System Development Life Cycle
Irene Anderson
CMGT/582 - CIS Security and Ethics
June 23, 2014
Krystal Hall
“Both risk governance and regulatory requirements emphasize the need for an effective risk management plan. And to effectively manage risk, it is important that definitions of the risk management plan objectives are clear from the start, so that the plan can head in the right direction. Risk management of information assets also provides a strong basis for information security activities, such as controlling risk to the confidentiality, integrity, and availability of information, aligning mitigation efforts with business objectives, and providing cost-effective solutions after analyzing
Table 1-2 (Whitman, 2012, p. 28).
The Information Technology (IT) Security Certification and Accreditation (C&A) process evaluates the implementation of an IT system or site against its security requirements. The process produces evidence that a designated manager uses as part of the basis for making an informed decision about operating that IT system or site. The NSTISSI No. 4009 National Information Systems Security (INFOSEC) Glossary (September 2000) defines certification as a “comprehensive evaluation of the technical and non-technical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements” and accreditation as a “formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards” (SANS Institute, 2007, p. 1).
“The NIACAP establishes a standard national process, set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site” (National Security Telecommunications and Information Systems Security Committee, 2000). The
Users are assigned a unique user name and password. Passwords are required to be complex and changed frequently, and accounts lock out after a predetermined number of invalid attempts. User sessions must re-authenticate after periods of inactivity. MC performs routine user account reviews to ensure appropriate entitlements and the removal of dormant accounts. All servers and workstations are built and hardened to the MC baseline standard, with each server performing a single role (e.g. IIS). MC employs antivirus on all desktops and servers; antivirus is centrally managed, with definition updates pushed daily. MC performs routine vulnerability scans and monthly patch management. A third-party external penetration test is performed annually. MC requires all sensitive data transmissions to be encrypted, whether over the web (e.g. HTTPS), by bulk file transfer (e.g. Secure FTP) or by email (e.g. TLS), using industry-recognized algorithms. Sensitive data is encrypted within the database. End users are restricted from writing to USB and CD-R media. MC has deployed a Security Incident Event Manager (SIEM) throughout the environment. The SIEM generates alerts which are reviewed by designated members of
Another step involves security checks upon implementation and describes the agency-level threat to the business scenario or the mission. It similarly entails authorizing the information system for processing and, lastly, continuous monitoring of the security controls. FISMA and NIST's standards aim to offer agencies ways to achieve their identified missions with safety commensurate with the threat (United States Department of Agriculture, 2015). Together with guidelines from the Office of Management and Budget (OMB), FISMA and NIST create a framework for developing and maturing an information security program (SecureIT, 2008). Such a framework includes control descriptions and evaluation, program development, and system certification and accreditation. The final objective involves conducting the daily functioning of the agency and achieving the agency's articulated objectives with sufficient security commensurate with risk.
“The Federal Information Processing Standards Publication Series of the National Institute of Standards and Technology (NIST) is the official series of publications relating to standards and guidelines adopted and promulgated under the provisions of Section 5131 of the Information Technology Management Reform Act of 1996 (Public Law 104-106) and the Federal Information Security Management Act of 2002 (Public Law 107-347)” ("FIPS PUB 199," 2004). In this paper, FIPS PUB 199 has been chosen as the security standard used by the State of Maryland Department of Information Technology. This standard establishes criteria for categorizing information and information systems. In contrast, ISO/IEC 27001, a standard the State of Maryland does not use, is discussed as a comparison standard.
The organisation undertakes or commissions a programme of assessments and audits of its information and IT security arrangements.
GIAC provides a set of vendor-neutral computer security certifications linked to the training courses provided by SANS. GIAC focuses on the leading edge of IT security technology in order to stay ahead of "black hat" techniques. Papers written by individuals pursuing GIAC certifications are
An effective information security program should include periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization. Policies and procedures should be based on risk assessments, should cost-effectively reduce information security risk, and should ensure that information security is addressed throughout the entire life cycle of every organizational information system. The program should also include subordinate plans for providing sufficient information security for groups of information systems, facilities, networks, or individual information systems.
As we discussed previously, this document includes our recommendations for just a few of the security policies that would be useful for your organization. These recommendations are written in a form to be approved by you and your management and are intended to demonstrate what is needed, not how the policies will be implemented. Procedural documents, which will provide step-by-step directions on implementing the policies, will follow approval.
Risk analysis is an integral part of data safety within an organization, and the analysis is vital to the mission and success of an organization. Risk analysis is used “to identify threats and then provide recommendations to address these threats” (Taylor et al., 2006). Risk analysis encompasses not only the equipment and programs used in an organization but also the cultural, managerial, and administrative processes that assure data security. A key factor in risk analysis is having a good Information Resource Management Plan.
An information security benchmark model, CIA, an acronym for information Confidentiality, Integrity and Availability, can be used to evaluate the solution
Common certifications for information security analysts include the Certified Ethical Hacker certification, Chief Information Security Officer (CISO) certifications, the Computing Technology Industry Association (CompTIA) Network+, and the Certified Computer Forensics Examiner (CCFE) exam; these are examples of tests and certifications that information security analysts may take to enhance their professional skills and chances of employment. It is always essential that security analysts join professional organizations to keep up with current trends in forensics, data security, and other aspects of their profession. One such organization is the Information Systems Security Association (ISSA), which can help you stay involved with your profession and current with trends in the information security analyst field. The association's stated goals are to provide international conferences, seminars, and local chapter meetings and seminars for training, education, and networking opportunities, and to provide access to information through the ISSA website, its e-newsletters, and the monthly ISSA Journal. The organization gives its members opportunities to earn CPE credits through chapter meetings, ISSA web conferences, and subscription to the ISSA Journal. The ISSA gives its members leadership opportunities at the chapter or international level as council leaders, through
An information security professional's job is to deploy the right safeguards, evaluate risks against critical assets, and mitigate those threats and vulnerabilities. Management can ensure that their company's assets, such as data, remain intact by finding the latest technology and implementing the right policies. Risk management focuses on analyzing risk and taking mitigating actions to reduce that risk. Successful implementation of security safeguards depends on the knowledge and experience of information security staff. This paper addresses the methods and fundamentals of systematically conducting risk assessments of the security risks of information systems.
A security administrator can look to the Information Technology Code of Practice for Information Security Management (ISO 17799/BS 7799), the NIST security models (including SP 800-12, 14, 18, 26, and 30), and the VISA International Security Model; these are just a few of the established security frameworks available.
Computer systems play an important role in solving human problems in daily life. There is a standard set of steps for developing an information system, called the System Development Life Cycle (SDLC). SDLC is a framework for building a complete system. There are five phases in SDLC, which are planning, analysis, design, coding, testing and maintenance (refer to Figure 1 in Appendix 1).