Responding to Security Requirements

Published: August 18, 2023. Last updated: April 4, 2024.

As we have learned in previous chapters, security requirements can be distributed to objects in several ways. Now it is time to look at how to respond to them. In Ciso, a response to a security requirement is called a statement.

Requirements can be answered in three different ways:

  • Manually by the owner or responsible person
  • Via security services
  • Via the Supplier Review Process (see Supplier Review Module)

Manual Statement by Owner or Responsible Person

Every object in Ciso should be linked to an owner or responsible person. This is set on the General tab of each object (applications, devices, locations, and organizations). The owner/responsible person can then respond either from the Ciso start page or directly on the object. See the picture below, taken from the start page with the example used in chapter 4:

Click one of the statuses shown above, add a comment if you want to document your reasoning or evidence, and click OK.

Please note that requirements linked to a supplier can be answered this way as well. Ideally the supplier review process should be used, but if the supplier refuses to answer you can respond on their behalf instead. In that case you are making the statement, not the supplier, so you need to verify against the supplier's website, contract, certification report, or another source that the requirements are actually fulfilled, and record that evidence in the comment.

Respond to Security Requirements by Using Security Services

Another, more efficient, option for responding to requirements is to use security services. A security service is a grouping of security requirements that are fulfilled simply by adding the service to an object. A common example is Active Directory (AD) login, which fulfils several authentication-related requirements at once. Only attach a service to objects that actually use the underlying control; otherwise the statements it generates are not backed by anything real. To create a security service, navigate to "Governance" and select "Security Services" in the left-side menu:

On the start page, the open statements are assigned to my user because I am defined as owner of the application. Click the row to open all missing statements for the app, or click a specific requirement on the right to open only that one.

Click the + sign in the top right corner to create a new security service.

Fill in name, description, and owner. If you tick the box for suppliers, suppliers will also be able to respond by referencing this service; see the supplier review section in chapter 6 for details. Press "Apply", then open the "Security Requirement" tab.

Select the requirements that should be included in the security service.

Once the service is created, you can add it to your application. This can be done from the application view or directly from the security service. To add applications from the service, click its Application view (below I have added the "guide app"):

After pressing "Yes", you can see in the application tab "Security"