The following Q&A article is based on a PMI webinar on the compliance and cybersecurity aspects of Citizen Development platforms. You can watch Part 1 and Part 2 of this webinar here and here.
You can ask the platform provider if they are ISO certified, but understanding the regulations yourself can go a long way in your due diligence process.
GDPR mandates lawful and transparent collection, storage, and processing of personal data with consent. HIPAA requires safeguards for protected health information, while ISO 27001 sets a framework for information security management.
AgilePoint's governance and permission framework meets these standards, including compliance with GDPR, HIPAA, ISO, Department of Defense regulations, and export control laws.
We've partnered with renowned hosting providers who bring world-class physical security to clients' data centers, and AgilePoint has layered information security policies and practices in line with the world's most demanding Enterprise customers.
Our integration capabilities make integration with existing privacy and security systems uncomplicated. Automated audit trails, alerts, and logging help with compliance requirements and data tracking.
The most common features of LCNC cyber security include authentication and authorization, data encryption, secure protocols, firewall protection, malware protection, and intrusion detection systems.
Authentication and authorization help ensure that only authorized users can access the system, while data encryption helps protect data in transit. Secure protocols help to protect data transfer over public networks, firewalls prevent unauthorized access to the system, and malware protection stops malicious software from entering the system.
Intrusion detection systems deployed by many LCNC vendors monitor the system for any suspicious activity and alert the appropriate personnel. These security features are essential for securing LCNC platforms and preventing malicious actors from accessing sensitive data. Most LCNC tools generate code and may offer additional security features such as code scanning, refactoring, and analysis features.
AgilePoint is ISO 27001 and SOC2 certified, two of the most stringent industry benchmarks for information security and compliance. A third-party assessor verifies and audits our security practices, guaranteeing that our customers can be confident that their data is safe and secure.
The AgilePoint platform provides cybersecurity features, such as identity and access management, automated audit trails, firewalls, intrusion detection, and system management through an easy-to-use and centralized settings module.
IT can extend applications built on the platform and ensure they comply with their organization's security and governance policies. It allows IT to change labels and display order, enforce global CSS, lock down BPMN, block users or IPs, control the app-level CSS injector, and enable multiple authentication providers.
AgilePoint provides IT professionals with streamlined tools for a secure and efficient operation by centralizing security features in the settings module.
Low-code and no-code (LCNC) platforms vary in security and control options, offering organizations limited governance.
While these platforms can enhance efficiency, they only partially replace the need for security mindfulness at the Citizen Development level.
PMI's CD Canvas classifies projects based on financial, reputational, and other risks to guide development paths objectively. LCNC platforms still require content and security measures mindful of production and data protection. Security policies must comply with regulations and industry standards. While LCNC platforms streamline development, organizations must remain vigilant in security practices and procedures.
AgilePoint is an advanced LCNC and BPMS platform with superior runtime, security, and governance mechanisms. Unlike generic LCNC platforms, AgilePoint is based on explicit process model-driven technology and does not translate user artifacts into code. It is the only LCNC platform that allows administrators to control and modify any specific workflow instances, even during runtime, making it a highly secure option while reducing the accumulation of technical debt.
AgilePoint's mature lifecycle management engine blocks broken or malfunctioning artifacts from migrating to the production environment, ensuring high availability and security.
IT has fine-grained control over the system, applications, users, reports, and data entities using the following security features:
You get a very prescriptive approach with the combination of AgilePoint's advanced, layered security and governance and the PMI methodology to classify applications based on risk factors.
Without a high level of knowledge, citizen developers find it challenging to understand the development process and create projects that clear IT security checks. Some of the best practices include
AgilePoint recognizes that governing citizen-developed apps is crucial for highly regulated or business-critical applications.
We empower the security faction of IT to pre-approve data entities and all other components of an application, including process actions, integration options, role restrictions, API security, and user interface.
By doing so, your citizen developers can develop applications on AgilePoint that run at a scale not possible with generic LCNC platforms. You can now reach production levels faster with AgilePoint compared to generic Low-Code platforms.
