Are separate security process standards really necessary? Or can revision of existing engineering standards to better reflect security concerns avoid the need for adoption of a separate set of security process standards? This paper provides the business case for adopting changes to a key IEEE process standard that would be the first to integrate security specific activities into the SDLC, suggesting that a viable alternative to security process standards is possible.

"Efforts that do not treat security as an integral part of systems engineering and architecture fail to provide security. It no longer makes any business sense to spend any money, apply any resources and proceed with any Software Development project unless corporate assets and private customer data will be sufficiently secure." --IEEE P1074 Information Security Assurance Team
The linked paper details the findings of the ISA team that resulted in recommendations to update IEEE P1074 Standard for Developing Software Life Cycle Processes with dedicated security guidance. It embodies deep research into information assurance trends and international software process and security standards, concluding that without such guidance the standard would fail to meet contemporary business requirements and the needs of engineering professionals.
The paper demonstrates that the trend toward isolating security as a separate engineering area may not be necessary--or advisable--for the process domain. The root cause of many organizational security problems is a fractured security model that compartmentalizes security responsibility across an enterprise without providing an effective infrastructure for controlling security communications and deliverables end to end, or for coordinating enterprise security efforts across departments. This results in redundant, often conflicting, activities that can undermine security posture and expose organizations to unnecessary cost and risk.
This could be mitigated easily if prevailing process standards were updated to reflect this new priority. The 1074 effort shows that current process standards can be revised with minimal effort, potentially avoiding the need for a separate set of security process standards. This standard will ballot in 2005.
White paper (PDF): Justification for Elevating the Visibility and Priority of Security Activities in the IEEE P1074 standard