Requirements Flashcards
Data Classification - Impact Analysis NIST FIPS 199
Provides a framework for classifying data based on impacts across the three standard dimensions: confidentiality, integrity, and availability.
Data Classification - Impact Analysis NIST SP 800-18
Provides a framework for classifying data based on impacts across the three standard dimensions: confidentiality, integrity, and availability.
Data Classification - Impact Analysis - First Step
Identify High, Medium, and Low impact data. The rating may be based on impacts to people, customers, or financial loss.
ISO 2700X Series
This series defines the relevant vocabulary, a code of practice, management system implementation guidance, metrics, and risk management principles.
- More than 20 standards in place.
- Is to security what the ISO 900X series is to quality.
- Broad in scope, it is designed to be applicable to all shapes and sizes of organizations.
ISO/IEC 15408 Common Criteria
A framework where security functional and assurance requirements can be specified in precise terms, allowing vendors to implement and/or make claims about the security attributes of their products.
- Target of Evaluation (TOE): the product or system being evaluated.
- Protection Profiles: sets of security requirements for a class of product, such as operating systems or firewalls.
- Evaluation Assurance Levels (EAL): 7 levels.
ISO/IEC 9126: Software Engineering – Product Quality
This four-part standard addresses some of the critical issues that adversely affect the outcome of a software development project.
- Defines six quality characteristics that can be used to measure the quality of software: Functionality, Reliability, Usability, Efficiency, Maintainability, and Portability.
ISO/IEC/IEEE 12207: Systems and Software Engineering – Software Life Cycle Processes
Establishes a set of processes covering the lifecycle of the software. Each process has a defined set of activities, tasks, and outcomes associated with it. It acts to provide a common structure so all parties associated with the software development effort can communicate through a common vocabulary.
ISO/IEC 33001:2015 Information Technology – Process Assessment
Process assessment is also known as SPICE, expanded as Software Process Improvement and Capability Determination.
- Used for process capability determination and process improvement efforts related to software development.
- Six capability levels, 0 to 5.
Federal Information Security Management Act (FISMA)
Federal Information Security Management Act of 2002 (FISMA) is a federal law that requires each federal agency to implement an agency-wide information security program.
NIST developed the Risk Management Framework, detailed in NIST SP 800-39.
Federal Information Processing Standards (FIPS)
Mandatory sets of requirements for federal agencies and specific contractors.
Developed by NIST.
FIPS 140 Series
Security Requirements for Cryptographic Modules
FIPS 186-3
Digital Signature Standard (DSS)
FIPS 190-4
Secure Hash Standard (SHS)
FIPS 197
Advanced Encryption Standard (AES)
FIPS 200
Minimum Security Requirements for Federal Information and Information Systems
SAFECode
SAFECode is dedicated to communicating best practices that have been used successfully by member firms.
- Industry-backed organization.
NIST SP 800-39
Risk Management Framework, presented as a six-step guideline:
1. Categorize Security Systems
2. Select Security Controls
3. Implement Security Controls
4. Assess Security Controls
5. Authorize Information Systems
6. Monitor Security Controls
NIST SP 800-152
A profile for U.S. federal cryptographic key management systems
NIST SP 800-107
Recommendations for applications using approved hash algorithms
NIST SP 800-100
Information Security Handbook: a guide for managers
NIST SP 800-63
Digital Identity Guidelines
NIST SP 800-53
Security and privacy controls for information systems and organizations
NIST SP 800-30
Guide for conducting risk assessments
Sarbanes-Oxley Act of 2002
The information systems used for financial accounting must have some form of security control over integrity so that all may have confidence in the numbers being reported by the system.
- Was a reaction to several major accounting and corporate scandals, costing investors billions and shaking public confidence in the stock markets.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act
Contains elements designed to protect consumers’ personal financial information (PFI).
The three primary rules worth noting are:
1. The Financial Privacy Rule, which governs the collection and disclosure of PFI, including by companies that are nonfinancial in nature.
2. The Safeguards Rule, which applies to financial institutions and covers the design, implementation, and maintenance of safeguards deployed to protect PFI.
3. The Pretexting Protections, which address the use of pretexting (falsely pretending) to obtain PFI.
HIPAA and HITECH
Healthcare Insurance Portability and Accountability Act (HIPAA) deals with personal health information (PHI).
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is part of the American Recovery and Reinvestment Act of 2009 (ARRA) and is designed to enhance privacy provisions of electronic personal health information records.
Payment Card Industry Data Security Standard (PCI DSS)
Details the contractual requirements for members that accept and process bank cards. Includes requirements for security management, policies and procedures, network architecture, software design, and other critical protective measures for all systems associated with the processing and storing of cardholder data.
The Payment Application (PA) DSS standard is a set of requirements used by software vendors to validate that a payment application is compliant with the requirements associated with PCI DSS. When creating applications designed to handle cardholder data, compliance with PA DSS signals that the software is properly designed.
PIN Transaction Security (PTS): the security aspects associated with the card PIN are governed by the PTS standard.
Privacy-Enhancing Technologies
Include small application programs called cookie cutters that are designed to prevent the transfer of cookies between browsers and web servers.
Requirements Traceability Matrix (RTM)
A grid that assists the development team in tracking and managing requirements and implementation details.
Consists of: Requirement ID, Requirement Description, Requirement Source, Test objectives, Validation Methods, Use cases.
Misuse cases can help in several ways:
- They can be used to help document the types of nonfunctional or quality requirements, such as reliability, resiliency, maintainability, testability, and so on.
- Usability is one of the hallmarks of use cases and has a role in misuse cases as well.
- They can examine a system from an attacker’s point of view, whether the attacker is an inside threat or an outside one.
NIST SP 800-60
Data classification: Guide for Mapping Types of Information and Information Systems to Security Categories
ISO 27001
Implementing an information classification system.