We believe enterprise Citizen Development has more detailed requirements as it supports strategic, enterprise-wide initiatives and, as such, will address a broader range of use cases and levels of information sensitivity.
Citizen Developers can implement what they develop, but we recommend that you involve an IT team for proper quality assurance. The IT team should be responsible for ensuring that all artifacts that Citizen Developers create are secure and do not contain any vulnerabilities.
It helps ensure that any products or services developed by Citizen Developers are of high quality and adhere to applicable industry standards. Additionally, involving an IT team will help ensure the resolution of bugs and enable you to address technical issues promptly. Ultimately, adding an IT team to the development process will help improve the quality and security of any products or services developed by Citizen Developers.
It is essential to impose a stringent deployment methodology to successfully implement and operate any LCNC application, typically in an enterprise environment or if the application is developed as a business-critical one.
Applications created by citizen developers in AgilePoint are composed only of components, features, or data sets already pre-approved by the organization's IT, enabling rapid security clearance and instant deployment. Furthermore, IT can allow quick migration based on the application's use case, data-access requirements, and users' roles.
AgilePoint offers its enterprise customers up to three environments (tenants) for development, testing, and production. IT Security pre-approves components and permits select citizen developers to quickly move complete applications or certain artifacts from development to testing to production.
Also, AgilePoint is based on explicit process model-driven technology and doesn't translate business process artifacts into code, even during runtime. No code translation combined with the fact that IT security can pre-approve components decreases the security risks associated with malicious code or any harmful content being executed or used. It eliminates unauthorized access to sensitive or confidential information in production.
You can create applications with pre-approved components and get them into production faster than generic LCNC platforms.
Most LCNCs focus on a specific use case, i.e., forms. However, AgilePoint covers many use cases like forms, processes, integrations, chatbots, and mobile apps.
AgilePoint is a singular platform for continued learning and allows citizen developers to start with simple use cases and ultimately graduate to the most valuable application type: cross-functional automation. Rather than continually acquiring and learning new platforms to address new use cases, Citizen Developers can progress on AgilePoint without changing platforms. Along the way, you can reuse every application or artifact in different applications.
Bonus Questions
There is no specific time to mark an in-production citizen-developed application as a business-critical application, but depending on the size and maturity of the company's IT and governance policies, this may change. If a handful of users access a citizen-developed application and it only solves irregular issues of a function, it doesn't need to be marked as business-critical.
However, if an application is likely to be or is used by many users spread across different departments and functions, it may make sense to allow IT to take ownership of the application after development. Citizen developers can remain an active part of the further development and enhancement of citizen developer applications. However, they must follow change management policies to ensure they do not impact any user or services relying on these applications.
The AgilePoint platform enables IT to monitor the usage of applications created by citizen developers, making it easier to decide when an application is ready to be marked as business-critical and moved out of a function's citizen developer incubator.
The CIO plays a critical role in launching successful citizen development initiatives by coordinating with IT, business, and end users to create a unified vision and culture of collaboration. Without this centralized approach, siloed applications can be created that do not meet the organization's needs. Proper training of business users and IT support is also crucial for success.
AgilePoint offers a secure and governed environment for Citizen Development. With a layered security framework and governance controls, IT can manage and oversee the creation of business applications by Citizen Developers. The platform's analytics module allows continuous monitoring and reporting of security issues or breaches. IT can define data entities, policies, and access control, which enables granting critical roles to business users while maintaining data security.
Citizen development tools empower business users to create their applications but still require roles and responsibilities from both business users and IT. Establishing a Center of Excellence (CoE) under the CIO's leadership can promote and manage citizen development initiatives, reducing errors and preventing costly shadow IT. The CoE should involve stakeholders from different functions, including IT, for security and governance policymaking.
The CoE is a gatekeeper for ideas and business applications, ensuring resources are not wasted on duplicate efforts. With a learning curve for citizen developers, the CoE should provide learning resources and certifications like PMI CD. A formal and well-structured CoE does not slow down processes but aids in the success of citizen development initiatives.
To understand more about the security and governance tooling embedded in the AgilePoint platform, take a look at the "Security and Governance" page and explore more about the enterprise Citizen Development platform.