SecSDLC Chapter 2

Upload: sherilyn-logan

Posted on 18-Jan-2016


TRANSCRIPT

Page 1: SecSDLC Chapter 2. Phases of the SecSDLC INVESTIGATION Directive from management Creation of security policy Teams: – Analyse problem – Define Scope

SecSDLC

Chapter 2

Page 2

Phases of the SecSDLC

Page 3

INVESTIGATION

• Directive from management
• Creation of security policy
• Teams:
– Analyse problem
– Define Scope
– Specify Goals
– Identify Constraints
• Feasibility Analysis
• Determine:
– Resources
– Commitment

Page 4

ANALYSIS

• Analysis of:
– Existing security policies
– Known threats
– Current controls
– Legal issues – privacy laws on personal info

Page 5

ANALYSIS – continued …

• Risk Management
– Identify, assess & evaluate risk levels (especially threats to information)
• Threat: represents a constant danger to assets
• Attack: harm, damage – exploits vulnerabilities to compromise a controlled system
• Threat agent: the cause of danger – object, person or entity
• Exploit: techniques used to misuse or take advantage of a vulnerability
• Vulnerability: weakness, exposure, helplessness, defencelessness

Page 6

Threats to Information Security

Page 7

ANALYSIS – continued …

• Prioritise risk
– By each category of threat
– and its related method of attack
• Manage risk
– Identify & assess value of information assets
– Risk assessment – assigns a comparative risk rating or score to each information asset
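An added worked example (not from the slides) of the comparative risk rating described above: a weighted-factor asset valuation and a per-threat score that is ranked and then totalled by threat category, the order in which the slide prioritises. The criteria weights, the 0-100 scores, the rating formula (likelihood × asset value, reduced by what current controls mitigate and increased by an uncertainty allowance) and the register entries are all assumptions constructed for this example.

```python
from dataclasses import dataclass
# Assumed valuation scheme (not from the slides): weighted-factor analysis, criterion
# weights summing to 1.0, each asset scored 0-100 per criterion.
CRITERIA_WEIGHTS = {"revenue_impact": 0.4, "operational_impact": 0.3, "public_image": 0.3}

def asset_value(scores: dict) -> float:
    return sum(CRITERIA_WEIGHTS[c] * s for c, s in scores.items())

@dataclass
class ThreatVulnerability:
    asset: str          # information asset exposed
    category: str       # threat category (prioritise by category of threat)
    method: str         # related method of attack
    likelihood: float   # 0.1 (very unlikely) .. 1.0 (near certain) within the year
    mitigated: float    # fraction of the risk removed by current controls
    uncertainty: float  # allowance for incomplete knowledge of the vulnerability

def risk_score(value: float, tv: ThreatVulnerability) -> float:
    # Assumed rating formula: likelihood x asset value, reduced by what current
    # controls already mitigate, increased by the uncertainty allowance.
    return round(tv.likelihood * value * (1 - tv.mitigated + tv.uncertainty), 2)

def rank_risks(assets: dict, tvs) -> list:
    # (score, threat-vulnerability) pairs, highest risk first
    values = {name: asset_value(scores) for name, scores in assets.items()}
    rated = [(risk_score(values[tv.asset], tv), tv) for tv in tvs]
    return sorted(rated, key=lambda r: r[0], reverse=True)

def risk_by_category(rated) -> dict:
    # total score per threat category, highest total first
    totals = {}
    for score, tv in rated:
        totals[tv.category] = totals.get(tv.category, 0.0) + score
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))
# Constructed sample register: two assets, three threat-vulnerability pairs.
ASSETS = {
    "customer database": {"revenue_impact": 90, "operational_impact": 80, "public_image": 90},
    "marketing web server": {"revenue_impact": 40, "operational_impact": 30, "public_image": 70},
}
TVS = [
    ThreatVulnerability("customer database", "software attacks", "SQL injection", 0.5, 0.4, 0.1),
    ThreatVulnerability("customer database", "human error", "misconfigured backup share", 0.3, 0.2, 0.2),
    ThreatVulnerability("marketing web server", "software attacks", "unpatched CMS", 0.7, 0.1, 0.1),
]

if __name__ == "__main__":
    for score, tv in rank_risks(ASSETS, TVS):
        print(f"{score:6.2f}  {tv.asset:22} {tv.category:18} {tv.method}")
    print(risk_by_category(rank_risks(ASSETS, TVS)))
```

Note that the lower-valued web server ranks first because its likelihood is high and little of the risk is mitigated, which is exactly the comparative ordering the rating is meant to surface.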

Page 8

DESIGN

LOGICAL DESIGN
Team members:
• Create & develop blueprint for security
• Examine & implement key policies

PHYSICAL DESIGN
Team members:
• Evaluate technology to support security blueprint
• Generate alternative solutions
• Agree on final design
• Also includes developing criteria for determining the definition of a successful solution.

Page 9

DESIGN – continued …

• Security Models: NIST & ISO/IEC 27002
– Used to guide design process
– Provide framework to ensure all areas of security are addressed
• Framework adapted/adopted to meet InfoSec needs

Page 10

DESIGN – continued …

INFORMATION SECURITY PROGRAM – critical design elements (Purpose of InfoSec Program – p. 61)

• Policies – provide rules for protection of information assets
– General/Security program policy
– Issue-specific security policy
– System-specific security policy
• SETA
– Security education – building in-depth education
– Security training – developing skills & knowledge
– Security awareness – improving awareness
• Design of controls
– Managerial – deals with security planning process & security program management – risk management & security control review
– Operational – lower-level planning; DR & IR
– Technical – addresses tactical/technical implementation of security; technological issues

Page 11

DESIGN – continued …

• Contingency Planning (CP) – prepare for, react to & recover from circumstances threatening the organisation
– Incident Response Planning (IRP)
– Disaster Recovery Planning (DRP)
– Business Continuity Planning (BCP)
• Design, implementation & maintenance of controls for physical resources
– People
– Hardware
– Information system elements

Page 12

IMPLEMENTATION

• Security solutions acquired, implemented and tested
• Personnel issues evaluated
– Training
– Education programs
• Management of project plan
– Planning project
– Supervise tasks & action steps
– Wrapping up project

Page 13

IMPLEMENTATION – continued …

• Project team
• Staffing InfoSec function
– Position & name security function
– Plan for proper staffing
– Understand impact of InfoSec across IT
– Integrate InfoSec concepts into personnel management practices
• Information Security Professionals
– CIO, CISO, Security Manager, Data Owner, Data Custodian, Data users
• Professional Certification

Page 14

MAINTENANCE

• After implementation the InfoSec program must be:
– Operated
– Properly managed
– Kept up to date using established procedures

Page 15

MAINTENANCE – continued …

• Maintenance Model – focus organisational effort on systems maintenance
– External monitoring – new & emerging threats
– Internal monitoring – organisation's network & information systems
– Planning & risk assessment
– Vulnerability assessment & remediation – penetration testing
• Readiness & review – functionality

Page 16

Maintenance Model

Page 17

MAINTENANCE – continued …

• ISO Management Model
– Fault Management – identify and address faults
– Configuration & Change Management – change components & change administration
– Accounting Management & Auditing – system monitoring
– Performance Management
• Security Management