How to use the risk management framework for traceability of requirements and threats

Cybersecurity and Information Security (InfoSec) activities are implemented to protect data, information, systems and users. Skilled security, program and system stakeholders work together to ensure that business objectives are met while minimizing the risk of threats that could lead to loss of data or loss of control over a system. That loss could result from theft, natural disasters, computer or server outages, unauthorized or risky operation, or other threats. Program management and security approaches are combined to maximize business functions and capabilities while protecting the organization. These approaches include Requirements Management, Risk Management, Threat and Vulnerability Scanning, Continuous Monitoring, and System and Information Backups. All of them require considerable experience to get the most out of them and to avoid problems that a seasoned team would have seen coming.

Program managers, as representatives of their companies and customers, demand timely delivery of quality products and services to operations. Significant experience maximizes product quality and performance while minimizing risk. Experience also supports oversight, open collaboration and decision-making, which in turn drive innovation, reliability, sustainability and the coordination of assets and resources.

An important point of program management today is that each entity collects, processes and stores a great deal of confidential information and shares it with other computers over various private and public networks. This concern is compounded by the rapid pace of change in technology, software and standards that industry must keep up with. It is essential that this information is carefully managed and protected to avoid widespread, irreparable financial losses for both the company and its customers, not to mention damage to the company's reputation. Protecting data and information is an ethical and legal requirement for any project, and it requires proactive commitment to be effective.

Multiple cybersecurity tools and techniques are used to manage risk effectively in system development and operations. Out of necessity, management, engineering and cybersecurity activities must work proactively within the implementation of requirements to maximize system functions and capabilities while minimizing risk. Make no mistake; the threats to our companies, systems and users are real. Just as requirements are documented, security controls must be documented and designed to mitigate the known risks to our systems.

Requirements and threats are documented in much the same way, so as to ensure traceability and repeatability. Proactive management is required to implement, run, monitor, test, verify and validate that the requirements have been met and that applicable threats have been mitigated. The difference in how they are managed is that requirements ultimately have to be met, whereas threats are managed and mitigated according to the likelihood and severity of their impact on our users, businesses and systems; a low-likelihood, low-impact threat may be accepted, while a requirement cannot be. Risks are documented to demonstrate that they have been managed and mitigated. Documenting these requirements and threats and their supporting details is key to the proactive and repeatable effort that is required. We believe the best approach is to keep this management as simple as possible while still detailed enough to plan, execute and audit the program or company.

Risk management framework (RMF) processes are applied to the security controls drawn from cybersecurity and information security standards. These RMF activities are well documented and overlap with best management and engineering practices. Often you will find that the recommended activities of the RMF are activities that you should already be doing with considerable skill. Traceability of these program and security activities requires the ability to verify the history and status of each security control, regardless of whether the system is in development or in operation. The documentation is necessarily detailed. Traceability means being able to link each requirement to the safeguards that satisfy it, and each safeguard to the strategies, policies, plans, processes, procedures, audits and other records needed for repeatable life-cycle development and repeatable operational assurance.

Experience in program management and risk management is of primary importance for managing requirements and risks. A great and fundamental tool for experienced practitioners is the Requirements Traceability Matrix (RTM) together with the Security Control Traceability Matrix (SCTM). The RTM and SCTM are direct in purpose and scope, which facilitates traceability and repeatability for the program. The columns of an RTM and an SCTM can be very similar and are adaptable to the needs of the program and the customer. Whether kept as separate documents or combined into one, an RTM or SCTM commonly records:

1) a unique RTM or SCTM identification number for each requirement and security control,

2) the ID numbers of the associated requirements, controls or other tracking items it traces to,

3) a detailed, word-for-word description of the requirement or safeguard,

4) technical assumptions or customer needs linked to the functional requirement,

5) the current status of the functional requirement or security control,

6) a description of the function in the accompanying architecture / design document,

7) a description of the functional technical specification,

8) a description of the functional system component(s),

9) a description of the functional software module(s),

10) the test case number linked to the functional requirement,

11) the test status and implementation solution for the functional requirement,

12) a description of the functional verification document, and

13) a column for comments that can help with traceability.
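To show what the RTM/SCTM columns above buy you in practice, here is an added example (not code from the original article or its author) of a small checker that reads a combined matrix and reports the gaps an auditor would ask about. The matrix, IDs, components and test case numbers are all constructed and hypothetical; the column names follow the list above but are this example's own choice. It treats the two kinds of item differently, as the article describes: every requirement must be met, so any unverified requirement is a defect, while open controls are ranked by the likelihood and impact of the threat they mitigate.

```python
import csv
import io
from collections import defaultdict

# Constructed sample matrix with hypothetical IDs (not data from the article).
# Requirements and controls share one sheet. "refs" lists the IDs an item
# traces to, ';'-separated, and traceability must hold in both directions.
# likelihood and impact (1-5) are recorded for controls only.
MATRIX_CSV = """\
id,type,refs,description,component,test_case,test_status,status,likelihood,impact
REQ-001,requirement,SC-001;SC-002,Users must authenticate before accessing records,auth-service,TC-101,pass,implemented,,
REQ-002,requirement,SC-003,Audit log entries must be retained for 90 days,log-service,TC-102,fail,implemented,,
REQ-003,requirement,,Reports export to CSV,report-service,,,planned,,
SC-001,control,REQ-001,Enforce MFA for interactive logins,auth-service,TC-101,pass,implemented,3,5
SC-002,control,REQ-001,Lock account after 5 failed logins,auth-service,TC-103,pass,implemented,2,4
SC-003,control,REQ-002,Ship audit logs to write-once storage,log-service,TC-102,fail,implemented,3,4
SC-004,control,,Encrypt backups at rest,backup-service,,,planned,2,5
SC-005,control,REQ-003;REQ-009,Strip formulas from CSV exports,report-service,,,planned,1,3
"""


def load_matrix(text):
    """Parse the CSV into {id: row}; the refs column becomes a list of IDs."""
    matrix = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["refs"] = [r for r in row["refs"].split(";") if r]
        matrix[row["id"]] = row
    return matrix


def trace_gaps(matrix):
    """Return the traceability defects, keyed by kind, in sheet order."""
    gaps = defaultdict(list)
    for item_id, row in matrix.items():
        linked_types = set()
        for ref in row["refs"]:
            target = matrix.get(ref)
            if target is None:
                gaps["dangling_ref"].append((item_id, ref))  # points at nothing
                continue
            linked_types.add(target["type"])
            if item_id not in target["refs"]:
                gaps["one_way_link"].append((item_id, ref))  # no backward trace
        if row["type"] == "requirement" and "control" not in linked_types:
            gaps["requirement_without_control"].append(item_id)
        if row["type"] == "control" and "requirement" not in linked_types:
            gaps["control_without_requirement"].append(item_id)
        if not row["test_case"]:
            gaps["no_test_case"].append(item_id)
        elif row["test_status"] != "pass":
            gaps["test_not_passing"].append(item_id)
    return dict(gaps)


def coverage(matrix, item_type):
    """(verified, total) for 'requirement' or 'control'; verified = passing test case."""
    items = [r for r in matrix.values() if r["type"] == item_type]
    verified = [r for r in items if r["test_case"] and r["test_status"] == "pass"]
    return len(verified), len(items)


def unmet_requirements(matrix):
    """Requirements are not negotiable: anything not verified is a defect."""
    return [i for i, r in matrix.items()
            if r["type"] == "requirement" and r["test_status"] != "pass"]


def open_controls_by_risk(matrix):
    """Open controls ranked by the risk they mitigate (likelihood x impact, highest first)."""
    open_ctrls = [r for r in matrix.values()
                  if r["type"] == "control" and r["test_status"] != "pass"]
    ranked = sorted(open_ctrls,
                    key=lambda r: -(int(r["likelihood"]) * int(r["impact"])))
    return [(r["id"], int(r["likelihood"]) * int(r["impact"])) for r in ranked]


if __name__ == "__main__":
    m = load_matrix(MATRIX_CSV)
    for kind, items in trace_gaps(m).items():
        print(f"{kind}: {items}")
    print("requirement coverage:", coverage(m, "requirement"))
    print("control coverage:", coverage(m, "control"))
    print("unmet requirements:", unmet_requirements(m))
    print("open controls by risk:", open_controls_by_risk(m))
```

On the constructed data the checker finds a control that references a requirement ID that does not exist, a control whose requirement does not reference it back, a requirement with no control and a control with no requirement, items with no test case, and items whose test is failing. The bidirectional check is the one most often skipped in hand-maintained spreadsheets, and it is exactly what an assessor will probe: a control that is not claimed by any requirement has no business justification, and a requirement with no control has no mitigation.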

While the content of the RTM and SCTM is flexible, the need for such tools is not. Given the complexity of today's systems and the number of threats they must be protected from, experienced managers, engineers, users and other professionals will insist on the traceability that quality, secure systems require.



Source by James E Fogarty