Protection Needs Elicitation (PNE) Flashcards
PNE
The determination of security requirements is also known as Protection Needs Elicitation (PNE).
PNE begins
with the discovery of the assets that need to be protected from unauthorized access and unauthorized users.
IATF
The Information Assurance Technical Framework (IATF) is a set of security guidelines that covers Information Systems Security Engineering (ISSE).
PNE is the first step of the IATF and consists of the following activities
Engage the customer; Information management modeling; Identify least privilege applications; Conduct threat modeling and analysis; Prioritize based on customer needs; Develop information protection policy; Seek customer acceptance.
PNE activities
Brainstorming, Surveys (Questionnaires and Interviews), Policy Decomposition, Data Classification, Subject-Object Matrix, Use Case & Misuse Case Modeling.
Brainstorming
The quickest and most unstructured method to glean security requirements.
Brainstorming shortcomings
A high degree of likelihood that the brainstormed ideas don’t directly relate to the business, technical and security context of the software; can lead either to ignoring certain critical security considerations or to going overboard on a non-trivial security aspect of the software; very subjective.
Surveys (Questionnaires and Interviews)
Surveys are an effective means to collect functional and assurance requirements. The effectiveness of a survey depends on how applicable the questions in the survey are to the audience being surveyed.
Questionnaires cover
business risks, process (or project) risks and technology (or product) risks.
Policy Decomposition
A crucial step in the process of gathering requirements; an appropriate level of attention must be given to this process.
Policy Decomposition process
Policy documents, internal and external (e.g. PCI DSS); high-level objectives (e.g. confidentiality); security requirements (e.g. Identity Management); software security requirements (e.g. Input Validation).
High-level objectives (examples)
CFG – Configuration management; SEG – Segregated environments; SOD – Separation of duties; DAT – Data protection; PRC – Production readiness checking; CRV – Code review.
Types of Data
For the purposes of classification, data is primarily designated as either structured data (e.g. a database) or unstructured data (e.g. images, video, email).
Data classification
The conscious effort to assign labels (a level of sensitivity) to information (data) assets, based on the potential impact to confidentiality, integrity and availability (CIA) upon disclosure, alteration or destruction.
Data classification objective
To lower the cost of data protection and maximize the return on investment when data is protected.
NIST SP800-18
Guide for Developing Security Plans for Federal Information Systems. It provides a framework for classifying information assets based on impact to the CIA.
Business owner / Data owner
Makes the decision to classify data, decides who has access and at what level of access, etc.
Business/data owner responsibility
Ensure assets are appropriately classified; validate that security controls are implemented as needed by reviewing the classification periodically; define the authorized list of users and access criteria based on information classification; ensure appropriate backup and recovery mechanisms are in place; delegate as needed the classification responsibility, access approval authority, and backup and recovery duties to a data custodian.
Data custodian responsibility
Perform the information classification exercise; Perform backups and recovery as specified by the data owner; Ensure records retention is in place according to regulatory requirements or organizational retention policy.
DLM
Data Lifecycle Management - a policy-based approach, involving procedures and practices, to protect data throughout the information life cycle: from the time it is created to the time it is disposed of or deleted.
First component of DLM
Data classification; once data is organized into appropriate categories (or tiers), appropriate controls can be applied to protect the confidentiality, integrity and availability of the data.
Secure memory management
Prevents disclosure of data while the data is being processed.
Cryptographic protection
Encryption and hashing, in conjunction with end-to-end secure communication protocols operating at the transport layer (e.g. SSL/TLS) or the network layer (e.g. IPSec), protect data when it is transmitted.
DLP
Data Leakage Prevention technologies come in handy to protect against unauthorized disclosures when data is transmitted.