6 Part 6: V-Modell Reference Activities

6.3 Activities

6.3.7 Requirements and Analyses

6.3.7.7 Preparing Information Security Concept

Work Product:

Information Security Concept

Purpose

This activity is intended to prepare and update a project-related IT security concept. In detail, for example, statements on the following aspects relevant for safety and security will be specified:

6.3.7.7.1 Describing Operational Purpose

Subject:

Information Security Concept: Presentation of the Project and the Operational Environment

The project for which the Information Security Concept will be prepared shall be identified. The project identification includes an identifier for the project (e.g. DP identification number) and general information on the project (e.g. Project Managers, classification, relations to and dependencies on other projects).

Operational purpose and operational environment shall be described briefly.

6.3.7.7.2 Analyzing Protection Requirements

Subject:

Information Security Concept: Protection Requirements

The information structure of the processed or transferred information shall be determined. The protection requirements regarding confidentiality (based on the classification of the information), integrity, authenticity and availability shall be specified.

6.3.7.7.3 Presenting System Architecture

Subject:

Information Security Concept: System Architecture from an IT Security Point of View

The system architecture of the selected solution shall be described as seen from an Information Security point of view, taking into account the modes of operation (dedicated, system high, compartment and multi-level).

6.3.7.7.4 Determining Information Security Requirements

Subject:

Information Security Concept: Information Security Requirements

The Information Security requirements shall be determined, subdivided into technical, organizational, personnel and material information security requirements.

6.3.7.7.5 Determining Information Security Measures

Subject:

Information Security Concept: Information Security Measures

The information security measures required to implement the Information Security requirements shall be described, subdivided into technical, organizational, personnel and material information security measures. The products designed to implement the information security measures shall be identified. The intended information security measures shall be coordinated with the Acquirer. In addition, the information security measures shall be matched with the risk reduction measures in the product Hazard and Risk Analysis - Functional Safety (e.g. regarding redundancy, inconsistency).

6.3.7.7.6 Analyzing Risks Remaining

Subjects:

Information Security Concept: Information Security Measures, Information Security Concept: Risks Remaining

This sub-activity shall describe which information security requirements will be fulfilled by which information security measures.

If information security requirements cannot be covered completely by information security measures, the hazards for availability, integrity, authenticity, and confidentiality will be identified and classified.

For every resulting risk, it shall be determined whether it is tolerable or not.

For every risk classified as intolerable, it shall be examined whether a strengthening of the measures can reduce the respective risk to such a degree that it will become tolerable.

If a risk is classified as intolerable and cannot be remedied by a strengthening of measures, a solution which is also acceptable from an economic point of view shall be developed (e.g. identification of transitional measures, change of functionality, abandonment of IT use).

The complete analysis will be included in the Annex of the Information Security Concept as project-specific Hazard and Risk Analysis - Information Security. The main statements of the analysis will be documented in the subject Risks Remaining.

6.3.7.7.7 Executing Emergency Planning

Subject:

Information Security Concept: Emergency Plan

The emergency measures required for the project shall be developed. This includes, in particular, a detailed description of the approach for restoring system functionality after a partial or total failure of the system.

6.3.7.7.8 Preparing Standards for Verifying the Effectiveness of the Measures

Subject:

Information Security Concept: Standards for Verifying the Effectiveness of the Measures

This sub-activity is intended to continuously improve and optimize the Information Security Concept. Standards for verifying the effectiveness of the measures for maintaining information security shall be specified. This also includes specifications for necessary training and sensitization measures.