Information Security: Imtiaz Hussain
Information Security: Imtiaz Hussain
Information Security: Imtiaz Hussain
Imtiaz Hussain
PhD Computer Science (Scholar)
Lecturer
Dept. of Computer Science
Securing SDLC
Securing SDLC
Security Categorization
Defines three levels i.e., low, moderate, or high of potential impact on
organizations or individuals.
Security categorization standards assist organizations in making the appropriate
selection of security controls for their information systems.
Preliminary Risk Assessment
Results in an initial description of the basic security needs of the system.
A preliminary risk assessment should define the threat environment in which the
system will operate.
Logical/Physical Design Phases
Risk Assessment
Analysis that identifies the protection requirements for the system through a
formal risk assessment process.
This analysis builds on the initial risk assessment performed during the Initiation
phase, but will be more in-depth and specific.
Security Functional Requirements Analysis
analysis of requirements that may include the following components:
(1) system security and
(2)security functional requirements
Logical/Physical Design Phases
Security planning
Ensures that security controls, planned are fully documented.
The security plan also provides description of the information system
Configuration management plan
Incident response plan
Security awareness and training plan
Rules of behavior & Risk assessment
Security test and evaluation results
System interconnection agreements
Security authorizations/ accreditation
Logical/Physical Design Phases
Security Certification
Ensures that the controls are effectively implemented through established
verification techniques and procedures
Security certification also uncovers and describes the known vulnerabilities in the
information system.
Security Accreditation
Provides the necessary security authorization of an information system to process,
store, or transmit information that is required.
This authorization is granted by a senior organization official and is based on the
trusted and verified effectiveness of security control.
Maintenance and Change Phase
Configuration Management and Control
Ensures adequate consideration of the potential security impacts due to specific
changes to an information system.
It is critical to establishing an initial baseline of hardware, software, and firmware
components for the information system.
Continuous Monitoring
Ensures that controls continue to be effective in their application through periodic
testing and evaluation.
Security control monitoring i.e., verifying the continued effectiveness of those
controls over time and reporting the security status of the information system to
officials is an essential activity.
Maintenance and Change Phase
Information Preservation
Ensures that information is confidential, retained, as necessary, to conform to
current legal requirements
Media Sanitization
Ensures that data is deleted, erased, and written over as necessary.
Hardware and Software Disposal
Ensures that hardware and software is disposed of as directed by the information
system security officer.