Week 1-2 SecSDLC PDF
Uploaded by PhenomenalOtter455
Summary
This document covers the phases of the Security Systems Development Lifecycle. It describes the investigation, analysis, logical design, physical design, implementation, and maintenance and change stages. The document highlights security considerations during each phase, including threats, requirements, and potential constraints.
Full Transcript
The Security Systems Development Life Cycle

Phases of SecSDLC

Investigation

The investigation phase of the SecSDLC begins with a directive from upper management that dictates the process, outcomes, and goals of the project, as well as its budget and other constraints. This phase begins with an enterprise information security policy (EISP), which outlines the implementation of a security program within the organization. Teams of responsible managers, employees, and contractors are organized. Problems are analyzed, and the scope of the project is defined along with specific goals and objectives and any additional constraints not covered in the program policy.

Analysis

In the analysis phase, the documents from the investigation phase are studied. The development team conducts a preliminary analysis of existing security policies or programs, documented current threats, and associated controls. This phase also includes an analysis of relevant legal issues that could affect the design of the security solution. Risk management begins in this stage; it focuses on identifying, assessing, and evaluating the levels of risk in an organization, specifically the threats to its security and to the information it stores and processes.

Logical Design

The logical design phase creates and develops the blueprints for information security. It examines and implements key policies that influence later decisions. At this stage, the team also plans incident response actions to be taken in the event of partial or catastrophic loss.

The planning answers the following questions:

- Continuity planning: How will business continue in the event of a loss?
- Incident response: What steps are taken when an attack occurs?
- Disaster recovery: What must be done to recover information and vital systems immediately after a disastrous event?

Physical Design

Implementation

The implementation phase of the SecSDLC is similar to that of the traditional SDLC. The security solutions are acquired (made or bought), tested, implemented, and tested again. Personnel issues are evaluated, and specific training and education programs are conducted. Finally, the entire tested package is presented to upper management for final approval.

Maintenance and Change

This is the last phase, and the most important one, given the ever-changing threat environment. Today’s information security systems need constant monitoring, testing, modification, updating, and repairing. In information security, the battle for stable, reliable systems is a defensive one. Repairing damage and restoring information is a constant effort against an unseen adversary.

SDLC and SecSDLC Phase Summary

The NIST Approach to Securing the SDLC

Initiation

During this first phase of the development life cycle, security considerations are key to diligent and early integration, thereby ensuring that threats, requirements, and potential constraints in functionality and integration are considered. At this point, security is looked at more in terms of business risks with input from the information security office.

Key security activities for this phase include:

- Initial delineation of business requirements in terms of confidentiality, integrity, and availability;
- Determination of information categorization and identification of known special handling requirements to transmit, store, or create information such as personally identifiable information;
- Determination of any privacy requirements.

Development/Acquisition

Key security activities for this phase include:

- Conduct the risk assessment and use the results to supplement the baseline security controls;
- Analyze security requirements;
- Perform functional and security testing;
- Prepare initial documents for system certification and accreditation;
- Design security architecture.

Implementation/Assessment

During this phase, the system will be installed and evaluated in the organization’s operational environment.

Key security activities for this phase include:

- Integrate the information system into its environment;
- Plan and conduct system certification activities in synchronization with testing of security controls;
- Complete system accreditation activities.

Operations and Maintenance

In this phase, systems are in place and operating, enhancements and/or modifications to the system are developed and tested, and hardware and/or software is added or replaced. The system is monitored for continued performance in accordance with security requirements and needed system modifications are incorporated.

Key security activities for this phase include:

- Conduct an operational readiness review;
- Manage the configuration of the system;
- Institute processes and procedures for assured operations and continuous monitoring of the information system’s security controls;
- Perform reauthorization as required.

Disposal

The disposal activities ensure the orderly termination of the system and preserve the vital information about the system so that some or all of the information may be reactivated in the future, if necessary.

Key security activities for this phase include:

- Building and executing a disposal/transition plan;
- Archival of critical information;
- Sanitization of media;
- Disposal of hardware and software.

Senior Management

Chief information officer (CIO): An executive-level position that oversees the organization’s computing technology and strives to create efficiency in the processing and access of the organization’s information.

Chief information security officer (CISO): Typically considered the top information security officer in an organization. The CISO is usually not an executive-level position, and frequently the person in this role reports to the CIO.

The CISO’s place and roles

Information Security Project Team

A small functional team of people who are experienced in one or multiple facets of the required technical and nontechnical areas for the project to which they are assigned.

Members of the security project team:

Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.

Team leader: A project manager who may also be a departmental line manager or staff unit manager, and who understands project management, personnel management, and information security technical requirements.

Security policy developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.

Risk assessment specialists: People who understand financial risk assessment techniques, the value of organizational assets, and the security method.

Security professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.

Systems administrators: People with the primary responsibility for administering systems that house the information used by the organization.

End users: Those whom the new system will most directly affect. A selection of users from various departments, levels, and degrees of technical knowledge assist the team in focusing on the application of realistic controls that do not disrupt the essential business activities they seek to safeguard.

Data Responsibilities

Three types of data ownership:

Data owners: Members of senior management who are responsible for the security and use of a particular set of information. The data owners usually determine the level of data classification as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

Data custodians: Working directly with data owners, data custodians are responsible for the information and the systems that process, transmit, and store it. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

Data users: Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

Communities of Interest

Information Technology Management and Professionals

The community of interest made up of IT managers and skilled professionals in systems design, programming, networks, and other related disciplines has many of the same objectives as the information security community. Its members focus more on costs of system creation and operation, ease of use for system users, and timeliness of system creation, as well as transaction response time.

Organizational Management and Professionals

The organization’s general management team and the rest of the resources in the organization make up the other major community of interest. This large group is almost always made up of subsets of other interests as well, including executive management, production management, human resources, accounting, and legal staff.