In this episode, Hans Eckman helps us to understand how the Business Analyst is perfectly suited to be the first line of defense in preventing security breaches.  Hans also shares some approaches and advice for handling security related requirements.

After listening to this episode, you'll understand:

  • How your application may be used to gain access to another system
  • How to use systems thinking to discover security needs
  • Why records retention is an important security consideration
  • Where to start when looking for security needs

Show Notes

If you wait until late in a project to build security into your product, it’s probably already too late.  The business analyst needs to be the advocate for security-related requirements as well as fraud prevention. The business analyst also needs to understand what data is at risk and the impact of how long that data is retained.

It’s often not your system that gets breached but another system on the network, and the interconnectivity of applications on the network has made all systems vulnerable: an attacker who compromises one application can use its connections to reach the next. The business analyst should understand the relationships and connections between applications in order to understand the risk properly.

Think not only of the system but of the process as a whole. We need to consider every part of the process, including the technology, the access internal personnel have, and any paper used along the way. Take ownership of the security-related risks for the entire process, and use them to develop security-related nonfunctional requirements as well as records retention requirements.


Where do we start?

A good place to start is with the context diagram. This helps you to see the interrelation between the people and the systems within a process. You can then start drilling down to identify the risk and focus on the highest value and highest risk areas.

Once you identify the high-risk areas, you can work with subject matter experts from security teams to better understand security policies and record retention requirements. Developers and architects can also help you to understand security needs.

The basic goal of security is to keep unauthorized people out. However, some people will legitimately need access. As a business analyst, you need to understand the various roles and the level of access each one needs. We also need to understand what must happen when a user makes a change. Do we need to log that change, or keep a new version of the record?

Start to think of the data itself as an actor: who and what may read it, change it, or delete it, and under which conditions. This goes beyond the abuser stories we discussed in episode 43. Working out this access control model will drive out most of the security value you’ll get from a project.


Capturing Requirements

When it comes to capturing security requirements, we often use functional or nonfunctional requirements. In agile, you can do the same with user stories or acceptance criteria. A good approach is to get together with a tester and any security representative to try to pick apart the requirements and find security holes.

Any time you can build a set of baseline security requirements, you will likely be able to reuse them for future enhancements or other projects. Essentially, you are expressing the security and records retention policy as a set of requirements that can be maintained in a repository for future use.
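To make the approach in the two sections above concrete, here is a small Python sketch, added for this write-up and not taken from the episode or from Hans Eckman, that treats a context diagram as data: systems sit in trust zones, each flow between them carries a data class, and the script ranks flows by value and exposure and derives the nonfunctional security and retention requirements each one needs. The system names, zones, data classes, scores and retention limits are all constructed for illustration; the requirement prefixes (SEC-TRANSIT, SEC-AUTHN, SEC-AUDIT, REC-RET) are hypothetical identifiers for a reusable baseline, not any real standard.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample model: every system, zone, data class and retention limit
# below is hypothetical and chosen only to exercise the checks.
SENSITIVITY = {"public": 0, "internal": 1, "pii": 3, "card": 4}
TRUST = {"internet": 0, "paper": 0, "partner": 1, "dmz": 2, "internal": 3}
RETENTION_LIMIT_DAYS = {"public": None, "internal": 365 * 7, "pii": 365 * 2, "card": 90}


@dataclass(frozen=True)
class System:
    name: str
    zone: str
    retention_days: int | None = None  # how long it keeps what it receives


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str              # data class carried, a key into SENSITIVITY
    encrypted: bool        # protected in transit (TLS, or sealed and tracked for paper)
    logged: bool           # who triggered it and what changed is recorded
    roles: frozenset[str]  # roles allowed to trigger it; "any" means no authentication


def assess(systems: list[System], flows: list[Flow]) -> list[tuple[int, Flow, list[str]]]:
    """Score each flow and derive the requirements it needs.
    A higher score means more valuable to an attacker and less protected."""
    by_name = {s.name: s for s in systems}
    findings = []
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        sens = SENSITIVITY[f.data]
        score, reqs = sens, []
        if TRUST[src.zone] != TRUST[dst.zone]:
            score += sens  # crossing a trust boundary doubles the exposure
            if not f.encrypted:
                score += 2
                reqs.append(f"SEC-TRANSIT: {f.src}->{f.dst} must protect {f.data} in transit")
        if "any" in f.roles and sens >= 3:
            score += 3
            reqs.append(f"SEC-AUTHN: {f.src}->{f.dst} carries {f.data}; require an authenticated role")
        if not f.logged and sens >= 1:
            score += 1
            reqs.append(f"SEC-AUDIT: {f.src}->{f.dst} must log who triggered it and what changed")
        limit = RETENTION_LIMIT_DAYS[f.data]
        if limit is not None and dst.retention_days is not None and dst.retention_days > limit:
            score += 2
            reqs.append(f"REC-RET: {dst.name} keeps {f.data} for {dst.retention_days}d; policy max {limit}d")
        findings.append((score, f, reqs))
    return sorted(findings, key=lambda t: -t[0])


def requirement_ids(findings: list[tuple[int, Flow, list[str]]]) -> list[str]:
    """The distinct requirement types triggered: the reusable baseline set."""
    return sorted({r.split(":")[0] for _, _, reqs in findings for r in reqs})


# Constructed context diagram: a customer portal, its database, a print vendor,
# and the paper statements that end up in a mail room.
SYSTEMS = [
    System("Browser", "internet"),
    System("WebPortal", "dmz"),
    System("AccountsDB", "internal", retention_days=365 * 10),
    System("PrintVendor", "partner", retention_days=30),
    System("MailRoom", "paper", retention_days=365 * 5),
]
FLOWS = [
    Flow("Browser", "WebPortal", "pii", encrypted=True, logged=True, roles=frozenset({"customer"})),
    Flow("WebPortal", "AccountsDB", "card", encrypted=False, logged=False, roles=frozenset({"customer", "csr"})),
    Flow("AccountsDB", "PrintVendor", "pii", encrypted=True, logged=False, roles=frozenset({"batch"})),
    Flow("Browser", "WebPortal", "public", encrypted=True, logged=False, roles=frozenset({"any"})),
    Flow("PrintVendor", "MailRoom", "pii", encrypted=False, logged=False, roles=frozenset({"courier"})),
]

if __name__ == "__main__":
    findings = assess(SYSTEMS, FLOWS)
    for score, f, reqs in findings:
        print(f"{score:2d}  {f.src}->{f.dst} ({f.data})")
        for r in reqs:
            print("     ", r)
    print("baseline:", requirement_ids(findings))
```

Run as written, the unencrypted, unlogged card-data flow from the portal into a database that keeps it for ten years ranks first, and the paper channel ranks second even though no technology is involved, which is the point of modelling the whole process rather than just the application. The distinct requirement prefixes that fall out are the baseline set worth keeping in a repository and reapplying to the next project.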


With the prevalence of identity theft and stolen data, guarding against a security breach is everyone’s responsibility.  The more we learn from each other, the harder it will be for criminals to gain access to critical data.

Listen to the full episode to hear all of Hans Eckman’s advice for defending against a security breach.



Your Homework

We don’t have to learn only from our own mistakes. There are plenty of resources on the Internet, through podcasts, through industry associations such as the IIBA, and at conferences that we can use to build our skills and share information. Leverage your network and the work that’s been done by others; start with the effective practices already established in your industry.

What’s your take?

What’s your approach to discovering and capturing security requirements?  Please share your tips, experience, and comments in the section below.


Links mentioned in this episode:

Hans Eckman

GVP at SunTrust Bank

Hans Eckman provides linchpin leadership and consulting for rapidly evolving companies, with 19 of his 25+ years’ experience creating workflow & support optimization solutions across diverse industries. Hans rejoined the Innovation Programs team at SunTrust Bank, where he helps develop disruptive programs and products that drive innovation, process improvement, and engagement across the enterprise.  Hans co-founded the SunTrust BA Center of Excellence. His presentations can be viewed at

Thank you for listening to the program

To get more valuable content to enhance your skills and advance your career, you can subscribe on iTunes.

Also, reviews on iTunes are highly appreciated! I read each review and it helps keep me motivated to continue to bring you valuable content each week.