Another completely appropriate approach is to isolate IA and treat IA compliance management as a separate set of requirements from the broader compliance management program. When to integrate and when to treat separately is up to you and the business situation at hand. For example, the building of an IA service (e.g., computer security incident response center [CSIRC]) is an IA-centric effort. The CSIRC service integrates into the larger enterprise. However, the requirements for a CSIRC are largely IA requirements.
6.3.1 IA Compliance Requirements Engineering
There are similarities in the form and flow of compliance requirements engineering and SE requirements engineering. Both deal with motivations from outside the organization and inside the organization. Both capture business drivers in the form of requirements, but compliance requirements are produced at a broader enterprise perspective (e.g., legislation), while SE requirements are produced at a deeper project-focus perspective (e.g., capability, product, or service). Both document the following:
- Requirements hierarchy
- Requirements traceability
- To-be vision
- As-is snapshot
- Gap analysis
- Remediation analysis
- Transition plan
A formal IA requirements hierarchy documents the alignment of business
and technical drivers with IA requirements. It records and tracks both initial and
ongoing business justification for IA. It also documents the traceability of the IA
services and IA mechanisms to the business requirements and business risks that
motivated them.
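The requirements hierarchy and traceability described above, together with the to-be/as-is/gap items listed earlier in this section, can be made concrete as a small data model. The following is an added illustration and not the book's own method or tooling: it traces constructed IA requirements down to the mechanisms that satisfy them and up to the drivers that justify them, then derives the gap list (requirements with no mechanism, or whose mechanism is not yet implemented) and flags any requirement that has no business justification at all. Every driver, requirement and mechanism below is hypothetical sample data chosen to mirror the chapter's vocabulary; none is a real regulatory citation.

```python
"""Toy IA compliance requirements hierarchy with traceability and gap analysis.

Added example; not code from the book. All ids and texts are constructed.
"""
from dataclasses import dataclass


@dataclass
class Driver:
    """A business or compliance driver that motivates IA requirements."""
    id: str
    text: str
    origin: str   # "external" (e.g., legislation) or "internal" (e.g., policy)


@dataclass
class Requirement:
    """An IA requirement, traced up to the driver(s) that justify it."""
    id: str
    text: str
    drivers: list  # driver ids; empty means no recorded justification
    kind: str      # "explicit" (stated by the driver) or "implicit" (inferred)
    scope: str     # "enterprise", "system-set", or "system"


@dataclass
class Mechanism:
    """An IA service or mechanism; 'implemented' records the as-is state."""
    id: str
    text: str
    satisfies: list    # requirement ids this mechanism covers
    implemented: bool


# Constructed sample data (hypothetical; not real statutes or systems).
DRIVERS = [
    Driver("D1", "Breach notification statute (hypothetical)", "external"),
    Driver("D2", "Internal policy: protect PII at rest", "internal"),
]
REQUIREMENTS = [
    Requirement("R1", "Detect and respond to security incidents", ["D1"], "explicit", "enterprise"),
    Requirement("R2", "Notify affected parties within the statutory window", ["D1"], "explicit", "enterprise"),
    Requirement("R3", "Encrypt PII at rest", ["D2"], "explicit", "system-set"),
    Requirement("R4", "Retain incident logs for investigation", ["D1"], "implicit", "enterprise"),
    Requirement("R5", "Sanitize PII in non-production copies", ["D2"], "implicit", "system-set"),
    Requirement("R6", "Quarterly penetration test", [], "implicit", "enterprise"),
]
MECHANISMS = [
    Mechanism("M1", "CSIRC service", ["R1", "R2"], implemented=True),
    Mechanism("M2", "Database-level encryption of PII tables", ["R3"], implemented=False),
    Mechanism("M3", "Central log retention", ["R4"], implemented=True),
    Mechanism("M4", "Annual external penetration test", ["R6"], implemented=True),
]


def classify(reqs, drivers):
    """The 'intent' step: bucket requirement ids by (origin, kind).

    Origin is taken from the requirement's drivers; a requirement with no
    known driver lands in an "untraced" bucket so it is not silently lost.
    """
    origin_of = {d.id: d.origin for d in drivers}
    buckets = {}
    for r in reqs:
        origins = {origin_of[d] for d in r.drivers if d in origin_of} or {"untraced"}
        for origin in sorted(origins):
            buckets.setdefault((origin, r.kind), []).append(r.id)
    return buckets


def traceability_matrix(reqs, mechs):
    """Map each requirement id to the mechanism ids that claim to satisfy it."""
    matrix = {r.id: [] for r in reqs}
    for m in mechs:
        for rid in m.satisfies:
            matrix.setdefault(rid, []).append(m.id)
    return matrix


def untraced_requirements(reqs, drivers):
    """Requirements with no recorded business justification (no known driver)."""
    known = {d.id for d in drivers}
    return sorted(r.id for r in reqs if not any(d in known for d in r.drivers))


def gap_analysis(reqs, mechs):
    """Compare the to-be vision (every requirement satisfied) with the as-is snapshot.

    'uncovered' requirements need a mechanism designed; 'unimplemented' ones
    have a mechanism planned but not yet in place (the remediation backlog).
    """
    matrix = traceability_matrix(reqs, mechs)
    implemented = {m.id for m in mechs if m.implemented}
    uncovered = sorted(rid for rid, mids in matrix.items() if not mids)
    unimplemented = sorted(rid for rid, mids in matrix.items()
                           if mids and not any(mid in implemented for mid in mids))
    return {"uncovered": uncovered, "unimplemented": unimplemented}


if __name__ == "__main__":
    print("intent buckets:", classify(REQUIREMENTS, DRIVERS))
    print("traceability:", traceability_matrix(REQUIREMENTS, MECHANISMS))
    print("untraced:", untraced_requirements(REQUIREMENTS, DRIVERS))
    print("gaps:", gap_analysis(REQUIREMENTS, MECHANISMS))
```

On this sample, R5 surfaces as an uncovered requirement (no mechanism at all), R3 as planned-but-unimplemented, and R6 as a mechanism-backed requirement that nobody can trace to a driver, which is exactly the kind of finding the hierarchy is meant to expose before it becomes an unjustified cost or an audit surprise.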
As presented in chapter 3, the IA² Process consists of eight steps: intent, environment, scope, inputs, discover, analyze, outputs, and production. In terms of IA compliance requirements, intent means identifying what compliance requirements are applicable, differentiating external and internal IA requirements, and differentiating explicit and implicit IA requirements. The nature of the requirements will provide guidance on how IA is further influenced by the environment. For instance, geographical and climate differences may require different IA responses; nations and states may impose legislative mandates that call for different IA responses. The scope may be enterprisewide; it may be a set of related systems or a single system storing a particular kind of data (e.g., personally identifiable information [PII]). The outputs include a requirements hierarchy, requirements traceability matrix,