Face it, your security requirements suck. I’ll tell you why. You write down controls verbatim from your catalog of controls (800-53, SoX, PCI, 27001, etc), put it into a contract, and wonder how come when it comes time for security testing, we just aren’t talking the same language. Even worse, you put in the cr*ptastic “Contractor shall be compliant with FISMA and all applicable NIST standards”. Yes, this happens more often than I could ever care to count, and I’ve seen it from both sides.
The problem with quoting back the “requirements” from a catalog of controls is that they’re not really requirements, they’re control objectives–abstract representations of what you need in order to protect your data, IT system, or business. It’s a bit like brain surgery using a hammer and chisel–yes, it might work out for you, but I don’t really feel comfortable doing it or being on the receiving end.
And this is my beef with the way we manage security controls nowadays. They’re not requirements, functionally they’re a high-level needs statement or even a security concept of operations. Security controls need to be tailored into real requirements that are buildable, testable, measurable, and achievable.
Requirements photo by yummiec00kies. There’s a social commentary in there about “Single, slim, and pleasant looking” but even I’m afraid to touch that one. =)
Did you say “Wrecks and Female Pigs’? In the contracting world, we have 2 vehicles that we use primarily for security controls: Statements of Work (SOW) and Engineering Requirements.
Statements of Work follow along the lines of activities performed by people. For instance, “contractor shall perform monthly 100% vulnerability scanning of the $FooProject.”
Engineering Requirements are exactly what you want to have build. For instance, “Prior to displaying the login screen, the application shall display the approved Generic Government Agency warning banner as shown below…”
Let’s have a quick exercise, shall we?
What 800-53 says: The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
How It gets translated into a contract: Since it’s more along the lines of a security functional requirement (ie, it’s a specific functionality not a task we want people to do), we brake it out into multiple requirements:
The $BarApplication shall produce audit records with the following content:
- Event description such as the following:
- Access the $Baz subsystem
- Mounting external hard drive
- Connecting to database
- User entered administrator mode
- Date/time stamp in ‘YYYY-MM-DD HH:MM:SS’ format;
- Hostname where the event occured;
- Process name or program that generated the event;
- Outcome of the event as one of the following: success, warn, or fail; and
- Username and UserID that generated the event.
For a COTS product (ie, Windows 2003 server, Cisco IOS), when it comes to logging, I get what I get, and this means I don’t have a requirement for logging unless I’m designing the engineering requirements for Windows.
What 800-53 says: The The organization configures the information system to provide only essential capabilities and specifically prohibits and/or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited and/or restricted functions, ports, protocols, and/or services].
How It gets translated into a contract: Since it’s more along the lines of a security functional requirement, we brake it out into multiple requirements:
The $Barsystem shall have the software firewall turned on and only the following traffic shall be allowed:
- TCP port 443 to the command server
- UDP port 123 to the time server at this address
If we drop the system into a pre-existing infrastructure, we don’t need firewall rules per-se as part of the requirements, what we do need is a SOW along the following lines:
The system shall use our approved process for firewall change control, see a copy here…
So what’s missing, and how do we fix the sorry state of requirements?
This is the interesting part, and right now I’m not sure if we can, given the state of the industry and the infosec labor shortage: we need security engineers who understand engineering requirements and project management in addition to vulnerability management.
Don’t abandon hope yet, let’s look at some things that can help….
Security requirements are a “best effort” proposition. By this, I mean that we have our requirements and they don’t fit in all cases, so what we do is we throw them out there and if you can’t meet the requirement, we waiver it (live with it, hope for the best) or apply a compensating control (shield it from bad things happening). This is unnerving because what we end up doing is arguing all the time over whether the requirements that were written need to be done or not. This drives the engineers nuts.
It’s a significant amount of work to translate control objectives into requirements. The easiest, fastest way to fix the “controls view” of a project is to scope out things that are provided by infrastructure or by policies and procedures at the enterprise level. Hmmm, sounds like explicitly stating what our shared/common controls are.
You can manage controls by exclusion or inclusion:
- Inclusion: We have a “default null” for controls and we will explicitly say in the requirements what controls you do need. This works for small projects like standing up a pair of webservers in an existing infrastructure.
- Exclusion: We give you the entire catalog of controls and then tell you which ones don’t apply to you. This works best with large projects such as the outsourcing of an entire IT department.
We need a reference implementation per technology. Let’s face it, how many times have I taken the 800-53 controls and broken them down into controls relevant for a desktop OS? At least 5 in the last 3 years. The way you really need to do this is that you have a hardening guide and that is the authoritative set of requirements for that technology. It makes life simple. Not that I’m saying deviate from doctrine and don’t do 800-53 controls and 800-53A test procedures, but that’s the point of having a hardening guide–it’s really just a set of tailored controls specific to a certain technology type. The work has been done for you, quit trying to re-engineer the wheel.
Use a Joint Responsibilities Matrix. Basically this breaks down the catalog of controls into the following columns:
- Control Designator
- Control Title
- Provided by the Government/Infrastructure/Common Control
- Provided by the Contractor/Project Team/Engineer