SecSDLC
Chapter 2
Phases of the SecSDLC
INVESTIGATION
• Directive from management
• Creation of security policy
• Teams:
  – Analyse problem
  – Define scope
  – Specify goals
  – Identify constraints
• Feasibility analysis
• Determine:
  – Resources
  – Commitment
ANALYSIS
• Analysis of:
  – Existing security policies
  – Known threats
  – Current controls
  – Legal issues – privacy laws on personal info
ANALYSIS – continued …
• Risk management
  – Identify, assess & evaluate risk levels (especially threats to information)
• Threat: represents a constant danger to assets
• Attack: harm or damage – exploits vulnerabilities to compromise a controlled system
• Threat agent: the cause of danger – object, person or entity
• Exploit: technique used to misuse or take advantage of a vulnerability
• Vulnerability: weakness, exposure, helplessness, defencelessness
Threats to Information Security
ANALYSIS – continued …
• Prioritise risk
  – By each category of threat
  – and its related method of attack
• Manage risk
  – Identify & assess value of information assets
  – Risk assessment – assigns a comparative risk rating or score to each information asset
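The slide above says a risk assessment assigns a comparative risk rating to each information asset, so that risk can be prioritised by threat category. The following is an added worked example, not material from the slides or the textbook they summarise: it takes a list of information assets, each with an assumed relative value and a set of threats (likelihood, share already mitigated by current controls, and an uncertainty allowance), computes a score per asset with an assumed scoring formula, and ranks the assets. Asset names, threat categories and all numbers are constructed sample data.

```python
"""Comparative risk rating of information assets (added example).

The scoring formula is an assumption chosen for illustration: an asset's
risk from one threat is its value weighted by the threat's likelihood,
reduced by the share that existing controls already mitigate, plus a
margin proportional to how uncertain the estimates are.  Summing over the
asset's threats gives a comparative score; sorting gives the priority list.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str            # threat category, e.g. "deliberate software attack"
    likelihood: float    # 0.0-1.0: chance the threat materialises in the review period
    mitigated: float     # 0.0-1.0: share of the exposure current controls already remove
    uncertainty: float   # 0.0-1.0: how little confidence we have in the two estimates above


@dataclass
class Asset:
    name: str
    value: int           # relative worth on a 1-100 scale (assumed weighting scheme)
    threats: list[Threat] = field(default_factory=list)


def threat_risk(asset_value: int, t: Threat) -> float:
    """Risk one threat contributes to one asset (assumed formula).

    exposure  = value * likelihood
    residual  = exposure minus the part existing controls mitigate
    score     = residual plus an uncertainty margin on the exposure
    """
    for label, v in (("likelihood", t.likelihood),
                     ("mitigated", t.mitigated),
                     ("uncertainty", t.uncertainty)):
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{t.name}: {label} must be in [0, 1], got {v}")
    exposure = asset_value * t.likelihood
    residual = exposure - exposure * t.mitigated
    return residual + exposure * t.uncertainty


def asset_risk(asset: Asset) -> float:
    """Comparative risk score for an asset: sum over its threats, rounded."""
    return round(sum(threat_risk(asset.value, t) for t in asset.threats), 2)


def prioritise(assets: list[Asset]) -> list[tuple[str, float]]:
    """Rank assets by comparative risk score, highest risk first."""
    scored = [(a.name, asset_risk(a)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory: values and estimates are illustrative only.
SAMPLE_ASSETS = [
    Asset("Customer database", 100, [
        Threat("deliberate software attack", likelihood=0.5, mitigated=0.5, uncertainty=0.2),
        Threat("human error",                likelihood=0.3, mitigated=0.3, uncertainty=0.1),
    ]),
    Asset("Public web server", 70, [
        Threat("deliberate software attack", likelihood=0.6, mitigated=0.7, uncertainty=0.2),
    ]),
    Asset("Marketing brochures", 10, [
        Threat("deliberate software attack", likelihood=0.4, mitigated=0.2, uncertainty=0.1),
    ]),
]


if __name__ == "__main__":
    for rank, (name, score) in enumerate(prioritise(SAMPLE_ASSETS), start=1):
        print(f"{rank}. {name:<20} {score:6.2f}")
```

The uncertainty term is what stops a well-controlled but poorly understood asset from dropping to the bottom of the list: a high `mitigated` value only lowers the score if the estimate behind it is trusted. Changing the weighting scheme (for example a 1–5 value scale, or a qualitative likelihood ladder) changes the absolute numbers but not the method, which is why the slide calls the result a comparative rating rather than a measurement.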
DESIGN
LOGICAL DESIGN – team members:
• Create & develop blueprint for security
• Examine & implement key policies
PHYSICAL DESIGN – team members:
• Evaluate technology to support security blueprint
• Generate alternative solutions
• Agree on final design
• Also includes developing criteria for determining the definition of a successful solution
DESIGN – continued …
• Security models: NIST & ISO/IEC 27002
  – Used to guide design process
  – Provide framework to ensure all areas of security are addressed
• Framework adapted/adopted to meet InfoSec needs
DESIGN – continued …
INFORMATION SECURITY PROGRAM – critical design elements (purpose of InfoSec program – p. 61)
• Policies – provide rules for protection of information assets
  – General/security program policy
  – Issue-specific security policy
  – System-specific security policy
• SETA
  – Security education – building in-depth education
  – Security training – developing skills & knowledge
  – Security awareness – improving awareness
• Design of controls
  – Managerial – deals with security planning process & security program management – RM & security control review
  – Operational – lower-level planning; DR & IR
  – Technical – address tactical/technical implementation of security; technological issues
DESIGN – continued …
• Contingency planning (CP) – prepare for, react to & recover from circumstances threatening the organisation
  – Incident response planning (IRP)
  – Disaster recovery planning (DRP)
  – Business continuity planning (BCP)
• Design, implementation & maintenance of controls for physical resources
  – People
  – Hardware
  – Information system elements
IMPLEMENTATION
• Security solutions acquired, implemented and tested
• Personnel issues evaluated
  – Training
  – Education programs
• Management of project plan
  – Planning project
  – Supervising tasks & action steps
  – Wrapping up project
IMPLEMENTATION – continued …
• Project team
• Staffing InfoSec function
  – Position & name security function
  – Plan for proper staffing
  – Understand impact of InfoSec across IT
  – Integrate InfoSec concepts into personnel management practices
• Information security professionals
  – CIO, CISO, security manager, data owner, data custodian, data users
• Professional certification
MAINTENANCE
• After implementation the InfoSec program must be (using established procedures):
  – Operated
  – Properly managed
  – Kept up to date
MAINTENANCE – continued …
• Maintenance model – focuses org effort on systems maintenance
  – External monitoring – new & emerging threats
  – Internal monitoring – org network & info systems
  – Planning & risk assessment
  – Vulnerability assessment & remediation – penetration testing
• Readiness & review – functionality
Maintenance Model
MAINTENANCE – continued …
• ISO management model
  – Fault management – identify and address faults
  – Configuration & change management – change components & change administration
  – Accounting management & auditing – system monitoring
  – Performance management
• Security management