Page 105 - CISSO_Prep_ Guide
Requirements
Many information technology projects fail to deliver what the
business really needed or expected. Instead, they provide a
product not correctly aligned with business requirements, and that
may be difficult for the users to use. This also happens with
security projects that should have strengthened the organization,
making it more resilient, more responsive, or more robust.
When we examine the reason that so many projects fail, we hear
a common theme - "the requirements were incorrect," or "the
requirements changed."
Of course, the requirements changed! A business faces two
problems when it comes to needs: first of all, they do not really
know how to describe their needs. Secondly, by the time the
project is finished, the business has evolved into a new
operational world!
Therefore, we must understand the business. We need to see
security from the perspective of the company and examine their
processes and their requirements. Once we know the
organization, only then are we able to develop a security solution
that is ideal for the company. The key to remember is that security
is dependent on the company, not the other way around.
Gathering the security requirements is often as much about
education as it is listening. The sources of our needs - the people
in the business - usually do not know what security really is or
what we are trying to do. Their perception may be that security is
to implement strong passwords - they do not consider, perhaps,
the needs for availability, error handling, redundancy, access
controls, and resistance to attacks. The business, as we would
expect, will usually describe their requirements from the
perspective of how the process should work, and how to handle