Security Policy Production

Definition

Security policy production is the security engineering task during which a security policy and privacy statement are produced.

Objectives

The typical objectives of the security policy production task are:

• Produce the security policy for an endeavor or work product.
• Produce the privacy statement for an application.

Preconditions

The security policy production task typically may begin when the following preconditions hold:

• The security team is adequately staffed and trained in security policy production.
• The security risk assessment task is started.

Completion Criteria

The security policy production task is typically complete when the following postconditions hold:

• The security policy is complete and approved.
• The privacy statement is complete and approved.

Steps

The security policy production task typically involves performing the following steps in an iterative, incremental, parallel, and time-boxed manner:

• Policy Determination:
  • Read and understand the security needs assessment.
  • Obtain, read, and understand examples of relevant reusable security policies.
  • Determine the endeavor-specific:
    • Importance of Security.
    • Security Goals.
    • Security Principles.
    • Security Policies for:
      • Identification
      • Authentication.
      • Authorization.
      • Integrity.
      • Intrusion Detection.
      • Nonrepudiation.
      • Privacy.
      • Security Auditing.
      • Survivability.
      • Physical Protection.
      • System Maintenance.
    • Security Responsibilities for:
      • Implemention.
      • Evaluation.
      • Compliance.
      • Communication and Training.
      • Monitoring and Enforcement.
  • Determine the Applicable Regulations, Laws, Certifications and Standards
• Policy Documentation:
  • Locate, obtain, and read the appropriate conventions:
    • Content and Format Standard.
    • Inspection Checklist.
    • Documentation Template.
  • Use the template to create a blank specification or document.
  • Fill in the front matter.
  • Fill in the introduction section.
  • Enter the major policy content into the appropriate sections.
  • Fill in the appendices including all major issues, TBDs, and assumptions.
  • Generate the associated table of contents and table of figures.
  • Informally evaluate the policy against its:
    • Content and format standards.
    • Inspection checklists.
  • Iterate the policy as necessary.
  • Notify the security inspection team that [cohesive parts of] of the policyare ready for inspection.
  • Maintain the policy.

Techniques

The security policy production task is typically performed using the following techniques:

• Documentation content and format standards
• Document templates
• Document inspection checklists

Work Products

The security policy production task typically results in the production of the following work products:

• Privacy Statement
• Security Policy

Guidelines

• The security policy should not redundantly repeat the security requirements specified in the system requirements specification.
• The security policy should not redundantly repeat the security mechanisms documented in system architecture document.