System Security Primer


IT systems security is an extremely broad field that encompasses almost all aspects of hardware and software, in addition to touching on several areas of operational policy and governance. Many IT systems in a wide range of industries have been developed without consistent and comprehensive security controls, resulting in numerous incidents where sensitive data has been exposed or systems have been compromised. These incidents commonly arise due to a lack of well-defined security requirements and inappropriate security design, and are often the result of insufficient development budget or the use of an ad-hoc process for implementing security within systems.

This paper was written to be a lightweight, easily adoptable primer and checklist to assist an organisation in better understanding security requirements and controls. This is intended to allow development teams to build a minimum level of security into a system without the overhead of incorporating an unwieldy process into the system development lifecycle or forcing large amounts of documentation upon system implementers. It is suitable for smaller organisations and non-critical systems within larger organisations that do not possess a mature process for the development of secure software.

This document is structured as three main sections covering security properties, security requirements and security controls, followed by a number of supplementary sections that provide guidance on security mechanisms and security assurance. In addition, a number of sample documents are included as appendices to illustrate some outputs of the described process. The following figure illustrates how a particular security item progresses through various stages of the system security lifecycle.

While the contents of this paper are applicable to all systems, this primer is not intended to cover these security topics in great depth. Instead, it aims to provide enough detail for an organisation or individual project team to make a sufficiently informed decision about security requirements and relevant security controls. The implementation of business-critical systems should adhere to a proven methodology with input from security specialists throughout the development lifecycle.

Download paper: stratsec - Wong - System Security Primer.pdf