Developing Security Requirements Without Developing an Ulcer

摘要

For over 15 years the author has worked as a consultant in the field of cyber security. Much of that time has involved responding to RFIs, RFQs and RFPs with varying amounts of rigor when it comes to the requirements presented to responding vendors. And in most cases, the requirements have been confusing, inappropriate, or even counterproductive from the perspective of actually accomplishing security. And then, one day, the author had to come up with requirements himself...and it all made sense. He realized why requirements he had seen were typically so far off the mark, and suddenly had insight into the whole situation from end to end. The purpose of this paper is to delineate some of the causes for this and to offer helpful alternative approaches and methods towards the creation of appropriately detailed security requirements, so that those in the audience who have to come up with requirements will understand how they are consumed, and get some insight into the way that requirements are consumed as a source of guidance.