Security Product Evaluations
The growing use of commercial software products in large systems makes evaluating and selecting
appropriate products increasingly essential. However, many organisations struggle in their attempts
to choose suitable software products for use in designs. This security products evaluation page
describes the background fundamentals for that evaluation process and steps and techniques to follow.
Once a security vendor has demonstrated that they and their product(s) can meet recognised industry standards, Cyberteam Security can provide you with assistance on how their products can be implemented. There is often a trade-off between ease of use, functionality and maintenance on the one side and robustness of security on the other.
When selecting the aspects of the security feature set that will be implemented in any given scenario, the following should be considered:
- The nature of the system - is the system considered service critical.
- The data within the system - how sensitive is the data and the consequences of data loss or misuse.
- The visibility of the system - does the customer have direct interaction with the system, or is it embedded in a process?
- The desire for consistency and repeatability in service configurations - fewer differing configurations make for a more efficient support model.
The Fundamental Change Necessary
If you try to follow the traditional custom development approach when you implement a security-based system, you are likely to encounter the following scenario:
- You define your requirements (taking into account your system context).
- You or your contractor defines an architecture and design to satisfy the specified requirements.
- You or your contractor explores the marketplace to find products that provide the functionality needed and fit within the defined architecture.
- You find no appropriate security products.
The fundamental change necessary with a security-based systems approach is the simultaneous
exploration of the system context, potential architectures and designs, and available products
in the marketplace:
- System context - represents requirements (functional and nonfunctional), end-user processes, business drivers, the operational environment, constraints, policy, cost, and schedule.
- Architecture and design - represent the software and system architecture and design.
- Marketplace - means available and emerging security technology and products, non-developmental items (NDI), and relevant standards.
A security-based approach requires a carefully reasoned selection of alternatives from among the various options and tradeoffs. Engineering activities must support this concept, and its effects permeate everything you do. As a result, the acquisition strategy, contractual activities, and business activities must help this approach.
The conceptual security-based approach developed by the SEI is iterative. Typically you go through the process several times, gathering more information and eliminating or adding alternatives each time until a viable solution remains.
The five steps in the security product evaluation process are as follows:
- Assess and plan - This step includes developing effort estimations, setting goals, identifying stakeholders, and other typical planning activities. At the end of each iteration, accomplishments are assessed to set the plans for the next iteration.
- Gather information - This step includes defining requirements, learning about security products, and understanding design constraints and risks.
- Analyse - This step includes considering the entire body of knowledge that has been gathered about the products and the system, noting emerging compatibilities and identifying conflicts.
- Negotiate - This step includes reaching an accepted understanding among the various parties involved by resolving divergent expectations and points of contention.
- Construct - This step includes implementing the selected solution for the current iteration. This can be any sort of model, partial implementation, or implementation subject to further analysis.
This process is highly iterative. Expect to make multiple passes before defining the system to be
delivered and even after system delivery. Security product evaluation plays an essential role in
several steps, most obviously the “gather information” step. However, evaluation is often necessary
during the “Analyse” step to support understanding alternatives and during the “negotiate” step to
respond to stakeholders' concerns regarding the options.
The overall process and security product evaluation continues for the entire system life cycle. A good assessment is necessary but not sufficient for security-based systems success!
Security Product Evaluations information shown above is mostly generic and based on best-practice, therefore to get a better understanding on what we can do for your business, all we ask is that you contact us to discuss your Security Product Evaluations needs, to help you to choose the right hardware and software for your business.Click here to contact us