1.5 Drafting Security Requirements

Security requirements complete the first step of both NIST’s Risk Management Framework and the simplified PRMF. The requirements describe what we want the security measures to do. The list of requirements is sometimes called the security policy.

We draft the security requirements to address the risks we identified. We then select security measures to implement those requirements. The requirements identify in general what we want for security, while the implemented security controls identify specifically what we get for security. For example, a household’s security requirement might say: “We admit only family, friends, and trusted maintenance people to our house.” The implementation says: “We have a lock ...
