
Information Security: Imtiaz Hussain


Information Security

Imtiaz Hussain
PhD Computer Science (Scholar)
Lecturer
Dept. of Computer Science
Securing SDLC

• SDLC should include consideration of the security of the system being assembled as well as the information it uses.
• This means that each implementation of a system is secure and does not risk compromising the confidentiality, integrity, and availability of the organization's information assets.
• Each of the SDLC phases includes a minimum set of security steps needed to effectively incorporate security into a system during its development.
Investigation/Analysis Phases

Security Categorization
• Defines three levels (low, moderate, or high) of potential impact on organizations or individuals.
• Security categorization standards assist organizations in making the appropriate selection of security controls for their information systems.
Preliminary Risk Assessment
• Results in an initial description of the basic security needs of the system.
• A preliminary risk assessment should define the threat environment in which the system will operate.
Logical/Physical Design Phases

Risk Assessment
• Analysis that identifies the protection requirements for the system through a formal risk assessment process.
• This analysis builds on the initial risk assessment performed during the Initiation phase, but will be more in-depth and specific.
Security Functional Requirements Analysis
• Analysis of requirements that may include the following components:
  (1) system security and
  (2) security functional requirements
Security Assurance Requirements Analysis
• Addresses the developmental activities and assurance required to produce the desired level of confidence that the information security will work correctly and effectively.
• The analysis, based on legal and functional security requirements, will be used as the basis for determining how much and what kinds of assurance are required.
Cost Considerations and Reporting
• Determines how much of the development cost can be attributed to information security over the life cycle of the system.
• These costs include hardware, software, personnel, and training.
Security Planning
• Ensures that planned security controls are fully documented.
• The security plan also provides a description of the information system.
• Configuration management plan
• Incident response plan
• Security awareness and training plan
• Rules of behavior & Risk assessment
• Security test and evaluation results
• System interconnection agreements
• Security authorizations/accreditation
Security Control Development
• Ensures that security controls described in the respective security plans are designed, developed, and implemented.
Developmental Security Test and Evaluation
• Ensures that security controls developed for a new information system are working properly and are effective.
• Ensures that security controls developed for a new information system are tested and provide strong security.
Implementation Phase

Inspection and Acceptance
• Ensures that the organization validates and verifies that the functionality described in the specification is included in the deliverables.
System Integration
• Ensures that the system is integrated at the operational site where the information system is to be deployed for operation.
• Security control settings and switches are enabled in accordance with vendor instructions and available security implementation guidance.
Security Certification
• Ensures that the controls are effectively implemented through established verification techniques and procedures.
• Security certification also uncovers and describes the known vulnerabilities in the information system.
Security Accreditation
• Provides the necessary security authorization of an information system to process, store, or transmit information that is required.
• This authorization is granted by a senior organization official and is based on the trusted and verified effectiveness of security controls.
Maintenance and Change Phase
Configuration Management and Control
• Ensures adequate consideration of the potential security impacts due to specific changes to an information system.
• It is critical to establish an initial baseline of hardware, software, and firmware components for the information system.
Continuous Monitoring
• Ensures that controls continue to be effective in their application through periodic testing and evaluation.
• Security control monitoring (i.e., verifying the continued effectiveness of those controls over time) and reporting the security status of the information system to officials is an essential activity.
Information Preservation
• Ensures that information is kept confidential and retained, as necessary, to conform to current legal requirements.
Media Sanitization
• Ensures that data is deleted, erased, and written over as necessary.
Hardware and Software Disposal
• Ensures that hardware and software are disposed of as directed by the information system security officer.
