Distribution of Security Requirements
One key feature of Ciso is the ability to distribute security requirements to objects (such as applications, devices, locations and organizations).
Options for distribution of security requirements
Security requirements can be distributed on the following objects and types of objects:
- Organization
  - Internal organization (organization labelled as internal)
  - External organization (organization labelled as external, also called supplier)
- Locations
  - Physical locations
  - Virtual locations
  - Network
- Devices
  - Client
  - Server
  - Network device
  - Other device
- Applications
If you need to distribute security requirements more specifically, you can always use tags or other conditions to ensure the right requirements are applied to the right object.
It is also possible to distribute the same security requirements to several objects, for example you might want to add encryption requirements to both a device and an application.
Creation of objects and distribution of security requirements
The way you connect applications, devices, locations and organizations in Ciso has an effect on the distribution of security requirements. This section explores that topic and describes how to do it in the most effective way. Depending on how the responsibility for fulfilling security requirements is divided between your internal organization and your suppliers, there are different ways to set up your model in Ciso.
Create an internally managed application hosted in a supplier datacenter
The first example is an internally managed application that is running in a supplier data center on a VM that we manage (for example an AWS EC2 instance or Azure VM). The split of responsibility in terms of security requirements will then be:
- External organization security requirements = supplier
- Location security requirements = supplier
- Device security requirements = our own organization
- Application security requirements = our own organization
In the example, all the objects are created with the name “guide” to keep it simple. The security requirements are also named “guide”. The view below is from the “Infrastructure and suppliers” page, which can be found in the top right menu called “Model”:
Add the tag you want to use.
Click on the organization “Guide” and then click on the “Security requirements” tab:
As you can see above, the external organization requirements and physical security (location) based requirements are distributed to the supplier. You can now use the supplier review function and send out questions to your supplier so they can respond to your requirements. See chapter 6 for more details.
In the example we are working with, application and device requirements are our responsibility, and it is up to the owner or responsible person for the object to ensure the requirements are fulfilled. See section “Respond to security requirements” for more details.
Create a SaaS application, for example Microsoft 365
In this example the supplier gets all the requirements apart from the ones you have specified as the responsibility of your own organization to fulfil.
As you can see above, device and location security requirements are also linked to the supplier even though you have not created any device or location.
Using providers for mixed delivery models
If you have shared responsibility with a supplier (or another internal organization), you can use the provider feature of the application object.
You can add multiple organizations that take part in the fulfilment of the requirements if you want.
If you add another organization as a provider, the requirements will show up on the other supplier as well, and you need to decide manually which requirements go where. This is done by setting “Not applicable” on the requirements that are not valid: select the requirement you want to remove, tick the box for “Not applicable” and then press Close.
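The three delivery models above (internally managed application in a supplier datacenter, SaaS application, and shared delivery with several providers) follow one set of distribution rules. The following Python model is an added illustration of those rules and is not Ciso's own code or data model; the object names, fields (`owner`, `managed_by`, `providers`, `own_responsibility`) and the sample requirements are assumptions constructed for the example. It computes, for each scenario, which organization ends up with which requirements, including the effect of ticking “Not applicable” on a second provider.

```python
"""Toy model of how security requirements fan out to the organizations
responsible for an application, its devices, its location and its suppliers.

Added illustration of the responsibility split described in the guide; it is
not Ciso's own code or data model. All names and fields are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Category(Enum):
    EXTERNAL_ORG = "external organization"
    LOCATION = "location"
    DEVICE = "device"
    APPLICATION = "application"


@dataclass(frozen=True)
class Requirement:
    name: str
    category: Category
    # True when your own organization has explicitly taken on this requirement,
    # even if the delivery model would otherwise hand it to the supplier.
    own_responsibility: bool = False


@dataclass(frozen=True)
class Organization:
    name: str
    internal: bool  # internal organization vs. external organization (supplier)


@dataclass
class Location:
    name: str
    managed_by: Organization


@dataclass
class Device:
    name: str
    managed_by: Organization


@dataclass
class Application:
    name: str
    owner: Organization           # internal organization that owns the application
    managed_by: Organization      # who operates the application itself (own org or SaaS supplier)
    providers: List[Organization] = field(default_factory=list)  # additional organizations in delivery
    devices: List[Device] = field(default_factory=list)
    location: Optional[Location] = None


def distribute(app, requirements, not_applicable=frozenset()):
    """Return {organization name: sorted requirement names} for one application.

    not_applicable holds (organization name, requirement name) pairs the user has
    ticked as "Not applicable" after the automatic distribution.
    """
    # Every external organization connected to the application, in a stable order.
    candidates = [app.managed_by, *app.providers, *(d.managed_by for d in app.devices)]
    if app.location:
        candidates.append(app.location.managed_by)
    suppliers = []
    for org in candidates:
        if not org.internal and org not in suppliers:
            suppliers.append(org)

    assigned = {}
    for req in requirements:
        if req.own_responsibility:
            targets = [app.owner]
        elif req.category is Category.EXTERNAL_ORG:
            targets = suppliers
        elif req.category is Category.LOCATION:
            # A modelled location carries its own manager; with no location object
            # (the SaaS case) the requirement lands on the supplier(s).
            targets = [app.location.managed_by] if app.location else suppliers
        elif req.category is Category.DEVICE:
            targets = [d.managed_by for d in app.devices] or suppliers
        else:  # Category.APPLICATION
            targets = [app.owner] if app.managed_by.internal else suppliers
        for org in targets:
            if (org.name, req.name) not in not_applicable:
                assigned.setdefault(org.name, set()).add(req.name)
    return {name: sorted(reqs) for name, reqs in assigned.items()}


# Constructed sample data, not taken from the product.
OWN = Organization("Guide Internal", internal=True)
SUPPLIER = Organization("Guide", internal=False)
REQUIREMENTS = [
    Requirement("supplier-security-policy", Category.EXTERNAL_ORG),
    Requirement("physical-access-control", Category.LOCATION),
    Requirement("disk-encryption", Category.DEVICE),
    Requirement("patching", Category.DEVICE),
    Requirement("mfa-for-admins", Category.APPLICATION),
    Requirement("application-logging", Category.APPLICATION, own_responsibility=True),
]


def internally_managed_example():
    """Our application on a VM we manage inside a supplier datacenter."""
    app = Application("guide", owner=OWN, managed_by=OWN,
                      devices=[Device("guide-vm", managed_by=OWN)],
                      location=Location("guide-datacenter", managed_by=SUPPLIER))
    return distribute(app, REQUIREMENTS)


def saas_example():
    """SaaS application: no device or location object is created at all."""
    saas = Organization("Microsoft 365", internal=False)
    return distribute(Application("m365", owner=OWN, managed_by=saas), REQUIREMENTS)


def mixed_providers_example():
    """Two providers share delivery; one requirement is ticked Not applicable."""
    second = Organization("Second supplier", internal=False)
    app = Application("shared", owner=OWN, managed_by=SUPPLIER, providers=[second])
    return distribute(app, REQUIREMENTS,
                      not_applicable={("Second supplier", "physical-access-control")})


if __name__ == "__main__":
    for fn in (internally_managed_example, saas_example, mixed_providers_example):
        print(fn.__name__, fn())
```

Running the script prints the split for each scenario: in the first, the supplier receives only the external-organization and location requirements while device and application requirements stay with the internal organization; in the SaaS case the supplier receives device and location requirements even though no such objects exist; in the shared case both suppliers receive everything except the requirement marked “Not applicable” on the second one.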
