Security is one of the most important things to consider when developing any type of system. There are numerous malicious attacks that could happen at any time that you have to ensure that your system is protected. The first step in doing this is thinking and developing the requirements that will drive the way your team and you handle anything that comes your way.
Security requirements are important because you will have sensitive data contained within that you need to protect. We have seen in the past how hackers have been able to collect users’ identities, financial records, Social Security numbers, and the list keeps going.
One thing that companies fail in doing is taking the time to research, analyze, and collect security requirements before developing a system. This is always an error because then you spend more time trying to patch up the things you didn’t foresee. I have been collecting requirements for years, and I have noticed that when done correctly, you usually build a good, stable system
Security Requirements are usually part of the overall Functional Requirements Document or Security Requirements Specifications. There are times that people will build a separate Security Plan, but usually it’s within one of the two documents named above.
The four major areas that you should consider when collecting and writing security requirements documents are:
- User Management
- Data Management
- Access Control
- Auditing
User Management
When developing a system, there are usually users who will be accessing the system. The main questions to answer are the following:
- Who are the people that will be accessing the system? Will they be frequent users? How do they relate with one another?
- Do these users have different levels of classification, if it applies?
- What will be the user roles used in the system?
- How will you authenticate these users? How are you going to manage passwords?
- Who will have manage these users? What are the security guidelines that these people have to follow?
- What kind of checks will have you in place to ensure that there is no security breach?
Data Management
Next, you should consider how you will protect the data maintained in the system. You should think about these points when thinking about data management:
- Does the data have different classification levels? How will you handle the difference in data sensitivity?
- How will you control access to data? What are the different ways that you will? How do they relate with one another?
- How is data collected? What safeguards will be in place when users are entering data into the system?
- Will the system have encryption? If so, what kind of encryption will it have? When will encryption be used?
- What kind of data validation will be performed?
Access Control
Access Control is how users will interact with the data. It is probably the most important section because usually issues with access control is why attacks are usually successful. Here are question to ask yourself when thinking about access control:
- Will there be remote access to the system? How is remote access handled? How will you secure users remotely accessing the system?
- How will you secure different control points into the system?
- What kind of physical access controls will be in place? How will you manage it?
- Who can access what kind of data? What kind of rights will they have to that data?
Auditing
You should always be collecting, reviewing, and discussing how users are using the system, what they are accessing, errors, risks, and vulnerabilities. You should be asking these questions when dealing with auditing. Auditing could save you from a serious mishap because you are constantly monitoring the system.
- What kind of data will be collected in the audit trail? Frequency? When it will be reviewed by security personnel?
- How will error, audit, and any security notifications be performed? Frequency?
- How long will audit trail and history be contained in the system? How long will they be in archives?
- How will audits be backed up? Frequency?
- Who will review these audit trails? Frequency?
Resources
These resources will help you in understanding what kind of detailed security questions you should be asking yourself:
- Security Technical Implementation Guides
- US Military and Government Security Guides and Information
- Functional Requirements Document Sample
- Writing Software Requirements Specifications
- Functional Requirements Document Checklist
Final Thoughts
These are the basic four areas that you should be thinking about when thinking about security for your system. One thing that you should also remember is that security goes hand-in-hand with non-functional requirements that if ignored, can negatively affect your system. Best thing is to do things right from the beginning, so you won’t have any headaches later.
Tags: Access control, collecting requirements, Data, functional requirements document, Non-functional requirement, Password, requirements gathering, Security, security requirements, software requirements specification
