Protection Needs Elicitation (PNE) Flashcards
PNE
The determination of security requirements is also known as Protection Needs Elicitation
PNE begins
with the discovery of assets that need to be protected from unauthorized access and users.
IATF
The Information Assurance Technical Framework (IATF) is a set of security guidelines that covers Information Systems Security Engineering (ISSE).
PNE is the first step of IATF to
Engage the customer, Information management modeling, Identify least privilege applications, Conduct threat modeling and analysis, Prioritize based on customer needs, Develop information protection policy, and Seek customer acceptance.
PNE activities
Brainstorming, Surveys (Questionnaires and Interviews), Policy Decomposition, Data Classification, Subject-Object Matrix, Use Case & Misuse Case Modeling.
Brainstorming
the quickest and most unstructured method to glean security requirements.
Brainstorming shortcomings
High likelihood that the brainstormed ideas do not directly relate to the business, technical and security context of the software; can lead either to ignoring certain critical security considerations or to going overboard on a non-trivial security aspect of the software; very subjective.
Surveys (Questionnaires and Interviews)
Surveys are an effective means to collect functional and assurance requirements. The effectiveness of a survey depends on how applicable the questions in the survey are to the audience being surveyed.
Questionnaires cover
business risks, process (or project) risks and technology (or product) risks.
Policy Decomposition
a crucial step in the process of gathering requirements and an appropriate level of attention must be given to this process.
Policy Decomposition process
Internal and external policy documents (e.g. PCI DSS); high-level objectives (e.g. confidentiality); security requirements (e.g. Identity Management); software security requirements (e.g. Input Validation).
high level objectives
CFG – Configuration management; SEG – Segregated environments; SOD – Separation of duties; DAT – Data protection; PRC – Production readiness checking and CRV – Code review.
Types of Data
primarily designated as structured data (e.g. database) or unstructured data (e.g. image, video, email) for the purposes of classification.
Data classification
the conscious effort to assign labels (a level of sensitivity) to information (data) assets, based on potential impact to confidentiality, integrity and availability (CIA), upon disclosure, alteration or destruction.
Data classification objective
to lower the cost of data protection and maximize the return on investment when data is protected.