SecSDLC Chapter 2
Phases of the SecSDLC
INVESTIGATION
- Directive from management
- Creation of security policy
- Team: analyse the problem, define scope, specify goals, identify constraints
- Feasibility analysis: determine resources and commitment
ANALYSIS
- Analysis of existing security policies, known threats and current controls
- Legal issues, e.g. privacy laws governing personal information
ANALYSIS – continued …
Risk management: identify, assess and evaluate risk levels (especially threats to information)
- Threat: a constant danger to assets
- Attack: an act that causes harm or damage by exploiting a vulnerability to compromise a controlled system
- Threat agent: the source of the danger – an object, person or other entity
- Exploit: a technique used to misuse or take advantage of a vulnerability
- Vulnerability: a weakness or exposure that leaves an asset defenceless
Threats to Information Security
ANALYSIS – continued …
- Prioritise and manage risk by each category of threat and its related method of attack
- Identify and assess the value of information assets
- Risk assessment: assign a comparative risk rating or score to each information asset
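The slide above only names the outputs of risk assessment (asset value, comparative risk score per asset). The following is an added worked example, not code from the chapter or its textbook: it takes a small constructed worksheet of assets and threat/vulnerability pairs, computes a weighted asset value, scores each pair, and ranks both the pairs and the assets. The valuation criteria, their weights, the scoring rule (risk = likelihood × value × (1 − controlled + uncertainty)) and every figure in the worksheet are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weighted valuation criteria for information assets (weights sum to 1.0).
# The criteria, weights and all sample figures below are constructed for
# this illustration; they are not taken from the chapter.
CRITERIA_WEIGHTS: Dict[str, float] = {
    "confidentiality": 0.5,   # harm if disclosed
    "revenue_impact": 0.3,    # harm to revenue if unavailable or corrupted
    "criticality": 0.2,       # how central the asset is to operations
}


def _unit(name: str, x: float) -> float:
    """Reject ratings outside 0..1 so a bad worksheet entry fails loudly."""
    if not 0.0 <= x <= 1.0:
        raise ValueError(f"{name} must be in [0, 1], got {x}")
    return x


@dataclass(frozen=True)
class Asset:
    name: str
    ratings: Dict[str, float]  # criterion -> 0..1 rating from the asset inventory

    def value(self) -> float:
        """Weighted asset value: sum of weight x rating over all criteria."""
        missing = set(CRITERIA_WEIGHTS) - set(self.ratings)
        if missing:
            raise ValueError(f"{self.name}: missing ratings for {sorted(missing)}")
        return sum(w * _unit(c, self.ratings[c]) for c, w in CRITERIA_WEIGHTS.items())


@dataclass(frozen=True)
class ThreatVulnerabilityPair:
    asset: str
    threat: str          # threat category / attack method (Analysis slide)
    vulnerability: str   # the weakness the threat agent would exploit
    likelihood: float    # 0..1 chance the vulnerability is exploited in the period
    controlled: float    # 0..1 fraction of the risk current controls already mitigate
    uncertainty: float   # 0..1 allowance for gaps in our knowledge

    def risk(self, asset_value: float) -> float:
        """Assumed scoring rule (not from the chapter):
        risk = likelihood x value x (1 - controlled + uncertainty).
        Exposure grows with likelihood and value, shrinks with existing
        control coverage, and is inflated by uncertainty."""
        lk = _unit("likelihood", self.likelihood)
        ct = _unit("controlled", self.controlled)
        un = _unit("uncertainty", self.uncertainty)
        return lk * asset_value * (1.0 - ct + un)


def rank_pairs(assets, pairs) -> List[Tuple[str, str, float]]:
    """Every threat/vulnerability pair with its score, highest risk first."""
    values = {a.name: a.value() for a in assets}
    scored = []
    for p in pairs:
        if p.asset not in values:
            raise KeyError(f"unknown asset {p.asset!r} in worksheet")
        scored.append((p.asset, p.threat, p.risk(values[p.asset])))
    return sorted(scored, key=lambda t: t[2], reverse=True)


def rank_assets(assets, pairs) -> List[Tuple[str, float]]:
    """Comparative risk score per asset: total over its pairs, highest first."""
    totals: Dict[str, float] = {a.name: 0.0 for a in assets}
    for asset, _threat, score in rank_pairs(assets, pairs):
        totals[asset] += score
    return sorted(totals.items(), key=lambda t: t[1], reverse=True)


# Constructed sample worksheet (assumed data).
ASSETS = [
    Asset("customer database", {"confidentiality": 1.0, "revenue_impact": 0.8, "criticality": 0.9}),
    Asset("public web server", {"confidentiality": 0.2, "revenue_impact": 0.9, "criticality": 0.7}),
    Asset("internal wiki", {"confidentiality": 0.5, "revenue_impact": 0.1, "criticality": 0.3}),
]

PAIRS = [
    ThreatVulnerabilityPair("customer database", "software attack", "SQL injection in web front end", 0.5, 0.6, 0.1),
    ThreatVulnerabilityPair("customer database", "insider misuse", "over-broad DBA privileges", 0.2, 0.3, 0.2),
    ThreatVulnerabilityPair("public web server", "denial of service", "no upstream rate limiting", 0.7, 0.2, 0.1),
    ThreatVulnerabilityPair("internal wiki", "credential compromise", "stale shared accounts", 0.4, 0.0, 0.3),
]

if __name__ == "__main__":
    for asset, threat, score in rank_pairs(ASSETS, PAIRS):
        print(f"{score:.3f}  {asset:18s} {threat}")
    print()
    for asset, total in rank_assets(ASSETS, PAIRS):
        print(f"{total:.3f}  {asset}")
```

Two points the ranking makes that the slide does not: the highest-scoring single pair (the web server's denial-of-service exposure) does not belong to the highest-value asset, while the customer database still ranks first as an asset because it carries several pairs. Rating inputs are range-checked because a single out-of-range likelihood silently distorts the whole ordering.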
DESIGN
Logical design – team members:
- Create and develop the blueprint for security
- Examine and implement key policies
Physical design – team members:
- Evaluate technology to support the security blueprint
- Generate alternative solutions
- Agree on the final design
- Also develop the criteria used to decide whether a solution counts as successful
DESIGN – continued …
Security models
- NIST and ISO/IEC 27002 used to guide the design process
- Provide a framework to ensure all areas of security are addressed
- Framework adopted or adapted to meet the organisation's InfoSec needs
DESIGN – continued …
INFORMATION SECURITY PROGRAM – critical design elements (purpose of InfoSec program – p. 61)
Policy: provides the rules for protection of information assets
- General/enterprise security program policy
- Issue-specific security policy
- System-specific security policy
SETA
- Security education: building in-depth education
- Security training: developing skills and knowledge
- Security awareness: improving awareness
Design of controls
- Managerial: the security planning process and security program management – risk management and security control review
- Operational: lower-level planning; disaster recovery and incident response
- Technical: tactical/technical implementation of security; technological issues
DESIGN – continued …
Contingency planning (CP): prepare for, react to and recover from circumstances threatening the organisation
- Incident response planning (IRP)
- Disaster recovery planning (DRP)
- Business continuity planning (BCP)
Controls for physical resources: design, implementation and maintenance of controls protecting
- People
- Hardware
- Information system elements
IMPLEMENTATION
- Security solutions acquired, implemented and tested
- Personnel issues evaluated; training and education programmes
- Management of the project plan: planning the project, supervising tasks and action steps, wrapping up the project
IMPLEMENTATION – continued …
Project team – staffing the InfoSec function
- Position and name the security function
- Plan for proper staffing
- Understand the impact of InfoSec across IT
- Integrate InfoSec concepts into personnel management practices
Information security professionals: CIO, CISO, security manager, data owner, data custodian, data users
Professional certification
MAINTENANCE
After implementation the InfoSec program must be:
- Operated
- Properly managed
- Kept up to date using established procedures
MAINTENANCE – continued …
Maintenance model – focuses the organisation's effort on systems maintenance
- External monitoring: new and emerging threats
- Internal monitoring: the organisation's networks and information systems
- Planning and risk assessment
- Vulnerability assessment and remediation, including penetration testing
- Readiness and review: functionality
Maintenance Model
MAINTENANCE – continued …
ISO management model
- Fault management: identify and address faults
- Configuration and change management: changing components and administering change
- Accounting management and auditing: system monitoring
- Performance management
- Security management