Security Requirements

Security is a complex topic that involves all levels of a deployed system. Developing security requirements revolves around identifying the security threats and developing a strategy to combat them. This security analysis includes the following steps:

1. Identifying critical assets

2. Identifying threats to those assets

3. Identifying vulnerabilities that expose the threats that create risk to the organization

4. Developing a security plan that mitigates the risk to the organization

The analysis of security requirements should involve a cross-section of stakeholders from your organization, including managers, business analysts, and information technology personnel. Often, an organization appoints a security architect to take the lead in the design and implementation of security measures.

The following section describes some of the areas that are covered in security planning.

Elements of a Security Plan

Planning for security of a system is part of deployment design that is essential to successful implementation. Consider the following when planning for security:

• Physical security. Physical security is the physical access to routers, servers, server rooms, data centers, and other parts of your infrastructure. Other security measures become compromised if an unauthorized person can walk into a server room and unplug routers.

• Network security. Network security is access to your network through firewalls, secure access zones, access control lists, and port access. For network security you develop strategies for unauthorized access, tampering, and denial of service (DoS) attacks.

• Application and application data security. Application and application data security covers access to user accounts, corporate data, and enterprise applications through authentication and authorization procedures and policies. This area includes defining the following policies:

  • Password policies

  • Access rights, such as delegated administration to users as opposed to administrator access

  • Account inactivation

  • Access control

  • Encryption policies, including secure transport of data and using certificates to sign data

• Personal security practices. An organization-wide security policy defines the working environment and practices with which all users must comply to ensure other security measures perform as designed. Typically, you develop a handbook or manual on security and also offer training to users on security practices. For an effective overall security policy, sound security practices must become part of the organization culture.