5 Part 5: V-Modell Reference Work Products
5.3 Products
5.3.7 Requirements and Analyses
5.3.7.9 Information Security Concept
Process module: Safety and Security (Supplier)
Responsible: Security Manager (when using process module Safety and Security (Supplier))
Activity: Preparing Information Security Concept
Work Product Attributes: initial
Purpose
The Information Security Concept shall be prepared for every IT project and every project with IT elements.
The project-related Information Security Concept includes all information security requirements mandatory for the system to be developed, the information security measures designed to protect the information against loss of integrity, authenticity, confidentiality and availability, and information security requirements and information security measures designed to protect technical information processing and information transmission systems.
During the preparation and updating process, the contents of the Information Security Concept shall be checked for correctness, consistency and completeness and adapted as required.
During service use, the Information Security Concept shall be updated in the event of technical changes, changes to regulations, changes in the threat situation, extensions of the functionality, and construction measures.
The Security Manager of the respective project is responsible for preparing the Information Security Concept.
Is generated by
Software Implementation, Integration and Evaluation Concept, Software Architecture (see product dependency 4.18)
Hardware Architecture, Hardware Implementation, Integration and Evaluation Concept (see product dependency 4.7)
Software Implementation, Integration and Evaluation Concept, Software Architecture (see product dependency 4.19)
Software Implementation, Integration and Evaluation Concept, Software Architecture (see product dependency 4.17)
Hardware Architecture, Hardware Implementation, Integration and Evaluation Concept (see product dependency 4.8)
Hardware Architecture, Hardware Implementation, Integration and Evaluation Concept (see product dependency 4.6)
System Implementation, Integration and Evaluation Concept, Enabling System Architecture (see product dependency 4.16)
Enabling System Implementation, Integration, and Evaluation Concept, Enabling System Architecture (see product dependency 4.24)
Enabling System Implementation, Integration, and Evaluation Concept, Enabling System Architecture (see product dependency 4.5)
Enabling System Implementation, Integration, and Evaluation Concept, Enabling System Architecture (see product dependency 4.21)
System Implementation, Integration and Evaluation Concept, System Architecture (see product dependency 4.15)
System Implementation, Integration and Evaluation Concept, System Architecture (see product dependency 4.23)
System Implementation, Integration and Evaluation Concept, System Architecture (see product dependency 4.4)
System Implementation, Integration and Evaluation Concept, System Architecture (see product dependency 4.20)
Overall System Specification (see product dependency 4.25)
Overall System Specification (see product dependency 4.26)
Depends on
Project Manual, Data Protection Concept, Safety and Security Analysis (see product dependency 5.46)
Project Manual, Overall System Specification, Data Protection Concept (see product dependency 5.47)
5.3.7.9.1 Presentation of the Project and the Operational Environment
In addition to a general survey of the project, this section shall give an outline of the operational purpose and the operational environment.
5.3.7.9.2 Protection Requirements
The information processed or transmitted shall be identified, including its classification regarding confidentiality and its assessment with respect to integrity, authenticity and availability.
5.3.7.9.3 System Architecture from an IT Security Point of View
The system architecture shall be presented as seen from an information security point of view. The necessary infrastructure and general organizational and personal conditions shall be identified.
5.3.7.9.4 Information Security Requirements
The information security requirements shall be identified, subdivided into technical, organizational, personal and material information security requirements.
5.3.7.9.5 Information Security Measures
The necessary information security measures shall be described, subdivided into technical, organizational, personal and material information security measures. The products designed to implement the information security measures shall be listed.
5.3.7.9.6 Risks Remaining
If information security requirements cannot be covered completely by information security measures, the risks remaining shall be described.
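The three preceding subjects (requirements, measures, remaining risks) form a traceability chain that must be checked for consistency and completeness. The following added example, which is not part of the V-Modell and uses a constructed sample concept, checks that every requirement is either implemented by a measure or documented as a remaining risk, that every measure names the product implementing it, and that no measure refers to a requirement the concept does not contain.

```python
from collections import namedtuple

# Requirement and measure categories as subdivided in the concept outline
CATEGORIES = {"technical", "organizational", "personal", "material"}

Requirement = namedtuple("Requirement", "rid category text")
# covers: ids of the requirements the measure implements; product: implementing product
Measure = namedtuple("Measure", "mid category covers product", defaults=("",))

def check_concept(requirements, measures, residual_risks):
    """Return consistency/completeness findings; an empty list means no gaps found."""
    findings = []
    req_ids = {r.rid for r in requirements}
    for r in requirements:
        if r.category not in CATEGORIES:
            findings.append(f"{r.rid}: unknown category {r.category!r}")
    covered = set()
    for m in measures:
        if m.category not in CATEGORIES:
            findings.append(f"{m.mid}: unknown category {m.category!r}")
        if not m.product:
            findings.append(f"{m.mid}: no implementing product listed")
        for rid in m.covers:
            if rid in req_ids:
                covered.add(rid)
            else:
                findings.append(f"{m.mid}: references unknown requirement {rid}")
    # A requirement without a measure must appear under "Risks Remaining"
    for rid in sorted(req_ids - covered - set(residual_risks)):
        findings.append(f"{rid}: neither covered by a measure nor listed as a remaining risk")
    for rid in sorted(set(residual_risks) - req_ids):
        findings.append(f"{rid}: remaining risk refers to an unknown requirement")
    return findings

# Constructed sample concept (ids, texts and products are placeholders)
REQUIREMENTS = [
    Requirement("REQ-1", "technical", "Confidential data is encrypted in transit"),
    Requirement("REQ-2", "organizational", "Access rights are approved by the data owner"),
    Requirement("REQ-3", "personal", "Operators complete security training before access"),
    Requirement("REQ-4", "material", "Server room entry is restricted to authorized staff"),
]
MEASURES = [
    Measure("M-1", "technical", ("REQ-1",), "TLS-terminating gateway (placeholder)"),
    Measure("M-2", "organizational", ("REQ-2", "REQ-9"), "Access request workflow"),
    Measure("M-3", "personal", ("REQ-3",)),
]
RESIDUAL_RISKS = {"REQ-4": "Interim facility has no badge system; manual guard only"}
```

Running `check_concept(REQUIREMENTS, MEASURES, RESIDUAL_RISKS)` on the sample reports the dangling reference in M-2 and the missing product for M-3, while REQ-4 passes because it is documented as a remaining risk.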
5.3.7.9.7 Emergency Plan
The necessary emergency measures shall be developed. This particularly includes a detailed description of the approach for restoring system functionality after a partial or total failure of the system.
5.3.7.9.8 Standards for Verifying the Effectiveness of the Measures
Standards for verifying the effectiveness of the measures for maintaining information security shall be specified. This particularly includes specifications for the necessary training and sensitization measures.