It should be fairly obvious that the most important operational requirement is security. Every day, users become more dependent on the Internet for information and for getting work done, and important, private information about business and finance is transmitted and maintained on corporate intranets. Making sure your applications are secure now goes far beyond the old days of trying to keep people from putting their passwords on sticky notes on their monitors. The potential for disaster is immense. The possibility of having proprietary information compromised or even destroyed is easily the biggest nightmare for executives in every size and every type of organization. Losing historical data used for forecasting and targeted marketing can be damaging, and intentional destruction of current information and software could affect profits or even put an organization out of business. The .NET Framework provides the best platform for building, deploying, maintaining, and running applications while addressing the critical concerns of security and privacy. Without understanding what security issues need to be addressed and how to resolve them, however, you can't take advantage of the functionality available in .NET. In the requirements-gathering phase, the focus is on recognizing current and future threats and developing security measures that counteract these real or implied threats. If you just implement security measures without regard for the actual types of threats your application faces, you might achieve only a false sense of security. Most security measures are based on the following concepts:
There are several tangible requirements that should be part of any organization's security policies. The following list provides examples of some of these requirements:
Threats to an organization's business applications usually fall into these two categories:
Another consideration when determining your security requirements is analyzing the organization's accepted level of risk for the application, the accepted level of risk for its data, and the expense of providing acceptable security. The effort and expense should correlate with the value of what you are seeking to protect. For example, a hospital with an application storing sensitive patient information should be able to justify having an extensive security policy; a small shoe store that maintains the shoe sizes of its customers might not. Also, consider the effect on an organization if key or sensitive data is leaked to the wrong people. The cost to an organization in terms of loss of client or shareholder confidence could be just as devastating as lost or corrupted data. Another key consideration in the security requirements process is how to monitor and improve an organization's security measures, especially after the application has been installed. As applications evolve over time, new security threats present themselves. At a minimum, conduct a periodic review to ensure that the organization's applications are not exposed to unnecessary risks. The only way to ensure maximum protection against security threats is for the organization to adopt the policy of being constantly vigilant in protecting itself. |