Expert Advice Community

How vague is too vague for the register of requirements?

Created:   Aug 25, 2023 Last commented:   Aug 30, 2023

I'm checking our contracts for security requirements and find things like:
"implement logical access controls to prevent unauthorized access"
"keep operating systems on all electronic devices updated"
"run malware detection software on your systems"

Are these examples too vague to be added to the register of requirements?


Expert
Rhand Leal Aug 30, 2023

To decide whether a requirement is too vague or not, you can use the following criteria: (1) Does the requirement define the action to be performed? (2) Does the requirement define on which assets the action is to be performed? (3) Does the requirement define the objectives to be achieved?

Considering that:

The requirement to "implement logical access controls to prevent unauthorized access" does not define over which assets the action needs to be performed. Examples of assets to be considered: servers, networks, user devices, all assets, etc. This is important because, depending on the assets, different actions may need to be taken.

The requirement "keep operating systems on all electronic devices updated" does not define which objectives need to be achieved. Examples of objectives: to prevent application errors, to prevent vulnerabilities from being exploited, etc. This is important because, depending on the objective, some updates may or may not be recommended (e.g., an update for an application you do not use).

The requirement to "run malware detection software on your systems" does not define which objective needs to be achieved. Examples of objectives: protection against the most common attacks, or protection against unknown or smart threats (i.e., those that use advanced evasion strategies). This is important because it will help define the anti-malware type to be used (e.g., signature-based malware detection, behavior-based malware detection, sandboxing, etc.).

The best approach here is to ask the person who will be responsible for complying with the requirement (e.g., the head of the IT department or a system administrator), so they can evaluate whether the requirement is clearly understood.
