Security triage: An industrial case study on the effectiveness of a lean methodology to identify security requirements

Context: Poste Italiane is a large corporation offering integrated services in banking and savings, postal services, and mobile communication. Every year, it receives thousands of change requests for its ICT services. Applying to each and every request a security assessment "by the book" is simply not possible. Goal: We report the experience by Poste Italiane of a lean methodology to identify security requirements that can be inserted in the production cycle of a normal company. Method: The process is based on surveying the overall IT architectures (Security Survey) and then a lean dynamic process (Security Triage) to evaluate individual change requests, so that important changes get the attention they need, minor changes can be quickly implemented, and compliance and security obligations are met. Results: The empirical evaluation conducted for over an year at Poste Italiane shows that the process significantly reduces the time to identify security requirements at the pace of change. C...