“Both risk governance and regulatory requirements emphasize the need for an effective risk management plan. And to effectively manage risk, it is important that definitions of the risk management plan objectives are clear from the start, so that the plan can head in the right direction. Risk management of information assets also provides a strong basis for information security activities, such as controlling risk to the confidentiality, integrity, and availability of information, aligning mitigation efforts with business objectives, and providing cost-effective solutions after analyzing security risks” (University of Phoenix – Skillsoft®, 2012).
A security development life cycle is a guide for ensuring that security is continually being improved. Implementing a security life cycle requires that policy and standards be put in place from the start.
Security policy and standards are the foundation of every component of a security plan. They are especially critical in the assessment and protection phases of the life cycle. The assessment phase uses the standards and policy as the basis for conducting the assessment: resources are evaluated against the security policy. During the protection phase, resources are configured to meet policy and standards. Security should be addressed at all stages of the systems development life cycle (SDLC).
“The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system.
A methodology is a formal approach to solving a problem by means of a structured sequence of procedures. Using a methodology ensures a rigorous process with a clearly defined goal and increases the probability of success. Completion of methodology adoption triggers activities such as establishing key milestones and team selection, ensuring accountability for accomplishing the project goals” (Whitman, 2012, p. 21).
The stages of an SDLC include:
1. Investigation
2. Analysis
3. Logical design
4. Physical design
5. Implementation
6. Maintenance and Change
The only differences between the SDLC and the security SDLC (SecSDLC) are the specific activities and intent that take place in each phase (Table 1-2).
The investigation phase of the SecSDLC starts with a directive from upper management specifying the process, outcomes, and goals of the project, as well as its budget and other constraints. NIST SP 800-60 is a valuable resource for identifying the different information types and for listing security impact levels with their justifications. Additionally, NIST SP 800-53 separates controls into three baselines that correspond to the potential system impact levels; identifying the system owner also belongs to this phase. The requirements analysis phase involves conducting a preliminary analysis of existing security policies or programs, along with documented current threats and their associated controls.
In the logical design phase, team members create and develop the blueprint for security, and examine and implement the key policies that will influence future decisions. In the physical design phase, team members evaluate the technology needed to support the security blueprint, propose alternative solutions, and approve the final design. The implementation phase involves acquiring, testing, implementing, and retesting security solutions. This phase also involves conducting evaluations and providing specific training and education programs to personnel.
In this phase, the DISA STIGs, NIST SP 800-18, NIST SP 800-53A, and NIST SP 800-37 are the references used to incorporate technology best practices, finalize the system security plan, develop the security control testing plan, test the security controls, authorize the system, and develop the plan of action and milestones. The maintenance and change phase involves operating, properly managing, and keeping up to date the information security program through established procedures. In this activity, it is important to incorporate recommendations from resources such as NIST SP 800-53A, NIST SP 800-86, NIST SP 800-83, NIST SP 800-61, and NIST SP 800-40.
Table 1-2 (Whitman, 2012, p. 28).
The Information Technology (IT) Security Certification and Accreditation (C&A) process evaluates the implementation of an IT system or site against its security requirements. The process produces evidence used by a designated manager as part of the basis for making an informed decision about operating that IT system or site.
NSTISSI No. 4009, the National Information Systems Security (INFOSEC) Glossary (September 2000), defines certification as a “comprehensive evaluation of the technical and non-technical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements” and accreditation as a “formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards” (SANS Institute, 2007, p. 1).
“The NIACAP establishes a standard national process, set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site” (National Security Telecommunications and Information Systems Security Committee, 2000).
The process certifies that the information system (IS) meets documented security requirements and will continue to maintain the accredited security posture throughout the system life cycle. “Adapting the process includes existing system certifications and evaluations of products. Users of the process must align the process with their program strategies and integrate the activities into their enterprise system life cycle. While the NIACAP maps to any system life cycle process, its four phases are independent of the life cycle strategy.
While developed for national security systems, the NIACAP may, at an agency’s discretion, be adapted to any type of IS and any computing environment and mission subject to the policies found in OMB Circular A-130, Appendix III and the standards and guidance issued by the National Institute of Standards and Technology (NIST)” (National Security Telecommunications and Information Systems Security Committee, 2000, p. 1).
NIST Special Publication 800-64, rev. 1, provides an overview of the security considerations for each phase of the SDLC – “Each SDLC phase includes a minimum set of security steps needed to effectively incorporate security into a system during its development.
An organization will either use the general SDLC described or will have developed a tailored SDLC that meets their specific needs. Based on NIST recommendation, organizations should incorporate associated IT security steps of the general SDLC into their development process” (Whitman, 2012, p. 24).
Integrating security activities into the SDLC allows organizations to realize three key advantages. First, the system benefits from stronger security, decreasing the probability and impact of intentional and unintentional vulnerabilities. Second, by considering security concepts during the correct SDLC phase, the incorporation of security into the system becomes seamless and costs less; retrofitting a system with security requirements after the fact is a costly process. Finally, “the activity of integrating security into the lifecycle of federal information systems is required by the Certification and Accreditation (C&A) process” (Onpointcorp.com, n.d.).
References
National Security Telecommunications and Information Systems Security Committee. (2000). National Information Assurance Certification and Accreditation Process (NIACAP). Retrieved from https://www.fismacenter.com/nstissi_1000.pdf
Onpointcorp.com. (n.d.). Incorporating Security into the System Development Life Cycle (SDLC). Retrieved from http://www.onpointcorp.com/uploads/137/doc/Security_in_the_SDLC.pdf
SANS Institute. (2007). Certification and Accreditation (C&A) Vs System Development Life Cycle Management (SDLC). Retrieved from http://www.sans.org/reading-room/whitepapers/auditing/certification-accreditation-c-a-system-development-life-cycle-management-sdlc-1961
University of Phoenix – Skillsoft®. (2012). CISM 2012: Information Risk Management and Compliance (Part 1): Information Risk Management Overview. Retrieved from https://library.skillport.com/courseware/Content/cca/sp_cisn_a04_it_enus//output/t4/misc/transcript.html
Whitman, M. E. (2012). Principles of Information Security (4th ed.). Mason, OH: Cengage Learning.