Talk:Industry:Project Review/NIST SP 800-37r1 FPD Appendix G

APPENDIX G

CONTINUOUS MONITORING

MANAGING AND TRACKING THE SECURITY STATE OF INFORMATION SYSTEMS

G.1 MONITORING STRATEGY
Section 2.2 SYSTEM DEVELOPMENT LIFE CYCLE states "Security requirements are a subset of the overall functional requirements levied on an information system and therefore, whenever possible, are incorporated into the system development life cycle at the earliest opportunity. Without the early infusion of security requirements, significant expense may be incurred by the organization later in the life cycle to address security considerations that could have been included in the initial design. This may also result in less than effective information security solutions."

Yet, this section of the draft appears to see security requirements as separate from functional requirements. A "build security in" philosophy would include security requirements in the analysis, design, and testing stages of the SDLC. Therefore, security requirements should be articulated in the requirements analysis stage(s), mapped to the features intended to implement them, and incorporated into the regression testing performed when any (and all) changes are verified and validated. Walter Houser 20:08, 19 December 2009 (UTC)