C E S –
A Systems Analysis Framework
By
Henry Chung, CISSP
Date:
(Related
materials first published in CISSP Forum
Introduction
CES is a framework and analytical approach to systems
analysis. It is particularly useful in information systems analysis.
I call this methodology CES (Control Environment SystemSet).
CES can be visualized as 3-dimensional: Control and SystemSet form the base that creates an Environment.
All real-life systems scenarios can have the following
characteristics:
We can use CES effectively for systems analysis, and
for that matter, for any practical purpose.
CES can be presented in a simple 3-column spreadsheet:
CES
*Please see CES.doc
(Published on CISSP Forum
for brief examples and more details)
Application
of CES Analysis
The CES spreadsheet can be as simple as listing your
ideas of CONTROLS, your targeted ENVIRONMENT, and all the SYSTEM SETS with
appropriate hyperlinks in one spreadsheet.
The hyperlinks in the CES spreadsheet can have links
to any powerful data infrastructures that can include websites and databases. Software can be developed for such purposes.
* * * * *
CES Approaches and Applications:
After data and information are collected and recorded for
the systems under study in a CES spreadsheet, we can start the systems analysis
using the following approaches ie. arrange the CES
columns to the following:
CES
CSE
ECS
ESC
SCE
SEC
CES APPLICATONS
CES: Analyze the System: Control the environment with working systems
-
Examine the CONTROL (what we want to
manipulate and control) first,
-
Look at the current state of the
ENVIRONMENT and evaluate
-
View the SYSTEM SETS all the
components we introduced
From the point of view of the CONTROL, know the
ENVIRONMENT, and know what we can use ie. SYSTEM SETS.
With exactly the same collected information on the
spreadsheet unchanged.
Rearrange CES columns, start from left to right:
CSE: Critic on the Systems:
-
Examine the CONTROL
-
View the SYSTEM SETS
-
Look at the current state of the
ENVIRONMENT
Based on the targeting CONTROL and the SYSTEM SETS we
spent time/effort on, we now know what ENVIRONMENT we have achieved as of NOW.
With exactly the same collected information on the
spreadsheet unchanged.
Rearrange CES columns, start from left to right:
ECS: Feasibility
Study of the Systems:
-
Examine ENVIRONMENT information at
hand
-
Examine CONTROL for implementation
-
View the SYSTEM SETS to be involved
in the implementation
We know what we want (ENVIRONMENT), next consider the
CONTROL, then come to the $ and effort for the SYSTEM SETS and
implementation. Of course hyperlinks in here helps a lot for linking relevant
information but won’t lose track of the studies systems.
With exactly the same collected information on the
spreadsheet unchanged.
Rearrange CES columns, start from left to right:
ESC: Design
of the Systems:
-
Examine the ENVIRONMENT to be achieved,
either it is the face, or the functionalities or the security
-
Put in the SYSTEM SETS eg. Web interface, software and hardware to be used
-
Examine CONTROL eg. What
kinds of security control we are up to or need for improvement?
JAD meetings or developers meeting: Each individual
can be directed and each expresses their view based on the same context. It is easier to view the SYSTEM SETS as
components/building blocks and see CONTROL as means of gaining control or put
things under control.
With exactly the same collected information on the
spreadsheet unchanged.
Rearrange CES columns, start from left to right:
SCE: Systems
Implementation and Review:
-
Examine the SYSTEM SETS being
implemented
-
View the CONTROL so far achieved
-
Evaluate the ENVIRONMENT current
state and compare to what we originally planned (eg. ECS
and ESC).
Check points can be planted at certain stages of the SCE.
With exactly the same collected information on the
spreadsheet unchanged.
Rearrange CES columns, start from left to right:
SEC: Learning the Systems.
-
Examine the SYSTEM SETS eg.
Where is the driving wheel? What is the browsing screen? Where is the execution
button?
-
See what to do with the targeted
ENVIRONMENT
-
View how much control can we have now eg.
How does the driving wheel feel. How many window screens I have to click and
step through?
Know the SYSTEM SETS and then have the CONTROL, thus
arrive at the desired ENVIRONMENT. It is
a natural path of logical thinking and learning.
Example of
Systems Analysis using CES:
See CES Application Example.xlsx
spreadsheet on CISSP Forum:
Discussion:
In terms of presenting and reporting, CES can have the
birds-eye-view because it uses a spreadsheet for presentation and
reporting. Subsequent CES or nest CES (eg. CES under C only) can be examined.
Individual department, branch, or group can have their
CES following the natural logical definition of their scope of CES. Example:
If a hard drive is designed with security protection features. The hard drive itself is an ENVIRONMENT to be
achieved. CONTROL is how to gain such
security control. Of course the SYSTEM
SETS will be the hardware part and software/interface involved.
I would like to stress that in CES, ENVIRONMENT is
even more abstract because the nature of all things under the sun are changing
constantly. It is very important to
remember this characteristic. Also
usually ENVIRONMENT is what we are after.
CONTROL or SYSTEM SETS without an ENVIRONMENT can be regarded as
dormant. But the CONTROL and SYSTEM SETS
information can be collected for future use.
With respect to time, the CONTROL always lags behind
and has to be optimized.
SYSTEM SETS is easy to comprehend the idea, but of
course the cost and complexities are just some of the many factors need to be
enumerated.
Summary and
Conclusion
CES is a framework to analyze any systems that are of
interest. It is only limited by one’s
preferences and resources. CES also is
as simple as the rows and columns of a spreadsheet (Relational
Database!). CES can be definable within
one’s imagination. As long as the scope
is defined and discussed, it can be passed along. Since the use of categorized technical terms
is limited to the 3 columns ie. C and E and S, you
probably do not need to invent new technical terms and need only have CES as
the common terms for communication between different types of audience or
departments.
In CES, Environment is always understood as the
targeted or ideal state that you want.
Control is how much control you have or hope to have on the Environment
with respect to time, and time is always changing. System Set is what you can use as beneficial
for the system under study. Follow this
principle, in nested CES, eg. CES under S such as developing a computer
circuit board; C will be the quality and interface you aim at, and E will be
the existing state of the manufacture or protocol of the circuit board. System
Set will be the etched electrical components on the circuit board.
The core of CES is to sort and then encompass all
systems under your study – the approach is the same as viewing things as rows
and columns in multi-dimensions but in different points of view. This is why a spreadsheet is always the best
way to view and summarize a CES under study.
Multiple spreadsheets can be of use. If all Cs, Es and Ss can be linked,
you can see the different aspects of the systems under study (eg. from the point of view of CONTROL). A bird eye’s view will have to be viewed on
the very high level – possibly the “mother” spreadsheet of the CES.
The spreadsheet can be expanded to multi-layers or for
the use of relational databases.
Hyperlinks inside the CES spreadsheet(s) can be very powerful for acCESs
to enormous amounts of important or sensitive information, but can be hidden
behind the spreadsheet. A core/main CES
spreadsheet encompass other CES (or nested CES), which can be utilized for
complex ENVIRONMENT.
CES is limitless in uses because it follows our
natural way of logical thinking.
* * *