Estimating Software – Security
Access controls are put in place by introducing security policies or guidelines. The IT department is
often responsible for administering these guidelines via network controls. However, every employee
plays a role in the overall effectiveness of the strategy, with a responsibility to ensure that the controls
are not ineffective or incomplete, which would compromise the overall security of the business.
It is often possible to enable effective access controls by altering the way people perform their work
functions. Separation of duties (SoD) is the concept of having more than one person required to
complete a task, the primary objective being to prevent fraud and errors. This is achieved by
distributing the tasks and associated privileges for a specific process among multiple people.
We can use this principle as part of the estimating process.
No matter what estimating technique you use (e.g. Three-Point, bottom-up or parametric estimating
etc.), assigning critical parts of the estimating process to separate, qualified personnel for expert
judgment is likely to achieve the best results. This separation of duties could be applied at any stage of
building an estimate, from resource cost data entry to reporting, analysis or review.
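As an added example (not code from the original page), the check below enforces the separation of duties just described across the stages of building an estimate: it records who performed each stage and refuses a stage when the same identity already performed a conflicting one. The stage names and the conflict pairs are assumptions chosen for illustration, not a policy the page prescribes.

```python
"""Separation-of-duties check for an estimating workflow (added example)."""
from dataclasses import dataclass, field

# Assumed policy: pairs of stages that must be performed by different people,
# so the person who enters resource rates cannot also review or approve them.
CONFLICTS = {
    frozenset({"rate_entry", "review"}),
    frozenset({"rate_entry", "approval"}),
    frozenset({"review", "approval"}),
}


class SoDViolation(Exception):
    """Raised when one identity would hold two conflicting duties."""


@dataclass
class Estimate:
    name: str
    # stage name -> user who completed it
    history: dict = field(default_factory=dict)

    def perform(self, stage: str, user: str) -> None:
        """Record `user` completing `stage`, refusing conflicting duties."""
        for done_stage, done_by in self.history.items():
            if done_by == user and frozenset({done_stage, stage}) in CONFLICTS:
                raise SoDViolation(
                    f"{user} performed '{done_stage}' and cannot also perform '{stage}'"
                )
        self.history[stage] = user


def run_workflow(steps):
    """Apply (stage, user) steps to a new estimate.

    Returns the stages that were accepted and the list of rejected attempts,
    which is what an audit trail for the estimating process would record.
    """
    est = Estimate("constructed-sample-estimate")
    violations = []
    for stage, user in steps:
        try:
            est.perform(stage, user)
        except SoDViolation as exc:
            violations.append(str(exc))
    return est.history, violations


if __name__ == "__main__":
    # Constructed sample: alice tries to review her own rate entry, bob tries
    # to approve his own review; both attempts are rejected.
    done, rejected = run_workflow([
        ("rate_entry", "alice"), ("quantity_takeoff", "alice"),
        ("review", "alice"), ("review", "bob"),
        ("approval", "bob"), ("approval", "carol"),
    ])
    print(done, rejected, sep="\n")
```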
Estimating data is a significant part of a company’s intellectual property, and it follows that organisations
must ensure they are doing all they can to protect this vital asset. Adherence to corporate internal
policies and procedures assists in capturing companies’ IP. Additionally, software automation that
models best practice can automatically capture IP safely and securely. It also allows companies to
retain an estimator's individual knowledge, which might otherwise walk out the door when the estimator
leaves, by capturing it as corporate IP that enhances the profitability and value of the company.
Estimating projects may contain confidential information including client contact details, drawings,
quantity take-off data, marketing information, resource rates, and margin details.
How can companies protect this type of information beyond network and policy access controls? The
answer is by applying a multi-faceted approach to security extending beyond simple network access.
Application Security
Software security assurance is a process that protects data and resources contained in and controlled
by your software.
Incorporating security into software requires considerations beyond basic authentication and
authorisation. Architecture, testing and development processes all need to apply software security
assurance. How users interact with the software via the user interface, and also the methods of
operating the software, both dictate how software security assurance translates to the user
experience.
Information about the data, often called metadata, provides a systematic method for describing the
resources and improves the retrieval of information. Metadata is particularly useful as it provides
valuable information about the unseen relationships between data. It helps the user correlate data
that was previously considered unrelated, while also providing the keys to unlocking critical or highly
important data inside the data warehouse.
This is a key factor as to why application security also relates to the data warehouse (in this case your
database). How and where your data is stored and accessed is integral to the overall security of the
application in use. How the software application reports and uses this metadata also extends to other