10. Do the same for Risk List but use the following properties:
Name: Risk List
Description: [Enter your description]
File Extension: RSKL

11. Click OK.

12. Click OK to close the Project Properties dialog box.

You can now add a Risk Management Document and a Risk List to your Risk Package and add Risk requirements.

Create Views

Create a view for Risks. This view will be used to export a list of
risk to be imported into the Risk List document. You should include
those attributes you want in the document and sort on Ranking or
Status and Ranking

To create and maintain a Risk List:

1. Add requirements of type Risk and set attributes appropriately

2. You can set traceability to other requirement types such as Use Cases

3. Add a Risk List document to a package in your project and optionally
a Risk Management Plan document.

4. Export your risk list to your Risk List document
a. Periodically export the view you created for Risks to a Word document.
b. Open the Risk List document and use Insert -> File to insert the exported risk list into your risk list document.

Summary

By creating a requirement of type Risk, you can use Requisite Pro to trace risks to other requirements. In this way, you can always know what requirements are affected by certain risks. You can also maintain your risks in the Req Pro database and semi-automatically update your risk list document.

Just Enough Technology » Risk

Another Security Breach

Risk Management in Requisite Pro