SecSDLC
Chapter 2
Phases of the SecSDLC
INVESTIGATION
• Directive from management
• Creation of security policy
• Teams:
– Analyse problem
– Define scope
– Specify goals
– Identify constraints
• Feasibility analysis
• Determine:
– Resources
– Commitment
ANALYSIS
• Analysis of:
– Existing security policies
– Known threats
– Current controls
– Legal issues – privacy laws on personal information
ANALYSIS – continued …
• Risk Management
– Identify, assess & evaluate risk levels (especially threats to information)
• Threat: represents a constant danger to assets
• Attack: harm or damage – exploits vulnerabilities to compromise a controlled system
• Threat agent: the cause of danger – an object, person or entity
• Exploit: a technique used to misuse or take advantage of a vulnerability
• Vulnerability: weakness, exposure, helplessness, defencelessness
Threats to Information Security
ANALYSIS – continued …
• Prioritise risk
– By each category of threat
– And its related method of attack
• Manage risk
– Identify & assess the value of information assets
– Risk assessment – assigns a comparative risk rating or score to each information asset
DESIGN
LOGICAL DESIGN
Team members:
• Create & develop the blueprint for security
• Examine & implement key policies
PHYSICAL DESIGN
Team members:
• Evaluate technology to support the security blueprint
• Generate alternative solutions
• Agree on the final design
• Also includes developing criteria for determining the definition of a successful solution
DESIGN – continued …
• Security Models: NIST & ISO/IEC 27002
– Used to guide the design process
– Provide a framework to ensure all areas of security are addressed
• Framework adapted/adopted to meet InfoSec needs
DESIGN – continued …
INFORMATION SECURITY PROGRAM – critical design elements (Purpose of InfoSec Program – p. 61)
• Policies – provide rules for the protection of information assets
– General/security program policy
– Issue-specific security policy
– System-specific security policy
• SETA
– Security education – building in-depth education
– Security training – developing skills & knowledge
– Security awareness – improving awareness
• Design of controls
– Managerial – deals with the security planning process & security program management – risk management & security control review
– Operational – lower-level planning; DR & IR
– Technical – addresses tactical/technical implementation of security; technological issues
DESIGN – continued …
• Contingency Planning (CP) – prepare for, react to & recover from circumstances threatening the organisation
– Incident Response Planning (IRP)
– Disaster Recovery Planning (DRP)
– Business Continuity Planning (BCP)
• Design, implementation & maintenance of controls for physical resources
– People
– Hardware
– Information system elements
IMPLEMENTATION
• Security solutions acquired, implemented and tested
• Personnel issues evaluated
– Training
– Education programs
• Management of project plan
– Planning the project
– Supervising tasks & action steps
– Wrapping up the project
IMPLEMENTATION – continued …
• Project team
• Staffing the InfoSec function
– Position & name the security function
– Plan for proper staffing
– Understand the impact of InfoSec across IT
– Integrate InfoSec concepts into personnel management practices
• Information Security Professionals
– CIO, CISO, Security Manager, Data Owner, Data Custodian, Data Users
• Professional Certification
MAINTENANCE
• After implementation, the InfoSec program must be (using established procedures):
– Operated
– Properly managed
– Kept up to date
MAINTENANCE – continued …
• Maintenance Model – focuses organisational effort on systems maintenance
– External monitoring – new & emerging threats
– Internal monitoring – the organisation's networks & information systems
– Planning & risk assessment
– Vulnerability assessment & remediation – penetration testing
• Readiness & review – functionality
Maintenance Model
MAINTENANCE – continued …
• ISO Management Model
– Fault Management – identify and address faults
– Configuration & Change Management – changing components & change administration
– Accounting Management & Auditing – system monitoring
– Performance Management
• Security Management