How To Use The Risk Management Framework for Requirement And Threat Traceability

Cybersecurity and Information Security (InfoSec) activities are implemented to protect data, information, systems, and users. Skilled security, program, and system stakeholders work together to ensure that business objectives are met while minimizing the risk of threats through which control of data or systems may be lost. This loss may be due to theft, natural disasters, computer/server malfunction, unauthorized or risky operation, or any other threat. Program Management and security approaches are combined to maximize business functions and capabilities while also protecting the organization. These approaches include Requirements Management, Risk Management, Threat and Vulnerability Scanning, Continuous Monitoring, and System and Information Backups. All of these management approaches require significant experience to maximize results and to avoid issues that were preventable from the start.

Program Managers, as representatives of their companies and clients, call for the timely delivery of quality products and services to operations. Significant experience maximizes product quality and performance while also minimizing risks. Experience facilitates oversight, open collaboration, and decision-making to maximize innovation, reliability, sustainability, and the coordination of assets and resources.

An important Program Management concern today is that a great deal of confidential information is collected, processed and stored by every entity and shared across various private and public networks to other computers. Compounding this concern is the fast pace of technology, software, standards, and other changes that industry must maintain awareness of. It is essential that this information be carefully managed within businesses and protected to prevent both the business and its customers from widespread, irreparable financial loss, not to mention damage to your company’s reputation. Protecting our data and information is an ethical and legal requirement for every project and requires proactive engagement to be effective.

Multiple Cybersecurity tools and techniques are used to effectively manage risk within system development and business operations. By necessity, management, engineering, and Cybersecurity activities must proactively work within the execution of requirements to maximize system functions and capabilities while also minimizing risks. Make no mistake; the threats to our businesses, systems, and users are real. Just as requirements must be sufficiently documented, so must the security controls that are intended to help mitigate the known risks to our systems.

Requirements and threats are documented in much the same way in order to ensure traceability and repeatability. Proactive management is needed to implement, execute, control, test, verify, and validate that the requirements have been met and the applicable threats have been mitigated. The management difference is that while requirements must ultimately be met, threats are managed and mitigated according to the likelihood and severity of the threat to our users, businesses, and systems. Risks are documented to show how they are managed and mitigated. Documenting these requirements and threats and their supporting details is the key to the proactive and repeatable effort that is needed. We believe the best approach is to keep this management as straightforward as possible and as detailed as needed to plan, execute, and control the program or business.

Risk Management Framework (RMF) processes are applied to the Security Controls that are found in Cybersecurity and Information Security references. These RMF activities are well documented and overlap the best practices of management and engineering. Often, you will find that the activities recommended by the RMF are activities that you should already be doing with significant proficiency. Traceability of these program and security activities requires the ability to verify the history and status of every security control, regardless of whether the system is in development or in operation. Documentation is, by necessity, detailed. Traceability means identifying each link between a requirement and its security control, together with the information needed to trace between requirements, security controls, strategies, policies, plans, processes, procedures, control settings, and any other information needed to ensure repeatable lifecycle development and operational repeatability.

Program Management and Risk Management experience is of primary importance to managing requirements and risk. A tremendous and fundamental aid for the experienced practitioner is the Requirement Traceability Matrix (RTM) and the Security Control Traceability Matrix (SCTM). The RTM and SCTM are direct in purpose and scope, which facilitates traceability and repeatability for the program. The variables of an RTM and an SCTM can be very similar and are tailorable to the needs of the program and customer. There are many examples of the content details of the RTM or SCTM, separate but similar documents, which may include:
1) a unique RTM or SCTM identification number for each requirement and security control,
2) referenced ID numbers of any associated items for requirements tracking,
3) a detailed, word for word description of the requirement or security control,
4) technical assumptions or customer need linked to the functional requirement,
5) the current status of the functional requirement or security control,
6) a description of the function to the architectural/design document,
7) a description of the functional technical specification,
8) a description of the functional system component(s),
9) a description of the functional software module(s),
10) the test case number linked to the functional requirement,
11) the functional requirement test status and implementation solution,
12) a description of the functional verification document, and
13) a miscellaneous comments column that may aid traceability.
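The columns above only deliver traceability if the links between them are actually checked. As an added illustration (not a tool from the author or from any RMF publication), the following Python script models a few of those columns for an RTM and an SCTM and reports the gaps a reviewer would look for: linked IDs that point nowhere, requirements with no associated security control, rows with no test case number, and rows marked Verified whose test has not passed. The column subset, the ID formats (REQ-nnn, SC-xx-nn, TC-nnn), the status values, and all sample rows are constructed assumptions for the example.

```python
"""Added example: a minimal RTM/SCTM traceability check.

Illustrative code written for this article, not a tool from the author or
from any RMF publication. Column subset, ID formats, status vocabulary and
sample rows are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class TraceRow:
    """One row of an RTM or SCTM (a subset of the columns listed above)."""
    row_id: str                                  # unique RTM/SCTM identification number
    description: str                             # word-for-word requirement or control text
    status: str                                  # e.g. "Planned", "Implemented", "Verified"
    linked_ids: List[str] = field(default_factory=list)  # referenced IDs of associated rows
    test_case: str = ""                          # test case number, "" if none assigned
    test_status: str = ""                        # e.g. "Pass", "Fail", "" if not yet run


# Constructed sample rows: three requirements (RTM) and three controls (SCTM).
RTM: Dict[str, TraceRow] = {
    "REQ-001": TraceRow("REQ-001", "Users authenticate before accessing records",
                        "Verified", ["SC-AC-01"], "TC-010", "Pass"),
    "REQ-002": TraceRow("REQ-002", "Audit events are retained for review",
                        "Implemented", ["SC-AU-01"], "TC-020", ""),
    "REQ-003": TraceRow("REQ-003", "Data at rest is encrypted",
                        "Planned", [], "", ""),                     # no control, no test
}
SCTM: Dict[str, TraceRow] = {
    "SC-AC-01": TraceRow("SC-AC-01", "Enforce unique user identification",
                         "Verified", ["REQ-001"], "TC-010", "Pass"),
    "SC-AU-01": TraceRow("SC-AU-01", "Generate and retain audit records",
                         "Verified", ["REQ-002"], "", ""),          # Verified but never tested
    "SC-CM-01": TraceRow("SC-CM-01", "Baseline configuration is documented",
                         "Planned", ["REQ-999"], "TC-030", "Fail"),  # dangling link
}


def find_traceability_gaps(rtm: Dict[str, TraceRow],
                           sctm: Dict[str, TraceRow]) -> Dict[str, List[str]]:
    """Return the rows that break traceability, grouped by kind of gap.

    dangling_link   - a linked ID that exists in neither matrix
    no_control      - a requirement with no associated security control
    no_test_case    - a row with no test case number
    status_conflict - a row marked Verified whose test has not passed
    """
    known = set(rtm) | set(sctm)
    gaps: Dict[str, List[str]] = {
        "dangling_link": [], "no_control": [], "no_test_case": [], "status_conflict": [],
    }
    for row in list(rtm.values()) + list(sctm.values()):
        for ref in row.linked_ids:
            if ref not in known:
                gaps["dangling_link"].append(f"{row.row_id} -> {ref}")
        if not row.test_case:
            gaps["no_test_case"].append(row.row_id)
        if row.status == "Verified" and row.test_status != "Pass":
            gaps["status_conflict"].append(row.row_id)
    for req in rtm.values():
        if not any(ref in sctm for ref in req.linked_ids):
            gaps["no_control"].append(req.row_id)
    return gaps


def is_traceable(rtm: Dict[str, TraceRow], sctm: Dict[str, TraceRow]) -> bool:
    """True only when every check passes, i.e. the matrices are fully traceable."""
    return not any(find_traceability_gaps(rtm, sctm).values())


if __name__ == "__main__":
    for kind, rows in find_traceability_gaps(RTM, SCTM).items():
        print(f"{kind}: {rows or 'none'}")
```

Run as-is, the script flags SC-CM-01's reference to the nonexistent REQ-999, REQ-003 as lacking both a control and a test case, and SC-AU-01 as marked Verified without a passing test. The same checks can be extended column by column (architecture, specification, component, module, verification document) as a program fills in the rest of its RTM and SCTM.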

While the contents of the RTM and SCTM are flexible, the need for such tools is not. Given the complexity of today's systems and services and the need to protect them from multiple threats, experienced managers, engineers, users, and other professionals will look for the traceability that quality and secure systems require.
