Abstract
In today’s complex IT systems, because of the wide abundance of threats and deliberate attempts to attack networks and IT assets, it is crucial to have a streamlined process that incorporates security as an integral part of the development process, as opposed to adding security measures after the development cycle has finished. The System Development Lifecycle (SDLC) is a hypothetical method created for the design and step-by-step implementation of general information systems in business organizations using six different phases. The Security System Development Lifecycle (SecSDLC) uses the same six phases to implement the security project, except that its intent and scope are specific to the particular threats identified and designing
In SDLC, information security is not considered from the inception of the project in the investigation phase; in contrast, SecSDLC implements information security in each of the phases. Implementing security as an integral part of the development process helps to avoid vulnerabilities in the system; integrating security at each phase becomes a seamless operation, and the spending and time required are significantly reduced. Another key difference that makes SecSDLC more attractive than SDLC is that SecSDLC attempts to analyze existing security policies and find loopholes in the system, examine legal issues, and perform a risk assessment of the current threats to the IT infrastructure at hand; based on the assessment results, a security blueprint is built and incident response planning is performed (Whitman & Mattord, 2012, pp. 26-28). This streamlined process makes SecSDLC more suitable for current IT systems, where threats and vulnerabilities are limitless. Systems designed with no inherent security blueprint in place, such as those built with the traditional SDLC, fail to survive in current and future IT environments. In current and future IT implementations, prevention is given more emphasis than finding a cure once exposed to threats and
The system development life cycle is a formal four-step process that can be followed in order to identify a problem and solve it. The first step is
During SDLC phase one, the initiation phase, “the need for a system is expressed and the purpose of the system is documented” (NIST, 2008). Some of the expected outcomes from this phase would be a project plan and schedule, system performance specifications outlining the operational requirements, system design documents, and a document that defines roles and responsibilities. The corresponding RMF step, security categorization, establishes the foundation for security standardization among information systems and provides a vital step towards integrating security into the information system (NIST, 2008). During this step, the type(s) of information processed by the information system are identified and the information system is categorized to determine the level of protection requirements to put in place. Some of the expected outputs of this step include a security project plan and schedule, documented system boundary, the system categorization, and the security roles and responsibilities. These two process steps are very similar, except that the focus of RMF is on information-security-related functions. In some cases, SDLC produces the expected outputs that RMF requires, and the security professionals only require a copy of the documentation for their records. For example, the system design document often depicts the system boundary. The reason this step is so critical is that it
It is not uncommon to find various organizations complaining about security flaws in their information systems. Failing to prevent or mitigate the security flaws may lead to system breakdown, errors, and loss of crucial information. This is why it is important for users of information systems to find the right solutions that can help counter and mitigate security flaws. One common problem with security flaws connected with information systems or networks is that the security flaws occur in multiples. Technological advances have, fortunately, made it possible for people and organizations to prevent and detect such security flaws using security strategies. Layered Security and Defense in Depth are two strategies that can help prevent attacks and protect information systems against security flaws. The two strategies are similar but are based on two completely different concepts. This paper compares and contrasts the Layered Security and Defense in Depth strategies by explaining how each of the two functions. Additionally, the paper includes an explanation of the advantages and disadvantages of the two strategies.
This way the IT department can understand what the higher-level and lower-level employees need for system stability and a better graphical interface. Another plan of action would include the method of the Systems Development Life Cycle, or SDLC. The phases of this method are planning, analysis, system design, implementation and operation. First, we must plan what exactly we are trying to accomplish. We know we need to upgrade the Riordan Manufacturing system. Next, we must analyze the system and look for problematic errors. A project proposal can be essential to launching a system analysis (Farah, 2013). These are things to keep in mind: understand the business situation or problem, understand the significance of the problem in the organization, think of alternate solutions, consider the use of computer information systems for solutions, and find people interested in solving the problem (Farah, 2013). This plan is used to decrease redundancies and errors and to increase security. Finding all the weak spots in the company will help in integrating an updated, efficiently functioning system. Feasibility is important to account for when upgrading the system. Integrating a CRM will help to work with customers and understand their needs and wants, to benefit the company and its relationship with its customers. Designing the system will involve knowing what kind of software is needed to store and
The OIG 2011 FISMA Assessment indicates that “FISMA Section 3544 requires establishing policies and procedures to ensure information security is addressed throughout the life cycle of each agency information system” (VA Office of Inspector General, 2012, p. 9). Based on the lack of consistency in the use of SDLC and change control, major security risks may go unnoticed.
This paper serves to direct the development team along a pathway of security, with the intent to share information about the most secure manner in which to implement this project. It must first be acknowledged that for information to be secured, information security must be integrated into the SDLC from system inception. The early integration of security in the
Other security elements are in reference to data recovery, database administration, handling a breach in security and administrative security policies such as access procedure, employee transfer and excessive user access. As I assume the role of the chief security officer, database designer, database administrator, and chief applications designer, this project is very important to the armed services and the Virgin Islands National Guard as we strive to provide global security.
In shaping new security policies, it is essential to have a full understanding of all aspects of the internal network and services to be protected from both internal and outside threats. An article by Solms & Solms (2004) outlines several criteria in developing information security. First, a governing body must be formed to ensure all sensitive data is secured and provide due
After the information system is installed, the IS security controls must be monitored and assessed on a continuous basis. Continuous monitoring ensures the security controls in place are effective. In this step, there are five tasks. The first task requires managers to determine the security impact based on the threat environment. The second task is conducting assessments on certain security controls as outlined in their Continuous Monitoring Strategy. The third task is correcting discrepancies found in the assessment. The fourth task requires updating the Security Authorization package based on the previous results. The fifth task requires the appropriate officials to make a risk determination and acceptance by reviewing the reported security
System analysis is the detailed study of the components and requirements of a system, the information needs of an organisation, the characteristics and current components of its systems, and the user functional requirements of the proposed system.
12. Why is a methodology important in the implementation of information security? How does a methodology improve the process?
An information security professional’s job is to deploy the right safeguards, evaluate risks against critical assets, and mitigate those threats and vulnerabilities. Management can ensure their company’s assets, such as data, remain intact by finding the latest technology and implementing the right policies. Risk management focuses on analyzing risk and taking mitigating actions to reduce that risk. Successful implementation of security safeguards depends on the knowledge and experience of information security staff. This paper addresses the methods and fundamentals of systematically conducting risk assessments on the security risks of information systems.
Designing a working plan for securing the organization’s information assets begins by creating or validating an existing security blueprint for the implementation of needed security controls to protect the information assets. A framework is the outline from which a more detailed blueprint evolves. The blueprint is the basis for the design, selection, and implementation of all subsequent security policies, education and training programs, and technologies. The blueprint provides scalable, upgradeable, and comprehensive security for the coming years. The blueprint is used to plan the tasks to be accomplished and the order in which
Computer systems play an important role in solving human problems in daily life. The standard steps for developing an information system are called the System Development Life Cycle (SDLC). SDLC is the framework available to build a complete system. There are five phases in SDLC which are planning, analysis, design, coding, testing and maintenance (refer to Figure 1 in Appendix 1).