Requirements analysis

  • Perform an initial security risk assessment: While working with your business and IT stakeholders, the information security professional should be able to gather enough information to build an initial security risk assessment that better informs the project. This is also an excellent time to perform data categorization, which was discussed in the risk management chapter.
  • Ensure that security requirements are testable: It is important that you develop testable information security requirements as part of the overall project requirements for the information system. Simply put, if you develop a requirement that you cannot test, you have most likely developed a bad requirement. In the following example, the first requirement for logging is vague: if you implement logging but have no ability to log specific events, you will not be able to properly secure the information system. The second example is much better, because it names specific, testable elements that can be used to build the information system's logging capability:
    • Bad requirement example: The information system must implement logging.
    • Good requirement example: The information system must audit events related to the successful login and logout of privileged users.
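The point of the second requirement is that it can be turned into an automated check. The following Python example, added here and not from the original text, does that: it parses a small audit log and verifies that every successful privileged login is recorded with the fields needed to test the requirement and has a matching logout. The newline-delimited JSON record format, the field names, and the role names are assumptions made for this example; the two sample logs are constructed.

```python
"""Turning a testable logging requirement into an automated check.

Requirement under test: the information system must audit events related
to the successful login and logout of privileged users.

Record format, field names and role names below are assumptions for this
example, not from the original text.
"""
import json
from dataclasses import dataclass, field

# Fields every audit record must carry for the requirement to be verifiable.
REQUIRED_FIELDS = ("timestamp", "user", "role", "event", "outcome")
# Roles treated as privileged (assumption).
PRIVILEGED_ROLES = {"admin", "root"}


@dataclass
class Finding:
    ok: bool
    problems: list = field(default_factory=list)


def parse_audit_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON audit records (assumed format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_privileged_logging(records: list[dict]) -> Finding:
    """Check the records against the requirement and report every gap."""
    problems = []

    # 1. A record missing a required field cannot be evaluated at all,
    #    which is itself a failure of the requirement.
    for i, r in enumerate(records):
        missing = [f for f in REQUIRED_FIELDS if f not in r]
        if missing:
            problems.append(f"record {i}: missing fields {missing}")

    # 2. Every successful privileged login must be paired with a logout.
    open_sessions = {}
    for r in records:
        if any(f not in r for f in REQUIRED_FIELDS):
            continue  # already reported above
        if r["role"] not in PRIVILEGED_ROLES or r["outcome"] != "success":
            continue  # non-privileged or failed events are out of scope here
        if r["event"] == "login":
            open_sessions[r["user"]] = r["timestamp"]
        elif r["event"] == "logout":
            if r["user"] in open_sessions:
                del open_sessions[r["user"]]
            else:
                problems.append(f"logout for {r['user']} without a recorded login")
    for user, ts in open_sessions.items():
        problems.append(f"privileged login for {user} at {ts} has no recorded logout")

    return Finding(ok=not problems, problems=problems)


# Constructed sample log that satisfies the requirement.
COMPLIANT_LOG = """
{"timestamp": "2024-01-01T08:00:00Z", "user": "alice", "role": "admin", "event": "login", "outcome": "success"}
{"timestamp": "2024-01-01T08:05:00Z", "user": "bob", "role": "user", "event": "login", "outcome": "success"}
{"timestamp": "2024-01-01T09:00:00Z", "user": "alice", "role": "admin", "event": "logout", "outcome": "success"}
"""

# Constructed sample log with two gaps: a record without an outcome field,
# and a privileged login that is never followed by a logout.
DEFICIENT_LOG = """
{"timestamp": "2024-01-01T08:00:00Z", "user": "alice", "role": "admin", "event": "login", "outcome": "success"}
{"timestamp": "2024-01-01T08:30:00Z", "user": "carol", "role": "root", "event": "login"}
"""


def evaluate(text: str) -> Finding:
    """Convenience wrapper: parse a log and run the requirement check."""
    return check_privileged_logging(parse_audit_log(text))


if __name__ == "__main__":
    for name, log in (("compliant", COMPLIANT_LOG), ("deficient", DEFICIENT_LOG)):
        result = evaluate(log)
        print(name, "PASS" if result.ok else "FAIL", result.problems)
```

The vague requirement ("must implement logging") offers nothing comparable to assert on: there is no named event, subject or outcome to look for, so no check like the one above can be written against it.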