8.0 Planning Phase

  • The minimum required security specifications must be determined during the planning phase before the design begins. All system components and their security requirements must be considered.
  • Hardware supporting security must be tamper-proof.
  • Any secret keys used by the system must not be subject to exposure.
  • The business users and management must provide information to the technical management and staff who are working on the project. The information must include current real estimates of work volumes at peak and normal times along with information about the criticality of the system and confidentiality, integrity, and availability needs of the data associated with the project.
  • The project management methodology must ensure that all stakeholders in the project are consulted.
  • All projects must have a project plan before the project phase is completed.
  • The project plan must allow management to assess project progress and make adjustments to the budget or schedule.
  • The project plan should include a statement of work, a description of the project scope, information about deliverables and when they should be delivered, required resources, responsibilities of staff, milestones, critical path information, and any dependencies.
  • The project management methodology must provide procedures for determining system requirements for all projects.
  • The project management methodology must provide procedures for reviewing and approving system requirements for all projects.
  • The project management methodology must specify who is responsible for determining system requirements and for reviewing and approving system requirements for all projects.
  • Security, disaster recovery, and business continuity requirements must be considered during the planning phase.
  • There must be a process, which may include a checklist, to ensure that all system requirements have been considered. Operational and functional requirements, and requirements from both the business and technology sides, must be considered. Performance, reliability, compatibility, safety, maintenance, laws, and security must be considered.
  • All system requirements must be documented and given a priority.
  • All system requirements should be measurable and testable.
  • All system requirements must be formally documented, reviewed, and approved before the next phase of the project begins or any purchases to support the project are made.
  • When a project changes or replaces a current system, an analysis of impact considering security controls and training to implement the controls must be created.