You are on page 1of 5

Identifying Business Attributes

The basic process I would utilize is as follows:

1- Meeting with Senior 2- Review the business 3- Document High Level 4- Analyze business
Management strategy System Requirements drivers

• Output: Document • Output: How will • Output: Business • Output: Distilled


High Level Goals business systems Drivers Business Attributes
help achieve these
goals?

Using a real estate company (TRE) below is a list of interview questions and answers that would yield enough
understanding to define their business attributes. The questions are roughly in sequential order with the first 3 steps of
the process flow above.

Interview Question Answer


What does TRE do? TRE facilitates the purchase and sale of residential real estate.
How does TRE make money? TRE earns a commission on the real estate transactions we facilitate.
How is TRE uniquely TRE is a premium real estate company.
positioned in the market? - Sellers know that we work with highly qualified buyers and want to tap into that
pool of customers.
- Buyer agents know our properties are prepared for sale and priced
competitively.
Why would someone choose Sellers choose us over other firms because:
TRE over a different real - TRE properties have the best sale-price/list-price ratio in the market.
estate company? What is - On average, TRE properties are on the market for 15 days.
TRE’s competitive
advantage?
What must TRE do to retain - Attract highly qualified professional real estate agents.
these advantages? - Provide our customers with a predictable and transparent process.
What role does technology - TRE has a public facing website. This website
play at TRE? o Serves as the portal for current and potential buyers and sellers to easily
and reliably find, store, and exchange information, pictures of properties,
and other relevant documentation with their agents.
o Integrates with third-party sites to automatically cross-post the listings and
all related information.
o Provides KPI reporting to agents and management.
- TRE has a third-party ERP platform used by the accounting and HR teams to plan
and record accounting and HR related functions.
o Agent commissions and employee benefits
o Financial accounting & consolidated reporting
- All employees, including agents are issued laptops/smart phones.
Considering the role of A. Protecting the privacy of the information stored in the website and ERP.
technology at TRE, what are B. Ensuring customers have a positive interaction so they want to refer us or
the underlying drivers for become repeat customers.
security? C. Ensuring the website is easy to use.
D. Ensuring the systems are always available.
E. Preventing and detecting attempted fraud by agents or other staff.
F. Providing an efficient means to managing users’ access to the website and
ERP system.
G. Preventing unauthorized modification to sensitive information.
H. Ensuring that secure external support is possible when required.
These business drivers above are then analyzed and underlying business attributes are identified.

Brand-
Confidential enhancing
Usable
Access-
Authorized Private Error Free
controlled
Supported Efficient

Business Business
Driver B Business
Driver A Driver C

Accountable Supported
Available Reliable
Non- Responsive Automated
Monitored
repudiable
Business
Driver D Business Business
Driver E Driver F

Access Supported
Controlled

Business Business
Driver G Driver H

Conceptual layer depiction:


Assets (what) Motivation Process (how) People (who) Location Time (when)
(why) (where)
Access- Prevent RBAC, SSO, Transitive - Egg & honey Inactivity
controlled unauthorized defined joiner trust combination: Time-Outs –
access to and leaver between - DMZ = 30 minutes
confidential policies & customer & limited web Password
information. procs. Network website/ services Lifetimes – 6
segmentation application. accessible months
(office, server, CA will serve externally.
DMZ). as trusted 3rd - VPN in DMZ.
party for SSL. - Web servers
Accountable Provide a Logging of all Transitive in DMZ. Stored Data
means to transactions at trust - App & DB Lifetimes – 7
detecting application and between log servers in years
fraudulent or network layers. server & production
dishonest webservers. zone.
activity. Internal CA
will serve as - Internal zone
trusted 3rd accessible
party for SSL. locally or via
Authorized Prevent users RBAC, SSO, Transitive VPN. Replay
from modifying defined joiner trust - Bastion only Protection
listings, and leaver between accessible enabled
financial data, policies & customer & internally.
or procs. website/ - Production
compensation. application. zone access
via bastion
Available Protect against Network and One-way System
only. All
denial of application trust Session
systems
service attacks. monitoring. between Lifetimes - 24
physically
internal hours
controlled in
environment Message Time
tier 4
and DMZ. to Live – 2
colocation.
seconds
Trusted time –
all times
Brand- Ensure Application API Transitive Indefinitely
enhancing customers integration & trust
know their SSL encryption between
privacy is on website. customer &
valued and the website/
site is easy to application.
access. CA will serve
as trusted 3rd
party for SSL.
Confidential Ensure private Encryption all Transitive Stored Data
data is not stored trust Lifetimes -7
disclosed. customer data. between years
customer & Cryptographic
website/ Key Lifetimes–
application. 30 years
CA will serve
Certification
as trusted 3rd
Lifetimes – 1
party for SSL.
year
Efficient Ensure that Application API Transitive Certification
movement integration & trust Lifetimes – 1
through the SSL encryption between year
site is fluid and on website. customer &
simple. website/
application.
CA will serve
as trusted 3rd
party for SSL.
Error Free Ensure that Application API, Transitive Cryptographic
errors are not RBAC, system trust Key Lifetimes–
present in segmentation. between 30 years
storage or customer &
reporting. website/
application.
CA will serve Certification
as trusted 3rd Lifetimes – 1
party for SSL. year
Monitored Identify any Logging of all One-way Certification
attacks are transactions at trust Lifetimes – 1
identified application and between year
promptly. network layers. internal
environment
and DMZ.
Non- Ensure that a Logging of all One-way Stored Data
repudiable user can be transactions at trust Lifetimes -7
held application and between years
accountable for network layers. internal Cryptographic
their actions. environment Key Lifetimes–
and DMZ. 30 years
Certification
Lifetimes – 1
year
Private Ensure that Encrypt all Transitive Stored Data
employee’s PII stored trust Lifetimes -7
or customers’ customer data. between years
sensitive data is App API customer & Cryptographic
kept private. integration & website/ Key Lifetimes–
SSL encryption application. 30 years
on website. CA will serve
Certification
as trusted 3rd
Lifetimes – 1
party for SSL.
year
Reliable Ensure that Logging of all One-way Response
agents are able transactions at trust Time-Out – 10
to function and application and between seconds
customers have network layers. internal
access to see environment
important and DMZ.
listing
information.
Supported Prevent Centralized One-way Stored Data
extended user trust Lifetimes – 7
periods of time administration between years
where an agent with defined internal
or customer escalation environment
cannot access policy and and DMZ.
systems due to procedures.
technical Logging of all
support delay. transactions at
application and
network layers.
Usable Ensure the user SSO for internal Transitive Inactivity Inactivity
has no users. Network trust Time-Outs – Time-Outs
reservations separation for between 30 minutes – 30
about returning customer & minutes
for future ERP website/ Password Password
interactions. application. application. Lifetimes – 6 Lifetimes –
MFA and CA will serve months 6 months
source IP as trusted 3rd System
history for party for SSL. Session
customers. Lifetimes -
24 hours