This repository has been archived by the owner on May 27, 2024. It is now read-only.
Per Secure SDLC, security & privacy requirements should be determined early in the process. Section 3.1 Mandatory Requirements and Section 3.2 Recommended Requirements of this document describe the Security & Privacy Requirements which must/should be considered.
cgye changed the title from "Security Requirements" to "Security & Privacy Requirements" on Jan 8, 2024
The following are currently executed, in scope, Security & Privacy requirements per Section 3.1 Mandatory Requirements of Secure Software Development Lifecycle:

Security Categorization
- Classify Information
- Establish System Security Control Profile

Auditing
- Configure or use an authoritative time source for the time-stamp of the audit records generated by your solution components.

Networking
- Network boundary protection (e.g. WAF) for external facing interfaces (deny-all or allow-by-exception policy)

The following are new, where the scope is up for discussion, Security & Privacy requirements per Section 3.1 Mandatory Requirements of Secure Software Development Lifecycle:

System Concept
- Business Requirements
- Identify all user and service management roles
- Describe all operational scenarios

Identity and Access Management
- Uniquely identify and authenticate users (no anonymous access)
- Multi-factor authentication for privileged accounts
- Process for managing access privileges (Principle of Least Privilege)
- Encryption of data in transit (Guidance on securely configuring network protocols ITSP.40.062)
- Encryption of data at rest (Cryptographic algorithms for UNCLASSIFIED, PROTECTED A, and PROTECTED B Information - ITSP.40.111)
- Secret management procedures

Auditing
- Identify the events within the solution that must be audited
- Implement an audit process for the auditable events identified. At a minimum, the business owner or an auditor should audit actions against user accounts according to SPIN 2017‑01.
- Protect audit information by controlling access to the audit log tools.

Service Continuity
- Backup-and-restore process for GC data
- Fail-over and availability (e.g. for MM)

Configuration Management
- Define and document baseline configuration, which represents the most restrictive (secure) mode of operation
- Implement a process to keep baseline configuration up to date as changes are implemented

Security Operations
- Periodic Penetration Testing
Identify non-functional Security & Privacy Requirements which are required for compliance with: