
When to approach security during a requisition

I am on an IT Security Team that has been comprised to assess, develop and implement some requirements to do new business acquisition and regulatory requirements. It has been my experience and professional goal to bring security to the forefront of the business operations, so that it is viewed early in the big scheme of things.

In an effort to get us closer to the core of the business, I have pursued adding security to the Requirements Management Team. Some are of the opinion that security should be in with the Design Team and more specifically, "Security is a requirement that is usually handled at the end of the requirements phase and at the beginning of the design phase. Typically you would not bring security into the picture until after the project has become fairly mature."

I do not subscribe to this mindset. What are your thoughts on this? Am I missing something? What supporting arguments can you share with me?

Your issue is shared with security personnel throughout private and government sectors. Security personnel have long held the understanding that the first step in the life cycle of application/program development or acquisition is defining the security administrative/technical requirements of the system/application. (Specifications are usually defined in the initiation phase of development.) It is far less costly, more efficient and effective to incorporate security functionality in the design phase than to try to back it in. Based on the requirements, the security and audit related functions would be defined. This is further enforced if your organization has C1 to A1, or trusted environment requirements. There is always a chance with delaying security functionality until later stages that functions will not work or other modifications will have to be made to the existing code.

I would like to direct you to the DoD Rainbow series. Even though it is written for the government, many (if not most) of the same guiding principles hold true (follow the C1 specs). These sites may be of particular interest to you, as they are directed to "developers, purchasers, or program managers who must identify and satisfy requirements associated with security-relevant acquisitions:"

Of particular interest will be some NIST publications:

This was last published in July 2001
