Definitions

Placeholder  for description of Foundations/Definitions

IT Architecture

Before we head off into definitions and categorization, lets just ask the question of all questions..."Why does anyone need an IT Architecture?"

 

IT Risk

Rarely one can find a risk related discussion that is specific to IT risks and that reaches beyond IT Security. This is rather surprising given that most business processes today rely heavily on IT and that risk management is a hot topic in corporate governance as well as a major source of business for compliance consultants.

IT Security

Security provided by IT Systems can be defined as the IT system’s ability to being able to protect confidentiality and integrity of processed data. as well as to be able to provide availability of system (and subsequently the processed of data). Together they are referred to as the CIA characteristics (= qualities).

IT Security Architecture

This article derives a definition for IT Security Architecture by combining the suggestions from the previous articles.

Security Patterns

In this article we discuss how the evolution of design patterns has shaped the prevalent understanding of security patterns. We then analyse that particularly in the area of security the best practices are also manifested in other ways than only design patterns (e.g. Standard of Good Practice, Security Principles, and Control Catalogues). Finally we conclude that combining the idea of a structured controls catalogue and design patterns (as proposed by OSA) is particularly appealing and helps both the designer as well as the quality assuror and auditor.

IT Security Requirements

IT Security Requirements describe functional and non-functional requirements that need to be satisfied in order to achieve the security attributes of an IT system.

Glossary

Definitions of common terms used in OSA and Security Architecture generally.

Definition:

IT Security Requirements describe functional and non-functional requirements that need to be satisfied in order to achieve the security attributes of an IT system.

Type of security requirements:

Security requirements can be formulated on different abstraction levels. At the highest abstraction level they basically just reflect security objectives. An example of a security objectives could be "The system must maintain the confidentially of all data that is classified as confidential".

More useful for a SW architect or a system designer are however security requirements that describe more concretely what must be done to assure the security of a system and its data. OSA suggests to distinguish 4 different security requirement types:

  • Secure Functional Requirements, this is a security related description that is integrated into each functional requirement. Typically this also says what shall not happen. This requirement artifact can for example be derived from misuse cases
  • Functional Security Requirements, these are security services that needs to be achieved by the system under inspection. Examples could be authentication, authorization, backup, server-clustering, etc. This requirement artifact can be derived from best practices, policies, and regulations.
  • Non-Functional Security Requirements, these are security related architectural requirements, like "robusteness" or "minimal performance and scalability". This requirement type is typically derived from architectural principals and good practice standards.
  • Secure Development Requirements, these requirements describe required activities during system development which assure that the outcome is not subject to vulnerabilities. Examples could be "data classification", "coding guidelines" or "test methodology". These requirements are derived from corresponding best practice frameworks like "CLASP".

Taxonomy

References

  • A good overview on the topic of security requirements can be found in the State of the Art Report (SOAR) on Software Security Assurance.
  • In the 2008 Jan/Feb special issue on security of the IEEE Software magazine, the authors present their analysis of current IT security requirements literature.
  • The most comprehensive framework on IT security requirements is currently the SQUARE method presented by the SEI of Carnegie Mellon University.

More Articles ...