The Security Systems Development Life Cycle (Sec SDLC )

THE SECURITY SYSTEMS DEVELOPMENT LIFE CYCLE (SEC SDLC )

The same phases used in the traditional SDLC can be adapted to support the implementation of an information security project.

1 Sec SDLC phases

Investigation

· This phase begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as its budget and other constraints.

· Frequently, this phase begins with an enterprise information security policy, which outlines the implementation of a security program within the organization.

· Teams of responsible managers, employees, and contractors are organized.

· Problems are analyzed.

· Scope of the project, as well as specific goals and objectives, and any additional constraints not covered in the program policy, are defined.

· Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design.

Analysis

· In this phase, the documents from the investigation phase are studied.

· The developed team conducts a preliminary analysis of existing security policies or programs, along with that of documented current threats and associated controls.

· The risk management task also begins in this phase.

Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization’s security and to the

information stored and processed by the organization.

Logical design

· This phase creates and develops the blueprints for information security, and examines and implements key policies.

· The team plans the incident response actions.

· Plans business response to disaster.

· Determines feasibility of continuing and outsourcing the project.

Physical design

· In this phase, the information security technology needed to support the blueprint outlined in the logical design is evaluated.

· Alternative solutions are generated.

· Designs for physical security measures to support the proposed technological solutions are created.

· At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed project.

· At this phase, all parties involved have a chance to approve the project before implementation begins.

Implementation

1    Similar to traditional SDLC

2  The security solutions are acquired ( made or bought ), tested, implemented, and tested again

3  Personnel issues are evaluated and specific training and education programs are conducted.

4 Finally, the entire tested package is presented to upper management for final approval.

Maintenance and change

1    Constant monitoring, testing, modification, updating, and repairing to meet changing threats have been done in this phase.

Security Professionals and the organization

Senior management

Chief information Officer (CIO) is the responsible for

--  Assessment

--  Management

--  And implementation of information security in the organization

Information Security Project Team

1.   Champion

ü     Promotes the project

ü     Ensures its support, both financially & administratively.

2.    Team Leader

ü     Understands project management

ü     Personnel management

ü     And information Security technical requirements.

ü Security policy developers

            individuals who understand the organizational culture,

            existing policies

            Requirements for developing & implementing successful policies.

ü Risk assessment specialists

            Individuals who understand financial risk assessment techniques.

              The value of organizational assets,

            and the security methods to be used.

ü Security Professionals

            Dedicated

            Trained, and well educated specialists in all aspects of information security from both a technical and non technical stand point.

ü System Administrators

            Administrating the systems that house the information used by the organization.

ü End users

Data Owners

1.     Responsible for the security and use of a particular set of information.

2.                       Determine the level of data classification

3.                       Work with subordinate managers to oversee the day-to-day administration of the data.

Data Custodians

1       Responsible for the storage, maintenance, and protection of the information.

2       Overseeing data storage and backups

3       Implementing the specific procedures and policies.

Data Users (End users)

·     Work with the information to perform their daily jobs supporting the mission of the organization.

·     Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

4.           Key Terms in Information Security Terminology

1      Asset

-An asset is the organizational resource that is being protected. -An Asset can be logical ,such a 

  Website, information or data

     Asset can be physical, such as    person , computer system

2  Attack

·     An attack is an intentional or unintentional attempt to cause damage to or otherwise compromise the information and /or the systems that support it. If someone casually reads sensitive information not intended for his use, this is considered a passive attack. If a hacker attempts to break into an information system, the attack is considered active.

3  Risk

·     Risk is the probability that something can happen. In information security, it could be the probability of a threat to a system.

4 Security Blueprint

·     It is the plan for the implementation of new security measures in the organization. Sometimes called a frame work, the blueprint presents an organized approach to the security planning process.

5  Security Model

A security model is a collection of specific security rules that represents the implementation of a security policy.

ü Threats

1.     A threat is a category of objects, persons, or other entities that pose a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences, while others are purposeful. For example, all hackers represent potential danger or threat to an unprotected information system. Severe storms are also a threat to buildings and their contents.

ü Threat agent

1.     A threat agent is the specific instance or component of a threat. For example, you can think of all hackers in the world as a collective threat, and Kevin Mitnick, who was convicted for hacking into phone systems, as a specific threat agent. Likewise, a specific lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.

ü Vulnerability

1.     Weaknesses or faults in a system or protection mechanism that expose information to attack or damage are known as vulnerabilities. Vulnerabilities that have been examined, documented, and published are referred to as well-known vulnerabilities.

ü Exposure

The exposure of an information system is a single instance when the system is open to damage. Vulnerabilities can cause an exposure to potential damage or attack from a threat. Total exposure is the degree to which an organization’s assets are at risk of attack from a threat..