6.4 Refine Security Requirements for Critical Assets
This activity can be difficult for many analysis teams because it requires defining security requirements for each critical asset from the organizational perspective. As you review security requirements from earlier workshops, you will start to see conflicts and gaps in the data.
For example, senior managers may have selected confidentiality as the most important security requirement, while staff members valued availability most. Your task is to view the information from the perspective of the organization and resolve the differences in the data. You must consider trade-offs in selecting one security requirement over another. Which aspect of security would you sacrifice to protect another? Is easy availability of data more important than preserving confidentiality? These are the types of issues that you must resolve during this activity.
Step 1: Describe the Security Requirements for Each Critical Asset
Consider the following questions when refining or describing security requirements for each critical asset:
As you think about the questions, review the security requirements and areas of concern that were recorded for that asset during processes 1 to 3. Remember that if the critical asset was not identified as important during the earlier processes, you will have neither areas of concern nor security requirements information for it. In that case, you will have to create security requirements without the benefit of this additional information. Discuss the questions among yourselves. When you reach a decision about the security requirements for a critical asset, make sure that you record this information.
The analysis team at MedSite reviewed the security requirements and areas of concern for PIDS that were identified by earlier workshop participants (see Figures 6-6 and 6-7). The team then used its collective judgment and experience to create a refined list of security requirements. You can see the results in the right column of Figure 6-10.
Once you have refined (or in some cases, created) the security requirements for each critical asset, you need to determine which requirement is most important.
Step 2: Prioritize Security Requirements for Each Critical Asset
Consider any conflicts among the security requirements. As you do this, discuss the trade-offs among the requirements. Is confidentiality more important than availability? How important is integrity relative to the other requirements? This trade-off can be difficult. You need to avoid taking the easy way out and declaring that all requirements are equally important. When you get to mitigation in phase 3, you may find that you need to make a choice between mitigation strategies or actions based on the relative priorities of security requirements. Will you need to sacrifice some confidentiality for availability? When you reach a decision about the most important security requirement for a critical asset, make sure that you record this information.
The analysis team from MedSite discussed the trade-offs among the requirements. They decided that availability was the most important requirement and then documented this decision by placing an X in the middle column of the table in Figure 6-10. You could also put all of the security requirements in priority order.
If you look at the security requirements for PIDS created by the operational area managers during process 2, you will see that they selected all requirements as being equally important (see Figure 6-6). Although the facilitator captured the wishes of the managers during that workshop, the analysis team members understood that they needed to evaluate the trade-offs and make a decision during this step. They selected availability as the top requirement for PIDS because the primary mission of MedSite is to treat its patients.
Now you understand what assets are most critical to your organization, and you have examined what aspects of those assets are important. It is time to examine what threatens your critical assets.