I'm checking our contracts for security requirements, and find something like
"implement logical access controls to prevent unauthorized access"
"keep operating systems on all electronic devices updated"
"run malware detection software on your systems"
Are these examples too vague to be added to the register of requirements?
To decide whether a requirement is too vague or not, you can use the following criteria: (1) does the requirement define the action to be performed? (2) does the requirement define on which assets the action is to be performed? and (3) does the requirement define the objectives to be achieved?
Considering that:
The requirement to "implement logical access controls to prevent unauthorized access" does not define on which assets the action needs to be performed. Examples of assets to be considered: servers, networks, user devices, all assets, etc. This is important because, depending on the assets, different actions may need to be taken.
The requirement "keep operating systems on all electronic devices updated" does not define which objectives need to be achieved. Examples of objectives: to prevent application errors, to prevent vulnerabilities from being exploited, etc. This is important because, depending on the objective, some updates may or may not be recommended (e.g., an update for an application you do not use).
The requirement to "run malware detection software on your systems" does not define which objective needs to be achieved. Examples of objectives: protection against the most common attacks, or protection against unknown or smart threats (i.e., those that use advanced evasion strategies). This is important because it will help define the antimalware type to be used (e.g., signature-based malware detection, behavior-based malware detection, sandboxing, etc.).
The best approach here is to ask the person who will be responsible for complying with the requirement (e.g., the head of the IT department or a system administrator) so they can evaluate whether the requirement is clearly understood.
Aug 30, 2023