A Benefits Elections System is a system that is usually controlled by the Human Resources and it allows the employees to change some of their benefits like insurance and other benefits that they may be enjoying in the company. (Keller, Siegrist & Gutscher, 2008)
There are several considerations that are necessary to be addressed when considering the possible security requirements and the possible risks which are associated with the Benefits Elections Systems. Some of the things that need to be considered include:
- The complexities involved
When setting up the project, care should be taken to ensure that all the requirements of the benefits election system are taken into consideration. The complexities should not be ignored. There should be a proper allocation of resources so as to incorporate all the requirements. If any of the requirements is left unattended to then the whole project is likely to get stalled before completion (Keller, Siegrist & Gutscher, 2008)
- Time consumption
The project should have an accurate timetable that should be followed to the later. If the timetable is not properly followed then the project might not be completed in time. The timetable should indicate all the activities to be carried out and the time that is allocated for every activity in the project design. Each phase should be completed within the stipulated time limit.
- Untimely errors during the implementation process
The project designers should ensure that they put some provision for the errors. This will help to control the errors whenever they occur during the implementation process.
The Benefits election system should be tested from the environment in which it is to be deployed so as to ensure that the system works properly and meets all the needs of the users and also ensure that users are familiarized with its use.
The security requirements for the implementation of the Benefits Elections Systems will be addressed within the following contexts:
- The specifications of the operational environment
The operational environment needs to be taken into consideration since it will determine the types of security measures that need to be put in place.
- Diagrams which will be specifying trust and risk boundaries. This will be achieved through the use of dataflow diagrams
These diagrams will help to show the flow of events and the progress of the project so as to ensure that there is a timely completion of all the phases involved in the design process.
- Specifications of the resources and an outline of their capabilities.
All the resources that are to be used in the project should be properly defined so as to ensure that cases of lack of sufficient resources do not occur during the implementation process.
- A comparison of the resources specifications to users of resources which are being implemented within the set requirements
- Possible points of a breach in security by cyber attacks and also analysis of the cyber attack profile.
- Scenario cases of misuse
The security requirements will describe the functional and non-functional requirements that should be satisfied in order to achieve the security attributes of the system
The security requirements can be formulated at different abstraction levels.
The security requirements that can be used include:
- Secure Functional Requirements – This requirement can be derived from misuse cases and it usually describes what shall not happen. It is integrated into each of the functional requirements.
- Functional Security Requirements – it can be derived from the best practices, policies and regulations of the system. It involves the security services that need to be achieved by the system which is being described. It includes: authenticating the system, authorization, performing server clustering and making of back-ups.
- Non-Functional Security Requirements – they are related to the architectural requirements. It includes the robustness of the system and is derived from the architectural principles of the system and good standards.
- Secure Development Requirements – they describe the required activities and ensure that the system is not subject to vulnerabilities. Includes data classification and test methodologies.
The systems development Life Cycle
This stage starts with the commencement of the system planning process and continues to the system acquisition and development, implementation, operations and maintenance and ends with the deposition of the system. (Schneier, 2008) There are some specific security decisions which must be made throughout the process so as to ensure that the system is secure. Some of the stages include:
- Initiation phase
This begins with determining the need for the system. During this time the organization defines the security requirements. The approval decisions made by the management are done at this stage. Information which is obtained at this point can be used to estimate the cost of the whole system and also the cost of the security measures to be implemented. The organization also establishes security categorization and conducts a risk assessment for the information system being developed. (Schneier, 2008) Depending on the size of the project, this stage can take between 2 weeks to 2 months. The duration that it may take depends on negotiations and decisions that need to be made.
- Implementation stage
During this time, the system is installed and an evaluation is done in the organization’s operational environment. This stage takes most of the time for the design process. It may take between 1 - 6 months depending on the size of the project. During the implementation stage, a smooth transition has to be implemented so that the staff is familiarized with the new system (Schneier, 2008).
- Operations/Maintenance Phase
This stage involves modifications to the system so that it meets all the needs of the employees. It takes place after the implementation stage and continues throughout the life cycle of the system (Schneier, 2008).
- Bruce Schneier, Beyond Fear.(2008) Thinking Sensibly about Security in an Uncertain World, Copernicus Books
- Goldwasser, S. Micali, and C. Rackoff (1989) The Knowledge Complexity of Interactive Proof Systems, SIAM J. Computing, vol. 18, num. 1, pp. 186–208
- Keller, C., Siegrist, M., & Gutscher, H. (2006) The Role of the Affect and Availability Heuristics in Risk Communication. Risk Analysis, Vol. 26, No. 3