The following Q&A article is based on a PMI webinar on the compliance and cybersecurity aspects of Citizen Development platforms. You can watch Part 1 and Part 2 of this webinar here and here.


Topics:


  • Compliance of Citizen Development platforms with GDPR, HIPAA, and ISO 27001
  • Common cybersecurity features in low-code, no-code (LCNC) platforms
  • AgilePoint platform's cybersecurity features
  • Citizen developers' security mindfulness and the LCNC platform's security features
  • Best practices to avoid restricting citizen development activity from a governance perspective
  • AgilePoint's adherence to best practices to prevent restricting citizen development activity
  • Implementation of citizen-developed apps and best practices to identify security flaws
  • Adoption of AgilePoint enterprise citizen development in large, hybrid organizations


1. Is it possible to determine whether a specific enterprise citizen development platform is GDPR, HIPAA, or ISO 27001 compliant?


You can ask the platform provider whether they are ISO 27001 certified and request the certificate together with its scope statement, since a certification that covers only part of the provider's operations may not cover the service you will use. GDPR and HIPAA are regulations rather than certification schemes, so there is no certificate to ask for; instead, ask the provider for a Data Processing Agreement (GDPR) or a Business Associate Agreement (HIPAA) and for evidence of the safeguards behind them, such as a SOC 2 report. Understanding the regulations yourself goes a long way in that due diligence process.


GDPR requires that personal data be collected, stored, and processed lawfully and transparently on one of its recognized legal bases, of which consent is only one. HIPAA requires administrative, physical, and technical safeguards for protected health information (PHI), while ISO 27001 sets out a framework for an information security management system (ISMS).


AgilePoint's governance and permission framework is designed to support these standards, including GDPR, HIPAA, ISO 27001, Department of Defense regulations, and export control laws.


We have partnered with established hosting providers who bring world-class physical security to the data centers that host clients' data, and AgilePoint has layered information security policies and practices on top of that to meet the expectations of the most demanding enterprise customers.


Our integration capabilities make it straightforward to connect the platform to your existing privacy and security systems. Automated audit trails, alerts, and logging support compliance requirements and data tracking.


2. What are the most common cyber security features on LCNC (low-code, no-code) platforms?


The most common features of LCNC cyber security include authentication and authorization, data encryption, secure protocols, firewall protection, malware protection, and intrusion detection systems.


Authentication and authorization ensure that only identified and permitted users can access the system, while data encryption protects data at rest and in transit. Secure protocols such as TLS protect data transferred over public networks, firewalls prevent unauthorized network access to the system, and malware protection stops malicious software from entering the system.


Intrusion detection systems deployed by many LCNC vendors monitor the system for any suspicious activity and alert the appropriate personnel. These security features are essential for securing LCNC platforms and preventing malicious actors from accessing sensitive data. Most LCNC tools generate code and may offer additional security features such as code scanning, refactoring, and analysis features.


3. What cybersecurity features are available in the AgilePoint platform?


AgilePoint is ISO 27001 and SOC 2 certified, two of the most stringent industry benchmarks for information security and compliance. An independent third-party assessor audits our security practices, so customers have external assurance that their data is protected.


The AgilePoint platform provides cybersecurity features, such as identity and access management, automated audit trails, firewalls, intrusion detection, and system management through an easy-to-use and centralized settings module.


IT can extend the platform and ensure that applications built on it comply with the organization's security and governance policies. The settings module allows IT to change labels and display order, enforce global CSS, lock down BPMN, block users or IP addresses, control the app-level CSS injector, and enable multiple authentication providers.


AgilePoint provides IT professionals with streamlined tools for a secure and efficient operation by centralizing security features in the settings module.


4. Is it necessary for citizen developers to be mindful of app security even when low-code no-code platforms have their own security features?


Low-code and no-code (LCNC) platforms vary widely in the security and control options they offer, and some give organizations only limited governance.

While these platforms can improve efficiency, they only partially replace the need for security mindfulness at the citizen development level.


PMI's CD Canvas classifies projects based on financial, reputational, and other risks to guide development paths objectively. Even on an LCNC platform, the content an app handles and the measures protecting it in production still need to be considered, and security policies must comply with applicable regulations and industry standards. While LCNC platforms streamline development, organizations must remain vigilant about security practices and procedures.


5. Do AgilePoint’s security and governance features eliminate the need for citizen development-level security mindfulness?


AgilePoint is an advanced LCNC and BPMS platform with strong runtime, security, and governance mechanisms. Unlike generic LCNC platforms, AgilePoint is based on explicit process model-driven technology and does not translate user artifacts into code. It is the only LCNC platform that allows administrators to control and modify specific workflow instances, even during runtime, which improves security and reduces the accumulation of technical debt.


AgilePoint's mature lifecycle management engine blocks broken or malfunctioning artifacts from migrating to the production environment, supporting high availability and security.

IT has fine-grained control over the system, applications, users, reports, and data entities using the following security features:


  • Identity management
  • Portal level permission
  • Analytics level permission
  • Application level permission
  • Data level permission
  • Role-based access control


You get a very prescriptive approach with the combination of AgilePoint's advanced, layered security and governance and the PMI methodology to classify applications based on risk factors.


6. What are the best practices for avoiding onerous restrictions that discourage citizen development activity from a governance perspective?


Without a high level of knowledge, citizen developers find it challenging to understand the development process and create projects that clear IT security checks. Best practices include:


  • Set clear expectations and guidelines for citizen development activities. All citizen developers should be informed about these policies, and the policies should be easy to find for reference.
  • Be open to feedback and suggestions from citizen developers regarding their development projects.
  • Ensure sufficient time is allocated for development activities, since rushing a project leads to mistakes that can have costly consequences.


7. Does AgilePoint adhere to best practices to avoid restricting citizen development activity with burdensome regulations?


AgilePoint recognizes that governing citizen-developed apps is crucial for highly regulated or business-critical applications.

We empower the security function of IT to pre-approve data entities and all other components of an application, including process actions, integration options, role restrictions, API security, and user interface.


By doing so, your citizen developers can develop applications on AgilePoint that run at a scale not possible with generic LCNC platforms. You can now reach production levels faster with AgilePoint compared to generic Low-Code platforms.


We believe enterprise Citizen Development has more detailed requirements as it supports strategic, enterprise-wide initiatives and, as such, will address a broader range of use cases and levels of information sensitivity.


8. Do Citizen Developers implement their own apps, or does the IT team have to implement them after ensuring there are no security flaws in the code?


Citizen developers can implement what they develop, but we recommend involving an IT team for proper quality assurance. The IT team should be responsible for ensuring that the artifacts citizen developers create are secure and do not contain vulnerabilities.


This helps ensure that anything developed by citizen developers is of high quality and adheres to applicable industry standards. Involving an IT team also means bugs get resolved and technical issues are addressed promptly, which ultimately improves both the quality and the security of citizen-developed products and services.


9. How are citizen developers' apps put into production with AgilePoint's platform?


A stringent deployment methodology is essential to successfully implement and operate any LCNC application, particularly in an enterprise environment or when the application is business-critical.


Applications created by citizen developers in AgilePoint are composed only of components, features, or data sets already pre-approved by the organization's IT, enabling rapid security clearance and instant deployment. Furthermore, IT can allow quick migration based on the application's use case, data-access requirements, and users' roles.


AgilePoint offers its enterprise customers up to three environments (tenants) for development, testing, and production. IT Security pre-approves components and permits select citizen developers to quickly move complete applications or certain artifacts from development to testing to production.


Also, AgilePoint is based on explicit process model-driven technology and does not translate business process artifacts into code, even at runtime. The absence of code translation, combined with IT security's ability to pre-approve components, reduces the risk of malicious code or other harmful content being executed, and greatly reduces the risk of unauthorized access to sensitive or confidential information in production.


You can create applications with pre-approved components and get them into production faster than generic LCNC platforms.
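The governance pattern described in questions 7 and 9 (IT pre-approves components, integrations, data entities and role restrictions per environment, and an app is only promoted when everything it uses is already approved) can be expressed as a simple promotion gate. The following is an added, illustrative example and is not AgilePoint's own code or API; the manifest fields, environment names, component names and data entities are all constructed for the example.

```python
"""Illustrative promotion gate for citizen-developed apps.

This is example code, not AgilePoint's product code.  It models the pattern
described on this page: IT keeps a per-environment allowlist of approved
components, integrations and data entities, plus a list of privileged roles
that need explicit sign-off, and an app may only be promoted into an
environment when everything it uses is on that environment's list.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class AppManifest:
    """What a citizen-developed app uses (field names are assumptions)."""
    name: str
    components: frozenset      # process actions, form widgets, ...
    integrations: frozenset    # connectors to external systems
    data_entities: frozenset   # business data the app reads or writes
    roles: frozenset           # roles the app grants access to


@dataclass
class EnvironmentPolicy:
    """IT's allowlist for one environment (dev, test or prod)."""
    name: str
    approved_components: set
    approved_integrations: set
    approved_data_entities: set
    privileged_roles: set = field(default_factory=set)


def evaluate_promotion(app, policy, role_signoff=frozenset()):
    """Return a list of violations; an empty list means promotion is allowed.

    role_signoff is the set of privileged roles IT has explicitly approved for
    this app; any privileged role the app uses without sign-off is a violation.
    """
    violations = []
    checks = (
        ("component", app.components, policy.approved_components),
        ("integration", app.integrations, policy.approved_integrations),
        ("data entity", app.data_entities, policy.approved_data_entities),
    )
    for kind, used, approved in checks:
        # Anything the app uses that IT has not approved for this environment.
        for item in sorted(used - approved):
            violations.append(f"{kind} '{item}' is not approved for {policy.name}")
    # Privileged roles are allowed only with explicit sign-off.
    for role in sorted(app.roles & (policy.privileged_roles - set(role_signoff))):
        violations.append(f"role '{role}' requires IT sign-off in {policy.name}")
    return violations


def can_promote(app, policy, role_signoff=frozenset()):
    """True when the app passes every check for the target environment."""
    return not evaluate_promotion(app, policy, role_signoff)


# Constructed sample data: a development tenant that permits everything the
# app uses, and a production tenant with a stricter allowlist.
SAMPLE_APP = AppManifest(
    name="expense-approval",
    components=frozenset({"form", "approval-task", "email-notify"}),
    integrations=frozenset({"erp-connector", "public-webhook"}),
    data_entities=frozenset({"Employee", "ExpenseClaim", "BankAccount"}),
    roles=frozenset({"Finance", "Admin"}),
)

DEV = EnvironmentPolicy(
    name="dev",
    approved_components={"form", "approval-task", "email-notify"},
    approved_integrations={"erp-connector", "public-webhook"},
    approved_data_entities={"Employee", "ExpenseClaim", "BankAccount"},
)

PROD = EnvironmentPolicy(
    name="prod",
    approved_components={"form", "approval-task", "email-notify"},
    approved_integrations={"erp-connector"},          # no ad-hoc webhooks in prod
    approved_data_entities={"Employee", "ExpenseClaim"},  # BankAccount not cleared
    privileged_roles={"Admin"},
)

if __name__ == "__main__":
    for env in (DEV, PROD):
        print(f"{SAMPLE_APP.name} -> {env.name}: "
              f"{evaluate_promotion(SAMPLE_APP, env) or 'OK'}")
```

Running the block shows the app promoting cleanly to dev and being blocked from prod on three counts (an unapproved integration, an unapproved data entity, and a privileged role without sign-off). Granting sign-off for the Admin role removes only that violation; the other two still require IT to extend the production allowlist, which is the intended behaviour of the gate.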


10. Can you consider continuous development as continuous learning?


Most LCNC platforms focus on a specific use case, e.g., forms. AgilePoint covers many use cases, including forms, processes, integrations, chatbots, and mobile apps.


AgilePoint is a singular platform for continued learning and allows citizen developers to start with simple use cases and ultimately graduate to the most valuable application type - cross-functional automation. Rather than continually acquire and learn new platforms to address new use cases, AgilePoint enables Citizen Developers to progress without changing platforms. Along the way, you can reuse every application or artifact in different applications.


Bonus Questions


When does a large, hybrid organization start adopting AgilePoint enterprise citizen development?


There is no fixed point at which an in-production citizen-developed application should be marked as business-critical; it depends on the size of the company and the maturity of its IT and governance policies. If only a handful of users access a citizen-developed application and it solves occasional issues within a single function, it does not need to be treated as business-critical.


However, if an application is likely to be or is used by many users spread across different departments and functions; it may make sense to allow IT to take ownership of the application after development. Citizen developers can remain an active part of the further development and enhancement of citizen developer applications. However, they must follow change management policies to ensure they do not impact any user or services relying on these applications.


The AgilePoint platform enables IT to monitor the usage of applications created by citizen developers making it easier to decide when an application is ready to be marked as business critical and move it out of a function’s citizen developer incubator.


What department typically launches, governs, and manages a Citizen Dev program in an organization?


The CIO plays a critical role in launching successful citizen development initiatives by coordinating with IT, business, and end users to create a unified vision and culture of collaboration. Without this centralized approach, siloed applications can be created that do not meet the organization's needs. Proper training of business users and IT support is also crucial for success.


AgilePoint offers a secure and governed environment for Citizen Development. With a layered security framework and governance controls, IT can manage and oversee the creation of business applications by Citizen Developers. The platform's analytics module allows continuous monitoring and reporting of security issues or breaches. IT can define data entities, policies, and access control, which enables granting critical roles to business users while maintaining data security.


Supporting Citizen Developers: Do You Need Dedicated Personnel like Project Managers, Data Specialists or Developers?


Citizen development tools empower business users to create their applications but still require roles and responsibilities from both business users and IT. Establishing a Center of Excellence (CoE) under the CIO's leadership can promote and manage citizen development initiatives, reducing errors and preventing costly shadow IT. The CoE should involve stakeholders from different functions, including IT, for security and governance policymaking.


The CoE is a gatekeeper for ideas and business applications, ensuring resources are not wasted on duplicate efforts. With a learning curve for citizen developers, the CoE should provide learning resources and certifications like PMI CD. A formal and well-structured CoE does not slow down processes but aids in the success of citizen development initiatives.


To understand more about the security and governance tooling embedded in the AgilePoint platform, take a look at the "Security and Governance" page and explore the enterprise Citizen Development platform further.

By Sharjeel Sohaib 31 Oct, 2023