Questions to Ask Yourself When Collecting and Writing Security Requirements
Security is one of the most important things to consider when developing any type of system. Malicious attacks can happen at any time, so you have to ensure that your system is protected. The first step is thinking through and developing the requirements that will drive how your team and you handle anything that comes your way.
Security requirements are important because you will have sensitive data contained within that you need to protect. We have seen in the past how hackers have been able to collect users’ identities, financial records, Social Security numbers, and the list keeps going.
One thing that companies often fail to do is take the time to research, analyze, and collect security requirements before developing a system. This is always an error, because you then spend more time trying to patch up the things you didn’t foresee. I have been collecting requirements for years, and I have noticed that when done correctly, you usually build a good, stable system.
Security Requirements are usually part of the overall Functional Requirements Document or Security Requirements Specifications. There are times that people will build a separate Security Plan, but usually it’s within one of the two documents named above.
The four major areas that you should consider when collecting and writing security requirements documents are:
- User Management
- Data Management
- Access Control
- Auditing
User Management
When developing a system, there are usually users who will be accessing the system. The main questions to answer are the following:
- Who are the people that will be accessing the system? Will they be frequent users? How do they relate to one another?
- Do these users have different classification levels, if applicable?
- What user roles will be used in the system?
- How will you authenticate these users? How are you going to manage passwords?
- Who will manage these users? What security guidelines do these people have to follow?
- What kind of checks will you have in place to ensure that there is no security breach?
Data Management
Next, you should consider how you will protect the data maintained in the system. You should think about these points when thinking about data management:
- Does the data have different classification levels? How will you handle the difference in data sensitivity?
- How will you control access to data? What are the different ways you will control it, and how do they relate to one another?
- How is data collected? What safeguards will be in place when users are entering data into the system?
- Will the system have encryption? If so, what kind of encryption will it have? When will encryption be used?
- What kind of data validation will be performed?
Access Control
Access Control is how users will interact with the data. It is probably the most important section, because issues with access control are usually why attacks succeed. Here are questions to ask yourself when thinking about access control:
- Will there be remote access to the system? How is remote access handled? How will you secure users remotely accessing the system?
- How will you secure different control points into the system?
- What kind of physical access controls will be in place? How will you manage them?
- Who can access what kind of data? What kind of rights will they have to that data?
Auditing
You should always be collecting, reviewing, and discussing how users are using the system, what they are accessing, errors, risks, and vulnerabilities. You should be asking these questions when dealing with auditing. Auditing could save you from a serious mishap because you are constantly monitoring the system.
- What kind of data will be collected in the audit trail? Frequency? When will it be reviewed by security personnel?
- How will error, audit, and any security notifications be performed? Frequency?
- How long will the audit trail and history be retained in the system? How long will they be kept in archives?
- How will audits be backed up? Frequency?
- Who will review these audit trails? Frequency?
Resources
These resources will help you in understanding what kind of detailed security questions you should be asking yourself:
- Security Technical Implementation Guides
- US Military and Government Security Guides and Information
- Functional Requirements Document Sample
- Writing Software Requirements Specifications
- Functional Requirements Document Checklist
Final Thoughts
These are the four basic areas that you should be thinking about when thinking about security for your system. One thing that you should also remember is that security goes hand-in-hand with non-functional requirements which, if ignored, can negatively affect your system. The best thing is to do things right from the beginning, so you won’t have any headaches later.
Look Back on My Career in 2009; What’s Next in 2010
I’ve had ups and downs this year regarding my career. One thing that I can say is that I’ve had more ups than downs. In 2009, I found myself being laid off and contemplating my next move. I came to realize that I had become complacent since I began with the company, so I decided to really get moving on my dream of becoming a full-time freelance writer.
I began applying to more writing gigs, and the most insane thing happened. After blogging for over ten years for pleasure and always wishing it could become something I could get paid for, it did. I have to thank MakeTechEasier for giving me a chance, and it’s something that I will never forget. I also want to thank Macgasm, PunchyCritics, and Penn Olson for helping me become a bona fide blogger. Hurray!
This is something that I always say to people. Take something bad and turn it into something good. I finally started getting closer to my dreams. After waiting for the inevitable, I never got laid off. My manager told me that I wrote the proposal that got them this multi-million contract, so I became a Sr. Requirements Analyst on this project. It’s been hectic, strenuous, and sometimes frustrating. However, I have learned more about requirements gathering and kept my security clearance active.
What do I want next year? I want to continue on my quest to become a full-time freelance writer. I want to try to take a crack at writing an ebook or two, finishing my book draft, and possibly adding WordPress Consultant to my list of services. I’ve helped a few people with their WordPress, and I write about it. I realized that some people charge up to $100/hr to assist people with their WordPress, so why keep doing it for free? It’s something that I am not 100% sure about, so we shall see.
All I know is that writing has always been my first passion. I’m glad to say that it is my career, and I’m getting closer to doing the writing that I want to do.
Never give up on your dreams. You will see more of me next year.
Three Don’ts When Taking Part in a Peer Review
I have participated in many peer reviews, be it for gap analysis, requirements, or proposals. I have seen a few of them go awry for numerous reasons. Here are a few tips that I picked up while attending these peer reviews:
1. Leave the egos at home – There was one gap analysis where four of us were in one room for three months hashing out the best and worst of three complex financial management systems. It was already a tedious and stressful job trying to figure out which features to place in the new system. The process became ten times as hard because of two individuals who each thought his system was the best, and that he was the only expert. Honestly, leave the egos at home. When you are thinking about how great you are or the system you represent, you are not open enough to take in other people’s suggestions, which can be detrimental to designing a new system.
2. Don’t continuously interrupt – Sometimes allowing people to ask questions while someone is introducing a topic is the worst thing to do. You usually get sidetracked by other conversations and never really address the topic under discussion. I found it best to allow someone to say his/her part, and then ask any questions you have afterwards. It gives them time to touch on everything that he/she wants to talk about, and you are able to ask useful questions at the end.
3. Don’t belittle others’ ideas or questions - I’ve been around some people who will smirk or say some sarcastic comment if a person says something that they deem “stupid.” Peer reviews are usually times to brainstorm ideas. Therefore, this is one of the only times that I will agree that no question (or idea) is stupid.
Research Before Starting Any Project
Before starting any project or document, there is something that you must do. RESEARCH! I can’t stress that enough. There have been all kinds of projects that I have been on, and the one mistake that they usually make is not taking the time to research. It’s something that time should be allocated for during the project planning process. By reading the client’s documentation, interviewing them, and analyzing external resources, you will have a better understanding of the issues that your team and you are trying to solve.
1. Research the Client’s Documentation – When a client hires me to write a proposal, the first thing I do is read the RFP or proposal guidelines carefully, and I create a requirements matrix. Tip: Placing a proposal requirements matrix at the front of your proposal, showing that you have covered all the points they listed, creates a good first impression. After doing that, I begin trying to understand the client’s problem. There have been so many times where companies rely only on their past performance and their name. Yes, past performance is important, but you have to also consider that every problem is unique. Even if something you have done in the past covers the majority of what they want, it usually won’t satisfy the problem 100%. Research their reports, system documentation, and anything you can get your hands on.
2. Interview Your Clients – Interviewing is also very important. You can do this for gathering requirements. Understanding what clients do every day, and what they want is key to developing a product or service that will better help them. It’s a great way to also build a rapport with them. Whenever you take the time to speak to clients, you are showing them that you are fully invested in helping them do their jobs better.
The best way to do this is to create open-ended interview questions that you can build on further. A child learns by asking one why question after another. You have to do the same. Don’t be afraid to ask anything you need to know, even if you feel that it’s a dumb question. This is the only time that I will say that there is no such thing as a stupid question.
3. Look at External Resources – I’ve written many responses to government RFPs, so I usually read the reports that the Government Accountability Office (GAO) and the agency’s Inspector General have written. These are reports created after months of analysis, so they are extremely useful. Non-profit organizations looking for grants can find similar reports for their field. Think tanks, research organizations, and many others have probably done some type of research on the problem as well.
My internship as a Research Assistant at a think tank when I got out of college taught me that. In order to create full-depth analysis reports, we had to research for months. It’s one of the reasons that think tanks are considered experts in their field. Definitely learn to do the same.
Photo Detail: Problem and Solution – Magnifying Glass, originally uploaded by iQoncept.