System Development Life Cycle
CMGT/582 - CIS Security and Ethics
June 23, 2014
“Both risk governance and regulatory requirements emphasize the need for an effective risk management plan. And to effectively manage risk, it is important that definitions of the risk management plan objectives are clear from the start, so that the plan can head in the right direction. Risk management of information assets also provides a strong basis for information security activities, such as controlling risk to the confidentiality, integrity, and availability of information, aligning mitigation efforts with business objectives, and providing cost-effective solutions after analyzing security risks” (University of Phoenix - Skillsoft®, 2012).
A security development life cycle is a guide for ensuring that security is continually improved. Implementing a security life cycle requires policy and standards to be in place from the start. Security policy and standards are the foundation of any component of a security plan, and they are especially critical in the assessment and protection phases of the life cycle. The assessment phase uses the policy and standards as the basis for conducting the assessment: resources are evaluated against the security policy. During the protection phase, resources are configured to meet policy and standards.
Security should be addressed at all stages of the systems development life cycle (SDLC). “The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system. A methodology is a formal approach to solving a problem by means of a structured sequence of procedures. Using a methodology ensures a rigorous process with a clearly defined goal and increases the probability of success. Completion of methodology adoption triggers activities such as, establishing key milestones and team selection ensuring accountability for accomplishing the project goals” (Whitman, 2012, p. 21). The stages of an SDLC include:
1. Investigation
2. Requirement analysis
3. Logical design
4. Physical design
5. Implementation
6. Maintenance and Change
The only differences between the two are the specific activities and intent of each phase in the SDLC (table 1-2).
The investigation phase of the SecSDLC starts with a directive from upper management specifying the process, outcomes, and goals of the project, as well as its budget and other constraints. NIST SP 800-60 is a great resource for identifying different information types, and it lists security impact levels and their justifications. Additionally, NIST SP 800-53 separates controls into three baselines that match the potential system impact levels, including system owner identification.
The requirement analysis phase involves conducting a preliminary analysis of existing security policies or programs, along with documented current threats and associated controls.
In the logical design phase, team members create and develop the blueprint for security, and examine and implement key policies that influence future decisions.
In the physical design phase, team members evaluate the technology needed to support the security blueprint, provide alternative solutions, and approve the final design.
The implementation phase involves acquiring, testing, implementing, and retesting security solutions. This phase also involves conducting evaluations and providing specific training and education programs to personnel. In this phase, DISA STIGs, NIST SP 800-18, NIST SP 800-53A, and NIST SP 800-37 are the references used to incorporate technology best practices, finalize the system security plan, develop the security control testing plan, test security controls, authorize the system, and develop the plan of action and milestones.
The maintenance and change phase involves the operation, proper management, and keeping up to date of the information...
References
National Security Telecommunications and Information Systems Security Committee. (2000). National Information Assurance Certification and Accreditation Process (NIACAP). Retrieved from https://www.fismacenter.com/nstissi_1000.pdf
Onpointcorp.com. (n.d.). Incorporating Security into the System Development Life Cycle (SDLC). Retrieved from http://www.onpointcorp.com/uploads/137/doc/Security_in_the_SDLC.pdf
SANS Institute. (2007). Certification and Accreditation (C&A) Vs System Development Life Cycle Management (SDLC). Retrieved from http://www.sans.org/reading-room/whitepapers/auditing/certification-accreditation-c-a-system-development-life-cycle-management-sdlc-1961
University of Phoenix - Skillsoft®. (2012). CISM 2012: Information Risk Management and Compliance (Part 1): Information Risk Management Overview. Retrieved from https://library.skillport.com/courseware/Content/cca/sp_cisn_a04_it_enus//output/t4/misc/transcript.html
Whitman, M. E. (2012). Principles of Information Security (4th ed.). Mason, OH: Cengage Learning.