THE SECURITY SYSTEMS DEVELOPMENT LIFE CYCLE (SecSDLC)
The same phases used in the traditional SDLC can be adapted to support the implementation of an information security project.
SecSDLC phases
Investigation
· This phase begins with a directive from upper management, dictating the process, outcomes, and goals of the project, as well as its budget and other constraints.
· Frequently, this phase begins with an enterprise information security policy, which outlines the implementation of a security program within the organization.
· Teams of responsible managers, employees, and contractors are organized.
· Problems are analyzed.
· The scope of the project, its specific goals and objectives, and any additional constraints not covered in the program policy are defined.
· Finally, an organizational feasibility analysis is performed to determine whether the organization has the resources and commitment necessary to conduct a successful security analysis and design.
Analysis
· In this phase, the documents from the investigation phase are studied.
· The project team conducts a preliminary analysis of existing security policies or programs, along with the documented current threats and their associated controls.
· The risk management task also begins in this phase. Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization's security and to the information the organization stores and processes.
Logical design
· This phase creates and develops the blueprints for information security, and examines and implements key policies.
· The team plans the incident response actions.
· The team plans the business response to disaster (business continuity and disaster recovery).
· The team determines the feasibility of continuing the project and/or outsourcing it.
Physical design
· In this phase, the information security technology needed to support the blueprint outlined in the logical design is evaluated.
· Alternative solutions are generated.
· Designs for physical security measures to support the proposed technological solutions are created.
· At the end of this phase, a feasibility study should determine the readiness of the organization for the proposed project.
· At this point, all parties involved have a chance to approve the project before implementation begins.
Implementation
1 This phase is similar to the implementation phase of the traditional SDLC.
2 The security solutions are acquired (made or bought), tested, implemented, and tested again.
3 Personnel issues are evaluated, and specific training and education programs are conducted.
4 Finally, the entire tested package is presented to upper management for final approval.
Maintenance and change
1 Constant monitoring, testing, modification, updating, and repairing are performed in this phase so that the security program keeps pace with changing threats.
Security Professionals and the organization
Senior management
The Chief Information Officer (CIO) is the senior technology officer of the organization and is accountable for information security at the executive level. Primary responsibility for the
-- assessment,
-- management,
-- and implementation
of information security in the organization is normally assigned to the Chief Information Security Officer (CISO), who typically reports to the CIO.
Information Security Project Team
1. Champion
· Promotes the project.
· Ensures its support, both financially and administratively.
2. Team Leader
· Understands project management, personnel management, and information security technical requirements.
3. Security policy developers
· Individuals who understand the organizational culture, the existing policies, and the requirements for developing and implementing successful policies.
4. Risk assessment specialists
· Individuals who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
5. Security professionals
· Dedicated, trained, and well-educated specialists in all aspects of information security, from both a technical and a non-technical standpoint.
6. System administrators
· Individuals who administer the systems that house the information used by the organization.
7. End users
· Individuals who work with the information; their role is described below under Data Users.
Data Owners
1. Responsible for the security and use of a particular set of information.
2. Determine the level of data classification.
3. Work with subordinate managers to oversee the day-to-day administration of the data.
Data Custodians
1. Responsible for the storage, maintenance, and protection of the information.
2. Oversee data storage and backups.
3. Implement the specific procedures and policies.
Data Users (End users)
· Work with the information to perform their daily jobs supporting the mission of the organization.
· Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.
Key Terms in Information Security
1 Asset
· An asset is the organizational resource that is being protected.
· An asset can be logical, such as a website, information, or data.
· An asset can be physical, such as a person or a computer system.
2 Attack
· An attack is an intentional or unintentional attempt to cause damage to, or otherwise compromise, the information and/or the systems that support it. If someone casually reads sensitive information not intended for their use, this is considered a passive attack. If a hacker attempts to break into an information system, the attack is considered active.
3 Risk
· Risk is the probability that something unwanted will happen. In information security, it is the likelihood that a threat will exploit a vulnerability and compromise an asset.
4 Security Blueprint
· It is the plan for the implementation of new security measures in the organization. Sometimes called a framework, the blueprint presents an organized approach to the security planning process.
5 Security Model
· A security model is a collection of specific security rules that represents the implementation of a security policy.
6 Threat
· A threat is a category of objects, persons, or other entities that pose a potential danger to an asset. Threats are always present. Some threats manifest themselves in accidental occurrences, while others are purposeful. For example, all hackers represent a potential danger or threat to an unprotected information system. Severe storms are also a threat to buildings and their contents.
7 Threat agent
· A threat agent is the specific instance or component of a threat. For example, you can think of all hackers in the world as a collective threat, and Kevin Mitnick, who was convicted for hacking into phone systems, as a specific threat agent. Likewise, a specific lightning strike, hailstorm, or tornado is a threat agent that is part of the threat of severe storms.
8 Vulnerability
· Weaknesses or faults in a system or protection mechanism that expose information to attack or damage are known as vulnerabilities. Vulnerabilities that have been examined, documented, and published are referred to as well-known vulnerabilities.
9 Exposure
· The exposure of an information system is a single instance in which the system is open to damage. Vulnerabilities can cause an exposure to potential damage or attack from a threat. Total exposure is the degree to which an organization's assets are at risk of attack from a threat.