6 Security Requirements Security requirements are functional or performance demands placed on a system to ensure a desired level of security Usually derived from organizational business needs sometimes including compliance with mandates imposed from outside, such as government standards Characteristics of good security requirements Correctness Consistency Completeness Realism Need Verifiability Traceability From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Security Requirements • Security requirements are functional or performance demands placed on a system to ensure a desired level of security • Usually derived from organizational business needs, sometimes including compliance with mandates imposed from outside, such as government standards • Characteristics of good security requirements: • Correctness • Consistency • Completeness • Realism • Need • Verifiability • Traceability 6 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
7 Inputs to the Security Plan Security policies (Constraints) Requirements -> Security Planning Security plan Process Security Techniques and controls (Mechanisms) From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Inputs to the Security Plan 7 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
8 Responsibility for Implementation A section of the security plan will identify which people(roles)are responsible for implementing security requirements Common roles Users of personal computers or other devices may be responsible for the security of their own machines. Alternatively, the security plan may designate one person or group to be coordinator of personal computer security Project leaders may be responsible for the security of data and computations Managers may be responsible for seeing that the people they supervise implement security measures Database administrators may be responsible for the access to and integrity of data in their databases Information officers may be responsible for overseeing the creation and use of data; these officers may also be responsible for retention and proper disposal of data Personnel staff members may be responsible for security involving employees for example, screening potential employees for trustworthiness and arranging security training programs From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Responsibility for Implementation • A section of the security plan will identify which people (roles) are responsible for implementing security requirements • Common roles: • Users of personal computers or other devices may be responsible for the security of their own machines. Alternatively, the security plan may designate one person or group to be coordinator of personal computer security. • Project leaders may be responsible for the security of data and computations. • Managers may be responsible for seeing that the people they supervise implement security measures. • Database administrators may be responsible for the access to and integrity of data in their databases. • Information officers may be responsible for overseeing the creation and use of data; these officers may also be responsible for retention and proper disposal of data. • Personnel staff members may be responsible for security involving employees, for example, screening potential employees for trustworthiness and arranging security training programs. 8 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
9 Timetable and plan maintenance As a security plan cannot be implemented instantly, the plan should include a timetable of how and when the elements in it will be performed The plan should specify the order in which controls are to be implemented so that the most serious exposures are covered as soon as possible The plan must be extensible, as new equipment will be acquired, new connectivity requested, and new threats identified The plan must include procedures for change and growth The plan must include a schedule for periodic review From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Timetable and Plan Maintenance • As a security plan cannot be implemented instantly, the plan should include a timetable of how and when the elements in it will be performed • The plan should specify the order in which controls are to be implemented so that the most serious exposures are covered as soon as possible • The plan must be extensible, as new equipment will be acquired, new connectivity requested, and new threats identified • The plan must include procedures for change and growth • The plan must include a schedule for periodic review 9 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved
Security Planning Team Members Security planning touches every aspect of an organization and therefore requires participation well beyond the security group Common security planning representation Computer hardware group System administrators Systems programmers Applications programmers Data entry personnel Physical security personnel Representative users From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved
Security Planning Team Members • Security planning touches every aspect of an organization and therefore requires participation well beyond the security group • Common security planning representation: • Computer hardware group • System administrators • Systems programmers • Applications programmers • Data entry personnel • Physical security personnel • Representative users 10 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved