When to approach security during a requisition
I am on an IT Security Team that has been comprised to assess, develop and implement some requirements to do new business acquisition and regulatory requirements. It has been my experience and professional goal to bring security to the forefront of the business operations, so that it is viewed early in the big scheme of things.
In an effort to get us closer to the core of the business, I have pursued adding security to the Requirements Management Team. Some are of the opinion that security should be in with the Design Team and more specifically, "Security is a requirement that is usually handled at the end of the requirements phase and at the beginning of the design phase. Typically you would not bring security into the picture until after the project has become fairly mature."
I do not subscribe to this mindset. What are your thoughts on this? Am I missing something? What supporting arguments can you share with me?
Your issue is shared with security personnel throughout private and government sectors. Security personnel have long held the understanding that the first step in the life cycle of application/program development or acquisition is defining the security administrative/technical requirements of the system/application. (Specifications are usually defined in the initiation phase of development.) It is far less costly, more efficient and effective to incorporate security functionality in the design phase than to try to back it. Based on the requirements, the security and audit-related functions would be defined. This is further enforced if your organization has C1 to A1, or trusted environment requirements. There is always a chance with delaying security functionality until later stages that functions will not work or other modifications will have to be made to the existing code.
I would like to direct you to the DoD Rainbow series. Even though it is written for the government, many (if not most) of the same guiding principles hold true (follow the C1 specs). These sites may be of particular interest to you, as they are directed to "developers, purchasers, or program managers who must identify and satisfy requirements associated with security-relevant acquisitions:"
Of particular interest will be some NIST publications:
This was first published in July 2001