CyberSecurity requires documented Security Standards. These security standards need to be effective
and must be validated following any changes to processes, software or infrastructure. Security
standards are also validated annually during internal audits. The process of validation requires
meticulous details defined within Design qualifications (DQ), Installation qualifications (IQ),
Operational qualifications (OQ), and Performance qualifications (PQ). These qualification
specifications are described below in greater detail. The validation of CyberSecurity standards
must take into consideration the following three characteristics:
• Multidisciplinary approach: CyberSecurity work characteristically requires the collaboration
of several experts from different disciplines, such as Business Analysts, Product Specialists,
Technical Specialists, Application Specialists, Technical Architects, Security Specialists,
Service Continuity Specialists, engineers, and Q.A. experts.
• Time constraints: CyberSecurity work is generally subject to rigorous time schedules. These
validations are normally executed during the prototyping or UAT stage of the SDLC, or prior to
changes being deployed into production operations.
• Budget: CyberSecurity validation requires the time of professionals, which has a cost associated
with it; thus the appropriate authorizations and budgeting may be necessary to make it happen.
CyberSecurity Validation activities must be included within the Master CyberSecurity Validation
Program (MCVP). This includes qualification of security standards for custom software, COTS
(commercial off the shelf) software, and technical infrastructure equipment such as servers, routers,
switches, firewalls, desktops, tablets, laptops, and smart phones. The MCVP will comprise the
current-state and future-state CyberSecurity Architecture, for the initial validation before deployment
and for re-validation during changes. For large projects the MCVP will become a project deliverable.
Security Standard Specification Content:
• Design qualification (DQ) – the set of specifications used to establish a CyberSecurity Architecture
Design that management will use for decision-making purposes, such as whether to develop or
purchase a process, software or infrastructure device. These requirements detail the acceptance
criteria, which are a mandatory requirement before development or procurement can commence.
• Installation qualification (IQ) – a set of specifications used to assess the installation of a process,
software or infrastructure device and to provide assurance that it has been correctly installed and
maintained based on the manufacturer's recommendations.
• Operational qualification (OQ) – a set of specifications used to measure the functionality of a
process, software or infrastructure device to provide assurance that it is operating as planned.
• Performance qualification (PQ) – a set of specifications used to measure the performance of a
process, software or infrastructure device to provide assurance that it is performing as intended.
This specification can be used to detect misuse.
This information has been shared freely by Mark E.S. Bernard. If you find it useful please acknowledge this contribution.
If you would like additional information or assistance with the customization and implementation of a balanced risk
management process for your security program, please contact Mark @ 604-349-6557 or email@example.com