“Both risk management and regulatory requirements emphasize the need for an effective risk management program. And to effectively manage risk, it is important that the definitions of the risk management program objectives are clear from the start, so that the program can head in the right direction. Risk management of information assets also provides a strong basis for information security activities, such as controlling risk to the confidentiality, integrity, and availability of information, aligning mitigation efforts with business objectives, and providing cost-effective solutions after analyzing security risks” (University of Phoenix – Skillsoft®, 2012). A security development life cycle is a guide for ensuring that security is continually being improved. Implementing a security life cycle requires that policy and standards be put in place from the start.
Security policy and standards are the foundation of any component of a security program. They are especially critical in both the assessment and the protection phases of the life cycle. The assessment phase uses the standards and policy as the basis for conducting the assessment: resources are evaluated against the security policy. During the protection phase, resources are configured to meet policy and standards. Security should be addressed at all phases of the systems development life cycle (SDLC). “The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system.
A methodology is a formal approach to solving a problem by means of a structured sequence of procedures. Using a methodology ensures a rigorous process with a clearly defined goal and increases the probability of success. Once a methodology has been adopted, activities such as establishing key milestones and selecting a team follow, ensuring accountability for accomplishing the project goals” (Whitman, 2012, p. 21). The phases of an SDLC include:
1. Investigation
2. Analysis
3. Logical design
4. Physical design
5. Implementation
6. Maintenance and change
The only differences between the SDLC and the security systems development life cycle (SecSDLC) are the specific activities and the intent of each phase (table 1-2). The investigation phase of the SecSDLC starts with a directive from upper management specifying the process, outcomes, and goals of the project, as well as its budget and other constraints. NIST SP 800-60 is a valuable resource for identifying the different information types a system handles and for assigning security impact levels with justifications. NIST SP 800-53, in turn, separates controls into three baselines that match the possible system impact levels; identifying the system owner also belongs to this phase. The requirements analysis phase involves conducting a preliminary analysis of existing security policies or programs, along with documented current threats and associated controls.
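The essay names SP 800-60 for impact levels and SP 800-53 for the three baselines but does not show how one leads to the other. The following is an added example (not from the essay, and not NIST code) of the roll-up step between them, using the categorization rule FIPS 199 and FIPS 200 define: for each information type and each security objective a potential impact of LOW, MODERATE or HIGH is assigned; the system's value for each objective is the highest value among its information types (the "high water mark"); and the overall system impact level, which names the SP 800-53 baseline, is the high water mark across confidentiality, integrity and availability. The example also handles the one edge case FIPS 199 allows: "not applicable" may be recorded for the confidentiality of public information at the information-type level, but a system can never be categorized below LOW. The information types and impact assignments in `SAMPLE_TYPES` are constructed for illustration, not values taken from SP 800-60 Volume II.

```python
"""FIPS 199-style security categorization: roll information-type impact
levels up to a system security category, then name the SP 800-53 baseline.

Added example, not from the essay or from NIST. The information types and
their impact assignments below are CONSTRUCTED samples, not values taken
from SP 800-60 Volume II; an analyst would substitute the provisional
levels from that catalog, adjusted with documented justifications.
"""
from dataclasses import dataclass

# Ordering used for the high-water-mark comparison. FIPS 199 permits "N/A"
# only for the confidentiality of public information and only at the
# information-type level; a system is never categorized below LOW.
IMPACT_ORDER = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str
    integrity: str
    availability: str
    justification: str = ""  # why a provisional level was adjusted, if it was

    def impact(self, objective: str) -> str:
        return getattr(self, objective)


def validate(info_type: InfoType) -> None:
    """Reject levels outside the FIPS 199 vocabulary and misuse of N/A."""
    for objective in OBJECTIVES:
        level = info_type.impact(objective)
        if level not in IMPACT_ORDER:
            raise ValueError(f"{info_type.name}: unknown impact level {level!r}")
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(
                f"{info_type.name}: N/A is only permitted for confidentiality")


def high_water_mark(levels) -> str:
    """Highest impact value in `levels`, floored at LOW for a system."""
    top = max(levels, key=IMPACT_ORDER.__getitem__, default="LOW")
    return "LOW" if top == "N/A" else top


def categorize_system(info_types) -> dict:
    """Per-objective system category: SC = {(C, x), (I, y), (A, z)}."""
    for info_type in info_types:
        validate(info_type)
    return {obj: high_water_mark(t.impact(obj) for t in info_types)
            for obj in OBJECTIVES}


def select_baseline(system_category: dict) -> str:
    """Overall system impact level (FIPS 200 high water mark across C, I, A),
    which names the SP 800-53 baseline: LOW, MODERATE or HIGH."""
    return high_water_mark(system_category.values())


def format_sc(system_category: dict) -> str:
    """Render the category in the FIPS 199 notation used in a system security plan."""
    return "SC = {" + ", ".join(
        f"({obj}, {lvl})" for obj, lvl in system_category.items()) + "}"


# Constructed sample: a public-facing informational site that also hosts a
# small personnel-records function. Levels are illustrative only.
SAMPLE_TYPES = [
    InfoType("Public web content", "N/A", "LOW", "LOW"),
    InfoType("Personnel records", "MODERATE", "MODERATE", "LOW",
             justification="contains PII; loss of integrity affects payroll"),
    InfoType("System audit logs", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_TYPES)
    print(format_sc(sc))
    print("SP 800-53 baseline:", select_baseline(sc))
```

For the constructed sample the roll-up yields a MODERATE confidentiality and integrity category and a LOW availability category, so the MODERATE baseline applies even though two of the three information types are low-impact on their own; that is the point of the high water mark, and it is why the justification field matters when an analyst argues a provisional level down.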
The logical design phase involves team members creating and developing the design for security, analyzing it, and implementing key policies that will influence future decisions. The physical design phase involves team members evaluating the technology needed to support the security design, providing alternative solutions, and approving the final design. The implementation phase involves acquiring, testing, implementing, and retesting security solutions. This phase also involves conducting evaluation and providing specific training and education programs to personnel.
In this phase, DISA STIGs, NIST SP 800-18, NIST SP 800-53A, and NIST SP 800-37 are the references used to incorporate technology best practices, finalize the system security plan, develop the security control testing plan, test the security controls, authorize the system, and develop the plan of action and milestones. The maintenance and change phase involves operating, properly managing, and keeping the information security program up to date through established procedures. In this activity, it is important to incorporate recommendations from resources such as NIST SP 800-53A, NIST SP 800-86, NIST SP 800-83, NIST SP 800-61, and NIST SP 800-40.
Table 1-2 (Whitman, 2012, p. 28).
The Information Technology (IT) Security Certification and Accreditation (C&A) process evaluates the implementation of an IT system or site against its security requirements. The process produces evidence used by a designated manager as part of the basis for making an informed decision about operating that IT system or site.
The NSTISSI No. 4009 National Information Systems Security (INFOSEC) Glossary (September 2000) defines certification as a “comprehensive evaluation of the technical and non-technical security safeguards of an IS to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements” and accreditation as a “formal declaration by a Designated Approving Authority (DAA) that an IS is approved to operate in a particular security mode at an acceptable level of risk, based on the implementation of an approved set of technical, managerial, and procedural safeguards” (SANS Institute, 2007, p. 1).
“The NIACAP establishes a standard national process, set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site” (National Security Telecommunications and Information Systems Security Committee, 2000). The process certifies that the information system (IS) meets documented security requirements and will continue to maintain the accredited security posture throughout the system life cycle. “Adapting the process includes existing system certifications and evaluations of products. Users of the process must align the process with their program strategies and integrate the activities into their enterprise system life cycle. While the NIACAP maps to any system life cycle process, its four phases are independent of the life cycle strategy.
While developed for national security systems, the NIACAP may, at an agency’s discretion, be adapted to any type of IS and any computing environment and mission, subject to the policies found in OMB Circular A-130, Appendix III, and the standards and guidance issued by the National Institute of Standards and Technology (NIST)” (National Security Telecommunications and Information Systems Security Committee, 2000, p. 1). NIST Special Publication 800-64, Rev. 1, provides an overview of the security considerations for each phase of the SDLC: “Each SDLC phase includes a minimal set of security steps needed to effectively incorporate security into a system during its development.
An organization will either use the general SDLC described or will have developed a tailored SDLC that meets its specific needs. Based on NIST recommendation, organizations should incorporate the associated IT security steps of the general SDLC into their development process” (Whitman, 2012, p. 24). Integrating security activities into the SDLC lets organizations realize three key advantages. First, the system benefits from stronger security, decreasing the probability and impact of intentional and unintentional vulnerabilities. Second, by considering security concepts during the right SDLC phase, the incorporation of security into the system becomes seamless and costs less; retrofitting security requirements onto a finished system is a costly process. Finally, “the activity of integrating security into the lifecycle of federal information systems is required by the Certification and Accreditation (C&A) process” (Onpointcorp.com, n.d.).
National Security Telecommunications and Information Systems Security Committee. (2000). National Information Assurance Certification and Accreditation Process (NIACAP). Retrieved from http://www.fismacenter.com/nstissi_1000.pdf
Onpointcorp.com. (n.d.). Integrating Security into the System Development Life Cycle (SDLC). Retrieved from http://www.onpointcorp.com/uploads/137/doc/Security_in_the_SDLC.pdf
SANS Institute. (2007). Certification and Accreditation (C&A) vs System Development Life Cycle Management (SDLC). Retrieved from http://www.sans.org/reading-room/whitepapers/auditing/certification-accreditation-c-a-system-development-life-cycle-management-sdlc-1961
University of Phoenix – Skillsoft®. (2012). CISM 2012: Information Risk Management and Compliance (Part 1): Information Risk Management Overview. Retrieved from http://library.skillport.com/courseware/Content/cca/sp_cisn_a04_it_enus//output/t4/misc/transcript.html
Whitman, M. E. (2012). Principles of Information Security (4th ed.). Mason, Ohio: Cengage Learning.