Developing Security Requirements


Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
>> Now we're going to talk about developing security requirements. Someone who works in IT, or security, or a related area and cares about security, you might be asking yourself one question. Wait a second, we've done our business impact analysis, why are we now talking about doing security requirements?

>> We'll get to that in a moment. In this lesson, we're going to talk about the process of identifying security requirements, the reference material that will really be most useful for figuring out what the security requirements are, and then also talking about different [inaudible] of ways of thinking about security requirements based on the Cloud services model that your organization is using.

The items on the left here: business requirements, business impact analysis, frameworks, regulations. Those are really all of the materials that are going to be useful for determining the security requirements for your organization.

Now we talked about business requirements, what the organization is really trying to do in the Cloud, and what services, applications, data, you name it, is required. That's really going to help you determine how you can apply many of the concepts we've talked about, especially that CIA framework. How can confidentiality, integrity, and availability be enforced and maintained given the business requirements, what's being done?

Then we can leverage our business impact analysis to identify what are the most critical assets, what really needs the greatest amount of protection because it has the greatest business value, and how to really prioritize any security efforts and requirements around the assets that are most important to the organization.

Frameworks. We talked about how different security frameworks can really take a lot of the thinking, in a good way, out of figuring out what controls are really appropriate.

>> Many organizations have figured out the high-level control areas that really deserve our focus when we're talking about the Cloud, especially when it comes to things such as encryption, access, data classification, labeling, redundancy, backups. These areas, they're a little different in the Cloud compared to on-premises. Many of these frameworks really are an excellent guide to help organizations concentrate their efforts and implement effective controls.

Regulations. If you're in a regulated industry, what unique controls apply to you and your business case that really should be baked into your security requirements?

Then another thing to consider is that the way organizations use the Cloud may differ based on the business case and what services they're really utilizing. I love this shared services model because it helps you at a high level. When you think about requirements, look at each of the responsibilities that fall to the organization. Anything in blue is what you're responsible for. If you're a security professional working for an organization that is utilizing Cloud services, it helps you prioritize. We're using infrastructure as a service: we really need to focus on a broader set of security requirements to make sure that we're operating in the Cloud safely. This is a SaaS solution: there's really only a smaller set of security controls and concerns that requirements will be derived from. But this shared security and responsibility model is an excellent high-level guide to focus your thinking on what are the key security requirements for my organization.

Let's reflect a little bit. How does your organization identify security requirements? We talked about many different artifacts, as well as looking at the shared security responsibility model based on services to help you really get a jump-start and focus your thinking on what are the most important things to figure out from a security requirements perspective. Then we also want to think about how the different security responsibilities we have discussed can be used to proactively identify security requirements. That shared responsibility model example again helps you see from a high level, where do we as an organization have the greatest responsibility for security given the service model that we're using? Then also, we want to consider those other items: what is the business impact analysis, what are the most important assets? Then what regulations may apply to us in our industry that we also need to consider when developing our requirements?

Well, I hope you feel a lot more confident in your ability to create and come up with the most important requirements in terms of security. In summary, we talked about the importance of security requirements. We talked about the ways of identifying security requirements based on those different assets, and the business impact analysis, and the requirements frameworks, regulations. Then we also talked about how the security requirements can be different by service model and how thinking about those different shared security responsibilities can help us really create a shortcut for identifying the most important security requirements for the organization. I hope you've found this useful. I'll see you in the next lesson.