Federal agencies moving to the cloud have a lot to consider, but a new guide from the Chief Information Officer (CIO) Council provides some useful advice. The Application Rationalization Playbook is designed to help IT portfolio managers at federal agencies figure out which applications can be smartly migrated to the cloud. It offers detailed advice for agencies to consider during the “application rationalization” process. One of the key points is that before they make any moves, federal agency IT managers should scope and define each application to see where it fits in their overall plans for migrating to a cloud environment.
Scoping the boundary of an information system is a basic governing practice. Poorly defined or poorly managed boundaries can often lead to ill-informed risk management decisions. So, the rationalization process as defined by The Application Rationalization Playbook is really a risk management process.
Before agencies begin the rationalization process, they should carefully consider the existing relationship between applications, information systems, and their authorization boundaries. The agency needs to first understand the environment in which existing applications operate. It also needs to understand why they were developed in the first place. Finally, it needs to determine how the organization is currently making risk-based decisions around the operation of the applications.
Before we go too much further, let’s level set on a few relevant terms in the guide.
What Defines an Information System?
The National Institute of Standards and Technology (NIST) defines an information system as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information”. Information system components, or just components, are the “information technology (IT) assets (hardware, software, firmware) that comprise an information system”.
The discrete set of components that make up a system need approval by a designated Authorizing Official (AO) to operate. The authorization boundary includes the components of an information system that have been authorized to operate by the AO. The AO’s agreement to run the information system is based on the risk of operating it being at or below the established tolerable level. To put it another way, AOs shouldn’t agree to operate information systems that don’t meet at least the minimal level of risk tolerance they need.
Applications can represent the entire information system or be a component of a larger, more complex information system.
What Is the Information System’s Purpose?
Before moving to the cloud, you need to take a step back and look at the service or business process the information system supports. By getting a full understanding of the information system’s purpose within the context of the organization’s overall business processes, you can better understand the various data inputs and outputs that users provide. This foundational knowledge will provide insight into the different kinds of data that the system uses and produces.
How Does information Flow within the System?
Now you understand what kind of information is being processed. The next step is to visualize how information flows within the system. Seeing how information flows makes it easier to understand the multiple channels in which information is collected, stored, processed, and transmitted . By visualizing this, agencies can uncover the information asset containers in which the business process information is stored, transported, or processed.
Where Does Information “Live” within the Information System?
The Software Engineering Institute (SEI) defines an Information asset container as “a physical or logical location where assets are stored, transported, and processed. A container can encompass technical containers (servers, network segments, personal computers), physical containers (paper, file rooms, storage spaces, or other media such as CDs, disks, and flash drives), and people (including people who might have detailed knowledge about the information asset).”
Logically, the IT components of an information system are truly information asset containers. However, without going through the exercise of first mapping out the information flows, agencies may overlook an information asset container outside the current authorization boundary. This oversight could lead to an ill-informed rationalization determination based on not understanding the information system in its entirety.
In summary, federal agencies moving to the cloud must take stock of their existing information systems, including applications. They need to make sure that they thoroughly understand all aspects of them before starting the rationalization process. Carefully considering an information system’s architecture will make it easier to assess the risk of migrating an application to a cloud environment.
*** This is a Security Bloggers Network syndicated blog from Blog – Delta Risk authored by Mike Wigal. Read the original post at: https://deltarisk.com/blog/federal-agencies-moving-to-the-cloud-must-take-stock-of-information-systems/