SDLC: System Development Life Cycle cs5493. SDLC Classical Model Linear Sequential – Aka waterfall model.

SDLC: System Development Life Cycle cs5493

SDLC Classical Model
Linear Sequential – aka waterfall model

SDLC

Example: Concept to Planning

SDLC Model Variants
The classical SDLC model has been refined into more useful variants.

SDLC Refined Model

SDLC Sustainment Cycle
Changes are required to sustain the system:
– Planning needed changes based on technology, market forces, security requirements, etc.
– Analysis of proposed changes on the system
– Design and integration of changes into the system
– Implementation of proposed changes (make it so!)
– Maintenance (things break, need replacement, obsolescence)

SDLC : Sustainment Loop (cycle)

SDLC Refined Model

SDLC Applied to Information Systems
NIST (Uncle Sam) recommends including security in all development stages of an information system.

NIST Information SDLC Phases
1. Initiation Phase
2. Acquisition/Development Phase
3. Implementation Phase
4. Operations/Maintenance Phase
5. Disposition Phase

Information SDLC (Executive Summary)

1. Initiation Phase
a) Security Categorization
b) Preliminary Risk Assessment

1. a) Security Categorization
Security categorization standards assist in the appropriate selection of security controls. Categorization levels can be labeled low, moderate, or high, later to be categorized into a CC EAL (Common Criteria Evaluation Assurance Level).

1. b) Preliminary Risk Assessment
Analysis that identifies the protection requirements for the system. This would also be used in the certification/accreditation process.

2. Acquisition/Development Phase
a) Risk Assessment (overlaps with the previous phase)
b) Security Functional Requirements
c) Security Assurance Requirements Analysis
d) Cost Considerations & Reporting
e) Security Planning
f) Security Control Development
g) Developmental Security Test & Evaluation
h) Other Components

2. a) Risk Assessment
Overlaps with the previous phase:
– Identify the protection requirements for the system.

2. b) Security Functional Requirements Analysis
Should include consideration of relevant laws and regulations. This applies to:
– Government agencies
– Companies with government contracts
– Payment card industry laws and regulations, etc.

2. c) Security Assurance Requirements Analysis
The correct and effective use of security controls.
– CC can be helpful here. Choose systems that have been evaluated to meet an assurance standard.

2. d) Cost Considerations and Reporting
Estimate the cost of information security over the life cycle of the system.

2. e) Security Planning
The agreed security controls, planned or in place, are fully documented.

2. f) Security Control Development
1. New systems: the security plan includes provisions for development of security controls. (Sustainability cycle)
2. Existing systems: implies the advancement of the security controls, especially those that are ineffective. (Sustainability cycle)

2. g) Developmental Security Testing and Evaluation
An assurance that the security controls for a new system:
– Are implemented correctly
– Operate as intended
– Produce the desired outcome
(as in certification and accreditation…)

2. h) Other Planning Components
Examples:
– Participation of all the relevant groups and individuals in the security planning process. This would include, among others, such individuals as the Certification Agent and Information System Owner.

3. Implementation Phase
a) Inspection & Acceptance
b) Security Control Integration
c) Security Certification
d) Security Accreditation

3. a) Inspection & Acceptance
Validate that the documented functionality is actually implemented.

3. b) Security Control Integration
The security controls are integrated at the operational site where the information system is deployed for operation.

3. c) Security Certification
Certification occurs when security controls:
– Are implemented correctly,
– Operate as intended, and
– Produce the desired outcome.
(As determined by the Certification Agent)

3. d) Security Accreditation
The Authorizing Official (AO) will determine if the risks are acceptable for the information system.

4. Operations/Maintenance Phase
a) Configuration Management & Control
b) Continuous Monitoring

4. a) Configuration Management & Control
Consideration of how changes to the system will impact the overall security.
– Changes could be updates and patches to the OS and other software systems.
– Changes could be replacing failed or obsolete hardware.

4. b) Continuous Monitoring
Security controls are monitored through periodic testing and evaluation to ensure they work as intended.

5. Disposition Phase
a) Information Preservation
b) Media Sanitization
c) Hardware & Software Disposal

5. a) Information Preservation
Ensures information is retained as necessary and accommodates technology changes that may render current retrieval methods obsolete.

5. b) Media Sanitization
Data destined for disposal is properly erased.

5. c) Hardware & Software Disposal
Hardware and software are disposed of in accordance with regulations, license agreements, laws, and agency policies.

FIN

Development/Acquisition Phase
Security requirements shall be developed at the same time system planners define the requirements of the system. The security requirements shall be incorporated into design specifications along with assurances that the security features acquired can and do work correctly and effectively.

Implementation Phase
The system's security features shall be configured and enabled. The system shall be tested and installed or fielded and the system authorized for processing.

Operation/Maintenance Phase
Complete the many security activities outlined in the various rules of the system. Performing backups, holding training classes, managing passwords, and reviewing the system are just some examples.

Disposal Phase
Information may be moved to another system, archived, discarded or destroyed. Hardware and software can be sold, given away or discarded.
– There is rarely a need to destroy hardware, except for some storage media containing confidential information that cannot be sanitized without destruction.
– The disposition of software needs to be in keeping with its license or other agreements.