Why is value assurance important to a Smart City Security Strategy? Value assurance is a means to review security plans, proposals, architectural designs and strategies to determine that value to the City will be delivered.
Like any assurance process, it cannot guarantee value will be delivered, but it can investigate and decide that the information is aligned to a framework or standard and that the evidence is sound and backs up the decisions, risk mitigation and actions. Value assurance should be independent in its approach and incorporate consultation and critical reviews of all proposals. The objectives of a value assurance review should be:
a) To provide an external challenge to the security project team at each key decision stage; to help assess the validity and robustness of the work done and the key areas requiring focused attention; and to assist in achieving the value of the deliverable.
b) To assess the suitability of the plans and strategies to ensure a go-ahead to operate within the context of the overall Security Architecture.
c) To appraise the readiness and justification of the project to proceed into the next phase, including the project’s soundness for capital allocation.
d) To capture lessons learned for dissemination across teams and, where appropriate, facilitate best practice transfer into the maturation or project team.
Two important areas of value assurance are compliance with the security architecture framework and the validity of the evidence supplied. Checking compliance is relatively straightforward: it means ensuring the proposals are all based on the agreed template and process. Checking evidence is a lot harder.
If an organisation has had a disciplined approach to information management (supported by an enterprise information management strategy ensuring all formal information is well classified, categorised and accessible) then an evidence relationship map should be straightforward. By evidence relationship map I mean the pedigree of references to past documentation pertaining to the current proposal.
For example, references to three similar projects implementing the same technologies or business decisions that have all proved value through their successes – delivered to schedule or cost, shown effective transformation and/or growth through service or citizen satisfaction.
If an organisation has poorly managed its information assets, then building up evidence to support decisions will be a lot harder. I suspect most Cities are a mix of these two scenarios and, as Security Architecture is relatively new, historic information assets aligned to the cyber security framework are unlikely to exist. Value assurance and evidence management are two critical activities to support Security Architecture maturity. If a City is not using evidence to support architectural decisions, then it is running the risk of undermining the importance of its security strategy and its ability to deliver value in the future.
